forked from docs/doc-exports
Reviewed-by: Goncharov, Artem <artem.goncharov@t-systems.com> Co-authored-by: gtema <artem.goncharov@gmail.com> Co-committed-by: gtema <artem.goncharov@gmail.com>
87 lines
13 KiB
HTML
<a name="css_04_0019"></a><a name="css_04_0019"></a>
<h1 class="topictitle1">Clusters in Security Mode</h1>
<div id="body8662426"><p id="css_04_0019__en-us_topic_0178473803_p167096893912">Security mode is supported for Elasticsearch 7.1.1 and later versions. After you enable security mode, identity verification, authorization, and encryption are required.</p>
<p id="css_04_0019__en-us_topic_0178473803_p08261718545">This section describes the security mode using Kibana as an example.</p>
<div class="note" id="css_04_0019__en-us_topic_0178473803_note4949164712812"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="css_04_0019__en-us_topic_0178473803_p89490472282">You can enable security mode only during cluster creation and not after the cluster is created.</p>
</div></div>
<div class="section" id="css_04_0019__en-us_topic_0178473803_section87245114208"><h4 class="sectiontitle">Key Terms</h4>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="css_04_0019__en-us_topic_0178473803_table1130152932111" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Key terms of security mode</caption><thead align="left"><tr id="css_04_0019__en-us_topic_0178473803_row913192910216"><th align="left" class="cellrowborder" valign="top" width="19.759999999999998%" id="mcps1.3.4.2.2.3.1.1"><p id="css_04_0019__en-us_topic_0178473803_p11131129172116">Term</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="80.24%" id="mcps1.3.4.2.2.3.1.2"><p id="css_04_0019__en-us_topic_0178473803_p613112916211">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="css_04_0019__en-us_topic_0178473803_row4131629172119"><td class="cellrowborder" valign="top" width="19.759999999999998%" headers="mcps1.3.4.2.2.3.1.1 "><p id="css_04_0019__en-us_topic_0178473803_p169320115226">Permission</p>
</td>
<td class="cellrowborder" valign="top" width="80.24%" headers="mcps1.3.4.2.2.3.1.2 "><p id="css_04_0019__en-us_topic_0178473803_p1193210115228">A single action, for example creating an index (<strong id="css_04_0019__en-us_topic_0178473803_b111304271254">indices:admin/create</strong>).</p>
</td>
</tr>
<tr id="css_04_0019__en-us_topic_0178473803_row1513182932110"><td class="cellrowborder" valign="top" width="19.759999999999998%" headers="mcps1.3.4.2.2.3.1.1 "><p id="css_04_0019__en-us_topic_0178473803_p109321111122216">Action group</p>
</td>
<td class="cellrowborder" valign="top" width="80.24%" headers="mcps1.3.4.2.2.3.1.2 "><p id="css_04_0019__en-us_topic_0178473803_p1093216119229">A named group of permissions. For example, the predefined <strong id="css_04_0019__en-us_topic_0178473803_b7611132955">SEARCH</strong> action group grants roles permission to use the <strong id="css_04_0019__en-us_topic_0178473803_b15628321514">_search</strong> and <strong id="css_04_0019__en-us_topic_0178473803_b12631932656">_msearch</strong> APIs.</p>
</td>
</tr>
<tr id="css_04_0019__en-us_topic_0178473803_row1313115297218"><td class="cellrowborder" valign="top" width="19.759999999999998%" headers="mcps1.3.4.2.2.3.1.1 "><p id="css_04_0019__en-us_topic_0178473803_p493214113229">Role</p>
</td>
<td class="cellrowborder" valign="top" width="80.24%" headers="mcps1.3.4.2.2.3.1.2 "><p id="css_04_0019__en-us_topic_0178473803_p18932711152220">A role is a combination of permissions and action groups, including operation permissions on clusters, indices, documents, or fields.</p>
</td>
</tr>
<tr id="css_04_0019__en-us_topic_0178473803_row18131629172113"><td class="cellrowborder" valign="top" width="19.759999999999998%" headers="mcps1.3.4.2.2.3.1.1 "><p id="css_04_0019__en-us_topic_0178473803_p09321211102218">Backend role</p>
</td>
<td class="cellrowborder" valign="top" width="80.24%" headers="mcps1.3.4.2.2.3.1.2 "><p id="css_04_0019__en-us_topic_0178473803_p1493210119227">(Optional) Other external roles from the backend such as LDAP/Active Directory</p>
</td>
</tr>
<tr id="css_04_0019__en-us_topic_0178473803_row1413182914217"><td class="cellrowborder" valign="top" width="19.759999999999998%" headers="mcps1.3.4.2.2.3.1.1 "><p id="css_04_0019__en-us_topic_0178473803_p1193381113221">User</p>
</td>
<td class="cellrowborder" valign="top" width="80.24%" headers="mcps1.3.4.2.2.3.1.2 "><p id="css_04_0019__en-us_topic_0178473803_p093351115224">A user can send operation requests to the Elasticsearch cluster. The user has credentials such as username and password, zero or more backend roles, and zero or more custom attributes.</p>
</td>
</tr>
<tr id="css_04_0019__en-us_topic_0178473803_row6131829112117"><td class="cellrowborder" valign="top" width="19.759999999999998%" headers="mcps1.3.4.2.2.3.1.1 "><p id="css_04_0019__en-us_topic_0178473803_p10933171182210">Role mapping</p>
</td>
<td class="cellrowborder" valign="top" width="80.24%" headers="mcps1.3.4.2.2.3.1.2 "><p id="css_04_0019__en-us_topic_0178473803_p18933161132219">A user is assigned roles after successful authentication. Role mapping maps a role to a user (or to a backend role). For example, the mapping from <strong id="css_04_0019__en-us_topic_0178473803_b2032813464513">kibana_user</strong> (role) to <strong id="css_04_0019__en-us_topic_0178473803_b03291246759">jdoe</strong> (user) means that John Doe obtains all permissions of <strong id="css_04_0019__en-us_topic_0178473803_b53301461251">kibana_user</strong> after being authenticated. Similarly, the mapping from <strong id="css_04_0019__en-us_topic_0178473803_b136981461458">all_access</strong> (role) to <strong id="css_04_0019__en-us_topic_0178473803_b569918464512">admin</strong> (backend role) means that any user with the backend role <strong id="css_04_0019__en-us_topic_0178473803_b187012461556">admin</strong> (from the LDAP/Active Directory server) has all the permissions of the role <strong id="css_04_0019__en-us_topic_0178473803_b1070284620513">all_access</strong> after being authenticated. You can map each role to multiple users or backend roles.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="css_04_0019__en-us_topic_0178473803_section1753019573712"><h4 class="sectiontitle">Identity Verification</h4><p id="css_04_0019__en-us_topic_0178473803_p1296192419373">After you enable security mode, you must log in to the cluster with the username and password you set when creating the cluster. Other operations are available only after a successful login.</p>
<div class="fignone" id="css_04_0019__en-us_topic_0178473803_fig665855817396"><span class="figcap"><b>Figure 1 </b>Login for identity verification</span><br><span><img id="css_04_0019__en-us_topic_0178473803_image1865855810398" src="en-us_image_0000001338716501.png" height="366.08250000000004" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
</div>
<div class="section" id="css_04_0019__en-us_topic_0178473803_section44819400404"><h4 class="sectiontitle">Authorization</h4><p id="css_04_0019__en-us_topic_0178473803_p365213644117">On the <strong id="css_04_0019__en-us_topic_0178473803_b1398712310588">Kibana</strong> console, click <strong id="css_04_0019__en-us_topic_0178473803_b1298782319582">Security</strong> to control user permissions in Elasticsearch clusters. You can configure hierarchical user permissions by cluster, index, document, and field.</p>
<p id="css_04_0019__en-us_topic_0178473803_p48442213419">You can add or delete users, and map users to different roles for permissions control.</p>
<div class="fignone" id="css_04_0019__en-us_topic_0178473803_fig9206175294619"><span class="figcap"><b>Figure 2 </b>Configuring users</span><br><span><img id="css_04_0019__en-us_topic_0178473803_image1720625294617" src="en-us_image_0000001339036237.png" height="146.63250000000002" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
<p id="css_04_0019__en-us_topic_0178473803_p6540155417477">You can use role mapping to configure roles and map a user's username, backend role, and host name to a role.</p>
<div class="fignone" id="css_04_0019__en-us_topic_0178473803_fig1615521220484"><span class="figcap"><b>Figure 3 </b>Role mapping</span><br><span><img id="css_04_0019__en-us_topic_0178473803_image6155161254812" src="en-us_image_0000001286276514.png" height="157.60500000000002" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
<p id="css_04_0019__en-us_topic_0178473803_p9582122844812">You can set the permissions of each role for accessing clusters, indices, and documents, and assign different roles to Kibana tenants.</p>
<div class="fignone" id="css_04_0019__en-us_topic_0178473803_fig171866416485"><span class="figcap"><b>Figure 4 </b>Configuring role permissions</span><br><span><img id="css_04_0019__en-us_topic_0178473803_image15187124118484" src="en-us_image_0000001338716505.png" height="165.585" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
<p id="css_04_0019__en-us_topic_0178473803_p132331659124815">You can set action groups, assign the groups to roles, and configure the roles' permission for accessing indices and documents.</p>
<div class="fignone" id="css_04_0019__en-us_topic_0178473803_fig10424783491"><span class="figcap"><b>Figure 5 </b>Configuring action groups</span><br><span><img id="css_04_0019__en-us_topic_0178473803_image842488144911" src="en-us_image_0000001286116602.png" height="174.5625" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
<p id="css_04_0019__en-us_topic_0178473803_p11274924194916">You can view the authentication and authorization parameters of the current cluster. You can also run the <strong id="css_04_0019__en-us_topic_0178473803_b20923314262">securityadmin</strong> command to modify the configuration.</p>
<div class="fignone" id="css_04_0019__en-us_topic_0178473803_fig1995754614499"><span class="figcap"><b>Figure 6 </b>Viewing cluster parameters</span><br><span><img id="css_04_0019__en-us_topic_0178473803_image8958174615492" src="en-us_image_0000001338836353.png" height="164.5875" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
<p id="css_04_0019__en-us_topic_0178473803_p6322121345017">You can also clear the security cache.</p>
<div class="fignone" id="css_04_0019__en-us_topic_0178473803_fig16691821165012"><span class="figcap"><b>Figure 7 </b>Clearing the security cache</span><br><span><img id="css_04_0019__en-us_topic_0178473803_image567012125016" src="en-us_image_0000001286276518.png" height="500.745" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
</div>
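<p>The following Python script is an added example, not code from this page or from the Open Distro project. It models the authorization chain described in the Key Terms table and in the Authorization section: a user (by username, backend role, or host) is mapped to roles, roles carry permissions and action groups, and action groups expand to the permissions they contain, possibly through other groups. Everything in it is constructed: the <strong>SEARCH</strong>, <strong>SUGGEST</strong>, <strong>READ</strong> and <strong>CLUSTER_MONITOR</strong> groups are stand-ins for the plugin's predefined groups, the role layout is a simplified version of the plugin's role documents, and the users and backend roles are invented. It generalizes the table's two mapping examples (<strong>jdoe</strong> to <strong>kibana_user</strong>, backend role <strong>admin</strong> to <strong>all_access</strong>) into a resolver you can use to review what a mapping actually grants before applying it.</p>

```python
"""Resolve the effective permissions of an Elasticsearch user under the
security model of the Key Terms table and the Authorization section:
users, backend roles and hosts are mapped to roles; roles carry permissions
and action groups; action groups expand to permissions.

Added example, not code from the original page or from the Open Distro
project. All data below is constructed: the action groups are stand-ins for
the plugin's predefined groups, and the role layout is a simplified version
of the plugin's roles / role-mapping documents."""
from fnmatch import fnmatchcase

# Action groups: a group contains permission patterns and may include other
# groups (constructed to resemble the predefined ones, not copied from them).
ACTION_GROUPS = {
    "SEARCH": ["indices:data/read/search*", "indices:data/read/msearch*", "SUGGEST"],
    "SUGGEST": ["indices:data/read/suggest*"],
    "READ": ["indices:data/read/get*", "indices:data/read/mget*"],
    "CLUSTER_MONITOR": ["cluster:monitor/*"],
}

# Roles: cluster-level entries plus index pattern -> entries (simplified layout).
ROLES = {
    "kibana_user": {"cluster": ["CLUSTER_MONITOR"],
                    "index": {".kibana*": ["READ", "indices:admin/create"]}},
    "readall": {"cluster": [], "index": {"*": ["SEARCH", "READ"]}},
    "all_access": {"cluster": ["*"], "index": {"*": ["*"]}},
}

# Role mappings: role -> users, backend roles (e.g. from LDAP/AD), and hosts.
ROLE_MAPPINGS = {
    "kibana_user": {"users": ["jdoe"], "backend_roles": [], "hosts": []},
    "readall": {"users": [], "backend_roles": ["analyst"], "hosts": []},
    "all_access": {"users": [], "backend_roles": ["admin"], "hosts": []},
}


def expand_actions(entries, expanding=frozenset()):
    """Recursively replace action-group names with the permission patterns
    they contain; plain patterns pass through. `expanding` holds the groups
    on the current expansion path so a cyclic group definition terminates."""
    perms = set()
    for entry in entries:
        if entry in ACTION_GROUPS:
            if entry not in expanding:
                perms |= set(expand_actions(ACTION_GROUPS[entry], expanding | {entry}))
        else:
            perms.add(entry)
    return sorted(perms)


def roles_for(user, backend_roles=(), host=None):
    """Roles an authenticated user receives through role mapping: by
    username, by any of the user's backend roles, or by the request host."""
    granted = set()
    for role, mapping in ROLE_MAPPINGS.items():
        if (user in mapping["users"]
                or set(backend_roles) & set(mapping["backend_roles"])
                or (host is not None and host in mapping["hosts"])):
            granted.add(role)
    return sorted(granted)


def effective_permissions(user, backend_roles=(), index=None, host=None):
    """All permission patterns the user holds on the cluster (index=None) or
    on the given index; handy for a least-privilege review of a mapping."""
    perms = set()
    for role in roles_for(user, backend_roles, host):
        spec = ROLES[role]
        if index is None:
            perms |= set(expand_actions(spec["cluster"]))
        else:
            for pattern, entries in spec["index"].items():
                if fnmatchcase(index, pattern):
                    perms |= set(expand_actions(entries))
    return sorted(perms)


def is_allowed(user, action, backend_roles=(), index=None, host=None):
    """Authorization decision for one Elasticsearch action name such as
    indices:data/read/search or cluster:monitor/health."""
    return any(fnmatchcase(action, p)
               for p in effective_permissions(user, backend_roles, index, host))


if __name__ == "__main__":
    print(roles_for("jdoe"))                                              # ['kibana_user']
    print(is_allowed("jdoe", "indices:admin/create", index=".kibana_1"))  # True
    print(is_allowed("jdoe", "indices:admin/create", index="logs-2024"))  # False
    print(effective_permissions("alice", ["admin"], index="logs-2024"))   # ['*']
```

<p>The resolver answers the question the console screens leave implicit: given a mapping, which concrete actions can a principal perform on which index? Running <code>effective_permissions</code> for each mapped user or backend role is a quick way to spot a role that has quietly grown to <code>*</code>.</p>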
<div class="section" id="css_04_0019__en-us_topic_0178473803_section19601134845014"><h4 class="sectiontitle">Encryption</h4><p id="css_04_0019__en-us_topic_0178473803_p9146753145017">When key data is transferred between nodes or over HTTP, SSL/TLS encryption is used to ensure data security.</p>
<p id="css_04_0019__en-us_topic_0178473803_p8737413205115">You can perform the preceding operations in Kibana, by editing <strong id="css_04_0019__en-us_topic_0178473803_b19146388589">.yml</strong> files (not recommended), or by calling the REST APIs. For more information about the security mode, see <a href="https://opendistro.github.io/for-elasticsearch-docs/docs/security/" target="_blank" rel="noopener noreferrer">Security</a>.</p>
</div>
<div class="section" id="css_04_0019__en-us_topic_0178473803_section166847002115"><h4 class="sectiontitle">Resetting Passwords</h4><p id="css_04_0019__en-us_topic_0178473803_p133252314210">If you want to change the login password of a cluster with the security mode enabled or you have forgotten the password, reset the cluster password.</p>
<ol id="css_04_0019__en-us_topic_0178473803_ol82011427134013"><li id="css_04_0019__en-us_topic_0178473803_li62021427154020">On the <strong id="css_04_0019__en-us_topic_0178473803_b7726194055311">Clusters</strong> page, locate the cluster whose password you want to reset and click the cluster name. The <strong id="css_04_0019__en-us_topic_0178473803_b6742724105419">Basic Information</strong> page is displayed.</li><li id="css_04_0019__en-us_topic_0178473803_li2079816112418">On the <strong id="css_04_0019__en-us_topic_0178473803_b1292924155919">Basic Information</strong> page, click <strong id="css_04_0019__en-us_topic_0178473803_b1993584155917">Reset</strong> next to <strong id="css_04_0019__en-us_topic_0178473803_b159355435912">Reset Password</strong> to reset the password.<div class="note" id="css_04_0019__en-us_topic_0178473803_note1659782016559"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="css_04_0019__en-us_topic_0178473803_ul22881526105512"><li id="css_04_0019__en-us_topic_0178473803_li1928818265556">The password can contain 8 to 32 characters.</li><li id="css_04_0019__en-us_topic_0178473803_li13391595583">It must include letters, digits, and special characters. Spaces and backslashes (\) are not allowed.</li><li id="css_04_0019__en-us_topic_0178473803_li9796211478">It cannot be the username or the username spelled backwards.</li><li id="css_04_0019__en-us_topic_0178473803_li76951243348">It is good practice to change the password periodically.</li></ul>
</div></div>
</li></ol>
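<p>The following Python script is an added example, not code from this page or from the cloud console. It checks a candidate password against the rules in the note above and draws a compliant random password for a reset, so an administrator can verify a password offline before entering it. The rule set is the note's own; two details the note leaves open are assumptions here: "special character" is taken to mean ASCII punctuation, and the comparison with the username is done case-insensitively.</p>

```python
"""Validate a cluster password against the reset rules in the note above,
and generate a compliant one.

Added example, not code from the original page or the cloud console. Rules
come from the note (8 to 32 characters; letters, digits and special
characters required; no spaces or backslashes; not the username or the
username reversed). Assumptions: "special character" means ASCII
punctuation, and the username check is case-insensitive."""
import secrets
import string

# Assumption: ASCII punctuation counts as "special"; the backslash is left
# out because the rules forbid it outright.
SPECIALS = set(string.punctuation) - {"\\"}


def password_violations(password, username):
    """Return the list of rules the password breaks (empty list: accepted)."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8 to 32 characters")
    if not any(c in string.ascii_letters for c in password):
        problems.append("must contain a letter")
    if not any(c in string.digits for c in password):
        problems.append("must contain a digit")
    if not any(c in SPECIALS for c in password):
        problems.append("must contain a special character")
    if " " in password or "\\" in password:
        problems.append("spaces and backslashes are not allowed")
    # Assumption: compare case-insensitively so 'Admin' is rejected for 'admin'.
    lowered = password.lower()
    if lowered in (username.lower(), username.lower()[::-1]):
        problems.append("must not be the username or the username reversed")
    return problems


def is_acceptable(password, username):
    """True when the password satisfies every rule."""
    return not password_violations(password, username)


def generate_password(username, length=16):
    """Draw a random password with the secrets module (a CSPRNG) and retry
    until it satisfies every rule; at 16 characters this needs few draws."""
    if not 8 <= length <= 32:
        raise ValueError("length must be 8 to 32")
    alphabet = string.ascii_letters + string.digits + "".join(sorted(SPECIALS))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_acceptable(candidate, username):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs checked against the username "admin".
    for pw in ("Sh0rt!", "nimda", "pass word1!", "Str0ng!Pass"):
        print(repr(pw), password_violations(pw, "admin") or "ok")
    print(generate_password("admin"))
```

<p>Returning the full list of violations rather than a single yes/no makes the checker usable as a pre-flight step: every broken rule is reported at once instead of one per attempt.</p>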
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="css_01_0001.html">Overview</a></div>
</div>
</div>