doc-exports/docs/css/umn/css_04_0019.html
Zheng, Xiu 0c90df93b1 CSS UMN 20230404 Version
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com>
Co-authored-by: Zheng, Xiu <zhengxiu@huawei.com>
Co-committed-by: Zheng, Xiu <zhengxiu@huawei.com>
2023-04-05 08:45:09 +00:00


<a name="css_04_0019"></a><a name="css_04_0019"></a>
<h1 class="topictitle1">Clusters in Security Mode</h1>
<div id="body8662426"><p id="css_04_0019__p636171114205">When creating an Elasticsearch cluster, you can enable the security mode for it. Users must authenticate before they can access a security cluster, and you can also configure authorization and encryption for it.</p>
<div class="section" id="css_04_0019__section133381042164710"><h4 class="sectiontitle">Context</h4><div class="p" id="css_04_0019__p17640543104717">You can create clusters in multiple security modes. For details about the differences between security modes, see <a href="#css_04_0019__en-us_topic_0000001410060261_table198661437165914">Table 1</a>.
<div class="tablenoborder"><a name="css_04_0019__en-us_topic_0000001410060261_table198661437165914"></a><a name="en-us_topic_0000001410060261_table198661437165914"></a><table cellpadding="4" cellspacing="0" summary="" id="css_04_0019__en-us_topic_0000001410060261_table198661437165914" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Cluster security modes</caption><thead align="left"><tr id="css_04_0019__en-us_topic_0000001410060261_row7867123765912"><th align="left" class="cellrowborder" valign="top" width="15.57%" id="mcps1.3.2.2.2.2.5.1.1"><p id="css_04_0019__en-us_topic_0000001410060261_p15867183785917">Security Mode</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="34.43%" id="mcps1.3.2.2.2.2.5.1.2"><p id="css_04_0019__en-us_topic_0000001410060261_p1386720375591">Scenario</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="25%" id="mcps1.3.2.2.2.2.5.1.3"><p id="css_04_0019__en-us_topic_0000001410060261_p12867123718593">Advantage</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="25%" id="mcps1.3.2.2.2.2.5.1.4"><p id="css_04_0019__en-us_topic_0000001410060261_p1186723705918">Disadvantage</p>
</th>
</tr>
</thead>
<tbody><tr id="css_04_0019__en-us_topic_0000001410060261_row986733765917"><td class="cellrowborder" valign="top" width="15.57%" headers="mcps1.3.2.2.2.2.5.1.1 "><p id="css_04_0019__en-us_topic_0000001410060261_p2867143711592">Non-Security Mode</p>
</td>
<td class="cellrowborder" valign="top" width="34.43%" headers="mcps1.3.2.2.2.2.5.1.2 "><p id="css_04_0019__en-us_topic_0000001410060261_p7867123745914">Intranet services and test scenarios</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.2.2.2.2.5.1.3 "><p id="css_04_0019__en-us_topic_0000001410060261_p15867137195915">Simple. Easy to access.</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.2.2.2.2.5.1.4 "><p id="css_04_0019__en-us_topic_0000001410060261_p1386718371595">Poor security. Anyone can access such clusters.</p>
</td>
</tr>
<tr id="css_04_0019__en-us_topic_0000001410060261_row686743705917"><td class="cellrowborder" valign="top" width="15.57%" headers="mcps1.3.2.2.2.2.5.1.1 "><p id="css_04_0019__en-us_topic_0000001410060261_p48671437125910">Security Mode + HTTP Protocol</p>
</td>
<td class="cellrowborder" valign="top" width="34.43%" headers="mcps1.3.2.2.2.2.5.1.2 "><p id="css_04_0019__en-us_topic_0000001410060261_p7867337165912">User permissions can be isolated, which suits scenarios that are sensitive to cluster performance.</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.2.2.2.2.5.1.3 "><p id="css_04_0019__en-us_topic_0000001410060261_p198671737105912">Security authentication is required to access such clusters, which improves cluster security. Accessing the cluster over HTTP retains its high performance.</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.2.2.2.2.5.1.4 "><p id="css_04_0019__en-us_topic_0000001410060261_p38671237155920">Cannot be accessed from the public network.</p>
</td>
</tr>
<tr id="css_04_0019__en-us_topic_0000001410060261_row386713755917"><td class="cellrowborder" valign="top" width="15.57%" headers="mcps1.3.2.2.2.2.5.1.1 "><p id="css_04_0019__en-us_topic_0000001410060261_p2086723715917">Security Mode + HTTPS Protocol</p>
</td>
<td class="cellrowborder" valign="top" width="34.43%" headers="mcps1.3.2.2.2.2.5.1.2 "><p id="css_04_0019__en-us_topic_0000001410060261_p5867153717599">Scenarios that require high security and public network access.</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.2.2.2.2.5.1.3 "><p id="css_04_0019__en-us_topic_0000001410060261_p128672370595">Security authentication is required to access such clusters, which improves cluster security. HTTPS allows such clusters to be accessed from the public network.</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.3.2.2.2.2.5.1.4 "><p id="css_04_0019__en-us_topic_0000001410060261_p18674376597">The performance of clusters using HTTPS is 20% lower than that of clusters using HTTP.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="section" id="css_04_0019__section98662589474"><h4 class="sectiontitle">Identity Verification</h4><p id="css_04_0019__p719400174815">To access a security cluster, you must enter a username and password. Identity verification is required for the following two types of users:</p>
</div>
<ul id="css_04_0019__ul15961822191016"><li id="css_04_0019__li496622131020">Administrator: The default administrator username is <strong id="css_04_0019__b1882413620149">admin</strong>, and the password is the one specified during cluster creation.</li><li id="css_04_0019__li111651241101219">Users: Enter the username and password created through Kibana.</li></ul>
<div class="section" id="css_04_0019__en-us_topic_0178473803_section44819400404"><h4 class="sectiontitle">Authorization</h4><p id="css_04_0019__en-us_topic_0178473803_p365213644117">On the <strong id="css_04_0019__en-us_topic_0178473803_b1398712310588">Kibana</strong> console, click <strong id="css_04_0019__en-us_topic_0178473803_b1298782319582">Security</strong> to control user permissions in Elasticsearch clusters. You can configure hierarchical user permissions by cluster, index, document, and field.</p>
<p id="css_04_0019__en-us_topic_0178473803_p48442213419">You can add or delete users and map users to different roles for permission control.</p>
<div class="fignone" id="css_04_0019__en-us_topic_0178473803_fig9206175294619"><span class="figcap"><b>Figure 1 </b>Configuring users</span><br><span><img id="css_04_0019__en-us_topic_0178473803_image1720625294617" src="en-us_image_0000001503817384.png"></span></div>
<p id="css_04_0019__en-us_topic_0178473803_p6540155417477">You can use role mapping to configure roles and map a user's username, backend role, and host name to a role.</p>
<div class="fignone" id="css_04_0019__en-us_topic_0178473803_fig1615521220484"><span class="figcap"><b>Figure 2 </b>Role mapping</span><br><span><img id="css_04_0019__en-us_topic_0178473803_image6155161254812" src="en-us_image_0000001554897033.png"></span></div>
<p id="css_04_0019__en-us_topic_0178473803_p9582122844812">You can set permissions for each role to access clusters, indices, and documents, and assign different roles to Kibana tenants.</p>
<div class="fignone" id="css_04_0019__en-us_topic_0178473803_fig171866416485"><span class="figcap"><b>Figure 3 </b>Configuring role permissions</span><br><span><img id="css_04_0019__en-us_topic_0178473803_image15187124118484" src="en-us_image_0000001503977284.png"></span></div>
<p id="css_04_0019__en-us_topic_0178473803_p132331659124815">You can set action groups, assign them to roles, and configure the roles' permissions for accessing indices and documents.</p>
<div class="fignone" id="css_04_0019__en-us_topic_0178473803_fig10424783491"><span class="figcap"><b>Figure 4 </b>Configuring action groups</span><br><span><img id="css_04_0019__en-us_topic_0178473803_image842488144911" src="en-us_image_0000001503657480.png"></span></div>
<p id="css_04_0019__en-us_topic_0178473803_p11274924194916">You can view the authentication and authorization parameters of the current cluster. You can also run the <strong id="css_04_0019__en-us_topic_0178473803_b20923314262">securityadmin</strong> command to modify the configuration.</p>
<div class="fignone" id="css_04_0019__en-us_topic_0178473803_fig1995754614499"><span class="figcap"><b>Figure 5 </b>Viewing cluster parameters</span><br><span><img id="css_04_0019__en-us_topic_0178473803_image8958174615492" src="en-us_image_0000001503817392.png"></span></div>
<p id="css_04_0019__en-us_topic_0178473803_p6322121345017">You can also clear the security cache.</p>
<div class="fignone" id="css_04_0019__en-us_topic_0178473803_fig16691821165012"><span class="figcap"><b>Figure 6 </b>Clearing the security cache</span><br><span><img id="css_04_0019__en-us_topic_0178473803_image567012125016" src="en-us_image_0000001554577133.png"></span></div>
</div>
<div class="section" id="css_04_0019__en-us_topic_0178473803_section19601134845014"><h4 class="sectiontitle">Encryption</h4><p id="css_04_0019__en-us_topic_0178473803_p9146753145017">Key data transferred between nodes or over HTTP is protected with SSL/TLS encryption to ensure data security.</p>
<p id="css_04_0019__en-us_topic_0178473803_p8737413205115">You can perform the preceding functions in Kibana, by editing <strong id="css_04_0019__en-us_topic_0178473803_b19146388589">.yml</strong> files (not recommended), or by calling RESTful APIs. For more information about the security mode, see <a href="https://opendistro.github.io/for-elasticsearch-docs/docs/security/" target="_blank" rel="noopener noreferrer">Security</a>.</p>
</div>
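<p>The following is an added example, not code from the CSS documentation or from the Open Distro project: it prepares the REST API calls behind the Kibana Security screens described above (action group, role, internal user, role mapping) and sends them over HTTPS with certificate verification and basic authentication. The cluster URL, admin password, user name and index pattern are placeholders; the paths under <strong>_opendistro/_security/api</strong> and the request bodies follow the Open Distro Security plugin REST API, and the <strong>least_privilege_issues</strong> check is a local convention that flags roles granting every index or every action.</p>

```python
"""Added example (not CSS or Open Distro code): prepare and send the Open
Distro Security REST API calls that the Kibana Security screens wrap.

Assumptions, labelled: the cluster URL, admin password, user name and the
index pattern are placeholders; the paths under _opendistro/_security/api
and the request bodies follow the Open Distro Security plugin REST API.
"""
import base64
import json
import ssl
import urllib.request

API = "_opendistro/_security/api"  # Open Distro Security REST API prefix


def action_group(name, allowed_actions):
    """Figure 4: an action group bundles raw permissions under one name."""
    return ("PUT", f"{API}/actiongroups/{name}",
            {"allowed_actions": list(allowed_actions)})


def role(name, cluster_permissions, index_patterns, allowed_actions):
    """Figure 3: a role scoped to index patterns, not to the whole cluster."""
    return ("PUT", f"{API}/roles/{name}", {
        "cluster_permissions": list(cluster_permissions),
        "index_permissions": [{
            "index_patterns": list(index_patterns),
            "allowed_actions": list(allowed_actions),
        }],
    })


def internal_user(name, password, backend_roles=()):
    """Figure 1: a user in the plugin's internal user database."""
    return ("PUT", f"{API}/internalusers/{name}",
            {"password": password, "backend_roles": list(backend_roles)})


def role_mapping(role_name, users=(), backend_roles=(), hosts=()):
    """Figure 2: map user names, backend roles or hosts to a role."""
    return ("PUT", f"{API}/rolesmapping/{role_name}",
            {"users": list(users), "backend_roles": list(backend_roles),
             "hosts": list(hosts)})


def least_privilege_issues(requests):
    """Flag role bodies that grant every index, every action or all cluster rights."""
    issues = []
    for _method, path, body in requests:
        if f"{API}/roles/" not in path:
            continue
        if "*" in body.get("cluster_permissions", []):
            issues.append(f"{path}: cluster_permissions '*' grants all cluster actions")
        for perm in body.get("index_permissions", []):
            if "*" in perm["index_patterns"]:
                issues.append(f"{path}: index pattern '*' grants every index")
            if "*" in perm["allowed_actions"]:
                issues.append(f"{path}: allowed_actions '*' grants every action")
    return issues


def plan_read_only_user(username, password, index_pattern):
    """Ordered requests: action group, role, user, then the mapping."""
    return [
        # Raw Elasticsearch action names for search and get (assumed set).
        action_group("logs_read_only",
                     ["indices:data/read/search", "indices:data/read/get"]),
        role("logs_reader", ["cluster:monitor/health"], [index_pattern],
             ["logs_read_only"]),
        internal_user(username, password),
        role_mapping("logs_reader", users=[username]),
    ]


def send(base_url, admin_user, admin_password, requests, cafile=None):
    """Send each call over HTTPS (certificate verified) with basic auth."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    results = []
    for method, path, body in requests:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/{path}",
            data=json.dumps(body).encode(),
            method=method,
            headers={"Content-Type": "application/json",
                     "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            results.append((path, resp.status, json.load(resp)))
    return results


if __name__ == "__main__":
    plan = plan_read_only_user("analyst", "Placeholder#Pass1", "logs-*")
    assert not least_privilege_issues(plan)
    # Placeholder endpoint and password; uncomment to apply against a real cluster:
    # send("https://CLUSTER_ENDPOINT:9200", "admin", "ADMIN_PASSWORD", plan)
    for method, path, body in plan:
        print(method, path, json.dumps(body))
```

<p>The order of the requests matters: the action group must exist before the role that references it, and the role before the mapping that grants it. Because <strong>send</strong> builds its SSL context with <strong>ssl.create_default_context</strong>, a cluster certificate that is not trusted fails the call instead of being silently accepted; pass the cluster's CA file as <strong>cafile</strong> when it is not in the system trust store.</p>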
<div class="section" id="css_04_0019__en-us_topic_0178473803_section166847002115"><h4 class="sectiontitle">Resetting Passwords</h4><p id="css_04_0019__en-us_topic_0178473803_p133252314210">If you want to change the login password of a cluster with the security mode enabled or you have forgotten the password, reset the cluster password.</p>
<ol id="css_04_0019__en-us_topic_0178473803_ol82011427134013"><li id="css_04_0019__en-us_topic_0178473803_li62021427154020">On the <strong id="css_04_0019__en-us_topic_0178473803_b7726194055311">Clusters</strong> page, locate the target cluster whose password you want to reset and click the cluster name. The <strong id="css_04_0019__en-us_topic_0178473803_b6742724105419">Basic Information</strong> page is displayed.</li><li id="css_04_0019__en-us_topic_0178473803_li2079816112418">On the <strong id="css_04_0019__en-us_topic_0178473803_b1292924155919">Basic Information</strong> page, click <strong id="css_04_0019__en-us_topic_0178473803_b1993584155917">Reset</strong> next to <strong id="css_04_0019__en-us_topic_0178473803_b159355435912">Reset Password</strong> to reset the password.<div class="note" id="css_04_0019__en-us_topic_0178473803_note1659782016559"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="css_04_0019__en-us_topic_0178473803_ul22881526105512"><li id="css_04_0019__en-us_topic_0178473803_li1928818265556">The password can contain 8 to 32 characters.</li><li id="css_04_0019__en-us_topic_0178473803_li13391595583">It must include letters, digits, and special characters. Spaces and backslashes (\) are not allowed.</li><li id="css_04_0019__en-us_topic_0178473803_li9796211478">It cannot be the username or the username spelled backwards.</li><li id="css_04_0019__en-us_topic_0178473803_li76951243348">It is good practice to change the password periodically.</li></ul>
</div></div>
</li></ol>
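<p>The following is an added example, not code from the CSS documentation: it checks a candidate password against the rules listed in the note above before you click <strong>Reset</strong>, so that a rejected value is caught locally. It assumes that "special characters" means any printable character that is neither a letter, a digit, a space nor a backslash, and it compares the password with the username case-insensitively, which is stricter than the note requires.</p>

```python
"""Added example (not CSS code): check a candidate cluster password against
the rules in the Resetting Passwords note.

Assumptions, labelled: "special characters" is taken to mean any printable
character that is neither a letter, a digit, a space nor a backslash; the
username comparison is done case-insensitively (stricter than the note).
"""


def password_issues(username, password):
    """Return the list of rules the password breaks (empty means it passes)."""
    issues = []
    if not 8 <= len(password) <= 32:
        issues.append("length must be 8 to 32 characters")
    if " " in password:
        issues.append("spaces are not allowed")
    if "\\" in password:
        issues.append("backslashes (\\) are not allowed")
    if not any(c.isalpha() for c in password):
        issues.append("must include at least one letter")
    if not any(c.isdigit() for c in password):
        issues.append("must include at least one digit")
    # Assumed definition of "special character": printable, not alphanumeric,
    # not a space and not a backslash.
    if not any(c.isprintable() and not c.isalnum() and c not in " \\"
               for c in password):
        issues.append("must include at least one special character")
    lowered = password.lower()
    if lowered == username.lower():
        issues.append("must not be the username")
    if lowered == username.lower()[::-1]:
        issues.append("must not be the username spelled backwards")
    return issues


def is_acceptable(username, password):
    """True when the password breaks none of the listed rules."""
    return not password_issues(username, password)


if __name__ == "__main__":
    # Constructed candidates for the default administrator name "admin".
    for candidate in ("admin", "nimda", "a1!", "Valid#Pass1", "has space1!"):
        print(repr(candidate), password_issues("admin", candidate) or "ok")
```

<p>Every broken rule is reported rather than only the first one, so a user who is fixing a rejected password sees all of the changes needed at once. A palindromic username triggers both username checks, which is intended.</p>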
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="css_01_0008.html">Creating and Accessing a Cluster</a></div>
</div>
</div>