Elasticsearch keystore

Elasticsearch keystore DEFAULT

elasticsearch-keystoreedit

The command manages secure settings in the Elasticsearch keystore.

Synopsisedit

bin/elasticsearch-keystore ( [add <settings>] [-f] [--stdin] | [add-file (<setting> <path>)+] | [create] [-p] | [has-passwd] | [list] | [passwd] | [remove <setting>] | [show [-o <output-file>] <setting>] | [upgrade] ) [-h, --help] ([-s, --silent] | [-v, --verbose])

Descriptionedit

This command should be run as the user that will run Elasticsearch.

Currently, all secure settings are node-specific settings that must have the same value on every node. Therefore you must run this command on every node.

When the keystore is password-protected, you must supply the password each time Elasticsearch starts.

Modifications to the keystore are not automatically applied to the running Elasticsearch node. Any changes to the keystore will take effect when you restart Elasticsearch. Some secure settings can be explicitly reloaded without restart.

Only some settings are designed to be read from the keystore. However, there is no validation to block unsupported settings from the keystore and they can cause Elasticsearch to fail to start. To see whether a setting is supported in the keystore, see the setting reference.

Parametersedit

Adds settings to the keystore. Multiple setting names can be specified as arguments to the command. By default, you are prompted for the values of the settings. If the keystore is password protected, you are also prompted to enter the password. If a setting already exists in the keystore, you must confirm that you want to overwrite the current value. If the keystore does not exist, you must confirm that you want to create a keystore. To avoid these two confirmation prompts, use the parameter.
Adds files to the keystore.
Creates the keystore.
When used with the parameter, the command no longer prompts you before overwriting existing entries in the keystore. Also, if you haven’t created a keystore yet, it creates a keystore that is obfuscated but not password protected.
Returns all of the command parameters.
Returns a success message if the keystore exists and is password-protected. Otherwise, the command fails with exit code 1 and returns an error message.
Lists the settings in the keystore. If the keystore is password protected, you are prompted to enter the password.
When used with the parameter, the command prompts you to enter a keystore password. If you don’t specify the flag or if you enter an empty password, the keystore is obfuscated but not password protected.
Changes or sets the keystore password. If the keystore is password protected, you are prompted to enter the current password and the new one. You can optionally use an empty string to remove the password. If the keystore is not password protected, you can use this command to set a password.
Removes settings from the keystore. Multiple setting names can be specified as arguments to the command.
Displays the value of a single setting in the keystore. Pass the (or ) parameter to write the setting to a file. If writing to the standard output (the terminal) the setting’s value is always interpretted as a UTF-8 string. If the setting contains binary data (for example for data that was added via the command), always use the option to write to a file.
Shows minimal output.
When used with the parameter, you can pass the settings values through standard input (stdin). Separate multiple values with carriage returns or newlines. See Add settings to the keystore.
Upgrades the internal format of the keystore.
Shows verbose output.

Examplesedit

Create the keystoreedit

To create the , use the command:

bin/elasticsearch-keystore create -p

You are prompted to enter the keystore password. A password-protected file is created alongside the file.

Change the password of the keystoreedit

To change the password of the , use the command:

bin/elasticsearch-keystore passwd

If the Elasticsearch keystore is password protected, you are prompted to enter the current password and then enter the new one. If it is not password protected, you are prompted to set a password.

List settings in the keystoreedit

To list the settings in the keystore, use the command.

bin/elasticsearch-keystore list

If the Elasticsearch keystore is password protected, you are prompted to enter the password.

Add settings to the keystoreedit

Sensitive string settings, like authentication credentials for Cloud plugins, can be added with the command:

bin/elasticsearch-keystore add the.setting.name.to.set

You are prompted to enter the value of the setting. If the Elasticsearch keystore is password protected, you are also prompted to enter the password.

You can also add multiple settings with the command:

bin/elasticsearch-keystore add \ the.setting.name.to.set \ the.other.setting.name.to.set

You are prompted to enter the values of the settings. If the Elasticsearch keystore is password protected, you are also prompted to enter the password.

To pass the settings values through standard input (stdin), use the flag:

cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set

Values for multiple settings must be separated by carriage returns or newlines.

Add files to the keystoreedit

You can add sensitive files, like authentication key files for Cloud plugins, using the command. Settings and file paths are specified in pairs consisting of .

bin/elasticsearch-keystore add-file the.setting.name.to.set /path/example-file.json

You can add multiple files with the command:

bin/elasticsearch-keystore add-file \ the.setting.name.to.set /path/example-file.json \ the.other.setting.name.to.set /path/other-example-file.json

If the Elasticsearch keystore is password protected, you are prompted to enter the password.

Show settings in the keystoreedit

To display the value of a setting in the keystorem use the command:

bin/elasticsearch-keystore show the.name.of.the.setting.to.show

If the setting contains binary data you should write it to a file with the (or ) option:

bin/elasticsearch-keystore show -o my_file binary.setting.name

If the Elasticsearch keystore is password protected, you are prompted to enter the password.

Remove settings from the keystoreedit

To remove a setting from the keystore, use the command:

bin/elasticsearch-keystore remove the.setting.name.to.remove

You can also remove multiple settings with the command:

bin/elasticsearch-keystore remove \ the.setting.name.to.remove \ the.other.setting.name.to.remove

If the Elasticsearch keystore is password protected, you are prompted to enter the password.

Upgrade the keystoreedit

Occasionally, the internal format of the keystore changes. When Elasticsearch is installed from a package manager, an upgrade of the on-disk keystore to the new format is done during package upgrade. In other cases, Elasticsearch performs the upgrade during node startup. This requires that Elasticsearch has write permissions to the directory that contains the keystore. Alternatively, you can manually perform such an upgrade by using the command:

bin/elasticsearch-keystore upgrade
Sours: https://www.elastic.co/guide/en/elasticsearch/reference/master/elasticsearch-keystore.html

elasticsearch-keystoreedit

The command manages secure settings in the Elasticsearch keystore.

Synopsisedit

bin/elasticsearch-keystore ([add <settings>] [-f] [--stdin] | [add-file (<setting> <path>)+] | [create] [-p] | [has-passwd] | [list] | [passwd] | [remove <setting>] | [upgrade]) [-h, --help] ([-s, --silent] | [-v, --verbose])

Descriptionedit

This command should be run as the user that will run Elasticsearch.

Currently, all secure settings are node-specific settings that must have the same value on every node. Therefore you must run this command on every node.

When the keystore is password-protected, you must supply the password each time Elasticsearch starts.

Modifications to the keystore do not take effect until you restart Elasticsearch.

Only some settings are designed to be read from the keystore. However, there is no validation to block unsupported settings from the keystore and they can cause Elasticsearch to fail to start. To see whether a setting is supported in the keystore, see the setting reference.

Parametersedit

Adds settings to the keystore. Multiple setting names can be specified as arguments to the command. By default, you are prompted for the values of the settings. If the keystore is password protected, you are also prompted to enter the password. If a setting already exists in the keystore, you must confirm that you want to overwrite the current value. If the keystore does not exist, you must confirm that you want to create a keystore. To avoid these two confirmation prompts, use the parameter.
Adds files to the keystore.
Creates the keystore.
When used with the parameter, the command no longer prompts you before overwriting existing entries in the keystore. Also, if you haven’t created a keystore yet, it creates a keystore that is obfuscated but not password protected.
Returns all of the command parameters.
Returns a success message if the keystore exists and is password-protected. Otherwise, the command fails with exit code 1 and returns an error message.
Lists the settings in the keystore. If the keystore is password protected, you are prompted to enter the password.
When used with the parameter, the command prompts you to enter a keystore password. If you don’t specify the flag or if you enter an empty password, the keystore is obfuscated but not password protected.
Changes or sets the keystore password. If the keystore is password protected, you are prompted to enter the current password and the new one. You can optionally use an empty string to remove the password. If the keystore is not password protected, you can use this command to set a password.
Removes settings from the keystore. Multiple setting names can be specified as arguments to the command.
Shows minimal output.
When used with the parameter, you can pass the settings values through standard input (stdin). Separate multiple values with carriage returns or newlines. See Add settings to the keystore.
Upgrades the internal format of the keystore.
Shows verbose output.

Examplesedit

Create the keystoreedit

To create the , use the command:

bin/elasticsearch-keystore create -p

You are prompted to enter the keystore password. A password-protected file is created alongside the file.

Change the password of the keystoreedit

To change the password of the , use the command:

bin/elasticsearch-keystore passwd

If the Elasticsearch keystore is password protected, you are prompted to enter the current password and then enter the new one. If it is not password protected, you are prompted to set a password.

List settings in the keystoreedit

To list the settings in the keystore, use the command.

bin/elasticsearch-keystore list

If the Elasticsearch keystore is password protected, you are prompted to enter the password.

Add settings to the keystoreedit

Sensitive string settings, like authentication credentials for Cloud plugins, can be added with the command:

bin/elasticsearch-keystore add the.setting.name.to.set

You are prompted to enter the value of the setting. If the Elasticsearch keystore is password protected, you are also prompted to enter the password.

You can also add multiple settings with the command:

bin/elasticsearch-keystore add \ the.setting.name.to.set \ the.other.setting.name.to.set

You are prompted to enter the values of the settings. If the Elasticsearch keystore is password protected, you are also prompted to enter the password.

To pass the settings values through standard input (stdin), use the flag:

cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set

Values for multiple settings must be separated by carriage returns or newlines.

Add files to the keystoreedit

You can add sensitive files, like authentication key files for Cloud plugins, using the command. Settings and file paths are specified in pairs consisting of .

bin/elasticsearch-keystore add-file the.setting.name.to.set /path/example-file.json

You can add multiple files with the command:

bin/elasticsearch-keystore add-file \ the.setting.name.to.set /path/example-file.json \ the.other.setting.name.to.set /path/other-example-file.json

If the Elasticsearch keystore is password protected, you are prompted to enter the password.

Remove settings from the keystoreedit

To remove a setting from the keystore, use the command:

bin/elasticsearch-keystore remove the.setting.name.to.remove

You can also remove multiple settings with the command:

bin/elasticsearch-keystore remove \ the.setting.name.to.remove \ the.other.setting.name.to.remove

If the Elasticsearch keystore is password protected, you are prompted to enter the password.

Upgrade the keystoreedit

Occasionally, the internal format of the keystore changes. When Elasticsearch is installed from a package manager, an upgrade of the on-disk keystore to the new format is done during package upgrade. In other cases, Elasticsearch performs the upgrade during node startup. This requires that Elasticsearch has write permissions to the directory that contains the keystore. Alternatively, you can manually perform such an upgrade by using the command:

bin/elasticsearch-keystore upgrade
Sours: https://www.elastic.co/guide/en/elasticsearch/reference/current/elasticsearch-keystore.html
  1. Antonyms for harbinger
  2. Mouse driver synaptics
  3. Bolt action game
  4. Super tactical droid

Some settings are sensitive, and relying on filesystem permissions to protect their values is not sufficient. For this use case, Elasticsearch provides a keystore and the tool to manage the settings in the keystore.

Only some settings are designed to be read from the keystore. However, the keystore has no validation to block unsupported settings. Adding unsupported settings to the keystore causes Elasticsearch to fail to start. To see whether a setting is supported in the keystore, look for a "Secure" qualifier the setting reference.

All the modifications to the keystore take effect only after restarting Elasticsearch.

These settings, just like the regular ones in the config file, need to be specified on each node in the cluster. Currently, all secure settings are node-specific settings that must have the same value on every node.

Reloadable secure settingsedit

Just like the settings values in , changes to the keystore contents are not automatically applied to the running Elasticsearch node. Re-reading settings requires a node restart. However, certain secure settings are marked as reloadable. Such settings can be re-read and applied on a running node.

The values of all secure settings, reloadable or not, must be identical across all cluster nodes. After making the desired secure settings changes, using the command, call:

POST _nodes/reload_secure_settings { "secure_settings_password": "keystore-password" }

The password that the Elasticsearch keystore is encrypted with.

This API decrypts and re-reads the entire keystore, on every cluster node, but only the reloadable secure settings are applied. Changes to other settings do not go into effect until the next restart. Once the call returns, the reload has been completed, meaning that all internal data structures dependent on these settings have been changed. Everything should look as if the settings had the new value from the start.

When changing multiple reloadable secure settings, modify all of them on each cluster node, then issue a call instead of reloading after each modification.

There are reloadable secure settings for:

Sours: https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html

Some settings are sensitive, and relying on filesystem permissions to protect their values is not sufficient. For this use case, Elasticsearch provides a keystore and the tool to manage the settings in the keystore.

All commands here should be run as the user which will run Elasticsearch.

Only some settings are designed to be read from the keystore. However, the keystore has no validation to block unsupported settings. Adding unsupported settings to the keystore will cause Elasticsearch to fail to start. See documentation for each setting to see if it is supported as part of the keystore.

All the modifications to the keystore take affect only after restarting Elasticsearch.

The elasticsearch keystore currently only provides obfuscation. In the future, password protection will be added.

These settings, just like the regular ones in the config file, need to be specified on each node in the cluster. Currently, all secure settings are node-specific settings that must have the same value on every node.

Creating the keystoreedit

To create the , use the command:

bin/elasticsearch-keystore create

The file will be created alongside .

Listing settings in the keystoreedit

A list of the settings in the keystore is available with the command:

bin/elasticsearch-keystore list

Adding string settingsedit

Sensitive string settings, like authentication credentials for cloud plugins, can be added using the command:

bin/elasticsearch-keystore add the.setting.name.to.set

The tool will prompt for the value of the setting. To pass the value through stdin, use the flag:

cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set

Adding file settingsedit

You can add sensitive files, like authentication key files for cloud plugins, using the command. Be sure to include your file path as an argument after the setting name.

bin/elasticsearch-keystore add-file the.setting.name.to.set /path/example-file.json

Removing settingsedit

To remove a setting from the keystore, use the command:

bin/elasticsearch-keystore remove the.setting.name.to.remove

Upgrading the keystoreedit

Occasionally, the internal format of the keystore changes. When Elasticsearch is installed from a package manager, an upgrade of the on-disk keystore to the new format is done during package upgrade. In other cases, Elasticsearch will perform such an upgrade during node startup. This requires that Elasticsearch have write permissions to the directory that contains the keystore. Alternatively, you can manually perform such an upgrade by using the command:

bin/elasticsearch-keystore upgrade

Reloadable secure settingsedit

Just like the settings values in , changes to the keystore contents are not automatically applied to the running elasticsearch node. Re-reading settings requires a node restart. However, certain secure settings are marked as reloadable. Such settings can be re-read and applied on a running node.

The values of all secure settings, reloadable or not, must be identical across all cluster nodes. After making the desired secure settings changes, using the command, call:

POST _nodes/reload_secure_settings

This API will decrypt and re-read the entire keystore, on every cluster node, but only the reloadable secure settings will be applied. Changes to other settings will not go into effect until the next restart. Once the call returns, the reload has been completed, meaning that all internal datastructures dependent on these settings have been changed. Everything should look as if the settings had the new value from the start.

When changing multiple reloadable secure settings, modify all of them, on each cluster node, and then issue a call, instead of reloading after each modification.

Sours: https://www.elastic.co/guide/en/elasticsearch/reference/6.8/secure-settings.html

Keystore elasticsearch

Security settings in Elasticsearchedit

By default, the Elasticsearch security features are disabled when you have a basic or trial license. To enable security features, use the setting.

You configure settings to enable anonymous access and perform message authentication, set up document and field level security, configure realms, encrypt communications with SSL,and audit security events.

All of these settings can be added to the configuration file, with the exception of the secure settings, which you add to the Elasticsearch keystore. For more information about creating and updating the Elasticsearch keystore, see Secure settings.

General security settingsedit

(Static) Set to to enable Elasticsearch security features on the node.

If set to , which is the default value for basic and trial licenses, security features are disabled. It also affects all Kibana instances that connect to this Elasticsearch instance; you do not need to disable security features in those files. For more information about disabling security features in specific Kibana instances, see Kibana security settings.

If you have gold or higher licenses, the default value is ; we recommend that you explicitly add this setting to avoid confusion.

(Static) A comma-separated list of settings that are omitted from the results of the cluster nodes info API. You can use wildcards to include multiple settings in the list. For example, the following value hides all the settings for the ad1 active_directory realm: . The API already omits all settings, , and due to the sensitive nature of the information.
(Static) Enables fips mode of operation. Set this to if you run this Elasticsearch instance in a FIPS 140-2 enabled JVM. For more information, see FIPS 140-2. Defaults to .

Password hashing settingsedit

Anonymous access settingsedit

You can configure the following anonymous access settings in . For more information, see Enabling anonymous access.

(Static) The username (principal) of the anonymous user. Defaults to .
(Static) The roles to associate with the anonymous user. Required.
(Static) When , an HTTP 403 response is returned if the anonymous user does not have the appropriate permissions for the requested action. The user is not prompted to provide credentials to access the requested resource. When set to , an HTTP 401 response is returned and the user can provide credentials with the appropriate permissions to gain access. Defaults to .

Automata Settingsedit

In places where the security features accept wildcard patterns (e.g. index patterns in roles, group matches in the role mapping API), each pattern is compiled into an Automaton. The follow settings are available to control this behaviour.

(Static) The upper limit on how many automaton states may be created by a single pattern. This protects against too-difficult (e.g. exponentially hard) patterns. Defaults to .
(Static) Whether to cache the compiled automata. Compiling automata can be CPU intensive and may slowdown some operations. The cache reduces the frequency with which automata need to be compiled. Defaults to .
(Static) The maximum number of items to retain in the automata cache. Defaults to .
(Static) The length of time to retain in an item in the automata cache (based on most recent usage). Defaults to (48 hours).

Document and field level security settingsedit

You can set the following document and field level security settings in . For more information, see Setting up field and document level security.

(Static) Set to to prevent document and field level security from being configured. Defaults to .
(Static) The time-to-live for cached entries for document level security. Document level security queries may depend on Lucene BitSet objects, and these are automatically cached to improve performance. Defaults to expire entries that are unused for (7 days).
(Static) The maximum memory usage of cached entries for document level security. Document level security queries may depend on Lucene BitSet objects, and these are automatically cached to improve performance. Defaults to , after which least-recently-used entries will be evicted.

Token service settingsedit

You can set the following token service settings in .

(Static) Set to to disable the built-in token service. Defaults to unless is . This prevents sniffing the token from a connection over plain http.
(Static) The length of time that a token is valid for. By default this value is or 20 minutes. The maximum value is 1 hour.

API key service settingsedit

You can set the following API key service settings in .

(Static) Set to to disable the built-in API key service. Defaults to unless is . This prevents sniffing the API key from a connection over plain http.
(Static) Specifies the hashing algorithm that is used for securing API key credentials. See Table 2, “Password hashing algorithms”. Defaults to .
(Static) The time-to-live for cached API key entries. A API key id and a hash of its API key are cached for this period of time. Specify the time period using the standard Elasticsearch time units. Defaults to .
(Static) The maximum number of API key entries that can live in the cache at any given time. Defaults to 10,000.
(Static, Expert) The hashing algorithm that is used for the in-memory cached API key credentials. For possible values, see Table 1, “Cache hash algorithms”. Defaults to .

Realm settingsedit

You configure realm settings in the namespace in .

For example:

xpack.security.authc.realms: native.realm1: order: 0 ... ldap.realm2: order: 1 ... active_directory.realm3: order: 2 ... ...

Specifies the type of realm (for example, , , , , , , ) and the realm name. This information is required.

The valid settings vary depending on the realm type. For more information, see User authentication.

Settings valid for all realmsedit
(Static) The priority of the realm within the realm chain. Realms with a lower order are consulted first. Although not required, use of this setting is strongly recommended when you configure multiple realms. Defaults to .
(Static) Indicates whether a realm is enabled. You can use this setting to disable a realm without removing its configuration information. Defaults to .
Native realm settingsedit

In addition to the settings that are valid for all realms, you can specify the following optional settings:

(Static) The time-to-live for cached user entries. A user and a hash of its credentials are cached for this period of time. Specify the time period using the standard Elasticsearch time units. Defaults to .
(Static) The maximum number of user entries that can live in the cache at any given time. Defaults to 100,000.
(Static, Expert) The hashing algorithm that is used for the in-memory cached user credentials. For possible values, see Table 1, “Cache hash algorithms”. Defaults to .
(Static) If set to , disables authentication support in this realm, so that it only supports user lookups. (See the run as and authorization realms features). Defaults to .
File realm settingsedit

In addition to the settings that are valid for all realms, you can specify the following settings:

(Static) The time-to-live for cached user entries. A user and a hash of its credentials are cached for this configured period of time. Defaults to . Specify values using the standard Elasticsearch time units. Defaults to .
(Static) The maximum number of user entries that can live in the cache at a given time. Defaults to 100,000.
(Static, Expert) The hashing algorithm that is used for the in-memory cached user credentials. See Table 1, “Cache hash algorithms”. Defaults to .
(Static) If set to , disables authentication support in this realm, so that it only supports user lookups. (See the run as and authorization realms features). Defaults to .
LDAP realm settingsedit

In addition to the Settings valid for all realms, you can specify the following settings:

(Static) One or more LDAP URLs in the format. Required.

To provide multiple URLs, use a YAML array () or comma-separated string ().

While both are supported, you can’t mix the and protocols.

(Static) The behavior to use when there are multiple LDAP URLs defined. For supported values see load balancing and failover types. Defaults to .
(Static) When using or as the load balancing type, this setting controls the amount of time to cache DNS lookups. Defaults to .
(Static) The DN of the user that is used to bind to the LDAP and perform searches. Only applicable in user search mode. If not specified, an anonymous bind is attempted. Defaults to Empty. Due to its potential security impact, is not exposed via the nodes info API.
(Static) [6.3] Deprecated in 6.3. Use instead. The password for the user that is used to bind to the LDAP directory. Defaults to Empty. Due to its potential security impact, is not exposed via the nodes info API.
(Secure) The password for the user that is used to bind to the LDAP directory. Defaults to Empty.
(Static) The DN template that replaces the user name with the string . This setting is multivalued; you can specify multiple user contexts. Required to operate in user template mode. If is specified, this setting is not valid. For more information on the different modes, see LDAP user authentication.

(Static) The names of the realms that should be consulted for delegated authorization. If this setting is used, then the LDAP realm does not perform role mapping and instead loads the user from the listed realms. The referenced realms are consulted in the order that they are defined in this list. See Delegating authorization to another realm.

If any settings starting with are specified, the settings are ignored.

(Static) Specifies the attribute to examine on the user for group membership. If any settings are specified, this setting is ignored. Defaults to .
(Static) Specifies a container DN to search for users. Required to operated in user search mode. If is specified, this setting is not valid. For more information on the different modes, see LDAP user authentication.
(Static) The scope of the user search. Valid values are , or . only searches objects directly contained within the . searches all objects contained under . specifies that the is the user object, and that it is the only user considered. Defaults to .
(Static) Specifies the filter used to search the directory in attempts to match an entry with the username provided by the user. Defaults to . is substituted with the username provided when searching.
(Static) [5.6] Deprecated in 5.6. Use instead. The attribute to match with the username sent with the request. Defaults to .
(Static) Enables or disables connection pooling for user search. If set to , a new connection is created for every search. The default is when is set.
(Static) The maximum number of connections to the LDAP server to allow in the connection pool. Defaults to .
(Static) The initial number of connections to create to the LDAP server on startup. Defaults to . If the LDAP server is down, values greater than could cause startup failures.
(Static) Enables or disables a health check on LDAP connections in the connection pool. Connections are checked in the background at the specified interval. Defaults to .
(Static) The distinguished name that is retrieved as part of the health check. Defaults to the value of if present; if not, falls back to .
(Static) The interval to perform background checks of connections in the pool. Defaults to .
(Static) The container DN to search for groups in which the user has membership. When this element is absent, Elasticsearch searches for the attribute specified by set on the user in order to determine group membership.
(Static) Specifies whether the group search should be , or . only searches objects directly contained within the . searches all objects contained under . specifies that the is a group object, and that it is the only group considered. Defaults to .
(Static) Specifies a filter to use to look up a group. When not set, the realm searches for , , , or with the attributes , , or . Any instance of in the filter is replaced by the user attribute defined in .
(Static) Specifies the user attribute that is fetched and provided as a parameter to the filter. If not set, the user DN is passed into the filter. Defaults to Empty.
(Static) If set to , the names of any unmapped LDAP groups are used as role names and assigned to the user. A group is considered to be unmapped if it is not referenced in a role-mapping file. API-based role mappings are not considered. Defaults to .
(Static) The location for the YAML role mapping configuration file. Defaults to .
(Static) Specifies whether Elasticsearch should follow referrals returned by the LDAP server. Referrals are URLs returned by the server that are to be used to continue the LDAP operation (for example, search). Defaults to .
(Static) A list of additional LDAP attributes that should be loaded from the LDAP server and stored in the authenticated user’s metadata field.
(Static) The TCP connect timeout period for establishing an LDAP connection. An at the end indicates seconds, or indicates milliseconds. Defaults to (5 seconds ).
(Static) [7.7] Deprecated in 7.7. The TCP read timeout period after establishing an LDAP connection. This is equivalent to and is deprecated in favor of and they cannot be used simultaneously. An at the end indicates seconds, or indicates milliseconds.
(Static) The time interval to wait for the response from the LDAP server. An at the end indicates seconds, or indicates milliseconds. Defaults to the value of .
(Static) The timeout period for an LDAP search. The value is specified in the request and is enforced by the receiving LDAP Server. An at the end indicates seconds, or indicates milliseconds. Defaults to (5 seconds ).

(Static) Path to a PEM encoded file containing the private key.

If HTTP client authentication is required, it uses this file. You cannot use this setting and at the same time.

If the LDAP server requires client authentication, it uses this file. You cannot use this setting and at the same time.

(Static) The passphrase that is used to decrypt the private key. Since the key might not be encrypted, this value is optional.

You cannot use this setting and at the same time.

(Secure) The passphrase that is used to decrypt the private key. Since the key might not be encrypted, this value is optional.

(Static) Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the key.

This setting can be used only if is set.

This certificate is presented to clients when they connect.

(Static) List of paths to PEM encoded certificate files that should be trusted.

This setting and cannot be used at the same time.

You cannot use this setting and at the same time.

(Static) The path for the keystore file that contains a private key and certificate.

It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and at the same time.

You cannot use this setting and at the same time.

(Static) The format of the keystore file. It must be either or . If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to . Otherwise, it defaults to .
(Static) The password for the keystore.
(Secure) The password for the keystore.

(Static) The password for the key in the keystore. The default is the keystore password.

You cannot use this setting and at the same time.

(Static) The password for the key in the keystore. The default is the keystore password.

(Static) The path for the keystore that contains the certificates to trust. It must be either a Java keystore (jks) or a PKCS#12 file.

You cannot use this setting and at the same time.

You cannot use this setting and at the same time.

(Static) The password for the truststore.

You cannot use this setting and at the same time.

(Secure) Password for the truststore.
(Static) The format of the truststore file. For the Java keystore format, use . For PKCS#12 files, use . For a PKCS#11 token, use . The default is .

(Static) Indicates the type of verification when using to protect against man in the middle attacks and certificate forgery. Controls the verification of certificates.

Valid values are:

  • , which verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
  • , which verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
  • , which performs no verification of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after very careful consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use on production clusters is strongly discouraged.

    The default value is .

(Static) Supported protocols with versions. Valid protocols: , , , , , . If the JVM’s SSL provider supports TLSv1.3, the default is . Otherwise, the default is .

Elasticsearch relies on your JDK’s implementation of SSL and TLS. View Supported SSL/TLS versions by JDK version for more information.

If is , you cannot use or . See FIPS 140-2.

(Static) Specifies the cipher suites that should be supported when communicating with the LDAP server. Supported cipher suites vary depending on which version of Java you use. For example, for version 12 the default value is , , , , , , , , , , , , , , , , , , , , , , .

For more information, see Oracle’s Java Cryptography Architecture documentation.

(Static) Specifies the time-to-live for cached user entries. A user and a hash of its credentials are cached for this period of time. Use the standard Elasticsearch time units. Defaults to .
(Static) Specifies the maximum number of user entries that the cache can contain. Defaults to .
(Static, Expert) Specifies the hashing algorithm that is used for the in-memory cached user credentials. See Table 1, “Cache hash algorithms”. Defaults to .
(Static) If set to , disables authentication support in this realm, so that it only supports user lookups. (See the run as and authorization realms features). Defaults to .
Active Directory realm settingsedit

In addition to the settings that are valid for all realms, you can specify the following settings:

(Static) One or more LDAP URLs in the format. Defaults to . This setting is required when connecting using SSL/TLS or when using a custom port.

To provide multiple URLs, use a YAML array () or comma-separated string ().

While both are supported, you can’t mix the and protocols.

If no URL is provided, Elasticsearch uses a default of . This default uses the setting value and assumes an unencrypted connection to port 389.

(Static) The behavior to use when there are multiple LDAP URLs defined. For supported values see load balancing and failover types. Defaults to .
(Static) When using or as the load balancing type, this setting controls the amount of time to cache DNS lookups. Defaults to .
(Static) The domain name of Active Directory. If the and the settings are not specified, the cluster can derive those values from this setting. Required.
(Static) The DN of the user that is used to bind to Active Directory and perform searches. Defaults to Empty. Due to its potential security impact, is not exposed via the nodes info API.
(Static) [6.3] Deprecated in 6.3. Use instead. The password for the user that is used to bind to Active Directory. Defaults to Empty. Due to its potential security impact, is not exposed via the nodes info API.
(Secure) The password for the user that is used to bind to Active Directory. Defaults to Empty.
(Static) If set to , the names of any unmapped Active Directory groups are used as role names and assigned to the user. A group is considered unmapped when it is not referenced in any role-mapping files. API-based role mappings are not considered. Defaults to .
(Static) The location for the YAML role mapping configuration file. Defaults to .
(Static) The context to search for a user. Defaults to the root of the Active Directory domain.
(Static) Specifies whether the user search should be , or . only searches users directly contained within the . searches all objects contained under . specifies that the is a user object, and that it is the only user considered. Defaults to .
(Static) Specifies a filter to use to lookup a user given a username. The default filter looks up objects with either or . If specified, this must be a valid LDAP user search filter. For example . For more information, see Search Filter Syntax.
(Static) Specifies a filter to use to lookup a user given a user principal name. The default filter looks up objects with a matching . If specified, this must be a valid LDAP user search filter. For example, . is the full user principal name provided by the user. For more information, see Search Filter Syntax.
(Static) Specifies a filter to use to lookup a user given a down level logon name (DOMAIN\user). The default filter looks up objects with a matching in the domain provided. If specified, this must be a valid LDAP user search filter. For example, . For more information, see Search Filter Syntax.
(Static) Enables or disables connection pooling for user search. When disabled a new connection is created for every search. The default is when is provided.
(Static) The maximum number of connections to the Active Directory server to allow in the connection pool. Defaults to .
(Static) The initial number of connections to create to the Active Directory server on startup. Defaults to . If the LDAP server is down, values greater than 0 could cause startup failures.
(Static) Enables or disables a health check on Active Directory connections in the connection pool. Connections are checked in the background at the specified interval. Defaults to .
(Static) The distinguished name to be retrieved as part of the health check. Defaults to the value of if that setting is present. Otherwise, it defaults to the value of the setting.
(Static) The interval to perform background checks of connections in the pool. Defaults to .
(Static) The context to search for groups in which the user has membership. Defaults to the root of the Active Directory domain.
(Static) Specifies whether the group search should be , or . searches for groups directly contained within the . searches all objects contained under . specifies that the is a group object, and that it is the only group considered. Defaults to .
(Static) A list of additional LDAP attributes that should be loaded from the LDAP server and stored in the authenticated user’s metadata field.
(Static) The TCP connect timeout period for establishing an LDAP connection. An at the end indicates seconds, or indicates milliseconds. Defaults to (5 seconds ).
(Static) [7.7] Deprecated in 7.7. The TCP read timeout period after establishing an LDAP connection. This is equivalent to and is deprecated in favor of and they cannot be used simultaneously. An at the end indicates seconds, or indicates milliseconds. Defaults to the value of .
(Static) The time interval to wait for the response from the AD server. An at the end indicates seconds, or indicates milliseconds. Defaults to the value of .
(Static) The timeout period for an LDAP search. The value is specified in the request and is enforced by the receiving LDAP Server. An at the end indicates seconds, or indicates milliseconds. Defaults to (5 seconds ).

(Static) Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the key.

This setting can be used only if is set.

This certificate is presented to clients when they connect.

(Static) List of paths to PEM encoded certificate files that should be trusted.

This setting and cannot be used at the same time.

You cannot use this setting and at the same time.

(Static) Path to a PEM encoded file containing the private key.

If HTTP client authentication is required, it uses this file. You cannot use this setting and at the same time.

If the Active Directory server requires client authentication, it uses this file. You cannot use this setting and at the same time.

(Static) The passphrase that is used to decrypt the private key. Since the key might not be encrypted, this value is optional.

You cannot use this setting and at the same time.

(Secure) The passphrase that is used to decrypt the private key. Since the key might not be encrypted, this value is optional.

(Static) The password for the key in the keystore. The default is the keystore password.

You cannot use this setting and at the same time.

(Secure) The password for the key in the keystore. The default is the keystore password.
(Static) The password for the keystore.
(Secure) The password for the keystore.

(Static) The path for the keystore file that contains a private key and certificate.

It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and at the same time.

You cannot use this setting and at the same time.

(Static) The format of the keystore file. It must be either or . If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to . Otherwise, it defaults to .

(Static) The password for the truststore.

You cannot use this setting and at the same time.

(Secure) Password for the truststore.

(Static) The path for the keystore that contains the certificates to trust. It must be either a Java keystore (jks) or a PKCS#12 file.

You cannot use this setting and at the same time.

You cannot use this setting and at the same time.

(Static) The format of the truststore file. For the Java keystore format, use . For PKCS#12 files, use . For a PKCS#11 token, use . The default is .

(Static) Indicates the type of verification when using to protect against man in the middle attacks and certificate forgery. Controls the verification of certificates.

Valid values are:

  • , which verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
  • , which verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
  • , which performs no verification of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after very careful consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use on production clusters is strongly discouraged.

    The default value is .

(Static) Supported protocols with versions. Valid protocols: , , , , , . If the JVM’s SSL provider supports TLSv1.3, the default is . Otherwise, the default is .

Elasticsearch relies on your JDK’s implementation of SSL and TLS. View Supported SSL/TLS versions by JDK version for more information.

If is , you cannot use or . See FIPS 140-2.

(Static) Specifies the cipher suites that should be supported when communicating with the Active Directory server. Supported cipher suites vary depending on which version of Java you use. For example, for version 12 the default value is , , , , , , , , , , , , , , , , , , , , , , .

For more information, see Oracle’s Java Cryptography Architecture documentation.

(Static) Specifies the time-to-live for cached user entries. A user and a hash of its credentials are cached for this configured period of time. Use the standard Elasticsearch time units). Defaults to .
(Static) Specifies the maximum number of user entries that the cache can contain. Defaults to .
(Static, Expert) Specifies the hashing algorithm that is used for the in-memory cached user credentials. See Table 1, “Cache hash algorithms”. Defaults to .
(Static) If set to , disables authentication support in this realm, so that it only supports user lookups. (See the run as and authorization realms features). Defaults to .
(Static) If set to , Elasticsearch follows referrals returned by the LDAP server. Referrals are URLs returned by the server that are to be used to continue the LDAP operation (such as ). Defaults to .
PKI realm settingsedit

In addition to the settings that are valid for all realms, you can specify the following settings:

(Static) The regular expression pattern used to extract the username from the certificate DN. The first match group is the used as the username. Defaults to .
(Static) List of paths to the PEM certificate files that should be used to authenticate a user’s certificate as trusted. Defaults to the trusted certificates configured for SSL. This setting cannot be used with .
(Static) Algorithm for the truststore. Defaults to .

(Static) The password for the truststore.

You cannot use this setting and at the same time.

If is set, this setting is required.

(Secure) Password for the truststore.
(Static) The path of a truststore to use. Defaults to the trusted certificates configured for SSL. This setting cannot be used with .
(Static) Specifies the location of the YAML role mapping configuration file. Defaults to .
(Static) The names of the realms that should be consulted for delegated authorization. If this setting is used, then the PKI realm does not perform role mapping and instead loads the user from the listed realms. See Delegating authorization to another realm.
(Static) Specifies the time-to-live for cached user entries. A user and a hash of its credentials are cached for this period of time. Use the standard Elasticsearch time units). Defaults to .
(Static) Specifies the maximum number of user entries that the cache can contain. Defaults to .
(Static) Generally, in order for the clients to be authenticated by the PKI realm they must connect directly to Elasticsearch. That is, they must not pass through proxies which terminate the TLS connection. In order to allow for a trusted and smart proxy, such as Kibana, to sit before Elasticsearch and terminate TLS connections, but still allow clients to be authenticated on Elasticsearch by this realm, you need to toggle this to . Defaults to . If delegation is enabled, then either or setting must be defined. For more details, see Configuring authentication delegation for PKI realms.
SAML realm settingsedit

In addition to the settings that are valid for all realms, you can specify the following settings.

logo cloud
(Static) The Entity ID of the SAML Identity Provider. An Entity ID is a URI with a maximum length of 1024 characters. It can be a URL (https://idp.example.com/) or a URN () and can be found in the configuration or the SAML metadata of the Identity Provider.
logo cloud
(Static) The path (recommended) or URL to a SAML 2.0 metadata file describing the capabilities and configuration of the Identity Provider. If a path is provided, then it is resolved relative to the Elasticsearch config directory. If a URL is provided, then it must be either a URL or a URL. Elasticsearch automatically polls this metadata resource and reloads the IdP configuration when changes are detected. File based resources are polled at a frequency determined by the global Elasticsearch setting, which defaults to 5 seconds. HTTPS resources are polled at a frequency determined by the realm’s setting.
logo cloud
(Static) Controls the frequency with which metadata is checked for changes. Defaults to (1 hour).
logo cloud
(Static) Indicates whether to utilise the Identity Provider’s Single Logout service (if one exists in the IdP metadata file). Defaults to .
logo cloud
(Static) The Entity ID to use for this SAML Service Provider. This should be entered as a URI. We recommend that you use the base URL of your Kibana instance. For example, .
logo cloud
(Static) The URL of the Assertion Consumer Service within Kibana. Typically this is the "api/security/saml/callback" endpoint of your Kibana server. For example, .
logo cloud
(Static) The URL of the Single Logout service within Kibana. Typically this is the "logout" endpoint of your Kibana server. For example, .
logo cloud
(Static) The Name of the SAML attribute that contains the user’s principal (username).
logo cloud
(Static) The Name of the SAML attribute that contains the user’s groups.
logo cloud
(Static) The Name of the SAML attribute that contains the user’s full name.
logo cloud
(Static) The Name of the SAML attribute that contains the user’s email address.
logo cloud
(Static) The Name of the SAML attribute that contains the user’s X.50 Distinguished Name.
logo cloud
(Static) A Java regular expression that is matched against the SAML attribute specified by before it is applied to the user’s principal property. The attribute value must match the pattern and the value of the first capturing group is used as the principal. For example, matches email addresses from the "example.com" domain and uses the local-part as the principal.
logo cloud
(Static) As per , but for the group property.
logo cloud
(Static) As per , but for the name property.
logo cloud
(Static) As per , but for the mail property.
logo cloud
(Static) As per , but for the dn property.
logo cloud
(Static) The NameID format that should be requested when asking the IdP to authenticate the current user. Defaults to requesting transient names ().
logo cloud
(Static) The value of the attribute of the element in an authentication request. The default value is false.
logo cloud
(Static) The value of the attribute of the element in an authentication request. The default is to not include the attribute.
logo cloud
(Static) Specifies whether to set the attribute when requesting that the IdP authenticate the current user. If set to , the IdP is required to verify the user’s identity, irrespective of any existing sessions they might have. Defaults to .
logo cloud
(Static) Specifies whether to populate the Elasticsearch user’s metadata with the values that are provided by the SAML attributes. Defaults to .
(Static) The names of the realms that should be consulted for delegated authorization. If this setting is used, then the SAML realm does not perform role mapping and instead loads the user from the listed realms. See Delegating authorization to another realm.
logo cloud
(Static) The maximum amount of skew that can be tolerated between the IdP’s clock and the Elasticsearch node’s clock. Defaults to (3 minutes).
logo cloud

(Static) A comma separated list of Authentication Context Class Reference values to be included in the Requested Authentication Context when requesting the IdP to authenticate the current user. The Authentication Context of the corresponding authentication response should contain at least one of the requested values.

For more information, see Requesting specific authentication methods.

SAML realm signing settingsedit

If a signing key is configured (that is, either or is set), then Elasticsearch signs outgoing SAML messages. Signing can be configured using the following settings:

logo cloud
(Static) A list of SAML message types that should be signed or to sign all messages. Each element in the list should be the local name of a SAML XML Element. Supported element types are , and . Only valid if or is also specified. Defaults to .
logo cloud
(Static) Specifies the path to the PEM encoded private key to use for SAML message signing. and cannot be used at the same time.
logo cloud
(Secure) Specifies the passphrase to decrypt the PEM encoded private key () if it is encrypted.
logo cloud
(Static) Specifies the path to the PEM encoded certificate (or certificate chain) that corresponds to the . This certificate must also be included in the Service Provider metadata or manually configured within the IdP to allow for signature validation. This setting can only be used if is set.
logo cloud
(Static) The path to the keystore that contains a private key and certificate. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and at the same time.
logo cloud
(Static) The type of the keystore in . Must be either or . If the keystore path ends in ".p12", ".pfx", or "pkcs12", this setting defaults to . Otherwise, it defaults to .
logo cloud
(Static) Specifies the alias of the key within the keystore that should be used for SAML message signing. If the keystore contains more than one private key, this setting must be specified.
logo cloud
(Secure) The password to the keystore in .
logo cloud
(Secure) The password for the key in the keystore (). Defaults to the keystore password.
SAML realm encryption settingsedit

If an encryption key is configured (that is, either or is set), then Elasticsearch publishes an encryption certificate when generating metadata and attempts to decrypt incoming SAML content. Encryption can be configured using the following settings:

logo cloud
(Static) Specifies the path to the PEM encoded private key to use for SAML message decryption. and cannot be used at the same time.
(Secure) Specifies the passphrase to decrypt the PEM encoded private key () if it is encrypted.
logo cloud
(Static) Specifies the path to the PEM encoded certificate (or certificate chain) that is associated with the . This certificate must also be included in the Service Provider metadata or manually configured within the IdP to enable message encryption. This setting can be used only if is set.
logo cloud
(Static) The path to the keystore that contains a private key and certificate. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and at the same time.
logo cloud
(Static) The type of the keystore (). Must be either or . If the keystore path ends in ".p12", ".pfx", or "pkcs12", this setting defaults to . Otherwise, it defaults to .
logo cloud
(Static) Specifies the alias of the key within the keystore () that should be used for SAML message decryption. If not specified, all compatible key pairs from the keystore are considered as candidate keys for decryption.
(Secure) The password to the keystore ().
(Secure) The password for the key in the keystore (). Only a single password is supported. If you are using multiple decryption keys, they cannot have individual passwords.
SAML realm SSL settingsedit

If you are loading the IdP metadata over SSL/TLS (that is, is a URL using the protocol), the following settings can be used to configure SSL.

These settings are not used for any purpose other than loading metadata over https.

logo cloud

(Static) Path to a PEM encoded file containing the private key.

If HTTP client authentication is required, it uses this file. You cannot use this setting and at the same time.

logo cloud

(Static) The passphrase that is used to decrypt the private key. Since the key might not be encrypted, this value is optional.

You cannot use this setting and at the same time.

(Secure) The passphrase that is used to decrypt the private key. Since the key might not be encrypted, this value is optional.

You cannot use this setting and at the same time.

logo cloud

(Static) Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the key.

This setting can be used only if is set.

logo cloud

(Static) List of paths to PEM encoded certificate files that should be trusted.

This setting and cannot be used at the same time.

logo cloud

(Static) The path for the keystore file that contains a private key and certificate.

It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and at the same time.

logo cloud
(Static) The format of the keystore file. It must be either or . If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to . Otherwise, it defaults to .
logo cloud
(Static) The password for the keystore.

(Secure) The password for the keystore.

You cannot use this setting and at the same time.

(Static) The password for the key in the keystore. The default is the keystore password.

You cannot use this setting and at the same time.

You cannot use this setting and at the same time.

(Secure) The password for the key in the keystore. The default is the keystore password.

You cannot use this setting and at the same time.

logo cloud

(Static) The path for the keystore that contains the certificates to trust. It must be either a Java keystore (jks) or a PKCS#12 file.

You cannot use this setting and at the same time.

logo cloud
(Static) The format of the truststore file. It must be either or . If the file name ends in ".p12", ".pfx" or "pkcs12", the default is . Otherwise, it defaults to .
logo cloud

(Static) The password for the truststore.

You cannot use this setting and at the same time.

(Secure) Password for the truststore.

This setting cannot be used with .

logo cloud

(Static) Controls the verification of certificates.

Valid values are:

  • , which verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
  • , which verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
  • , which performs no verification of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after very careful consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use on production clusters is strongly discouraged.

    The default value is .

logo cloud

(Static) Supported protocols with versions. Valid protocols: , , , , , . If the JVM’s SSL provider supports TLSv1.3, the default is . Otherwise, the default is .

Elasticsearch relies on your JDK’s implementation of SSL and TLS. View Supported SSL/TLS versions by JDK version for more information.

If is , you cannot use or . See FIPS 140-2.

logo cloud

(Static) Supported cipher suites vary depending on which version of Java you use. For example, for version 12 the default value is , , , , , , , , , , , , , , , , , , , , , , .

For more information, see Oracle’s Java Cryptography Architecture documentation.

Kerberos realm settingsedit

In addition to the settings that are valid for all realms, you can specify the following settings:

logo cloud
(Static) Specifies the path to the Kerberos keytab file that contains the service principal used by this Elasticsearch node. This must be a location within the Elasticsearch configuration directory and the file must have read permissions. Required.
logo cloud
(Static) Set to to remove the realm part of principal names. Principal names in Kerberos have the form . If this option is , the realm part () will not be included in the username. Defaults to .
(Static) Set to to enable debug logs for the Java login module that provides support for Kerberos authentication. Defaults to .
logo cloud
(Static) The time-to-live for cached user entries. A user is cached for this period of time. Specify the time period using the standard Elasticsearch time units. Defaults to .
logo cloud
(Static) The maximum number of user entries that can live in the cache at any given time. Defaults to 100,000.
logo cloud
(Static) The names of the realms that should be consulted for delegated authorization. If this setting is used, then the Kerberos realm does not perform role mapping and instead loads the user from the listed realms. See Delegating authorization to another realm.
OpenID Connect realm settingsedit

In addition to the settings that are valid for all realms, you can specify the following settings.

logo cloud
(Static) A verifiable Identifier for your OpenID Connect Provider. An Issuer Identifier is usually a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components. The value for this setting should be provided by your OpenID Connect Provider.
logo cloud
(Static) The URL for the Authorization Endpoint at the OpenID Connect Provider. The value for this setting should be provided by your OpenID Connect Provider.
logo cloud
(Static) The URL for the Token Endpoint at the OpenID Connect Provider. The value for this setting should be provided by your OpenID Connect Provider.
logo cloud
(Static) The URL for the User Info Endpoint at the OpenID Connect Provider. The value for this setting should be provided by your OpenID Connect Provider.
logo cloud
(Static) The URL for the End Session Endpoint at the OpenID Connect Provider. The value for this setting should be provided by your OpenID Connect Provider.
logo cloud

(Static) The path or URL to a JSON Web Key Set with the key material that the OpenID Connect Provider uses for signing tokens and claims responses. If a path is provided, then it is resolved relative to the Elasticsearch config directory. If a URL is provided, then it must be either a URL or a URL. Elasticsearch automatically caches the retrieved JWK set to avoid unnecessary HTTP requests but will attempt to refresh the JWK upon signature verification failure, as this might indicate that the OpenID Connect Provider has rotated the signing keys.

File-based resources are polled at a frequency determined by the global Elasticsearch setting, which defaults to 5 seconds.

(Static) The names of the realms that should be consulted for delegated authorization. If this setting is used, then the OpenID Connect realm does not perform role mapping and instead loads the user from the listed realms. See Delegating authorization to another realm.
logo cloud
(Static) The OAuth 2.0 Client Identifier that was assigned to Elasticsearch during registration at the OpenID Connect Provider.
(Secure) The OAuth 2.0 Client Secret that was assigned to Elasticsearch during registration at the OpenID Connect Provider.
logo cloud
(Static) The client authentication method used by Elasticsearch to authenticate to the OpenID Connect Provider. Can be , , or . Defaults to .
logo cloud
(Static) The signature algorithm that Elasticsearch uses to sign the JWT with which it authenticates as a client to the OpenID Connect Provider when is selected for . Can be either , , or . Defaults to .
logo cloud
(Static) The Redirect URI within Kibana. If you want to use the authorization code flow, this is the endpoint of your Kibana server. If you want to use the implicit flow, it is the endpoint. For example, .
logo cloud
(Static) OAuth 2.0 Response Type value that determines the authorization processing flow to be used. Can be for authorization code grant flow, or one of , for the implicit flow.
logo cloud
(Static) The signature algorithm that will be used by Elasticsearch in order to verify the signature of the id tokens it will receive from the OpenID Connect Provider. Defaults to .
logo cloud
(Static) The scope values that will be requested by the OpenID Connect Provider as part of the Authentication Request. Optional, defaults to
logo cloud
(Static) The Redirect URI (usually within Kibana) that the OpenID Connect Provider should redirect the browser to after a successful Single Logout.
(Static) The name of the OpenID Connect claim that contains the user’s principal (username).
logo cloud
(Static) The name of the OpenID Connect claim that contains the user’s groups.
logo cloud
(Static) The name of the OpenID Connect claim that contains the user’s full name.
logo cloud
(Static) The name of the OpenID Connect claim that contains the user’s email address.
logo cloud
(Static) The name of the OpenID Connect claim that contains the user’s X.509 Distinguished Name.
logo cloud
(Static) A Java regular expression that is matched against the OpenID Connect claim specified by before it is applied to the user’s principal property. The attribute value must match the pattern and the value of the first capturing group is used as the principal. For example, matches email addresses from the "example.com" domain and uses the local-part as the principal.
logo cloud
(Static) As per , but for the group property.
logo cloud
(Static) As per , but for the name property.
logo cloud
(Static) As per , but for the mail property.
logo cloud
(Static) As per , but for the dn property.
logo cloud
(Static) The maximum allowed clock skew to be taken into consideration when validating id tokens with regards to their creation and expiration times.
logo cloud
(Static) Specifies whether to populate the Elasticsearch user’s metadata with the values that are provided by the OpenID Connect claims. Defaults to .
(Static) Specifies the address of the proxy server that will be used by the internal http client for all back-channel communication to the OpenID Connect Provider endpoints. This includes requests to the Token Endpoint, the Userinfo Endpoint and requests to fetch the JSON Web Key Set from the OP if is set as a URL.
(Static) Specifies the protocol to use to connect to the proxy server that will be used by the http client for all back-channel communication to the OpenID Connect Provider endpoints. Defaults to . Allowed values are or .
(Static) Specifies the port of the proxy server that will be used by the http client for all backchannel communication to the OpenID Connect Provider endpoints. Defaults to .
logo cloud
(Static) Controls the behavior of the http client used for back-channel communication to the OpenID Connect Provider endpoints. Specifies the timeout until a connection is established. A value of zero means the timeout is not used. Defaults to .
logo cloud
(Static) Controls the behavior of the http client used for back-channel communication to the OpenID Connect Provider endpoints. Specifies the timeout used when requesting a connection from the connection manager. Defaults to
logo cloud
(Static) Controls the behavior of the http client used for back-channel communication to the OpenID Connect Provider endpoints. Specifies the socket timeout (SO_TIMEOUT) in milliseconds, which is the timeout for waiting for data or, put differently, a maximum period inactivity between two consecutive data packets). Defaults to .
logo cloud
(Static) Controls the behavior of the http client used for back-channel communication to the OpenID Connect Provider endpoints. Specifies the maximum number of connections allowed across all endpoints.
logo cloud
(Static) Controls the behavior of the http client used for back-channel communication to the OpenID Connect Provider endpoints. Specifies the maximum number of connections allowed per endpoint.
OpenID Connect realm SSL settingsedit

The following settings can be used to configure SSL for all outgoing http connections to the OpenID Connect Provider endpoints.

These settings are only used for the back-channel communication between Elasticsearch and the OpenID Connect Provider

logo cloud

(Static) Path to a PEM encoded file containing the private key.

If HTTP client authentication is required, it uses this file. You cannot use this setting and at the same time.

logo cloud

(Static) The passphrase that is used to decrypt the private key. Since the key might not be encrypted, this value is optional.

You cannot use this setting and at the same time.

(Secure) The passphrase that is used to decrypt the private key. Since the key might not be encrypted, this value is optional.

You cannot use this setting and at the same time.

logo cloud

(Static) Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the key.

This setting can be used only if is set.

logo cloud

(Static) List of paths to PEM encoded certificate files that should be trusted.

This setting and cannot be used at the same time.

logo cloud

(Static) The path for the keystore file that contains a private key and certificate.

It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and at the same time.

logo cloud
(Static) The format of the keystore file. It must be either or . If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to . Otherwise, it defaults to .
logo cloud
(Static) The password for the keystore.

(Secure) The password for the keystore.

You cannot use this setting and at the same time.

(Static) The password for the key in the keystore. The default is the keystore password.

You cannot use this setting and at the same time.

You cannot use this setting and at the same time.

(Secure) The password for the key in the keystore. The default is the keystore password.

You cannot use this setting and at the same time.

logo cloud

(Static) The path for the keystore that contains the certificates to trust. It must be either a Java keystore (jks) or a PKCS#12 file.

You cannot use this setting and at the same time.

logo cloud
(Static) The format of the truststore file. It must be either or . If the file name ends in ".p12", ".pfx" or "pkcs12", the default is . Otherwise, it defaults to .
logo cloud

(Static) The password for the truststore.

You cannot use this setting and at the same time.

(Secure) Password for the truststore.

You cannot use this setting and at the same time.

logo cloud

(Static) Controls the verification of certificates. Controls the verification of certificates.

Valid values are:

  • , which verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
  • , which verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
  • , which performs no verification of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after very careful consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use on production clusters is strongly discouraged.

    The default value is .

logo cloud

(Static) Supported protocols with versions. Valid protocols: , , , , , . If the JVM’s SSL provider supports TLSv1.3, the default is . Otherwise, the default is .

Elasticsearch relies on your JDK’s implementation of SSL and TLS. View Supported SSL/TLS versions by JDK version for more information.

If is , you cannot use or . See FIPS 140-2.

logo cloud

(Static) Supported cipher suites vary depending on which version of Java you use. For example, for version 12 the default value is , , , , , , , , , , , , , , , , , , , , , , .

For more information, see Oracle’s Java Cryptography Architecture documentation.

Load balancing and failoveredit

The static setting can have the following values:

  • : The URLs specified are used in the order that they are specified. The first server that can be connected to will be used for all subsequent connections. If a connection to that server fails then the next server that a connection can be established to will be used for subsequent connections.
  • : In this mode of operation, only a single URL may be specified. This URL must contain a DNS name. The system will be queried for all IP addresses that correspond to this DNS name. Connections to the Active Directory or LDAP server will always be tried in the order in which they were retrieved. This differs from in that there is no reordering of the list and if a server has failed at the beginning of the list, it will still be tried for each subsequent connection.
  • : Connections will continuously iterate through the list of provided URLs. If a server is unavailable, iterating through the list of URLs will continue until a successful connection is made.
  • : In this mode of operation, only a single URL may be specified. This URL must contain a DNS name. The system will be queried for all IP addresses that correspond to this DNS name. Connections will continuously iterate through the list of addresses. If a server is unavailable, iterating through the list of URLs will continue until a successful connection is made.

General TLS settingsedit

(Static) Controls whether to output diagnostic messages for SSL/TLS trust failures. If this is (the default), a message will be printed to the Elasticsearch log whenever an SSL connection (incoming or outgoing) is rejected due to a failure to establish trust. This diagnostic message contains information that can be used to determine the cause of the failure and assist with resolving the problem. Set to to disable these messages. NOTE: This defaults to when is .
TLS/SSL key and trusted certificate settingsedit

The following settings are used to specify a private key, certificate, and the trusted certificates that should be used when communicating over an SSL/TLS connection. If no trusted certificates are configured, the default certificates that are trusted by the JVM will be trusted along with the certificate(s) associated with a key in the same context. The key and certificate must be in place for connections that require client authentication or when acting as a SSL enabled server.

Storing trusted certificates in a PKCS#12 file, although supported, is uncommon in practice. The tool, as well as Java’s , are designed to generate PKCS#12 files that can be used both as a keystore and as a truststore, but this may not be the case for container files that are created using other tools. Usually, PKCS#12 files only contain secret and private entries. To confirm that a PKCS#12 container includes trusted certificate ("anchor") entries look for in the output, or in the output.

HTTP TLS/SSL settingsedit

You can configure the following TLS/SSL settings.

(Static) Used to enable or disable TLS/SSL. The default is .

(Static) Supported protocols with versions. Valid protocols: , , , , , . If the JVM’s SSL provider supports TLSv1.3, the default is . Otherwise, the default is .

Elasticsearch relies on your JDK’s implementation of SSL and TLS. View Supported SSL/TLS versions by JDK version for more information.

If is , you cannot use or . See FIPS 140-2.

(Static) Controls the server’s behavior in regard to requesting a certificate from client connections. Valid values are , , and . forces a client to present a certificate, while requests a client certificate but the client is not required to present one. Defaults to .

(Static) Supported cipher suites vary depending on which version of Java you use. For example, for version 12 the default value is , , , , , , , , , , , , , , , , , , , , , , .

For more information, see Oracle’s Java Cryptography Architecture documentation.

HTTP TLS/SSL key and trusted certificate settingsedit

The following settings are used to specify a private key, certificate, and the trusted certificates that should be used when communicating over an SSL/TLS connection. A private key and certificate must be configured.

When using PEM encoded files, use the following settings:

(Static) Path to a PEM encoded file containing the private key.

If HTTP client authentication is required, it uses this file. You cannot use this setting and at the same time.

(Static) The passphrase that is used to decrypt the private key. Since the key might not be encrypted, this value is optional.

You cannot use this setting and at the same time.

(Secure) The passphrase that is used to decrypt the private key. Since the key might not be encrypted, this value is optional.

(Static) Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the key.

This setting can be used only if is set.

(Static) List of paths to PEM encoded certificate files that should be trusted.

This setting and cannot be used at the same time.

When using Java keystore files (JKS), which contain the private key, certificate and certificates that should be trusted, use the following settings:

(Static) The path for the keystore file that contains a private key and certificate.

It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and at the same time.

(Static) The password for the keystore.
(Secure) The password for the keystore.

(Static) The password for the key in the keystore. The default is the keystore password.

You cannot use this setting and at the same time.

(Secure) The password for the key in the keystore. The default is the keystore password.

(Static) The path for the keystore that contains the certificates to trust. It must be either a Java keystore (jks) or a PKCS#12 file.

You cannot use this setting and at the same time.

(Static) The password for the truststore.

You cannot use this setting and at the same time.

(Secure) Password for the truststore.

Elasticsearch can be configured to use PKCS#12 container files ( or files) that contain the private key, certificate and certificates that should be trusted.

PKCS#12 files are configured in the same way as Java keystore files:

(Static) The path for the keystore file that contains a private key and certificate.

It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and at the same time.

(Static) The format of the keystore file. It must be either or . If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to . Otherwise, it defaults to .
(Static) The password for the keystore.
(Secure) The password for the keystore.

(Static) The password for the key in the keystore. The default is the keystore password.

You cannot use this setting and at the same time.

(Secure) The password for the key in the keystore. The default is the keystore password.

(Static) The path for the keystore that contains the certificates to trust. It must be either a Java keystore (jks) or a PKCS#12 file.

You cannot use this setting and at the same time.

(Static) Set this to to indicate that the truststore is a PKCS#12 file.

(Static) The password for the truststore.

You cannot use this setting and at the same time.

(Secure) Password for the truststore.

Elasticsearch can be configured to use a PKCS#11 token that contains the private key, certificate and certificates that should be trusted.

PKCS#11 token require additional configuration on the JVM level and can be enabled via the following settings:

(Static) Set this to to indicate that the PKCS#11 token should be used as a keystore.
(Static) The format of the truststore file. For the Java keystore format, use . For PKCS#12 files, use . For a PKCS#11 token, use . The default is .

When configuring the PKCS#11 token that your JVM is configured to use as a keystore or a truststore for Elasticsearch, the PIN for the token can be configured by setting the appropriate value to or in the context that you are configuring. Since there can only be one PKCS#11 token configured, only one keystore and truststore will be usable for configuration in Elasticsearch. This in turn means that only one certificate can be used for TLS both in the transport and the http layer.

Transport TLS/SSL settingsedit

You can configure the following TLS/SSL settings.

(Static) Used to enable or disable TLS/SSL. The default is .

(Static) Supported protocols with versions. Valid protocols: , , , , , . If the JVM’s SSL provider supports TLSv1.3, the default is . Otherwise, the default is .

Elasticsearch relies on your JDK’s implementation of SSL and TLS. View Supported SSL/TLS versions by JDK version for more information.

If is , you cannot use or . See FIPS 140-2.

(Static) Controls the server’s behavior in regard to requesting a certificate from client connections. Valid values are , , and . forces a client to present a certificate, while requests a client certificate but the client is not required to present one. Defaults to .

(Static) Controls the verification of certificates. Controls the verification of certificates.

Valid values are:

  • , which verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
  • , which verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
  • , which performs no verification of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after very careful consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use on production clusters is strongly discouraged.

    The default value is .

(Static) Supported cipher suites vary depending on which version of Java you use. For example, for version 12 the default value is ,

Sours: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html
Elasticsearch Snapshot and Restore to AWS S3 Bucket - Let's Deploy a Host Intrusion Detection System

deviantony / docker-elk Public template

edit: Does not work. Please ignore. See #579 (comment).


@cebor it works fine for me but I noticed some errors in Docker for Windows, if that's what you use.

I'll write a more detailed procedure in the README but here is what I did, step by step:

1. Create keystore

$ docker run --rm -v $(pwd)/elasticsearch/config/:/usr/share/elasticsearch/config/ docker.elastic.co/elasticsearch/elasticsearch:7.11.2 elasticsearch-keystore createCreated elasticsearch keystore in /usr/share/elasticsearch/config/elasticsearch.keystore

2. Change ownership

The created keystore is owned by , unless you run the previous command with , which I didn't.
We need to change its owner to , which is the uid of the user inside the Elasticsearch image.

$ ls -l elasticsearch/config/elasticsearch.keystore-rw-rw---- 1 root root 199 Mar 27 18:09 elasticsearch/config/elasticsearch.keystore
$ sudo chown -v 1000 elasticsearch/config/elasticsearch.keystorechanged ownership of 'elasticsearch/config/elasticsearch.keystore' from root to 1000

3. Mount the keystore in the expected location

$ git diff diff --git a/docker-compose.yml b/docker-compose.yml index 669e337..a9ee0ea 100644 --- a/docker-compose.yml+++ b/[email protected]@ -11,6 +11,10 @@ services: source: ./elasticsearch/config/elasticsearch.yml target: /usr/share/elasticsearch/config/elasticsearch.yml read_only: true + - type: bind+ source: ./elasticsearch/config/elasticsearch.keystore+ target: /usr/share/elasticsearch/config/elasticsearch.keystore+ read_only: false - type: volume source: elasticsearch target: /usr/share/elasticsearch/data

4. Run

$ docker-compose up elasticsearchelasticsearch_1 | {"type": "server", "timestamp": "2021-03-27T17:40:17,308Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "docker-cluster", "node.name": "51691320c358", "message": "version[7.11.2], pid[7], build[default/docker/3e5a16cfec50876d20ea77b075070932c6464c7d/2021-03-06T05:54:38.141101Z], OS[Linux/4.19.128-microsoft-standard/amd64], JVM[AdoptOpenJDK/OpenJDK 64-Bit Server VM/15.0.1/15.0.1+9]" }...
$ curl -D- localhost:9200 -u elastic:changemeHTTP/1.1 200 OKcontent-type: application/json; charset=UTF-8content-length: 542{ "name" : "51691320c358", "cluster_name" : "docker-cluster", "cluster_uuid" : "ZUQ-rbdUR_20YCN6Qe4fOA", "version" : { "number" : "7.11.2", "build_flavor" : "default", "build_type" : "docker", "build_hash" : "3e5a16cfec50876d20ea77b075070932c6464c7d", "build_date" : "2021-03-06T05:54:38.141101Z", "build_snapshot" : false, "lucene_version" : "8.7.0", "minimum_wire_compatibility_version" : "6.8.0", "minimum_index_compatibility_version" : "6.0.0-beta1" }, "tagline" : "You Know, for Search"}
Sours: https://github.com/deviantony/docker-elk/issues/579

Similar news:

Some settings are sensitive, and relying on filesystem permissions to protect their values is not sufficient. For this use case, Elasticsearch provides a keystore and the tool to manage the settings in the keystore.

Note

All commands here should be run as the user which will run Elasticsearch.

Note

Only some settings are designed to be read from the keystore. See documentation for each setting to see if it is supported as part of the keystore.

Note

All the modifications to the keystore take affect only after restarting Elasticsearch.

Note

The elasticsearch keystore currently only provides obfuscation. In the future, password protection will be added.

These settings, just like the regular ones in the config file, need to be specified on each node in the cluster. Currently, all secure settings are node-specific settings that must have the same value on every node.

Creating the keystore

To create the , use the command:

bin/elasticsearch-keystore create

The file will be created alongside .

Listing settings in the keystore

A list of the settings in the keystore is available with the command:

bin/elasticsearch-keystore list

Adding string settings

Sensitive string settings, like authentication credentials for cloud plugins, can be added using the command:

bin/elasticsearch-keystore add the.setting.name.to.set

The tool will prompt for the value of the setting. To pass the value through stdin, use the flag:

cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set

Adding file settings

You can add sensitive files, like authentication key files for cloud plugins, using the command. Be sure to include your file path as an argument after the setting name.

bin/elasticsearch-keystore add-file the.setting.name.to.set /path/example-file.json

Removing settings

To remove a setting from the keystore, use the command:

bin/elasticsearch-keystore remove the.setting.name.to.remove

Reloadable secure settings

Just like the settings values in , changes to the keystore contents are not automatically applied to the running elasticsearch node. Re-reading settings requires a node restart. However, certain secure settings are marked as reloadable. Such settings can be re-read and applied on a running node.

The values of all secure settings, reloadable or not, must be identical across all cluster nodes. After making the desired secure settings changes, using the command, call:

POST _nodes/reload_secure_settings

This API will decrypt and re-read the entire keystore, on every cluster node, but only the reloadable secure settings will be applied. Changes to other settings will not go into effect until the next restart. Once the call returns, the reload has been completed, meaning that all internal datastructures dependent on these settings have been changed. Everything should look as if the settings had the new value from the start.

When changing multiple reloadable secure settings, modify all of them, on each cluster node, and then issue a call, instead of reloading after each modification.

Sours: http://man.hubwiz.com/docset/ElasticSearch.docset/Contents/Resources/Documents/www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html


2207 2208 2209 2210 2211