diff --git a/docs/reference/index.asciidoc b/docs/reference/index.asciidoc index 6d595a6ba2a4c..ae2b0571cb1d9 100644 --- a/docs/reference/index.asciidoc +++ b/docs/reference/index.asciidoc @@ -68,7 +68,7 @@ include::frozen-indices.asciidoc[] include::rest-api/index.asciidoc[] -include::security/index.asciidoc[] +include::{xes-repo-dir}/security/index.asciidoc[] include::{xes-repo-dir}/watcher/index.asciidoc[] diff --git a/docs/reference/security/index.asciidoc b/docs/reference/security/index.asciidoc deleted file mode 100644 index ed11b5916cb2c..0000000000000 --- a/docs/reference/security/index.asciidoc +++ /dev/null @@ -1,18 +0,0 @@ -[[secure-cluster]] -= Secure a cluster - -[partintro] --- -The {stack-security-features} enable you to easily secure a cluster. You can -password-protect your data as well as implement more advanced security -measures such as encrypting communications, role-based access control, -IP filtering, and auditing. - -* <> -* <> - --- - -include::overview.asciidoc[] - -include::{xes-repo-dir}/security/configuring-es.asciidoc[] diff --git a/docs/reference/settings/license-settings.asciidoc b/docs/reference/settings/license-settings.asciidoc index 791d3f61d4598..5e69d4e020798 100644 --- a/docs/reference/settings/license-settings.asciidoc +++ b/docs/reference/settings/license-settings.asciidoc @@ -7,7 +7,7 @@ You can configure this licensing setting in the `elasticsearch.yml` file. For more information, see -{xpack-ref}/license-management.html[{xpack} License Management]. +{stack-ov}/license-management.html[License management]. `xpack.license.self_generated.type`:: Set to `basic` (default) to enable basic {xpack} features. + diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc index 09ca01a58c5af..4fbb96144c585 100644 --- a/docs/reference/settings/security-settings.asciidoc +++ b/docs/reference/settings/security-settings.asciidoc 
@@ -69,8 +69,7 @@ See <>. Defaults to `bcrypt`. [[anonymous-access-settings]] ==== Anonymous access settings You can configure the following anonymous access settings in -`elasticsearch.yml`. For more information, see {stack-ov}/anonymous-access.html[ -Enabling anonymous access]. +`elasticsearch.yml`. For more information, see <>. `xpack.security.authc.anonymous.username`:: The username (principal) of the anonymous user. Defaults to `_es_anonymous_user`. @@ -120,8 +119,7 @@ Defaults to `48h` (48 hours). You can set the following document and field level security settings in `elasticsearch.yml`. For more information, see -{stack-ov}/field-and-document-access-control.html[Setting up document and field -level security]. +<>. `xpack.security.dls_fls.enabled`:: Set to `false` to prevent document and field level security @@ -206,7 +204,7 @@ xpack.security.authc.realms: ---------------------------------------- The valid settings vary depending on the realm type. For more -information, see {stack-ov}/setting-up-authentication.html[Setting up authentication]. +information, see <>. [float] [[ref-realm-settings]] @@ -245,8 +243,8 @@ Defaults to `ssha256`. `authentication.enabled`:: If set to `false`, disables authentication support in this realm, so that it only supports user lookups. -(See the {stack-ov}/run-as-privilege.html[run as] and -{stack-ov}/realm-chains.html#authorization_realms[authorization realms] features). +(See the <> and +<> features). Defaults to `true`. [[ref-users-settings]] @@ -261,7 +259,7 @@ the following settings: `cache.ttl`:: The time-to-live for cached user entries. A user and a hash of its credentials are cached for this configured period of time. Defaults to `20m`. Specify values -using the standard {es} {ref}/common-options.html#time-units[time units]. +using the standard {es} <>. Defaults to `20m`. `cache.max_users`:: 
@@ -274,8 +272,8 @@ user credentials. See <>. Defaults to `ssha256`. `authentication.enabled`:: If set to `false`, disables authentication support in this realm, so that it only supports user lookups. -(See the {stack-ov}/run-as-privilege.html[run as] and -{stack-ov}/realm-chains.html#authorization_realms[authorization realms] features). +(See the <> and +<> features). Defaults to `true`. [[ref-ldap-settings]] @@ -326,14 +324,14 @@ The DN template that replaces the user name with the string `{0}`. This setting is multivalued; you can specify multiple user contexts. Required to operate in user template mode. If `user_search.base_dn` is specified, this setting is not valid. For more information on -the different modes, see {stack-ov}/ldap-realm.html[LDAP realms]. +the different modes, see <>. `authorization_realms`:: The names of the realms that should be consulted for delegated authorization. If this setting is used, then the LDAP realm does not perform role mapping and instead loads the user from the listed realms. The referenced realms are consulted in the order that they are defined in this list. -See {stack-ov}/realm-chains.html#authorization_realms[Delegating authorization to another realm] +See <>. + -- NOTE: If any settings starting with `user_search` are specified, the @@ -350,7 +348,7 @@ to `memberOf`. Specifies a container DN to search for users. Required to operated in user search mode. If `user_dn_templates` is specified, this setting is not valid. For more information on -the different modes, see {stack-ov}/ldap-realm.html[LDAP realms]. +the different modes, see <>. `user_search.scope`:: The scope of the user search. Valid values are `sub_tree`, `one_level` or 
@@ -423,12 +421,12 @@ the filter. If not set, the user DN is passed into the filter. Defaults to Empt If set to `true`, the names of any unmapped LDAP groups are used as role names and assigned to the user. A group is considered to be _unmapped_ if it is not referenced in a -{stack-ov}/mapping-roles.html#mapping-roles-file[role-mapping file]. API-based +<>. API-based role mappings are not considered. Defaults to `false`. `files.role_mapping`:: -The <> for the {stack-ov}/mapping-roles.html#mapping-roles[ -YAML role mapping configuration file]. Defaults to +The <> for the +<>. Defaults to `ES_PATH_CONF/role_mapping.yml`. `follow_referrals`:: @@ -545,8 +543,8 @@ in-memory cached user credentials. See <>. Defaults to `ssha256 `authentication.enabled`:: If set to `false`, disables authentication support in this realm, so that it only supports user lookups. -(See the {stack-ov}/run-as-privilege.html[run as] and -{stack-ov}/realm-chains.html#authorization_realms[authorization realms] features). +(See the <> and +<> features). Defaults to `true`. [[ref-ad-settings]] @@ -786,7 +784,7 @@ Java Cryptography Architecture documentation]. Defaults to the value of `cache.ttl`:: Specifies the time-to-live for cached user entries. A user and a hash of its credentials are cached for this configured period of time. Use the -standard Elasticsearch {ref}/common-options.html#time-units[time units]). +standard Elasticsearch <>). Defaults to `20m`. `cache.max_users`:: @@ -799,8 +797,8 @@ the in-memory cached user credentials. See <>. Defaults to `ssh `authentication.enabled`:: If set to `false`, disables authentication support in this realm, so that it only supports user lookups. -(See the {stack-ov}/run-as-privilege.html[run as] and -{stack-ov}/realm-chains.html#authorization_realms[authorization realms] features). +(See the <> and +<> features). Defaults to `true`. `follow_referrals`:: 
@@ -841,19 +839,19 @@ for SSL. This setting cannot be used with `certificate_authorities`. `files.role_mapping`:: Specifies the <> of the -{stack-ov}/mapping-roles.html[YAML role mapping configuration file]. +<>. Defaults to `ES_PATH_CONF/role_mapping.yml`. `authorization_realms`:: The names of the realms that should be consulted for delegated authorization. If this setting is used, then the PKI realm does not perform role mapping and instead loads the user from the listed realms. -See {stack-ov}/realm-chains.html#authorization_realms[Delegating authorization to another realm] +See <>. `cache.ttl`:: Specifies the time-to-live for cached user entries. A user and a hash of its credentials are cached for this period of time. Use the -standard {es} {ref}/common-options.html#time-units[time units]). +standard {es} <>). Defaults to `20m`. `cache.max_users`:: @@ -973,7 +971,7 @@ provided by the SAML attributes. Defaults to `true`. The names of the realms that should be consulted for delegated authorization. If this setting is used, then the SAML realm does not perform role mapping and instead loads the user from the listed realms. -See {stack-ov}/realm-chains.html#authorization_realms[Delegating authorization to another realm] +See <>. `allowed_clock_skew`:: The maximum amount of skew that can be tolerated between the IdP's clock and the @@ -987,7 +985,7 @@ authenticate the current user. The Authentication Context of the corresponding authentication response should contain at least one of the requested values. + For more information, see -{stack-ov}/saml-guide-authentication.html#req-authn-context[Requesting specific authentication methods]. +<>. [float] [[ref-saml-signing-settings]] 
@@ -1221,7 +1219,7 @@ cache at any given time. Defaults to 100,000. The names of the realms that should be consulted for delegated authorization. If this setting is used, then the Kerberos realm does not perform role mapping and instead loads the user from the listed realms. -See {stack-ov}/realm-chains.html#authorization_realms[Delegating authorization to another realm] +See <>. [float] [[load-balancing]] @@ -1264,7 +1262,7 @@ endif::[] You can configure the following TLS/SSL settings in `elasticsearch.yml`. For more information, see -{stack-ov}/encrypting-communications.html[Encrypting communications]. These +<>. These settings are used unless they have been overridden by more specific settings such as those for HTTP or Transport. @@ -1422,7 +1420,7 @@ keystore files. See <>. [[pkcs12-truststore-note]] [NOTE] Storing trusted certificates in a PKCS#12 file, although supported, is -uncommon in practice. The {ref}/certutil.html[`elasticsearch-certutil`] tool, +uncommon in practice. The <> tool, as well as Java's `keytool`, are designed to generate PKCS#12 files that can be used both as a keystore and as a truststore, but this may not be the case for container files that are created using other tools. Usually, @@ -1509,7 +1507,7 @@ See also <>. [[ip-filtering-settings]] ==== IP filtering settings -You can configure the following settings for {stack-ov}/ip-filtering.html[IP filtering]. +You can configure the following settings for <>. `xpack.security.transport.filter.allow`:: List of IP addresses to allow. diff --git a/docs/reference/setup/install/docker.asciidoc b/docs/reference/setup/install/docker.asciidoc index 25e8e5f50fe85..8f6a0b50e8117 100644 --- a/docs/reference/setup/install/docker.asciidoc +++ b/docs/reference/setup/install/docker.asciidoc 
@@ -11,7 +11,7 @@ https://github.com/elastic/elasticsearch/blob/{branch}/distribution/docker[Githu These images are free to use under the Elastic license. They contain open source and free commercial features and access to paid commercial features. -{xpack-ref}/license-management.html[Start a 30-day trial] to try out all of the +{stack-ov}/license-management.html[Start a 30-day trial] to try out all of the paid commercial features. See the https://www.elastic.co/subscriptions[Subscriptions] page for information about Elastic license levels. diff --git a/docs/reference/setup/setup-xes.asciidoc b/docs/reference/setup/setup-xes.asciidoc index ca42437594c83..f5e37402fa14d 100644 --- a/docs/reference/setup/setup-xes.asciidoc +++ b/docs/reference/setup/setup-xes.asciidoc @@ -7,7 +7,7 @@ monitoring, reporting, machine learning, and many other capabilities. By default when you install {es}, {xpack} is installed. If you want to try all of the {xpack} features, you can -{xpack-ref}/license-management.html[start a 30-day trial]. At the end of the +{stack-ov}/license-management.html[start a 30-day trial]. At the end of the trial period, you can purchase a subscription to keep using the full functionality of the {xpack} components. For more information, see https://www.elastic.co/subscriptions. diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 417b26cbd09b3..ed49193db2476 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -18,7 +18,7 @@ The following is a list of the events that can be generated: realm type. | `access_denied` | | | Logged when an authenticated user attempts to execute an action they do not have the necessary - <> to perform. + <> to perform. | `access_granted` | | | Logged when an authenticated user attempts to execute an action they have the necessary privilege to perform. When the `system_access_granted` event is included, all system @@ -28,7 +28,7 @@ The following is a list of the events that can be generated: another user that they have the necessary privileges to do. | `run_as_denied` | | | Logged when an authenticated user attempts to <> another user action they do not have the necessary - <> to do so. + <> to do so. | `tampered_request` | | | Logged when the {security-features} detect that the request has been tampered with. Typically relates to `search/scroll` requests when the scroll ID is believed to have been diff --git a/x-pack/docs/en/security/authentication/index.asciidoc b/x-pack/docs/en/security/authentication/index.asciidoc index 7a0d469fe6670..0723f5ee30b37 100644 --- a/x-pack/docs/en/security/authentication/index.asciidoc +++ b/x-pack/docs/en/security/authentication/index.asciidoc @@ -12,11 +12,7 @@ include::native-realm.asciidoc[] include::pki-realm.asciidoc[] include::saml-realm.asciidoc[] include::kerberos-realm.asciidoc[] - -include::{xes-repo-dir}/security/authentication/custom-realm.asciidoc[] - -include::{xes-repo-dir}/security/authentication/anonymous-access.asciidoc[] - -include::{xes-repo-dir}/security/authentication/user-cache.asciidoc[] - -include::{xes-repo-dir}/security/authentication/saml-guide.asciidoc[] +include::custom-realm.asciidoc[] +include::anonymous-access.asciidoc[] +include::user-cache.asciidoc[] +include::saml-guide.asciidoc[] diff --git a/x-pack/docs/en/security/authentication/saml-guide.asciidoc b/x-pack/docs/en/security/authentication/saml-guide.asciidoc index 0ff903213e924..c02867aac8d2a 100644 
--- a/x-pack/docs/en/security/authentication/saml-guide.asciidoc +++ b/x-pack/docs/en/security/authentication/saml-guide.asciidoc @@ -90,7 +90,7 @@ configure the HTTP interface to use SSL/TLS before you can enable SAML authentication. For more information, see -{ref}/configuring-tls.html#tls-http[Encrypting HTTP Client Communications]. +<>. [[saml-enable-token]] ==== Enable the token service @@ -378,7 +378,7 @@ successfully authenticated, the Authentication Statement of the SAML Response contains an indication of the restrictions that were satisfied. You can define the Authentication Context Class Reference values by using the `req_authn_context_class_ref` option in the SAML realm configuration. See -{ref}/security-settings.html#ref-saml-settings[SAML realm settings]. +<>. {es} supports only the `exact` comparison method for the Authentication Context. When it receives the Authentication Response from the IdP, {es} examines the @@ -496,7 +496,7 @@ You should consult the documentation for your IdP to determine what formats they support. Since PEM format is the most commonly supported format, the examples below will generate certificates in that format. -Using the {ref}/certutil.html[`elasticsearch-certutil`] tool, you can generate a +Using the <> tool, you can generate a signing certificate with the following command: [source, sh] @@ -536,7 +536,7 @@ The path to the PEM formatted key file. e.g. `saml/saml-sign.key` `signing.secure_key_passphrase`:: The passphrase for the key, if the file is encrypted. This is a -{ref}/secure-settings.html[secure setting] that must be set with the +<> that must be set with the `elasticsearch-keystore` tool. If you wish to use *PKCS#12 formatted* files or a *Java Keystore* for 
@@ -550,7 +550,7 @@ The alias of the key within the keystore. e.g. `signing-key` `signing.keystore.secure_password`:: The passphrase for the keystore, if the file is encrypted. This is a -{ref}/secure-settings.html[secure setting] that must be set with the +<> that must be set with the `elasticsearch-keystore` tool. If you wish to sign some, but not all outgoing *SAML messages*, then you @@ -587,7 +587,7 @@ The path to the PEM formatted key file. e.g. `saml/saml-crypt.key` `encryption.secure_key_passphrase`:: The passphrase for the key, if the file is encrypted. This is a -{ref}/secure-settings.html[secure setting] that must be set with the +<> that must be set with the `elasticsearch-keystore` tool. If you wish to use *PKCS#12 formatted* files or a *Java Keystore* for SAML @@ -601,7 +601,7 @@ The alias of the key within the keystore. e.g. `encryption-key` `encryption.keystore.secure_password`:: The passphrase for the keystore, if the file is encrypted. This is a -{ref}/secure-settings.html[secure setting] that must be set with the +<> that must be set with the `elasticsearch-keystore` tool. [[saml-sp-metadata]] @@ -614,7 +614,7 @@ between the IdP and the SP. The Elastic Stack supports generating such a metadata file using the `bin/elasticsearch-saml-metadata` command in your {es} directory. -The {ref}/saml-metadata.html[documentation for the elasticsearch-saml-metadata utility] +The <> describes how to run it, and the available command line options. [[saml-role-mapping]] @@ -626,10 +626,10 @@ access any data. Your SAML users cannot do anything until they are assigned roles. This can be done through either the -{ref}/security-api-put-role-mapping.html[add role mapping API], or with +<> or with <>. -NOTE: You cannot use {stack-ov}/mapping-roles.html#mapping-roles-file[role mapping files] +NOTE: You cannot use <> to grant roles to users authenticating via SAML. This is an example of a simple role mapping that grants the `kibana_user` role 
@@ -662,7 +662,7 @@ mapping are derived from the SAML attributes as follows: - `metadata`: See <> For more information, see <> and -{ref}/security-api.html#security-role-mapping-apis[role mapping APIs]. +<>. If your IdP has the ability to provide groups or roles to Service Providers, then you should map this SAML attribute to the `attributes.groups` setting in @@ -879,5 +879,5 @@ Additionally, different security domains have different security requirements th specific configuration to be satisfied. A conscious effort has been made to mask this complexity with sane defaults and the detailed documentation above but in case you encounter issues while configuring a SAML realm, you can -look through our {stack-ov}/trb-security-saml.html[SAML troubleshooting documentation] that has +look through our <> that has suggestions and resolutions for common issues. diff --git a/x-pack/docs/en/security/authentication/token-authentication-services.asciidoc b/x-pack/docs/en/security/authentication/token-authentication-services.asciidoc index 04e8238a89ed3..49621500db53d 100644 --- a/x-pack/docs/en/security/authentication/token-authentication-services.asciidoc +++ b/x-pack/docs/en/security/authentication/token-authentication-services.asciidoc @@ -13,7 +13,7 @@ The {security-features} provide the following built-in token-based authenticatio services, which are listed in the order they are consulted: _token-service_:: -The token service uses the {ref}/security-api-get-token.html[get token API] to +The token service uses the <> to generate access tokens and refresh tokens based on the OAuth2 specification. The access token is a short-lived token. By default, it expires after 20 minutes but it can be configured to last a maximum of 1 hour. It can be refreshed by 
@@ -32,7 +32,7 @@ curl -H "Authorization: Bearer dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvb _api-key-service_:: The API key service uses the -{ref}/security-api-create-api-key.html[create API key API] to generate API keys. +<> to generate API keys. By default, the API keys do not expire. When you make a request to create API keys, you can specify an expiration and permissions for the API key. The permissions are limited by the authenticated user's permissions. You can use the @@ -54,5 +54,5 @@ service to use to generate and manage the tokens. Non-expiring API keys may seem like the easy option but you must consider the security implications that come with non-expiring keys. Both the _token-service_ and _api-key-service_ permit you to invalidate the tokens. See -{ref}/security-api-invalidate-token.html[invalidate token API] and -{ref}/security-api-invalidate-api-key.html[invalidate API key API]. +<> and +<>. diff --git a/x-pack/docs/en/security/authorization/index.asciidoc b/x-pack/docs/en/security/authorization/index.asciidoc index d6df16e41e04d..df8210c4dd5ad 100644 --- a/x-pack/docs/en/security/authorization/index.asciidoc +++ b/x-pack/docs/en/security/authorization/index.asciidoc @@ -3,7 +3,7 @@ include::overview.asciidoc[] include::built-in-roles.asciidoc[] -include::{xes-repo-dir}/security/authorization/managing-roles.asciidoc[] +include::managing-roles.asciidoc[] include::privileges.asciidoc[] 
@@ -11,12 +11,12 @@ include::document-level-security.asciidoc[] include::field-level-security.asciidoc[] -include::{xes-repo-dir}/security/authorization/alias-privileges.asciidoc[] +include::alias-privileges.asciidoc[] -include::{xes-repo-dir}/security/authorization/mapping-roles.asciidoc[] +include::mapping-roles.asciidoc[] -include::{xes-repo-dir}/security/authorization/field-and-document-access-control.asciidoc[] +include::field-and-document-access-control.asciidoc[] -include::{xes-repo-dir}/security/authorization/run-as-privilege.asciidoc[] +include::run-as-privilege.asciidoc[] -include::{xes-repo-dir}/security/authorization/custom-authorization.asciidoc[] +include::custom-authorization.asciidoc[] diff --git a/x-pack/docs/en/security/configuring-es.asciidoc b/x-pack/docs/en/security/configuring-es.asciidoc index ac816ce3d0aec..9616e36a0bb0e 100644 --- a/x-pack/docs/en/security/configuring-es.asciidoc +++ b/x-pack/docs/en/security/configuring-es.asciidoc @@ -8,8 +8,7 @@ The {es} {security-features} enable you to easily secure a cluster. You can password-protect your data as well as implement more advanced security measures such as encrypting communications, role-based access control, IP filtering, and -auditing. For more information, see -{stack-ov}/elasticsearch-security.html[Securing the {stack}]. +auditing. To use {es} {security-features}: @@ -25,7 +24,7 @@ https://www.elastic.co/subscriptions and . Verify that the `xpack.security.enabled` setting is `true` on each node in your cluster. If you are using a trial license, the default value is `false`. -For more information, see {ref}/security-settings.html[Security Settings in {es}]. +For more information, see <>. . If you plan to run {es} in a Federal Information Processing Standard (FIPS) 140-2 enabled JVM, see <>. 
@@ -37,7 +36,7 @@ NOTE: This requirement applies to clusters with more than one node and to clusters with a single node that listens on an external interface. Single-node clusters that use a loopback interface do not have this requirement. For more information, see -{stack-ov}/encrypting-communications.html[Encrypting Communications]. +<>. -- .. <>. @@ -50,7 +49,7 @@ information, see + -- The {es} {security-features} provide -{stack-ov}/built-in-users.html[built-in users] to +<> to help you get up and running. The +elasticsearch-setup-passwords+ command is the simplest method to set the built-in users' passwords for the first time. @@ -125,7 +124,7 @@ curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/johndoe' -H "Content xpack.security.audit.enabled: true ---------------------------- + -For more information, see {stack-ov}/auditing.html[Auditing Security Events] +For more information, see <> and <>. .. Restart {es}. 
@@ -135,27 +134,18 @@ By default, events are logged to a dedicated `elasticsearch-access.log` file in easier analysis and control what events are logged. deprecated[6.7.0] -- -include::{es-repo-dir}/security/securing-communications/securing-elasticsearch.asciidoc[] - -include::{es-repo-dir}/security/securing-communications/configuring-tls-docker.asciidoc[] - -include::{es-repo-dir}/security/securing-communications/enabling-cipher-suites.asciidoc[] - -include::{es-repo-dir}/security/securing-communications/separating-node-client-traffic.asciidoc[] - +include::securing-communications/securing-elasticsearch.asciidoc[] +include::securing-communications/configuring-tls-docker.asciidoc[] +include::securing-communications/enabling-cipher-suites.asciidoc[] +include::securing-communications/separating-node-client-traffic.asciidoc[] include::authentication/configuring-active-directory-realm.asciidoc[] include::authentication/configuring-file-realm.asciidoc[] include::authentication/configuring-ldap-realm.asciidoc[] include::authentication/configuring-native-realm.asciidoc[] include::authentication/configuring-pki-realm.asciidoc[] include::authentication/configuring-saml-realm.asciidoc[] - include::authentication/configuring-kerberos-realm.asciidoc[] - include::fips-140-compliance.asciidoc[] - include::{es-repo-dir}/settings/security-settings.asciidoc[] - -include::{es-repo-dir}/security/reference/files.asciidoc[] - +include::reference/files.asciidoc[] include::{es-repo-dir}/settings/audit-settings.asciidoc[] diff --git a/x-pack/docs/en/security/fips-140-compliance.asciidoc b/x-pack/docs/en/security/fips-140-compliance.asciidoc index 0216e61784cdb..0e46fd8c6f45a 100644 --- a/x-pack/docs/en/security/fips-140-compliance.asciidoc +++ b/x-pack/docs/en/security/fips-140-compliance.asciidoc 
@@ -114,7 +114,7 @@ features are not available while running in fips mode. The list is as follows: * Azure Classic Discovery Plugin * Ingest Attachment Plugin -* The {ref}/certutil.html[`elasticsearch-certutil`] tool. However, +* The <> tool. However, `elasticsearch-certutil` can very well be used in a non FIPS 140-2 enabled JVM (pointing `JAVA_HOME` environment variable to a different java installation) in order to generate the keys and certificates that diff --git a/x-pack/docs/en/security/get-started-builtin-users.asciidoc b/x-pack/docs/en/security/get-started-builtin-users.asciidoc index 0f8d109d58eae..23c656ddd6268 100644 --- a/x-pack/docs/en/security/get-started-builtin-users.asciidoc +++ b/x-pack/docs/en/security/get-started-builtin-users.asciidoc @@ -13,7 +13,7 @@ the following command from the {es} directory: ./bin/elasticsearch ---------------------------------------------------------------------- -See {ref}/starting-elasticsearch.html[Starting {es}]. +See <>. -- . Set the built-in users' passwords. Run the following command from the {es} diff --git a/x-pack/docs/en/security/get-started-enable-security.asciidoc b/x-pack/docs/en/security/get-started-enable-security.asciidoc index bbe2999fc6753..97012c0243dca 100644 --- a/x-pack/docs/en/security/get-started-enable-security.asciidoc +++ b/x-pack/docs/en/security/get-started-enable-security.asciidoc @@ -8,7 +8,7 @@ line. See {kibana-ref}/start-stop.html[Starting and stopping {kib}]. . Stop {es}. For example, if you installed {es} from an archive distribution, enter `Ctrl-C` on the command line. See -{ref}/stopping-elasticsearch.html[Stopping {es}]. +<>. . Add the `xpack.security.enabled` setting to the `ES_PATH_CONF/elasticsearch.yml` file. 
@@ -18,7 +18,7 @@ TIP: The `ES_PATH_CONF` environment variable contains the path for the {es} configuration files. If you installed {es} using archive distributions (`zip` or `tar.gz`), it defaults to `ES_HOME/config`. If you used package distributions (Debian or RPM), it defaults to `/etc/elasticsearch`. For more information, see -{ref}/settings.html[Configuring {es}]. +<>. For example, add the following setting: diff --git a/x-pack/docs/en/security/get-started-security.asciidoc b/x-pack/docs/en/security/get-started-security.asciidoc index 141dfd6860ad9..bf0fea3cdb350 100644 --- a/x-pack/docs/en/security/get-started-security.asciidoc +++ b/x-pack/docs/en/security/get-started-security.asciidoc @@ -19,7 +19,7 @@ IMPORTANT: To complete this tutorial, you must install the default {es} and authentication {security-features}. When you install these products, they apply basic licenses with no expiration dates. All of the subsequent steps in this tutorial assume that you are using a basic license. For more information, see -{subscriptions} and <>. +{subscriptions} and {stack-ov}/license-management.html[License management]. -- @@ -55,7 +55,7 @@ discovery.type: single-node ---- For more information, see -{ref}/bootstrap-checks.html#single-node-discovery[Single-node discovery]. +<>. -- When you enable {es} {security-features}, basic authentication is enabled by @@ -351,7 +351,7 @@ using the native realm. You learned how to create user IDs and roles that prevent unauthorized access to the {stack}. Next, you'll want to try other features that are unlocked by your trial license, -such as {ml}. See <>. +such as {ml}. See {stack-ov}/ml-getting-started.html[Getting started with {ml}]. Later, when you're ready to increase the number of nodes in your cluster or set up an production environment, you'll want to encrypt communications across the 
@@ -359,7 +359,7 @@ up an production environment, you'll want to encrypt communications across the For more detailed information about securing the {stack}, see: -* {ref}/configuring-security.html[Configuring security in {es}]. Encrypt +* <>. Encrypt inter-node communications, set passwords for the built-in users, and manage your users and roles. diff --git a/x-pack/docs/en/security/index.asciidoc b/x-pack/docs/en/security/index.asciidoc index 320342dec13be..7d591c558ede6 100644 --- a/x-pack/docs/en/security/index.asciidoc +++ b/x-pack/docs/en/security/index.asciidoc 
@@ -1,109 +1,39 @@ -[role="xpack"] -[[elasticsearch-security]] -= Securing the {stack} +[[secure-cluster]] += Secure a cluster [partintro] -- The {stack-security-features} enable you to easily secure a cluster. You can password-protect your data as well as implement more advanced security measures such as encrypting communications, role-based access control, -IP filtering, and auditing. This guide describes how to configure the security -features you need, and interact with your secured cluster. - -Security protects Elasticsearch clusters by: - -* <> - with password protection, role-based access control, and IP filtering. -* <> - with message authentication and SSL/TLS encryption. -* <> - so you know who's doing what to your cluster and the data it stores. - -[float] -[[preventing-unauthorized-access]] -=== Preventing unauthorized access - -To prevent unauthorized access to your Elasticsearch cluster, you must have a -way to _authenticate_ users. This simply means that you need a way to validate -that a user is who they claim to be. For example, you have to make sure only -the person named _Kelsey Andorra_ can sign in as the user `kandorra`. The -{es-security-features} provide a standalone authentication mechanism that enables -you to quickly password-protect your cluster. If you're already using -<>, <>, or -<> to manage users in your organization, the {security-features} -are able to integrate with those systems to perform user authentication. - -In many cases, simply authenticating users isn't enough. You also need a way to -control what data users have access to and what tasks they can perform. The -{es-security-features} enable you to _authorize_ users by assigning access -_privileges_ to _roles_ and assigning those roles to users. For example, this -<> mechanism (a.k.a RBAC) enables -you to specify that the user `kandorra` can only perform read operations on the -`events` index and can't do anything at all with other indices. 
- -The {security-features} also support <>. -You can whitelist and blacklist specific IP addresses or subnets to control -network-level access to a server. - -[float] -[[preserving-data-integrity]] -=== Preserving data integrity - -A critical part of security is keeping confidential data confidential. -Elasticsearch has built-in protections against accidental data loss and -corruption. However, there's nothing to stop deliberate tampering or data -interception. The {stack-security-features} preserve the integrity of your -data by <> to and from nodes. For even -greater protection, you can increase the <> and -<>. - - -[float] -[[maintaining-audit-trail]] -=== Maintaining an audit trail - -Keeping a system secure takes vigilance. By using {stack-security-features} to -maintain an audit trail, you can easily see who is accessing your cluster and -what they're doing. By analyzing access patterns and failed attempts to access -your cluster, you can gain insights into attempted attacks and data breaches. -Keeping an auditable log of the activity in your cluster can also help diagnose -operational issues. - -[float] -=== Where to Go Next - -* <> - steps through how to install and start using Security for basic authentication. - -* <> - provides more information about how Security supports user authentication, - authorization, and encryption. - +IP filtering, and auditing. + +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> * <> - shows you how to interact with an Elasticsearch cluster protected by the - {stack-security-features}. +* <> +* <> +* <> +* <> -[float] -=== Have Comments, Questions, or Feedback? - -Head over to our {security-forum}[Security Discussion Forum] -to share your experience, questions, and suggestions. 
-- +include::overview.asciidoc[] +include::configuring-es.asciidoc[] include::how-security-works.asciidoc[] - include::authentication/index.asciidoc[] - include::authorization/index.asciidoc[] - -include::{xes-repo-dir}/security/auditing/index.asciidoc[] - -include::{xes-repo-dir}/security/securing-communications.asciidoc[] - -include::{xes-repo-dir}/security/using-ip-filtering.asciidoc[] - -include::{xes-repo-dir}/security/tribe-clients-integrations.asciidoc[] - +include::auditing/index.asciidoc[] +include::securing-communications/index.asciidoc[] +include::using-ip-filtering.asciidoc[] +include::tribe-clients-integrations/index.asciidoc[] include::get-started-security.asciidoc[] - include::securing-communications/tutorial-tls-intro.asciidoc[] +include::troubleshooting.asciidoc[] +include::limitations.asciidoc[] diff --git a/x-pack/docs/en/security/limitations.asciidoc b/x-pack/docs/en/security/limitations.asciidoc index 0d075847ca89d..5c0ada645aee3 100644 --- a/x-pack/docs/en/security/limitations.asciidoc +++ b/x-pack/docs/en/security/limitations.asciidoc @@ -1,6 +1,9 @@ [role="xpack"] [[security-limitations]] == Security limitations +++++ +Limitations +++++ [float] === Plugins diff --git a/docs/reference/security/overview.asciidoc b/x-pack/docs/en/security/overview.asciidoc similarity index 100% rename from docs/reference/security/overview.asciidoc rename to x-pack/docs/en/security/overview.asciidoc diff --git a/docs/reference/security/reference/files.asciidoc b/x-pack/docs/en/security/reference/files.asciidoc similarity index 100% rename from docs/reference/security/reference/files.asciidoc rename to x-pack/docs/en/security/reference/files.asciidoc 
diff --git a/docs/reference/security/securing-communications/configuring-tls-docker.asciidoc b/x-pack/docs/en/security/securing-communications/configuring-tls-docker.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/configuring-tls-docker.asciidoc rename to x-pack/docs/en/security/securing-communications/configuring-tls-docker.asciidoc diff --git a/docs/reference/security/securing-communications/enabling-cipher-suites.asciidoc b/x-pack/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc similarity index 96% rename from docs/reference/security/securing-communications/enabling-cipher-suites.asciidoc rename to x-pack/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc index b727b55aadcfa..80d899c350e8e 100644 --- a/docs/reference/security/securing-communications/enabling-cipher-suites.asciidoc +++ b/x-pack/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc @@ -1,6 +1,6 @@ [role="xpack"] [[ciphers]] -=== Enabling Cipher Suites for Stronger Encryption +=== Enabling cipher suites for stronger encryption The TLS and SSL protocols use a cipher suite that determines the strength of encryption used to protect the data. You may want to increase the strength of diff --git a/x-pack/docs/en/security/securing-communications.asciidoc b/x-pack/docs/en/security/securing-communications/index.asciidoc similarity index 69% rename from x-pack/docs/en/security/securing-communications.asciidoc rename to x-pack/docs/en/security/securing-communications/index.asciidoc index 4d4af4c405f3b..52a9a2868e4ab 100644 --- a/x-pack/docs/en/security/securing-communications.asciidoc +++ b/x-pack/docs/en/security/securing-communications/index.asciidoc 
@@ -18,14 +18,4 @@ This section shows how to: The authentication of new nodes helps prevent a rogue node from joining the cluster and receiving data through replication. -include::{es-repo-dir}/security/securing-communications/setting-up-ssl.asciidoc[] - -[[ciphers]] -=== Enabling cipher suites for stronger encryption - -See {ref}/ciphers.html[Enabling Cipher Suites for Stronger Encryption]. - -[[separating-node-client-traffic]] -=== Separating node-to-node and client traffic - -See {ref}/separating-node-client-traffic.html[Separating node-to-node and client traffic]. +include::setting-up-ssl.asciidoc[] diff --git a/docs/reference/security/securing-communications/node-certificates.asciidoc b/x-pack/docs/en/security/securing-communications/node-certificates.asciidoc similarity index 97% rename from docs/reference/security/securing-communications/node-certificates.asciidoc rename to x-pack/docs/en/security/securing-communications/node-certificates.asciidoc index d0d4d108abada..de1279874f22f 100644 --- a/docs/reference/security/securing-communications/node-certificates.asciidoc +++ b/x-pack/docs/en/security/securing-communications/node-certificates.asciidoc @@ -1,6 +1,6 @@ [role="xpack"] [[node-certificates]] -==== Generating Node Certificates +==== Generating node certificates TLS requires X.509 certificates to perform encryption and authentication of the application that is being communicated with. In order for the communication 
@@ -13,7 +13,7 @@ Additionally, it is recommended that the certificates contain subject alternativ names (SAN) that correspond to the node's IP address and DNS name so that hostname verification can be performed. -The {ref}/certutil.html[`elasticsearch-certutil`] command simplifies the process +The <> command simplifies the process of generating certificates for the {stack}. It takes care of generating a CA and signing certificates with the CA. It can be used interactively or in a silent mode through the use of an input file. It also supports generation of diff --git a/docs/reference/security/securing-communications/securing-elasticsearch.asciidoc b/x-pack/docs/en/security/securing-communications/securing-elasticsearch.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/securing-elasticsearch.asciidoc rename to x-pack/docs/en/security/securing-communications/securing-elasticsearch.asciidoc diff --git a/docs/reference/security/securing-communications/separating-node-client-traffic.asciidoc b/x-pack/docs/en/security/securing-communications/separating-node-client-traffic.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/separating-node-client-traffic.asciidoc rename to x-pack/docs/en/security/securing-communications/separating-node-client-traffic.asciidoc diff --git a/docs/reference/security/securing-communications/setting-up-ssl.asciidoc b/x-pack/docs/en/security/securing-communications/setting-up-ssl.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/setting-up-ssl.asciidoc rename to x-pack/docs/en/security/securing-communications/setting-up-ssl.asciidoc 
diff --git a/docs/reference/security/securing-communications/tls-ad.asciidoc b/x-pack/docs/en/security/securing-communications/tls-ad.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/tls-ad.asciidoc rename to x-pack/docs/en/security/securing-communications/tls-ad.asciidoc diff --git a/docs/reference/security/securing-communications/tls-http.asciidoc b/x-pack/docs/en/security/securing-communications/tls-http.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/tls-http.asciidoc rename to x-pack/docs/en/security/securing-communications/tls-http.asciidoc diff --git a/docs/reference/security/securing-communications/tls-ldap.asciidoc b/x-pack/docs/en/security/securing-communications/tls-ldap.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/tls-ldap.asciidoc rename to x-pack/docs/en/security/securing-communications/tls-ldap.asciidoc diff --git a/docs/reference/security/securing-communications/tls-transport.asciidoc b/x-pack/docs/en/security/securing-communications/tls-transport.asciidoc similarity index 100% rename from docs/reference/security/securing-communications/tls-transport.asciidoc rename to x-pack/docs/en/security/securing-communications/tls-transport.asciidoc diff --git a/x-pack/docs/en/security/securing-communications/tutorial-tls-addnodes.asciidoc b/x-pack/docs/en/security/securing-communications/tutorial-tls-addnodes.asciidoc index 707a8501102bc..9af46dfc20258 100644 --- a/x-pack/docs/en/security/securing-communications/tutorial-tls-addnodes.asciidoc +++ b/x-pack/docs/en/security/securing-communications/tutorial-tls-addnodes.asciidoc 
@@ -9,11 +9,11 @@ cluster and stores pieces of your data called _shards_. You can add more nodes to your cluster and optionally designate specific purposes for each node. For example, you can allocate master nodes, data nodes, ingest nodes, machine learning nodes, and dedicated coordinating nodes. For details -about each node type, see {ref}/modules-node.html[Nodes]. +about each node type, see <>. In a single cluster, you can have as many nodes as you want but they must be able to communicate with each other. The communication between nodes in a -cluster is handled by the {ref}/modules-transport.html[transport module]. To +cluster is handled by the <>. To secure your cluster, you must ensure that the internode communications are encrypted. @@ -25,8 +25,8 @@ When you are deploying a production environment, however, you are generally adding nodes on different machines so that your cluster is resilient to outages and avoids data loss. In a production scenario, there are additional requirements that are not covered in this tutorial. See -{ref}/bootstrap-checks.html#dev-vs-prod-mode[Development vs production mode] and -{ref}/add-elasticsearch-nodes.html[Adding nodes to your cluster]. +<> and +<>. Let's add two nodes to our cluster! 
@@ -42,19 +42,19 @@ tutorial. + -- .. Enable the {es} {security-features}. -.. Ensure that the nodes share the same {ref}/cluster.name.html[`cluster.name`]. -.. Give each node a unique {ref}/node.name.html[`node.name`]. +.. Ensure that the nodes share the same <>. +.. Give each node a unique <>. .. Specify the minimum number of master-eligible nodes that must be available to form a cluster. By default, each node is eligible to be elected as the -{ref}/modules-node.html#master-node[master node] and control the cluster. To +<> and control the cluster. To avoid a _split brain_ scenario where multiple nodes elect themselves as the master, use the `discovery.zen.minimum_master_nodes` setting. By default, if you run multiple {es} nodes on the same machine, it automatically uses free ports in the range 9200-9300 for HTTP and 9300-9400 for transport. If you want to assign specific port numbers to each node, however, -you can add {ref}/modules-transport.html[TCP transport settings]. You can then -provide a list of these {ref}/modules-discovery-zen.html#discovery-seed-nodes[seed nodes], +you can add <>. You can then +provide a list of these <>, which is used to discover the nodes in your cluster. For example, add the following settings to the `ES_PATH_CONF/elasticsearch.yml` @@ -114,7 +114,7 @@ package, run the following command from each {es} directory: ./bin/elasticsearch ---------------------------------------------------------------------- -See {ref}/starting-elasticsearch.html[Starting {es}]. +See <>. -- @@ -132,7 +132,7 @@ See {kibana-ref}/start-stop.html[Starting and stopping {kib}]. -- . Verify that your cluster now contains three nodes. For example, use the -{ref}/cluster-health.html[cluster health API]: +<>: + -- [source,js] 
@@ -143,7 +143,7 @@ GET _cluster/health Confirm the `number_of_nodes` in the response from this API. -You can also use the {ref}/cat-nodes.html[cat nodes API] to identify the master +You can also use the <> to identify the master node: [source,js] @@ -159,4 +159,4 @@ node. Now that you have multiple nodes, your data can be distributed across the cluster in multiple primary and replica shards. For more information about the concepts of clusters, nodes, and shards, see -{ref}/getting-started.html[Getting started with {es}]. +<>. diff --git a/x-pack/docs/en/security/securing-communications/tutorial-tls-certificates.asciidoc b/x-pack/docs/en/security/securing-communications/tutorial-tls-certificates.asciidoc index b9cbc4482350a..6bc04e4967d13 100644 --- a/x-pack/docs/en/security/securing-communications/tutorial-tls-certificates.asciidoc +++ b/x-pack/docs/en/security/securing-communications/tutorial-tls-certificates.asciidoc @@ -48,7 +48,7 @@ same IP address and hostname. In general, clusters are more resilient when they contain nodes from multiple servers and this list would reflect that diversity. For information about all of the possible fields in this file, see -{ref}/certutil.html#certutil-silent[Using elasticsearch-certutil in silent mode]. +<>. Then run the following command: @@ -120,7 +120,7 @@ node's `node.name` value in its `elasticsearch.yml` file. <3> A comma-separated list of DNS names for the new node. <4> A comma-separated list of IP addresses for the new node. -TIP: The {ref}/certutil.html[elasticsearch-certutil] command has a lot more +TIP: The <> command has a lot more options. For example, it can generate Privacy Enhanced Mail (PEM) formatted certificates and keys. It can also generate certificate signing requests (CSRs) that you can use to obtain signed certificates from a commercial or 
diff --git a/x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc b/x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc index 3e91bf834b99c..efa4be9712b40 100644 --- a/x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc +++ b/x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc @@ -7,7 +7,7 @@ you must update your cluster to use these files. . Stop each {es} node. For example, if you installed {es} from an archive distribution, enter `Ctrl-C` on the command line. See -{ref}/stopping-elasticsearch.html[Stopping {es}]. +<>. . On each node, enable Transport Layer Security (TLS/SSL) for transport (internode) communications. You must also configure each node to identify itself @@ -32,7 +32,7 @@ generate your certificates, you might have different values for these settings, but that scenario is not covered in this tutorial. For more information about these settings, see -{ref}/security-settings.html#transport-tls-ssl-settings[Transport TLS settings]. +<>. -- . On each node, store the password for PKCS#12 file in the {es} keystore. @@ -64,7 +64,7 @@ package, run the following command from each {es} directory: ./bin/elasticsearch ---------------------------------------------------------------------- -See {ref}/starting-elasticsearch.html[Starting {es}]. +See <>. -- . (Optional) Restart {kib}. For example, if you installed @@ -81,7 +81,7 @@ See {kibana-ref}/start-stop.html[Starting and stopping {kib}]. -- . Verify that your cluster is healthy. For example, use the -{ref}/cluster-health.html[cluster health API]: +<>: + -- [source,js] 
@@ -102,7 +102,7 @@ If you encounter errors, you can see some common problems and solutions in Congratulations! You've encrypted communications between the nodes in your cluster and can pass the -{ref}/bootstrap-checks-xpack.html#bootstrap-checks-tls[TLS bootstrap check]. +<>. If you want to encrypt communications between other products in the {stack}, see <>. diff --git a/x-pack/docs/en/security/securing-communications/tutorial-tls-intro.asciidoc b/x-pack/docs/en/security/securing-communications/tutorial-tls-intro.asciidoc index 9975dbbd1bd70..9a9ec006ae6ee 100644 --- a/x-pack/docs/en/security/securing-communications/tutorial-tls-intro.asciidoc +++ b/x-pack/docs/en/security/securing-communications/tutorial-tls-intro.asciidoc @@ -5,7 +5,7 @@ When you enable {es} {security-features}, unless you have a trial license, you must use Transport Layer Security (TLS) to encrypt internode communication. In this tutorial, you learn how to meet the minimum requirements to pass the -{ref}/bootstrap-checks-xpack.html#bootstrap-checks-tls[TLS bootstrap check]. +<>. NOTE: Single-node clusters that use a loopback interface do not have this requirement. @@ -33,7 +33,7 @@ particular, this tutorial provides instructions that work with the `zip` and By default, when you install {stack} products, they apply basic licenses with no expiration dates. To complete this tutorial, you must have a basic or trial license at a minimum. For more information, see {subscriptions} and -<>. +{stack-ov}/license-management.html[License management]. -- . <>. @@ -49,7 +49,7 @@ line. See {kibana-ref}/start-stop.html[Starting and stopping {kib}]. . Stop {es}. For example, if you installed {es} from an archive distribution, enter `Ctrl-C` on the command line. See -{ref}/stopping-elasticsearch.html[Stopping {es}]. +<>. include::tutorial-tls-addnodes.asciidoc[] include::tutorial-tls-certificates.asciidoc[] 
diff --git a/x-pack/docs/en/security/tribe-clients-integrations.asciidoc b/x-pack/docs/en/security/tribe-clients-integrations/index.asciidoc similarity index 67% rename from x-pack/docs/en/security/tribe-clients-integrations.asciidoc rename to x-pack/docs/en/security/tribe-clients-integrations/index.asciidoc index 1bbcf4a198f79..5ae83b082aa0b 100644 --- a/x-pack/docs/en/security/tribe-clients-integrations.asciidoc +++ b/x-pack/docs/en/security/tribe-clients-integrations/index.asciidoc @@ -5,14 +5,14 @@ When using {ref}/modules-cross-cluster-search.html[Cross Cluster Search] or {ref}/modules-tribe.html[Tribe Nodes] you need to take extra steps to secure communications with the connected clusters. -* <> -* <> +* <> +* <> You will need to update the configuration for several clients to work with a secured cluster: -* <> -* <> +* <> +* <> The {es} {security-features} enable you to secure your {es} cluster. But @@ -32,16 +32,10 @@ be secured as well, or at least communicate with the cluster in a secured way: * {kibana-ref}/secure-reporting.html[Reporting] * {winlogbeat-ref}/securing-beats.html[Winlogbeat] -include::tribe-clients-integrations/cross-cluster.asciidoc[] - -include::tribe-clients-integrations/tribe.asciidoc[] - -include::tribe-clients-integrations/java.asciidoc[] - -include::tribe-clients-integrations/http.asciidoc[] - -include::tribe-clients-integrations/hadoop.asciidoc[] - -include::tribe-clients-integrations/beats.asciidoc[] - -include::tribe-clients-integrations/monitoring.asciidoc[] +include::cross-cluster.asciidoc[] +include::tribe.asciidoc[] +include::java.asciidoc[] +include::http.asciidoc[] +include::hadoop.asciidoc[] +include::beats.asciidoc[] +include::monitoring.asciidoc[] diff --git a/x-pack/docs/en/security/tribe-clients-integrations/monitoring.asciidoc b/x-pack/docs/en/security/tribe-clients-integrations/monitoring.asciidoc index 37c7e38f651bd..a46767629a003 100644 --- a/x-pack/docs/en/security/tribe-clients-integrations/monitoring.asciidoc 
+++ b/x-pack/docs/en/security/tribe-clients-integrations/monitoring.asciidoc @@ -1,7 +1,7 @@ [[secure-monitoring]] === Monitoring and security -The <> consist of two components: +The {stack} {monitor-features} consist of two components: an agent that you install on on each {es} and Logstash node, and a Monitoring UI in {kib}. The monitoring agent collects and indexes metrics from the nodes and you visualize the data through the Monitoring dashboards in {kib}. The agent @@ -17,7 +17,7 @@ with the monitoring cluster. For more information, see: -* {ref}/configuring-monitoring.html[Configuring monitoring in {es}] +* <> * {kibana-ref}/monitoring-xpack-kibana.html[Configuring monitoring in {kib}] * {logstash-ref}/configuring-logstash.html[Configuring monitoring for Logstash nodes] diff --git a/x-pack/docs/en/security/troubleshooting.asciidoc b/x-pack/docs/en/security/troubleshooting.asciidoc index 6acde6db37bfc..03e276d4c51f9 100644 --- a/x-pack/docs/en/security/troubleshooting.asciidoc +++ b/x-pack/docs/en/security/troubleshooting.asciidoc @@ -2,7 +2,7 @@ [[security-troubleshooting]] == Troubleshooting security ++++ -Security +Troubleshooting ++++ Use the information in this section to troubleshoot common problems and find @@ -22,8 +22,11 @@ answers for frequently asked questions. * <> * <> - -To get help, see <>. +For issues that you cannot fix yourself … we’re here to help. +If you are an existing Elastic customer with a support contract, please create +a ticket in the +https://support.elastic.co/customers/s/login/[Elastic Support portal]. +Or post in the https://discuss.elastic.co/[Elastic forum]. [[security-auth-failure-upgrade]] === Can't log in after upgrading to {version} @@ -53,7 +56,7 @@ index in the old format to a 6.0 cluster. *Symptoms:* -* When you use the {ref}/cluster-nodes-info.html[nodes info API] to retrieve +* When you use the <> to retrieve settings for a node, some information is missing. *Resolution:* 
@@ -100,7 +103,7 @@ jacknich : monitoring,unknown_role* <1> <1> `unknown_role` was not found in `roles.yml` For more information about this command, see the -{ref}/users-command.html[`elasticsearch-users` command]. +<>. -- . If you are authenticating to LDAP, a number of configuration options can cause @@ -119,7 +122,7 @@ scenarios. | _group to role mapping_| Either the `role_mapping.yml` file or the location for this file could be -misconfigured. For more information, see {ref}/security-files.html[Security files]. +misconfigured. For more information, see <>. |_role definition_| @@ -159,7 +162,7 @@ recognizes `role1` as an expected parameter. The solution here is to quote the parameter: `-r "role1,role2"`. For more information about this command, see -{ref}/users-command.html[`elasticsearch-users` command]. +<>. [[trouble-shoot-active-directory]] === Users are frequently locked out of Active Directory @@ -299,7 +302,7 @@ verify that all nodes are using the same setting for `xpack.security.transport.ssl.enabled`. For more information about this setting, see -{ref}/security-settings.html[Security Settings in {es}]. +<>. -- `java.io.StreamCorruptedException: invalid internal transport message format, got`:: @@ -311,7 +314,7 @@ connects to a node that has encrypted communication disabled. Please verify that all nodes are using the same setting for `xpack.security.transport.ssl.enabled`. For more information about this setting, see -{ref}/security-settings.html[Security Settings in {es}]. +<>. -- `java.lang.IllegalArgumentException: empty text`:: @@ -327,7 +330,7 @@ xpack.security.http.ssl.enabled: true ---------------- For more information about this setting, see -{ref}/security-settings.html[Security Settings in {es}]. +<>. -- `ERROR: unsupported ciphers [...] were requested but cannot be used in this JVM`:: 
@@ -405,7 +408,7 @@ module use following Kerberos realm setting: xpack.security.authc.realms..krb.debug: true ---------------- -For detailed information, see {ref}/security-settings.html#ref-kerberos-settings[Kerberos realm settings]. +For detailed information, see <>. Sometimes you may need to go deeper to understand the problem during SPNEGO GSS context negotiation or look at the Kerberos message exchange. To enable @@ -415,7 +418,7 @@ Kerberos/SPNEGO debug logging on JVM, add following JVM system properties: `-Dsun.security.spnego.debug=true` -For more information about JVM system properties, see {ref}/jvm-options.html[configuring JVM options]. +For more information about JVM system properties, see <>. [[trb-security-saml]] === Common SAML issues @@ -596,7 +599,7 @@ and the most commonly encountered ones are: . `urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy`: The SAML Identity Provider cannot support releasing a NameID with the requested format. When creating SAML Authentication Requests, {es} sets the NameIDPolicy element of the Authentication request with the appropriate value. This is controlled - by the {ref}/security-settings.html#ref-saml-settings[`nameid_format`] configuration parameter in + by the <> configuration parameter in `elasticsearch.yml`, which if not set defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`. This instructs the Identity Provider to return a NameID with that specific format in the SAML Response. If the SAML Identity Provider cannot grant that request, for example because it is configured to release a 
@@ -699,7 +702,7 @@ Otherwise, {kib} cannot connect to {es}. [[trb-security-setup]] === Setup-passwords command fails due to connection failure -The {ref}/setup-passwords.html[elasticsearch-setup-passwords command] sets +The <> sets passwords for the built-in users by sending user management API requests. If your cluster uses SSL/TLS for the HTTP (REST) interface, the command attempts to establish a connection with the HTTPS protocol. If the connection attempt fails, @@ -776,7 +779,7 @@ Alternatively, set the `xpack.security.http.ssl.enabled` setting to `true`. `xpack.security.http.ssl.verification_mode` to `certificate`. For more information about these settings, see -{ref}/security-settings.html[Security Settings in {es}]. +<>. [[trb-security-path]] === Failures due to relocation of the configuration files @@ -792,7 +795,7 @@ log that indicate a config file is in a deprecated location. By default, in 6.2 and earlier releases, the security configuration files are located in the `ES_PATH_CONF/x-pack` directory, where `ES_PATH_CONF` is an environment variable that defines the location of the -{ref}/settings.html#config-files-location[config directory]. +<>. In 6.3 and later releases, the config directory no longer contains an `x-pack` directory. The files that were stored in this folder, such as the @@ -806,5 +809,5 @@ deprecated, however, and you should move your files out of that folder. In 6.3 and later releases, settings such as `files.role_mapping` default to `ES_PATH_CONF/role_mapping.yml`. If you do not want to use the default locations, you must update the settings appropriately. See -{ref}/security-settings.html[Security settings in {es}]. +<>. diff --git a/x-pack/docs/en/security/using-ip-filtering.asciidoc b/x-pack/docs/en/security/using-ip-filtering.asciidoc index 4e99ec4903dd1..3d44039b4b75f 100644 --- a/x-pack/docs/en/security/using-ip-filtering.asciidoc +++ b/x-pack/docs/en/security/using-ip-filtering.asciidoc 
@@ -78,7 +78,7 @@ xpack.security.http.filter.enabled: true [float] === Specifying TCP transport profiles -{ref}/modules-transport.html[TCP transport profiles] +<> enable Elasticsearch to bind on multiple hosts. The {es} {security-features} enable you to apply different IP filtering on different profiles.
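Review bot: In x-pack/docs/en/security/index.asciidoc (hunk `@@ -1,109 +1,39 @@`), the anchors `[[elasticsearch-security]]`, `[[preventing-unauthorized-access]]`, `[[preserving-data-integrity]]` and `[[maintaining-audit-trail]]` are deleted and nothing visible in this patch re-creates them, so any remaining cross-reference or inbound link to those IDs will stop resolving. Please either keep the IDs on the sections that now carry this content or add redirects for them. The same hunk drops `[role="xpack"]` from the top of the page while limitations.asciidoc and enabling-cipher-suites.asciidoc keep theirs in their context lines; if that is intentional, it is worth a line in the commit message.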
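Review bot: In x-pack/docs/en/security/securing-communications/index.asciidoc (hunk `@@ -18,14 +18,4 @@`), the include becomes the relative `include::setting-up-ssl.asciidoc[]` and the `[[ciphers]]` and `[[separating-node-client-traffic]]` stub sections are removed, but setting-up-ssl.asciidoc itself is moved with similarity index 100%, so whatever include paths it contains are unchanged. Please confirm that its nested includes still resolve from the new x-pack location and that enabling-cipher-suites.asciidoc and separating-node-client-traffic.asciidoc end up included exactly once; otherwise the `[[ciphers]]` ID is either missing from the book or defined twice.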
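Review bot: In x-pack/docs/en/security/tribe-clients-integrations/index.asciidoc (hunk `@@ -5,14 +5,14 @@`), the context lines still link with `{ref}/modules-cross-cluster-search.html[Cross Cluster Search]` and `{ref}/modules-tribe.html[Tribe Nodes]`, while every other file in this patch converts `{ref}/...` links into internal cross-references now that the security pages are built as part of the same book. Converting these two in the same change would keep the page consistent and avoid links that leave the current doc version.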
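Review bot: In x-pack/docs/en/security/tribe-clients-integrations/monitoring.asciidoc (hunk `@@ -1,7 +1,7 @@`), the line directly after the changed sentence reads "an agent that you install on on each {es} and Logstash node", with a doubled "on". Since this hunk already rewrites the first half of that sentence, please fix the typo here as well. For consistency with the new `{stack} {monitor-features}` wording, consider whether "Logstash" on the same line should use the attribute form used elsewhere in these docs.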
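Review bot: In x-pack/docs/en/security/troubleshooting.asciidoc (hunk `@@ -22,8 +22,11 @@`), the added sentence "For issues that you cannot fix yourself … we’re here to help." uses a typographic ellipsis and a curly apostrophe, whereas the rest of the file uses plain ASCII punctuation (for example the heading "Can't log in after upgrading to {version}" just below). Please switch to a straight apostrophe and reword without the ellipsis. The hunk also replaces a single cross-reference with hard-coded support portal and forum URLs; if the same help text appears on other troubleshooting pages, a shared include or attribute would keep those URLs from drifting.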