Elastic
Loading

User authentication

ECE ECK Elastic Cloud Hosted Self Managed

Authentication identifies an individual. To gain access to restricted resources, a user must prove their identity, using passwords, credentials, or some other means (typically referred to as authentication tokens).

The Elastic Stack authenticates users by identifying the users behind the requests that hit the cluster and verifying that they are who they claim to be. The authentication process is handled by one or more authentication services called realms.

You can manage and authenticate users natively, or integrate with external user management systems such as LDAP and Active Directory. If none of the built-in realms meet your needs, you can also build your own custom realm and plug it into the Elastic Stack.

When security features are enabled, depending on the realms you’ve configured, you must attach your user credentials to requests sent to Elasticsearch. For example, when using realms that support usernames and passwords, you can attach a basic auth header to the requests.

The security features provide two services: the token service and the API key service. You can use these services to exchange the current authentication for a token or key. This token or key can then be used as credentials for authenticating new requests. The API key service is enabled by default. The token service is enabled by default when TLS/SSL is enabled for HTTP.

Review the following topics to learn about authentication in your Elasticsearch cluster.

Tip

If you use Elastic Cloud Enterprise or Elastic Cloud Hosted, then you can also manage authentication at the level of your Elastic Cloud Enterprise orchestrator or Elastic Cloud organization.

If you use Elastic Cloud Serverless, then you can only manage authentication at the Elastic Cloud organization level.