Configure security in a self-managed cluster

Self Managed

Security needs vary depending on whether you’re developing locally on your laptop or securing all communications in a production environment. Regardless of where you’re deploying the Elastic Stack ("ELK"), running a secure cluster is incredibly important to protect your data. That’s why security is enabled and configured by default since Elasticsearch 8.0.

Never run an Elasticsearch cluster without security enabled. This principle cannot be overstated. Running Elasticsearch without security leaves your cluster exposed to anyone who can send network traffic to Elasticsearch, permitting these individuals to download, modify, or delete any data in your cluster. Start the Elastic Stack with security enabled or manually configure security to prevent unauthorized access to your clusters and ensure that internode communication is secure.

Never try to run Elasticsearch as the root user, which would invalidate any defense strategy and permit a malicious user to do anything on your server. You must create a dedicated, unprivileged user to run Elasticsearch. By default, the rpm, deb, docker, and Windows packages of Elasticsearch contain an elasticsearch user with this scope.

Even with security enabled, never expose Elasticsearch to public internet traffic. Using an application to sanitize requests to Elasticsearch still poses risks, such as a malicious user writing _search requests that could overwhelm an Elasticsearch cluster and bring it down. Keep Elasticsearch as isolated as possible, preferably behind a firewall and a VPN. Any internet-facing applications should run pre-canned aggregations, or not run aggregations at all.

Define roles for your users and assign appropriate privileges to ensure that users have access only to the resources that they need. This process determines whether the user behind an incoming request is allowed to run that request.

×

If you’ve been working with Elasticsearch and want to enable security on your existing, unsecured cluster, start here. You’ll set passwords for the built-in users to prevent unauthorized access to your local cluster, and also configure password authentication for Kibana.

Set up minimal security

This scenario configures TLS for communication between nodes. This security layer requires that nodes verify security certificates, which prevents unauthorized nodes from joining your Elasticsearch cluster.

Your external HTTP traffic between Elasticsearch and Kibana won’t be encrypted, but internode communication will be secured.

Set up basic security

This scenario builds on the one for basic security and secures all HTTP traffic with TLS. In addition to configuring TLS on the transport interface of your Elasticsearch cluster, you configure TLS on the HTTP interface for both Elasticsearch and Kibana.

You then configure Kibana and Beats to communicate with Elasticsearch using TLS so that all communications are encrypted. This level of security is strong, and ensures that any communications in and out of your cluster are secure.

Set up basic security plus HTTPS traffic

When you start Elasticsearch for the first time, the node startup process tries to automatically configure security for you. The process runs some checks to determine:

• If this is the first time that the node is starting
• Whether security is already configured
• If the startup process can modify the node configuration

If any of those checks fail, there’s a good indication that you manually configured security, or don’t want security to be configured automatically. In these cases, the node starts normally using the existing configuration.

If certain directories already exist, there’s a strong indication that the node was started previously. Similarly, if certain files don’t exist, or we can’t read or write to specific files or directories, then we’re likely not running as the user who installed Elasticsearch or an administrator imposed restrictions. If any of the following environment checks are true, security isn’t configured automatically.

The Elasticsearch /data directory exists and isn’t empty

The existence of this directory is a strong indicator that the node was started previously, and might already be part of a cluster.

The elasticsearch.yml file doesn’t exist (or isn’t readable), or the elasticsearch.keystore isn’t readable

If either of these files aren’t readable, we can’t determine whether Elasticsearch security features are already enabled. This state can also indicate that the node startup process isn’t running as a user with sufficient privileges to modify the node configuration.

The Elasticsearch configuration directory isn’t writable

This state likely indicates that an administrator made this directory read-only, or that the user who is starting Elasticsearch is not the user that installed Elasticsearch.

The following settings are incompatible with security auto configuration. If any of these settings exist, the node startup process skips configuring security automatically and the node starts normally.

• node.roles is set to a value where the node can’t be elected as master, or if the node can’t hold data

• xpack.security.autoconfiguration.enabled is set to false

• xpack.security.enabled has a value set

• Any of the xpack.security.transport.ssl.* or xpack.security.http.ssl.* settings have a value set in the elasticsearch.yml configuration file or in the elasticsearch.keystore

• Any of the discovery.type, discovery.seed_hosts, or cluster.initial_master_nodes discovery and cluster formation settings have a value set

  Note

  Exceptions are when discovery.type is set to single-node, or when cluster.initial_master_nodes exists but contains only the name of the current node.