root
/
elasticsearch
mirror of https://github.com/elastic/elasticsearch.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity
elasticsearch/docs/reference/migration/migrate_8_0/security.asciidoc

135 lines
4.8 KiB
Plaintext
Raw Normal View History

Remove obsolete security settings (#40496) Removes the deprecated accept_default_password setting. This setting become redundant when default passwords were removed from 6.0, but the setting was kept for BWC. Removes native role store cache settings. These have been unused since 5.2 but were kept for BWC.
2019-03-29 15:04:49 +08:00
[float]
[[breaking_80_security_changes]]
=== Security changes
[DOCS] Add notable-breaking-changes tags (#40990)
2019-04-09 09:20:59 +08:00
//NOTE: The notable-breaking-changes tagged regions are re-used in the
//Installation and Upgrade Guide
//tag::notable-breaking-changes[]
Make order setting required for Realm config (#51195) The order config must be explicitly specified for each realm. It must also be unique for each realm. This is a breaking change and will begin to take effect in 8.0 Resolves: #37614
2020-01-28 14:59:54 +08:00
[float]
==== The realm `order` setting is required
The `xpack.security.authc.realms.{type}.{name}.order` setting is now required and must be
specified for each explicitly configured realm. Each value must be unique.
The cluster will fail to start if the requirements are not met.
For example, the following configuration is invalid:
[source,yaml]
--------------------------------------------------
xpack.security.authc.realms.kerberos.kerb1:
keytab.path: es.keytab
remove_realm_name: false
--------------------------------------------------
And must be configured as:
[source,yaml]
--------------------------------------------------
xpack.security.authc.realms.kerberos.kerb1:
order: 0
keytab.path: es.keytab
remove_realm_name: false
--------------------------------------------------
[DOCS] Add notable-breaking-changes tags (#40990)
2019-04-09 09:20:59 +08:00
// end::notable-breaking-changes[]
Remove obsolete security settings (#40496) Removes the deprecated accept_default_password setting. This setting become redundant when default passwords were removed from 6.0, but the setting was kept for BWC. Removes native role store cache settings. These have been unused since 5.2 but were kept for BWC.
2019-03-29 15:04:49 +08:00
[float]
[DOCS] Add anchors for Asciidoctor migration (#41648)
2019-04-30 22:19:09 +08:00
[[accept-default-password-removed]]
Remove obsolete security settings (#40496) Removes the deprecated accept_default_password setting. This setting become redundant when default passwords were removed from 6.0, but the setting was kept for BWC. Removes native role store cache settings. These have been unused since 5.2 but were kept for BWC.
2019-03-29 15:04:49 +08:00
==== The `accept_default_password` setting has been removed
The `xpack.security.authc.accept_default_password` setting has not had any affect
since the 6.0 release of {es}. It has been removed and cannot be used.
[float]
[DOCS] Add anchors for Asciidoctor migration (#41648)
2019-04-30 22:19:09 +08:00
[[roles-index-cache-removed]]
Remove obsolete security settings (#40496) Removes the deprecated accept_default_password setting. This setting become redundant when default passwords were removed from 6.0, but the setting was kept for BWC. Removes native role store cache settings. These have been unused since 5.2 but were kept for BWC.
2019-03-29 15:04:49 +08:00
==== The `roles.index.cache.*` settings have been removed
The `xpack.security.authz.store.roles.index.cache.max_size` and
`xpack.security.authz.store.roles.index.cache.ttl` settings have
been removed. These settings have been redundant and deprecated
since the 5.2 release of {es}.
Remove the migrate tool (#42174) This commit removes the deprecated migrate tool which was used to migrate users from the file realm to native realm when the native realm was first created.
2019-05-18 02:49:05 +08:00
[float]
[[migrate-tool-removed]]
==== The `elasticsearch-migrate` tool has been removed
The `elasticsearch-migrate` tool provided a way to convert file
realm users and roles into the native realm. It has been deprecated
since 7.2.0. Users and roles should now be created in the native
realm directly.
Remove the client transport profile filter (#43236) Now that the transport client has been removed, the client transport profile filter can be removed from security. This filter prevented node actions from being executed using a transport client.
2019-07-03 17:32:24 +08:00
[float]
[[separating-node-and-client-traffic]]
==== The `transport.profiles.*.xpack.security.type` setting has been removed
The `transport.profiles.*.xpack.security.type` setting has been removed since
the Transport Client has been removed and therefore all client traffic now uses
the HTTP transport. Transport profiles using this setting should be removed.
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
[float]
[[ssl-validation-changes]]
==== SSL/TLS configuration validation
[float]
===== The `xpack.security.transport.ssl.enabled` setting may be required
It is now an error to configure any SSL settings for
`xpack.security.transport.ssl` without also configuring
`xpack.security.transport.ssl.enabled`.
For example, the following configuration is invalid:
[source,yaml]
--------------------------------------------------
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
--------------------------------------------------
And must be configured as:
[source,yaml]
--------------------------------------------------
xpack.security.transport.ssl.enabled: true <1>
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
--------------------------------------------------
<1> or `false`.
[float]
===== The `xpack.security.http.ssl.enabled` setting may be required
It is now an error to configure any SSL settings for
`xpack.security.http.ssl` without also configuring
`xpack.security.http.ssl.enabled`.
For example, the following configuration is invalid:
[source,yaml]
--------------------------------------------------
Make order setting required for Realm config (#51195) The order config must be explicitly specified for each realm. It must also be unique for each realm. This is a breaking change and will begin to take effect in 8.0 Resolves: #37614
2020-01-28 14:59:54 +08:00
xpack.security.http.ssl.certificate: elasticsearch.crt
xpack.security.http.ssl.key: elasticsearch.key
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
--------------------------------------------------
And must be configured as either:
[source,yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true <1>
Make order setting required for Realm config (#51195) The order config must be explicitly specified for each realm. It must also be unique for each realm. This is a breaking change and will begin to take effect in 8.0 Resolves: #37614
2020-01-28 14:59:54 +08:00
xpack.security.http.ssl.certificate: elasticsearch.crt
xpack.security.http.ssl.key: elasticsearch.key
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
--------------------------------------------------
<1> or `false`.
[float]
===== The `xpack.security.transport.ssl` Certificate and Key may be required
It is now an error to enable SSL for the transport interface without also configuring
a certificate and key through use of the `xpack.security.transport.ssl.keystore.path`
setting or the `xpack.security.transport.ssl.certificate` and
`xpack.security.transport.ssl.key` settings.
[float]
===== The `xpack.security.http.ssl` Certificate and Key may be required
It is now an error to enable SSL for the HTTP (Rest) server without also configuring
a certificate and key through use of the `xpack.security.http.ssl.keystore.path`
setting or the `xpack.security.http.ssl.certificate` and
`xpack.security.http.ssl.key` settings.