Commit Graph

37 Commits

Author SHA1 Message Date
James Rodewig 693807a6d3
[DOCS] Fix double spaces (#71082) 2021-03-31 09:57:47 -04:00
Adam Locke 8dd563134c
[DOCS] Overhaul TLS security docs (#68946)
* Removing security overview and condensing.

* Adding new security file.

* Minor changes.

* Removing link to pass build.

* Adding minimal security page.

* Adding minimal security page.

* Changes to intro.

* Add basic and basic + http configurations.

* Lots of changes, removed files, and redirects.

* Moving some AD and LDAP sections, plus more redirects.

* Redirects for SAML.

* Updating snippet languages and redirects.

* Adding another SAML redirect.

* Hopefully fixing the ci/2 error.

* Fixing another broken link for SAML.

* Adding what's next sections and some cleanup.

* Removes both security tutorials from the TOC.

* Adding redirect for removed tutorial.

* Add graphic for Elastic Security layers.

* Incorporating reviewer feedback.

* Update x-pack/docs/en/security/securing-communications/security-basic-setup.asciidoc

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>

* Update x-pack/docs/en/security/securing-communications/security-minimal-setup.asciidoc

Co-authored-by: Yang Wang <ywangd@gmail.com>

* Update x-pack/docs/en/security/securing-communications/security-basic-setup.asciidoc

Co-authored-by: Yang Wang <ywangd@gmail.com>

* Update x-pack/docs/en/security/index.asciidoc

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>

* Update x-pack/docs/en/security/securing-communications/security-basic-setup-https.asciidoc

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>

* Apply suggestions from code review

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
Co-authored-by: Yang Wang <ywangd@gmail.com>

* Additional changes from review feedback.

* Incorporating reviewer feedback.

* Incorporating more reviewer feedback.

* Clarify that TLS is for authenticating nodes

Co-authored-by: Tim Vernum <tim@adjective.org>

* Clarify security between nodes

Co-authored-by: Tim Vernum <tim@adjective.org>

* Clarify that TLS is between nodes

Co-authored-by: Tim Vernum <tim@adjective.org>

* Update title for configuring Kibana with a password

Co-authored-by: Tim Vernum <tim@adjective.org>

* Move section for enabling passwords between Kibana and ES to minimal security.

* Add section for transport description, plus incorporate more reviewer feedback.

* Moving operator privileges lower in the navigation.

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
Co-authored-by: Yang Wang <ywangd@gmail.com>
Co-authored-by: Tim Vernum <tim@adjective.org>
2021-03-25 11:54:39 -04:00
James Rodewig 9b88ae92e6
[DOCS] Fix typos for duplicate words (#69125) 2021-02-17 10:34:20 -05:00
Ioannis Kakavas bd873698bc
Ensure CI is run in FIPS 140 approved only mode (#64024)
We were depending on the BouncyCastle FIPS own mechanics to set
itself in approved only mode since we run with the Security
Manager enabled. The check during startup seems to happen before we
set our restrictive SecurityManager though in
org.elasticsearch.bootstrap.Elasticsearch, and this means that
BCFIPS would not be in approved only mode, unless explicitly
configured so.

This commit sets the appropriate JVM property to explicitly set
BCFIPS in approved only mode in CI and adds tests to ensure that we
will be running with BCFIPS in approved only mode when we expect to.
It also sets xpack.security.fips_mode.enabled to true for all test clusters
used in fips mode and sets the distribution to the default one. It adds a
password to the elasticsearch keystore for all test clusters that run in fips
mode.
Moreover, it changes a few unit tests where we would use bcrypt even in
FIPS 140 mode. These would still pass since we are bundling our own
bcrypt implementation, but are now changed to use FIPS 140 approved
algorithms instead for better coverage.

It also addresses a number of tests that would fail in approved only mode.
Mainly:

    Tests that use PBKDF2 with a password less than 112 bits (14char). We
    elected to change the passwords used everywhere to be at least 14
    characters long instead of mandating
    the use of pbkdf2_stretch because both pbkdf2 and
    pbkdf2_stretch are supported and allowed in fips mode and it makes sense
    to test with both. We could possibly figure out the password algorithm used
    for each test and adjust password length accordingly only for pbkdf2 but
    there is little value in that. It's good practice to use strong passwords so if
    our docs and tests use longer passwords, then it's for the best. The approach
    is brittle as there is no guarantee that the next test that will be added won't
    use a short password, so we add some testing documentation too.
    This leaves us with a possible coverage gap since we do support passwords
    as short as 6 characters but we only test with > 14 chars but the
    validation itself was not tested even before. Tests can be added in a followup,
    outside of fips related context.

    Tests that use a PKCS12 keystore and were not already muted.

    Tests that depend on running test clusters with a basic license or
    using the OSS distribution as FIPS 140 support is not available in
    either of these.

Finally, it adds some information around FIPS 140 testing in our testing
documentation reference so that developers can hopefully keep in
mind fips 140 related intricacies when writing/changing docs.
2020-12-23 21:00:49 +02:00
James Rodewig a94e5cb7c4
[DOCS] Replace Wikipedia links with attribute (#61171) 2020-08-17 09:44:24 -04:00
James Rodewig 512649c990
[DOCS] Add data streams to security docs (#59084) 2020-07-08 11:54:55 -04:00
Brandon Morelli 4407ae34c1
docs: update links to beats security docs (#56875) 2020-05-19 08:46:27 -07:00
Lisa Cawley 5ef7aacbf7
[DOCS] Adds documentation for secondary authorization headers (#55365)
Co-authored-by: Tim Vernum <tim@adjective.org>
2020-04-29 08:28:42 -07:00
Lisa Cawley 729fe26c5a
[DOCS] Fixes monitoring links (#52790) 2020-02-25 16:57:38 -08:00
Jonathan Budzenski 23b31d6abe
[DOCS] Change http://elastic.co -> https (#48479) 2020-02-03 08:52:34 -05:00
Larry Gregory fa4869a94b Deprecating kibana_user and kibana_dashboard_only_user roles (#46456)
This change adds a new `kibana_admin` role, and deprecates
the old `kibana_user` and `kibana_dashboard_only_user` roles.

The deprecation is implemented via a new reserved metadata
attribute, which can be consumed from the API and also triggers
deprecation logging when used (by a user authenticating to
Elasticsearch).

Some docs have been updated to avoid references to these
deprecated roles.

Co-authored-by: Tim Vernum <tim@adjective.org>
Co-authored-by: Larry Gregory <legrego@users.noreply.github.com>
2020-01-14 18:08:44 +11:00
Lisa Cawley 56e30b6f16
[DOCS] Removes Beats security page (#49276) 2019-11-19 09:08:36 -08:00
James Rodewig 279a31e868
[DOCS] Add Java to list of HTTP client libraries for basic authentication (#48647) 2019-11-05 17:07:39 -05:00
Peter Dyson 2b88d2d31c [DOCS] Reorder bullet items in CCS security docs (#48501)
Adjust the last bullet item to be above the code block for better readability and to avoid it being skimmed over
2019-10-25 08:11:31 -05:00
Lisa Cawley 09071116b0
[DOCS] Security link fixes (#48172) 2019-10-17 07:19:17 -07:00
lcawl beb50968d2 [DOCS] Minor fixes to security documentation 2019-10-04 10:58:59 -07:00
Lisa Cawley f7edcb0857
[DOCS] Fixes build errors (#47536) 2019-10-03 15:22:41 -07:00
Lisa Cawley 5c49ac13dc
[DOCS] Copies security source files from stack-docs (#47521) 2019-10-03 13:39:21 -07:00
Lisa Cawley 279e9fec9b
[DOCS] Fixes link to Kibana security (#46690) 2019-09-12 16:28:40 -07:00
James Rodewig 5c78f606c2
[DOCS] Change // CONSOLE comments to [source,console] (#46440) 2019-09-09 10:45:37 -04:00
James Rodewig bd52e148c5
[DOCS] Remove :edit_url: overrides. (#44445)
These overrides do not work in Asciidoctor and are no longer needed.
2019-07-16 15:02:38 -04:00
Tim Vernum ec74dfe05b
[Docs] Name remote cluster "two" (#42976)
All the text and the search example refer to the remote cluster as
"two" rather than "cluster_two". This commit changes the definition
that is stored through the settings API to match the rest of the
examples.
2019-06-14 17:21:21 +10:00
Ryan Ernst 4520e88b22
Remove transport client from xpack (#42202)
This commit removes support for the transport client from xpack.
2019-05-23 10:16:48 -07:00
James Rodewig 4900c0dd6b [DOCS] Fix broken link to elasticsearch-php security page 2019-04-23 12:42:37 -04:00
Jay Modi f3edbe2911
Security: remove SSL settings fallback (#36846)
This commit removes the fallback for SSL settings. While this may be
seen as a non user friendly change, the intention behind this change
is to simplify the reasoning needed to understand what is actually
being used for a given SSL configuration. Each configuration now needs
to be explicitly specified as there is no global configuration or
fallback to some other configuration.

Closes #29797
2019-01-14 14:06:22 -07:00
Josh Soref edb48321ba [DOCS] Various spelling corrections (#37046) 2019-01-07 14:44:12 +01:00
lcawl 8b8121279a [DOCS] Fix typos 2018-12-19 15:28:25 -08:00
Lisa Cawley 4140b9eede
[DOCS] Update X-Pack terminology in security docs (#36564) 2018-12-19 14:53:37 -08:00
Ioannis Kakavas d7c5d8049a
Deprecate /_xpack/security/* in favor of /_security/* (#36293)
* This commit is part of our plan to deprecate and ultimately remove the use of _xpack in the REST APIs.

- REST API docs
- HLRC docs and doc tests
- Handle REST actions with deprecation warnings
- Changed endpoints in rest-api-spec and relevant file names
2018-12-11 11:13:10 +02:00
Jason Tedor 8bed0c68e2
Fix remote clusters section link
This commit fixes the remote clusters section link by changing some
underscores to dashes.
2018-10-20 11:16:39 -04:00
Jason Tedor 77d23a2007
Fix remote clusters section link
This fixes a link to the configuring remote clusters section of the
docs.
2018-10-20 10:28:25 -04:00
Jason Tedor 19ee5da037
Fix reference to remote clusters configuration
This commit fixes a reference to configuring a remote cluster in the
cross-cluster search and security docs.
2018-10-20 09:35:24 -04:00
Jason Tedor d71ced1b00
Generalize search.remote settings to cluster.remote (#33413)
With features like CCR building on the CCS infrastructure, the settings
prefix search.remote makes less sense as the namespace for these remote
cluster settings than does a more general namespace like
cluster.remote. This commit replaces these settings with cluster.remote
with a fallback to the deprecated settings search.remote.
2018-09-05 20:43:44 -04:00
lcawl 94e1bdba33 [DOCS] Fixes kibana security file location 2018-05-30 07:47:20 -07:00
Lisa Cawley ab047ca28d
[DOCS] Fix more edit URLs in Stack Overview (#30704) 2018-05-23 09:37:55 -07:00
Jay Modi 13e2223680
Docs: remove transport_client from CCS role example (#30263)
This commit removes the unnecessary transport_client cluster permission
from the role that is used as an example in our documentation. This
permission is not needed to use cross cluster search.
2018-05-04 11:52:11 -06:00
Ryan Ernst 2efd22454a Migrate x-pack-elasticsearch source to elasticsearch 2018-04-20 15:29:54 -07:00