Built-in Elasticsearch security featuresedit

Elasticsearch Add-On for Heroku handles the installation of the security features for you, both for new deployments you create and for deployments that you upgrade. Which exact set of security features you use depends on the version of your Elasticsearch cluster.

In Elasticsearch version 5.0 and later, the security features to keep your Elasticsearch clusters safe are now part of X-Pack. If you create a cluster on Elasticsearch 5.0 or later, the X-Pack security features are always enabled, and there is no additional enablement step. With the move to X-Pack, the biggest changes to security features for the Elastic Stack include the names of the security configuration options, TLS/SSL configuration, and how roles are defined. A few privileges have also been removed. You work with users and roles in the Kibana Management app, accessible from the Security page in the Elasticsearch Add-On for Heroku console. Two users are always created with new version 5.x clusters in Elasticsearch Add-On for Heroku, the elastic superuser and the anonymous user. Note that in Elasticsearch versions 7.10 and higher the anonymous user is disabled by default. See Enabling anonymous access to enable it. If you upgrade a cluster to version 5.x, the users defined in your Shield configuration are also preserved.

For Elasticsearch versions before 5.0, the Shield plugin provides similar security features for your cluster, such as user authentication and role based access control. Shield is always installed and enabled for all newly created clusters. If your cluster did not originally enable Shield, save your Shield configuration to enable the security features. If Shield is not enabled, anyone who knows the ID of your cluster can connect to it. You work with users and roles in the Shield Editor directly in the Elasticsearch Add-On for Heroku console. Three users are always created for clusters in Elasticsearch Add-On for Heroku: The admin user, the readwrite user, and the readonly user.

Note that when you upgrade a cluster to Elasticsearch 5.0 or later from an earlier version of Elasticsearch, your Shield configuration is migrated to X-Pack. If you used the Shield Editor before upgrading to version 5.0, you will need to switch to the Kibana Management app after upgrading.

For Elasticsearch 5.0 and later, you work with users and roles in the Kibana Management app. If you’re using a version of Elasticsearch before 5.0, you use the Security editor to work with users and roles.

Before you beginedit

Some restrictions apply when securing your deployment on Elasticsearch Add-On for Heroku. To learn more, see Security.