You enable the Elasticsearch security features and then create passwords for built-in users. You can add more users later, but using the built-in users simplifies the process of enabling security for your cluster.
- Install and configure Elasticsearch and Kibana. See Getting started with the Elastic Stack.
Verify that you are using a license that includes the specific security features you want.
The basic license includes minimal security settings for the Elastic Stack, so you can just download the distribution and get to work. You can also enable a free trial license to access all features of the Elastic Stack. See subscriptions and license management.
When you use the basic license, the Elasticsearch security features are disabled by default. Enabling the Elasticsearch security features enables basic authentication so that you can run a local cluster with username and password authentication.
- Stop both Kibana and Elasticsearch if they are running.
xpack.security.enabledsetting to the
ES_PATH_CONF/elasticsearch.ymlfile and set the value to
ES_PATH_CONFvariable is the path for the Elasticsearch configuration files. If you installed Elasticsearch using archive distributions (
tar.gz), the variable defaults to
ES_HOME/config. If you used package distributions (Debian or RPM), the variable defaults to
To communicate with the cluster, you must configure a username for the built-in users. Unless you enable anonymous access, all requests that don’t include a user name and password are rejected.
You only need to set passwords for the
when enabling minimal or basic security.
Start Elasticsearch. For example, if you installed Elasticsearch with a
.tar.gzpackage, run the following command from the Elasticsearch directory:
In another terminal window, set the passwords for the built-in users by running the
elasticsearch-setup-passwordsutility. Using the
autoparameter outputs randomly-generated passwords to the console that you can change later if necessary:
If you want to use your own passwords, run the command with the
interactiveparameter instead of the
autoparameter. Using this mode steps you through password configuration for all of the built-in users.
- Save the generated passwords. You’ll need them to add the built-in user to Kibana.
After you set a password for the
elastic user, you cannot run the
elasticsearch-setup-passwords command a second time.
When the Elasticsearch security features are enabled, users must log in to Kibana with a valid username and password.
Kibana also performs some background tasks that require use of the built-in
You’ll configure Kibana to use the built-in
elastic user and the
password that you created earlier.
elasticsearch.usernamesetting to the
KIB_PATH_CONF/kibana.ymlfile and set the value to the
KIB_PATH_CONFvariable is the path for the Kibana configuration files. If you installed Kibana using archive distributions (
tar.gz), the variable defaults to
KIB_HOME/config. If you used package distributions (Debian or RPM), the variable defaults to
From the directory where you installed Kibana, run the following commands to create the Kibana keystore and add the secure settings:
Create the Kibana keystore:
Add the password for the
elasticuser to the Kibana keystore:
./bin/kibana-keystore add elasticsearch.password
When prompted, enter the password for the
Restart Kibana. For example, if you installed Kibana with a
.tar.gzpackage, run the following command from the Kibana directory:
Log in to Kibana as the
Congratulations! You enabled password protection for your local cluster to
prevent unauthorized access. You can log in to Kibana securely as the
To add another layer of security, Set up basic security for the Elastic Stack. You’ll configure Transport Layer Security (TLS) to secure all internal communication between nodes in your cluster.