Configure authentication credentials
editConfigure authentication credentials
editWhen sending data to a secured cluster through the elasticsearch
output, APM Server must either provide basic authentication credentials
or present a client certificate.
To configure authentication credentials for APM Server:
-
Create a writer role that has the following privileges:
-
Cluster:
manage_index_templates
andmonitor
-
Index:
write
andcreate_index
on the APM Server indices
You can create roles from the Management / Roles UI in Kibana or through the
role
API. For example, the following request creates a role namedapm_writer
: -
Cluster:
-
Assign the writer role to the user that APM Server will use to connect to Elasticsearch. If you plan to load the pre-built Kibana dashboards, also assign the
kibana_user
role.-
To authenticate as a native user, create a user for APM Server to use internally and assign it the writer role, plus any other roles that are needed.
You can create users from the Management / Users UI in Kibana or through the
user
API. For example, following request creates a user namedapm_internal
that has theapm_writer
andkibana_user
roles:POST /_xpack/security/user/apm_internal { "password" : "YOUR_PASSWORD", "roles" : [ "apm_writer","kibana_user"], "full_name" : "Internal APM Server User" }
-
To use PKI authentication, assign the writer role, plus any other roles that are needed, in the
role_mapping.yml
configuration file. Specify the user by the distinguished name that appears in its certificate:apm_writer: - "cn=Internal APM Server User,ou=example,o=com" kibana_user: - "cn=Internal APM Server User,ou=example,o=com"
For more information, see Using Role Mapping Files.
-
-
In the APM Server configuration file, specify authentication credentials for the
elasticsearch
output:-
To use basic authentication, configure the
username
andpassword
settings. For example, the following APM Server output configuration uses the nativeapm_internal
user to connect to Elasticsearch:You created this user earlier.
The example shows a hard-coded password, but you should store sensitive values in the secrets keystore.
-
To use PKI authentication, configure the
certificate
andkey
settings:
-