mirror of
https://github.com/elastic/kibana.git
synced 2025-06-28 11:05:39 -04:00
This adds support for a password protected keystore. The UX should match other stack products.

Closes https://github.com/elastic/kibana/issues/21756.

```
[jon@mbpkbn1]/tmp/kibana-8.15.0-SNAPSHOT% bin/kibana-keystore create --password
A Kibana keystore already exists. Overwrite? [y/N] y
Enter new password for the kibana keystore (empty for no password): ********
Created Kibana keystore in /tmp/kibana-8.15.0-SNAPSHOT/config/kibana.keystore
[jon@mbpkbn1]/tmp/kibana-8.15.0-SNAPSHOT% bin/kibana-keystore add elasticsearch.username
Enter password for the kibana keystore: ********
Enter value for elasticsearch.username: *************
[jon@mbpkbn1]/tmp/kibana-8.15.0-SNAPSHOT% bin/kibana-keystore add elasticsearch.password
Enter password for the kibana keystore: ********
Enter value for elasticsearch.password: ********
[jon@mbpkbn1]/tmp/kibana-8.15.0-SNAPSHOT% bin/kibana
...
Enter password for the kibana keystore: ********
[2024-04-30T09:47:03.560-05:00][INFO ][root] Kibana is starting
[jon@mbpkbn1]/tmp/kibana-8.15.0-SNAPSHOT% bin/kibana-keystore has-passwd
Keystore is password-protected
[jon@mbpkbn1]/tmp/kibana-8.15.0-SNAPSHOT% ./bin/kibana-keystore show elasticsearch.username
Enter password for the kibana keystore: ********
kibana_system
[jon@mbpkbn1]/tmp/kibana-8.15.0-SNAPSHOT% ./bin/kibana-keystore remove elasticsearch.username
Enter password for the kibana keystore: ********
[jon@mbpkbn1]/tmp/kibana-8.15.0-SNAPSHOT% ./bin/kibana-keystore show elasticsearch.username
Enter password for the kibana keystore: ********
ERROR: Kibana keystore doesn't have requested key.
[jon@mbpkbn1]/tmp/kibana-8.15.0-SNAPSHOT% bin/kibana-keystore passwd
Enter password for the kibana keystore: ********
Enter new password for the kibana keystore (empty for no password):
[jon@mbpkbn1]/tmp/kibana-8.15.0-SNAPSHOT% ./bin/kibana-keystore has-passwd
Error: Keystore is not password protected
[jon@mbpkbn1]/tmp/kibana-8.15.0-SNAPSHOT% ./bin/kibana
...
[2024-04-30T09:49:03.220-05:00][INFO ][root] Kibana is starting
```

## Password input

Environment variable usage is not consistent across stack products. I implemented `KBN_KEYSTORE_PASSWORD_FILE` and `KBN_KEYSTORE_PASSWORD` to be used to avoid prompts. @elastic/kibana-security do you have any thoughts?

- `LOGSTASH_KEYSTORE_PASS` - https://www.elastic.co/guide/en/logstash/current/keystore.html#keystore-password
- `KEYSTORE_PASSWORD` - https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html#docker-keystore-bind-mount
- `ES_KEYSTORE_PASSPHRASE_FILE` - https://www.elastic.co/guide/en/elasticsearch/reference/current/rpm.html#rpm-running-systemd
- Beats discussion, unresolved: https://github.com/elastic/beats/issues/5737

## Release note

Adds password support to the Kibana keystore.
120 lines
No EOL
3.8 KiB
Text
[[secure-settings]]
=== Secure settings

Some settings are sensitive, and relying on filesystem permissions to protect
their values is not sufficient. For this use case, Kibana provides a
keystore, and the `kibana-keystore` tool to manage the settings in the keystore.

[NOTE]
====
* Run all commands as the user who runs {kib}.
* Only the settings with the `(Secure)` qualifier should be stored in the keystore.
Unsupported, extraneous or invalid JSON-string settings cause {kib} to fail to start up.
====

[float]
[[creating-keystore]]
=== Create the keystore

To create the `kibana.keystore`, use the `create` command:

[source,sh]
----------------------------------------------------------------
bin/kibana-keystore create
----------------------------------------------------------------

The file `kibana.keystore` will be created in the `config` directory defined by the
environment variable `KBN_PATH_CONF`.

To create a password-protected keystore, use the `--password` flag.

[float]
[[list-settings]]
=== List settings in the keystore

A list of the settings in the keystore is available with the `list` command:

[source,sh]
----------------------------------------------------------------
bin/kibana-keystore list
----------------------------------------------------------------

[float]
[[add-string-to-keystore]]
=== Add string settings

NOTE: Your input will be JSON-parsed to allow for object/array input configurations.
To enforce string values, use "double quotes" around your input.

Sensitive string settings, like authentication credentials for Elasticsearch,
can be added using the `add` command:

[source,sh]
----------------------------------------------------------------
bin/kibana-keystore add the.setting.name.to.set
----------------------------------------------------------------

Once added to the keystore, these settings will be automatically applied
to this instance of Kibana when started. For example, if you run

[source,sh]
----------------------------------------------------------------
bin/kibana-keystore add elasticsearch.username
----------------------------------------------------------------

you will be prompted to provide the value for `elasticsearch.username`.
(Your input will show as asterisks.)

The tool will prompt for the value of the setting. To pass the value
through stdin, use the `--stdin` flag:

[source,sh]
----------------------------------------------------------------
cat /file/containing/setting/value | bin/kibana-keystore add the.setting.name.to.set --stdin
----------------------------------------------------------------

[float]
[[remove-settings]]
=== Remove settings

To remove a setting from the keystore, use the `remove` command:

[source,sh]
----------------------------------------------------------------
bin/kibana-keystore remove the.setting.name.to.remove
----------------------------------------------------------------

[float]
[[read-settings]]
=== Read settings

To display the configured setting values, use the `show` command:

[source, sh]
----------------------------------------------------------------
bin/kibana-keystore show setting.key
----------------------------------------------------------------

[float]
[[change-password]]
=== Change password

To change the password of the keystore, use the `passwd` command:

[source, sh]
----------------------------------------------------------------
bin/kibana-keystore passwd
----------------------------------------------------------------

[float]
[[has-password]]
=== Has password

To check if the keystore is password protected, use the `has-passwd` command.
An exit code of 0 will be returned if the keystore is password protected,
and the command will fail otherwise.

[source, sh]
----------------------------------------------------------------
bin/kibana-keystore has-passwd
----------------------------------------------------------------
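
The `has-passwd` exit code and the `KBN_KEYSTORE_PASSWORD_FILE` variable named in the commit message can be combined into a pre-start gate. The script below is an added example, not code from the Kibana repository: `file_mode`, `owner_only` and `check_keystore` are hypothetical helper names, and it assumes the Kibana home directory is passed as the first argument.

```sh
#!/bin/sh
# Added example, not Kibana project code. Assumption: $1 is the Kibana home
# directory holding bin/kibana-keystore and, unless KBN_PATH_CONF is set,
# config/kibana.keystore.

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only when group and others have no permission bits on the file.
owner_only() {
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        *00|0) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when every check passes; otherwise report each finding on stderr
# and return 1.
check_keystore() {
    home=$1
    store=${KBN_PATH_CONF:-$home/config}/kibana.keystore
    rc=0
    if [ ! -f "$store" ]; then
        echo "FAIL: $store not found" >&2
        return 1
    fi
    if ! owner_only "$store"; then
        echo "FAIL: $store is accessible to group or others" >&2
        rc=1
    fi
    # has-passwd exits 0 only when the keystore is password protected.
    if ! "$home/bin/kibana-keystore" has-passwd >/dev/null 2>&1; then
        echo "FAIL: $store is not password protected" >&2
        rc=1
    fi
    # A password file used to skip the prompt must be owner-only as well.
    if [ -n "${KBN_KEYSTORE_PASSWORD_FILE:-}" ] &&
        ! owner_only "$KBN_KEYSTORE_PASSWORD_FILE"; then
        echo "FAIL: $KBN_KEYSTORE_PASSWORD_FILE is accessible to group or others" >&2
        rc=1
    fi
    return "$rc"
}

# Run the check when a Kibana home is given on the command line.
if [ "$#" -gt 0 ]; then
    check_keystore "$1"
fi
```

Run it as the user who runs Kibana, for example from a service pre-start hook, so the permission and `has-passwd` checks see the same files Kibana will.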