Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DOCS] Adds apm_system user and role #120

Merged
merged 3 commits into from
Sep 12, 2018
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 19 additions & 5 deletions docs/en/stack/security/authentication/built-in-users.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ passwords have been set. The `elastic` user can be used to
`kibana`:: The user Kibana uses to connect and communicate with Elasticsearch.
`logstash_system`:: The user Logstash uses when storing monitoring information in Elasticsearch.
`beats_system`:: The user the Beats use when storing monitoring information in Elasticsearch.
`apm_system`:: The user APM uses when storing monitoring information in {es}.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we clarify that this is the user the APM server uses?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!



[float]
Expand Down Expand Up @@ -58,7 +59,8 @@ The +elasticsearch-setup-passwords+ tool is the simplest method to set the
built-in users' passwords for the first time. It uses the `elastic` user's
bootstrap password to run user management API requests. For example, you can run
the command in an "interactive" mode, which prompts you to enter new passwords
for the `elastic`, `kibana`, `logstash_system`, and `beats_system` users:
for the `elastic`, `kibana`, `logstash_system`, `beats_system`, and `apm_system`
users:

[source,shell]
--------------------------------------------------
Expand Down Expand Up @@ -95,7 +97,7 @@ since at that point the bootstrap password is no longer required.

[float]
[[add-built-in-user-passwords]]
==== Adding Built-in User Passwords To {kib}, Logstash, and Beats
==== Adding built-in user passwords to {kib}, Logstash, Beats, and APM

After the `kibana` user password is set, you need to update the {kib} server
with the new password by setting `elasticsearch.password` in the `kibana.yml`
Expand Down Expand Up @@ -140,11 +142,23 @@ xpack.monitoring.elasticsearch.username: beats_system
xpack.monitoring.elasticsearch.password: beatspassword
----------------------------------------------------------

The `apm_system` user is used internally within APM when monitoring is enabled.

To enable this feature in APM, you need to update the
{apm-server-ref}/configuring-howto-apm-server.html[APM configuration file] to
reference the correct username and password. For example:

[source,yaml]
----------------------------------------------------------
xpack.monitoring.elasticsearch.username: apm_system
xpack.monitoring.elasticsearch.password: apmserverpassword
----------------------------------------------------------

If you have upgraded from an older version of {es}, then you may not have set a
password for the `beats_system` user. If this is the case, then you should use
the *Management > Users* page in {kib} or the
password for the `apm_system` or `beats_system` users. If this is the case,
then you should use the *Management > Users* page in {kib} or the
{ref}/security-api-change-password.html[Change Password API] to set a password
for this user.
for these users.

[float]
[[disabling-default-password]]
Expand Down
47 changes: 30 additions & 17 deletions docs/en/stack/security/authorization/built-in-roles.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,29 @@ themselves.
{security} also provides a set of built-in roles you can explicitly assign
to users. These roles have a fixed set of privileges and cannot be updated.

[[built-in-roles-apm-system]] `apm_system` ::
Grants access necessary for the APM system user to send system-level data
(such as monitoring) to {es}.

[[built-in-roles-beats-admin]] `beats_admin` ::
Grants access to the `.management-beats` index, which contains configuration
information for the Beats.

[[built-in-roles-beats-system]] `beats_system` ::
Grants access necessary for the Beats system user to send system-level data
(such as monitoring) to {es}.
+
--
[NOTE]
===============================
* This role should not be assigned to users as the granted permissions may
change between releases.
* This role does not provide access to the beats indices and is not
suitable for writing beats output to {es}.
===============================

--

[[built-in-roles-ingest-user]] `ingest_admin` ::
Grants access to manage *all* index templates and *all* ingest pipeline configurations.
+
Expand Down Expand Up @@ -44,25 +67,15 @@ Grants access necessary for the Logstash system user to send system-level data
(such as monitoring) to {es}. For more information, see
{logstash-ref}/ls-security.html[Configuring Security in Logstash].
+
NOTE: This role should not be assigned to users as the granted permissions may
--
[NOTE]
===============================
* This role should not be assigned to users as the granted permissions may
change between releases.
+
NOTE: This role does not provide access to the logstash indices and is not
* This role does not provide access to the logstash indices and is not
suitable for use within a Logstash pipeline.

[[built-in-roles-beats-admin]] `beats_admin` ::
Grants access to the `.management-beats` index, which contains configuration
information for the Beats.

[[built-in-roles-beats-system]] `beats_system` ::
Grants access necessary for the Beats system user to send system-level data
(such as monitoring) to {es}.
+
NOTE: This role should not be assigned to users as the granted permissions may
change between releases.
+
NOTE: This role does not provide access to the beats indices and is not
suitable for writing beats output to {es}.
===============================
--

[[built-in-roles-ml-admin]] `machine_learning_admin`::
Grants `manage_ml` cluster privileges and read access to the `.ml-*` indices.
Expand Down
2 changes: 1 addition & 1 deletion docs/en/stack/security/get-started-builtin-users.asciidoc
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
There are built-in users that you can use for specific administrative purposes:
`elastic`, `kibana`, `logstash_system`, and `beats_system`.
`elastic`, `kibana`, `logstash_system`, `apm_system`, and `beats_system`.

Before you can use them, you must set their passwords:

Expand Down
6 changes: 3 additions & 3 deletions docs/en/stack/security/get-started-security.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -50,9 +50,9 @@ include::get-started-builtin-users.asciidoc[]
You need these built-in users in subsequent steps, so choose passwords that you
can remember!

NOTE: This tutorial does not use the built-in `logstash_system` and
`beats_system` users, which are typically associated with monitoring. For more
information, see
NOTE: This tutorial does not use the built-in `apm_system`, `logstash_system`,
and `beats_system` users, which are typically associated with monitoring. For
more information, see
{logstash-ref}/ls-security.html#ls-monitoring-user[Configuring credentials for {ls} monitoring]
and {metricbeat-ref}/monitoring.html[Monitoring {metricbeat}].

Expand Down