docs: Update documentation copied from Beats #3793

Merged
merged 3 commits into from
May 14, 2020
64 changes: 64 additions & 0 deletions _meta/beat.yml
Expand Up @@ -672,6 +672,28 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/elastic.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/krb5.conf

# Name of the Kerberos user.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC


#----------------------------- Console output -----------------------------
#output.console:
# Boolean flag to enable or disable the output module.
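Review bot: `#kerberos.auth_type: password` together with `#kerberos.password: changeme` makes a clear-text password the first example a reader will uncomment. Consider using `keytab` as the sample value for `auth_type`, or adding a comment line saying that `changeme` is a placeholder that must be replaced. The `kerberos.keytab` comment could also mention that the file holds the principal's long-term keys and should be readable only by the apm-server user.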
Expand Down Expand Up @@ -926,6 +948,27 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/krb5kdc/kafka.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/path/config

# The service principal name.
#kerberos.service_name: HTTP/my-service@realm

# Name of the Kerberos user. It is used when auth_type is set to password.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC

#================================= Paths ==================================

# The home path for the apm-server installation. This is the default base path
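Review bot: the `kerberos.username` comment in this block says "It is used when auth_type is set to password", but the `auth_type` section of shared-kerberos-config.asciidoc in this same PR states that `keytab` also requires a principal name; drop the qualifier, as the other two blocks do. This block also lacks the `#kerberos.enabled: true` entry that the other two blocks carry, and the sample `#kerberos.service_name: HTTP/my-service@realm` does not match the documented meaning of `service_name` ("the name of the Kafka service, usually `kafka`"), so `#kerberos.service_name: kafka` would be the less surprising example. `#kerberos.config_path: /etc/path/config` is also inconsistent with the `/etc/krb5.conf` used elsewhere.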
Expand Down Expand Up @@ -1130,5 +1173,26 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/elastic.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/krb5.conf

# Name of the Kerberos user.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC

#metrics.period: 10s
#state.period: 1m
64 changes: 64 additions & 0 deletions apm-server.docker.yml
Expand Up @@ -672,6 +672,28 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/elastic.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/krb5.conf

# Name of the Kerberos user.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC


#----------------------------- Console output -----------------------------
#output.console:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -926,6 +948,27 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/krb5kdc/kafka.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/path/config

# The service principal name.
#kerberos.service_name: HTTP/my-service@realm

# Name of the Kerberos user. It is used when auth_type is set to password.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC

#================================= Paths ==================================

# The home path for the apm-server installation. This is the default base path
Expand Down Expand Up @@ -1130,5 +1173,26 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/elastic.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/krb5.conf

# Name of the Kerberos user.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC

#metrics.period: 10s
#state.period: 1m
64 changes: 64 additions & 0 deletions apm-server.yml
Expand Up @@ -672,6 +672,28 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/elastic.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/krb5.conf

# Name of the Kerberos user.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC


#----------------------------- Console output -----------------------------
#output.console:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -926,6 +948,27 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/krb5kdc/kafka.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/path/config

# The service principal name.
#kerberos.service_name: HTTP/my-service@realm

# Name of the Kerberos user. It is used when auth_type is set to password.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC

#================================= Paths ==================================

# The home path for the apm-server installation. This is the default base path
Expand Down Expand Up @@ -1130,5 +1173,26 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/elastic.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/krb5.conf

# Name of the Kerberos user.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC

#metrics.period: 10s
#state.period: 1m
6 changes: 6 additions & 0 deletions docs/copied-from-beats/docs/loggingconfig.asciidoc
Expand Up @@ -235,6 +235,12 @@ true.

When true, logs messages in JSON format. The default is false.

[float]
==== `logging.ecs`

When true, logs messages with minimal required Elastic Common Schema (ECS)
information.

Comment on lines +238 to +243

Member Author

#3749 was merged into 7.x, not master. Is this ok to have in master?

Member

I'm pretty certain it is. @simitt?

Contributor

yes it is, sorry I forgot to follow up with it in master.

ifndef::serverless[]
[float]
==== `logging.files.redirect_stderr` experimental[]
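Review bot: the new `logging.ecs` entry does not state its default, while the `logging.json` entry directly above it ends with "The default is false."; add the default here as well. "Minimal required Elastic Common Schema (ECS) information" would also be easier to act on if it named the fields that are emitted or linked to the ECS reference.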
85 changes: 85 additions & 0 deletions docs/copied-from-beats/docs/shared-kerberos-config.asciidoc
@@ -0,0 +1,85 @@
[[configuration-kerberos]]
== Configure Kerberos

You can specify Kerberos options with any output or input that supports Kerberos, like {es} and Kafka.

The following encryption types are supported:

* aes128-cts-hmac-sha1-96
* aes128-cts-hmac-sha256-128
* aes256-cts-hmac-sha1-96
* aes256-cts-hmac-sha384-192
* des3-cbc-sha1-kd
* rc4-hmac

Example output config with Kerberos password based authentication:

[source,yaml]
----
output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"]
output.elasticsearch.kerberos.auth_type: password
output.elasticsearch.kerberos.username: "elastic"
output.elasticsearch.kerberos.password: "changeme"
output.elasticsearch.kerberos.config_path: "/etc/krb5.conf"
output.elasticsearch.kerberos.realm: "ELASTIC.CO"
----

The service principal name for the Elasticsearch instance is contructed from these options. Based on this configuration
it is going to be `HTTP/[email protected]`.

[float]
=== Configuration options

You can specify the following options in the `kerberos` section of the +{beatname_lc}.yml+ config file:

[float]
==== `enabled`

The `enabled` setting can be used to enable the kerberos configuration by setting
it to `false`. The default value is `true`.

NOTE: Kerberos settings are disabled if either `enabled` is set to `false` or the
`kerberos` section is missing.

[float]
==== `auth_type`

There are two options to authenticate with Kerberos KDC: `password` and `keytab`.

`password` expects the principal name and its password. When choosing `keytab`, you
have to specify a princial name and a path to a keytab. The keytab must contain
the keys of the selected principal. Otherwise, authentication will fail.

[float]
==== `config_path`

You need to set the path to the `krb5.conf`, so +{beatname_lc} can find the Kerberos KDC to
retrieve a ticket.

[float]
==== `username`

Name of the principal used to connect to the output.

[float]
==== `password`

If you configured `password` for `auth_type`, you have to provide a password
for the selected principal.

[float]
==== `keytab`

If you configured `keytab` for `auth_type`, you have to provide the path to the
keytab of the selected principal.

[float]
==== `service_name`

This option can only be configured for Kafka. It is the name of the Kafka service, usually `kafka`.

[float]
==== `realm`

Name of the realm where the output resides.
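
Review bot: in the `enabled` section, "can be used to enable the kerberos configuration by setting it to `false`" is inverted; setting it to `false` disables Kerberos, as the NOTE directly below says. Suggest "can be used to disable the Kerberos configuration by setting it to `false`". Two typos in the same file: "contructed" and "princial". The supported encryption types list includes `des3-cbc-sha1-kd` and `rc4-hmac`, both deprecated by RFC 8429; a sentence saying they are accepted for compatibility and that the AES types are preferred would help readers pick a keytab enctype.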

5 changes: 2 additions & 3 deletions docs/copied-from-beats/docs/shared-ssl-config.asciidoc
Expand Up @@ -239,12 +239,11 @@ are `never`, `once`, and `freely`. The default value is never.
[float]
==== `ca_sha256`

This configure a certificate pin can that ca be used to ensure that a specific certificate is used
to as part of the verified chain.
This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain.

The pin is a base64 encoded string of the SHA-256 of the certificate.

NOTE: This check is not a replacement for the normal SSL validation but it add additional validation.
NOTE: This check is not a replacement for the normal SSL validation, but it adds additional validation.
If this option is used with `verification_mode` set to `none`, the check will always fail because
it will not receive any verified chains.
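
Review bot: the reworded `ca_sha256` sentence still says only "a specific certificate"; given the option name, state explicitly whether the pin has to match a CA certificate in the verified chain. The unchanged line "The pin is a base64 encoded string of the SHA-256 of the certificate" could also say exactly what is hashed, so that users can compute the pin reproducibly.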
