docs: Update documentation copied from Beats (elastic#3793)
# Conflicts:
#	docs/copied-from-beats/docs/loggingconfig.asciidoc
bmorelli25 committed May 14, 2020
1 parent fa08ad1 commit 00c6bd9
Showing 11 changed files with 306 additions and 16 deletions.
64 changes: 64 additions & 0 deletions _meta/beat.yml
Expand Up @@ -672,6 +672,28 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/elastic.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/krb5.conf

# Name of the Kerberos user.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC


#----------------------------- Console output -----------------------------
#output.console:
# Boolean flag to enable or disable the output module.
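
Review bot: The sample values at `#kerberos.auth_type: password` and `#kerberos.password: changeme` steer readers toward a literal password in the config file, even though the keytab option is documented directly below. Consider showing `keytab` as the sample `auth_type`, or add a comment line saying the password should not be left in plain text here. The block also ends with two blank lines before the `Console output` header, where the other Kerberos blocks added to this file end with one.
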
Expand Down Expand Up @@ -926,6 +948,27 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/krb5kdc/kafka.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/path/config

# The service principal name.
#kerberos.service_name: HTTP/my-service@realm

# Name of the Kerberos user. It is used when auth_type is set to password.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC

#================================= Paths ==================================

# The home path for the apm-server installation. This is the default base path
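
Review bot: The comment on `#kerberos.service_name: HTTP/my-service@realm` calls this "the service principal name", but shared-kerberos-config.asciidoc in this same commit describes `service_name` as the name of the Kafka service, usually `kafka`; the comment and sample value should match that. This block also has no `#kerberos.enabled: true` entry, unlike the other two Kerberos blocks added to this file, and uses the placeholder `/etc/path/config` for `config_path` where the others show `/etc/krb5.conf`.
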
Expand Down Expand Up @@ -1136,5 +1179,26 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/elastic.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/krb5.conf

# Name of the Kerberos user.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC

#metrics.period: 10s
#state.period: 1m
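
Review bot: The comment `# Name of the Kerberos user.` above `#kerberos.username: elastic` does not say when the setting is needed, while the block added at line 948 of this file says it is used when `auth_type` is set to `password`, and the new shared-kerberos-config.asciidoc says a principal name has to be specified for `keytab` as well. Pick one statement and use it in all three blocks.
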
64 changes: 64 additions & 0 deletions apm-server.docker.yml
Expand Up @@ -672,6 +672,28 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/elastic.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/krb5.conf

# Name of the Kerberos user.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC


#----------------------------- Console output -----------------------------
#output.console:
# Boolean flag to enable or disable the output module.
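
Review bot: In this Docker variant the sample paths `/etc/elastic.keytab` and `/etc/krb5.conf` refer to locations inside the container, which the comments do not mention. A short comment that both files have to be mounted into the container, read-only and readable by the user the server runs as, would make the samples usable as written.
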
Expand Down Expand Up @@ -926,6 +948,27 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/krb5kdc/kafka.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/path/config

# The service principal name.
#kerberos.service_name: HTTP/my-service@realm

# Name of the Kerberos user. It is used when auth_type is set to password.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC

#================================= Paths ==================================

# The home path for the apm-server installation. This is the default base path
Expand Down Expand Up @@ -1136,5 +1179,26 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/elastic.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/krb5.conf

# Name of the Kerberos user.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC

#metrics.period: 10s
#state.period: 1m
64 changes: 64 additions & 0 deletions apm-server.yml
Expand Up @@ -672,6 +672,28 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/elastic.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/krb5.conf

# Name of the Kerberos user.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC


#----------------------------- Console output -----------------------------
#output.console:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -926,6 +948,27 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/krb5kdc/kafka.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/path/config

# The service principal name.
#kerberos.service_name: HTTP/my-service@realm

# Name of the Kerberos user. It is used when auth_type is set to password.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC

#================================= Paths ==================================

# The home path for the apm-server installation. This is the default base path
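
Review bot: The sample values in this block do not agree with each other: `#kerberos.service_name: HTTP/my-service@realm` embeds a lowercase `realm` placeholder while the block ends with `#kerberos.realm: ELASTIC`, and the example in shared-kerberos-config.asciidoc uses `ELASTIC.CO`. Using one realm value throughout would let readers uncomment the samples as a consistent set.
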
Expand Down Expand Up @@ -1136,5 +1179,26 @@ output.elasticsearch:
# never, once, and freely. Default is never.
#ssl.renegotiation: never

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

# Authentication type to use with Kerberos. Available options: keytab, password.
#kerberos.auth_type: password

# Path to the keytab file. It is used when auth_type is set to keytab.
#kerberos.keytab: /etc/elastic.keytab

# Path to the Kerberos configuration.
#kerberos.config_path: /etc/krb5.conf

# Name of the Kerberos user.
#kerberos.username: elastic

# Password of the Kerberos user. It is used when auth_type is set to password.
#kerberos.password: changeme

# Kerberos realm.
#kerberos.realm: ELASTIC

#metrics.period: 10s
#state.period: 1m
2 changes: 1 addition & 1 deletion docs/copied-from-beats/docs/loggingconfig.asciidoc
Expand Up @@ -238,7 +238,7 @@ When true, logs messages in JSON format. The default is false.
[float]
==== `logging.ecs`

When true, logs messages with the minimum required {ecs-ref}/ecs-reference.html[Elastic Common Schema (ECS)]
When true, logs messages with minimal required Elastic Common Schema (ECS)
information.

ifndef::serverless[]
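
Review bot: Of the two `When true, logs messages with ...` sentences under `logging.ecs`, the second drops the `{ecs-ref}/ecs-reference.html[...]` link and reads "with minimal required Elastic Common Schema (ECS) information", which is less clear than "the minimum required". If the second sentence is the added line, as the 1 addition and 1 deletion suggest, keep the link macro and the article; this is also the file listed under `# Conflicts:` in the commit message, so it is worth confirming the intended side of the conflict was kept.
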
85 changes: 85 additions & 0 deletions docs/copied-from-beats/docs/shared-kerberos-config.asciidoc
@@ -0,0 +1,85 @@
[[configuration-kerberos]]
== Configure Kerberos

You can specify Kerberos options with any output or input that supports Kerberos, like {es} and Kafka.

The following encryption types are supported:

* aes128-cts-hmac-sha1-96
* aes128-cts-hmac-sha256-128
* aes256-cts-hmac-sha1-96
* aes256-cts-hmac-sha384-192
* des3-cbc-sha1-kd
* rc4-hmac

Example output config with Kerberos password based authentication:

[source,yaml]
----
output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"]
output.elasticsearch.kerberos.auth_type: password
output.elasticsearch.kerberos.username: "elastic"
output.elasticsearch.kerberos.password: "changeme"
output.elasticsearch.kerberos.config_path: "/etc/krb5.conf"
output.elasticsearch.kerberos.realm: "ELASTIC.CO"
----

The service principal name for the Elasticsearch instance is contructed from these options. Based on this configuration
it is going to be `HTTP/my-elasticsearch.elastic.co@ELASTIC.CO`.

[float]
=== Configuration options

You can specify the following options in the `kerberos` section of the +{beatname_lc}.yml+ config file:

[float]
==== `enabled`

The `enabled` setting can be used to enable the kerberos configuration by setting
it to `false`. The default value is `true`.

NOTE: Kerberos settings are disabled if either `enabled` is set to `false` or the
`kerberos` section is missing.

[float]
==== `auth_type`

There are two options to authenticate with Kerberos KDC: `password` and `keytab`.

`password` expects the principal name and its password. When choosing `keytab`, you
have to specify a princial name and a path to a keytab. The keytab must contain
the keys of the selected principal. Otherwise, authentication will fail.

[float]
==== `config_path`

You need to set the path to the `krb5.conf`, so +{beatname_lc} can find the Kerberos KDC to
retrieve a ticket.

[float]
==== `username`

Name of the principal used to connect to the output.

[float]
==== `password`

If you configured `password` for `auth_type`, you have to provide a password
for the selected principal.

[float]
==== `keytab`

If you configured `keytab` for `auth_type`, you have to provide the path to the
keytab of the selected principal.

[float]
==== `service_name`

This option can only be configured for Kafka. It is the name of the Kafka service, usually `kafka`.

[float]
==== `realm`

Name of the realm where the output resides.

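Review bot: The `enabled` section says the setting is used "to enable the kerberos configuration by setting it to `false`", which is inverted; it should read "disable", matching the NOTE directly below it. Two typos also need fixing: "contructed" in the sentence after the example and "princial" under `auth_type`. The encryption type list gives `des3-cbc-sha1-kd` and `rc4-hmac` the same standing as the AES types; consider stating which types are preferred so readers know what to put in a keytab.
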
5 changes: 2 additions & 3 deletions docs/copied-from-beats/docs/shared-ssl-config.asciidoc
Expand Up @@ -239,12 +239,11 @@ are `never`, `once`, and `freely`. The default value is never.
[float]
==== `ca_sha256`

This configure a certificate pin can that ca be used to ensure that a specific certificate is used
to as part of the verified chain.
This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain.

The pin is a base64 encoded string of the SHA-256 of the certificate.

NOTE: This check is not a replacement for the normal SSL validation but it add additional validation.
NOTE: This check is not a replacement for the normal SSL validation, but it adds additional validation.
If this option is used with `verification_mode` set to `none`, the check will always fail because
it will not receive any verified chains.

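Review bot: The reworded `ca_sha256` paragraph still says "a specific certificate" although the option name refers to a CA, and the unchanged line "The pin is a base64 encoded string of the SHA-256 of the certificate." does not say which encoding of the certificate is hashed or how to produce the value. Since this hunk already touches the paragraph, add one sentence on how to generate the pin. In the NOTE, "adds additional validation" is redundant; "adds a further check" would do.
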