The content of this page has been automatically translated by AI. If you encounter any problems while reading, you can view the corresponding content in Chinese.

ES Cluster

Last updated: 2024-10-24 15:36:59

ES clusters are deployed in logically isolated VPCs, providing a wide variety of capabilities to ensure the security of your cloud resources, including:
CAM for resources under Tencent Cloud account (see CAM Access Control Configuration)
ES cluster access password/user authentication
Kibana and Cerebro public network access IP allowlist, or restriction of Kibana and Cerebro to private network access only
Control over public network access to ES clusters and IP allowlist
Role-based access control (RBAC)

Setting ES Cluster Access Password

When creating a Tencent Cloud ES cluster, users are required to set a default password for the user elastic. This account and password are used to log in to the Kibana page. If the cluster has enabled ES cluster user login authentication, then this username and password will also be used for ES cluster login authentication, providing further security protection. Details are as follows:


Resetting ES Cluster Access Password

To adjust the ES cluster access password, you can reset the password for the ES cluster's elastic account through the cluster details page's password reset feature. The operation page is as follows:


Setting Kibana Public Network Access IP Allowlist

Because the Kibana page is reachable over the public network by default, ES provides, in addition to password authentication, an IP blocklist/allowlist for Kibana access, further protecting user clusters.
The default allowlist for Kibana public network access is 127.0.0.1, which means every other IPv4 and IPv6 address is denied access. When you click the Kibana access entry, a pop-up window guides you through setting up the allowlist, as shown in the image.

In the cluster's Visual Configuration interface, you can set the Kibana public network access IP blocklist/allowlist:
Configuration rule: multiple entries separated by commas are supported; each entry is either a single IP address (e.g. 192.168.0.1) or a CIDR block (e.g. 192.168.0.0/24). Up to 50 entries are supported.
Blocklist/Allowlist settings: you can set either of them. If both a blocklist and an allowlist are configured, the allowlist prevails.
Search for the required CAM policy as needed, and click to complete policy association.
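The rules above (comma-separated entries, each a single IP or a CIDR block, at most 50 entries, allowlist prevailing over blocklist) can be checked locally before you paste a list into the console. The following is an added example written for this page, not Tencent Cloud's own code: it validates a list string and evaluates whether a given client address would be admitted, including the default 127.0.0.1 allowlist case. Function names and the sample addresses are constructed here.

```python
"""Added example (not Tencent Cloud's code): validate a Kibana/ES public-access
IP list string under the rules stated on the page and evaluate whether a client
address is admitted. Assumptions: comma-separated entries, each a single IP or
a CIDR block, at most 50 entries; if both lists are set the allowlist prevails."""
import ipaddress

MAX_ENTRIES = 50               # limit stated on the page
DEFAULT_ALLOWLIST = "127.0.0.1"  # console default: effectively denies all public clients


def parse_ip_list(raw):
    """Parse '192.168.0.1, 192.168.0.0/24' into ip_network objects.

    Raises ValueError for an empty list, more than MAX_ENTRIES entries, or an
    entry that is neither an IPv4/IPv6 address nor a CIDR block.
    """
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        raise ValueError("list must contain at least one entry")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(
            f"at most {MAX_ENTRIES} entries are supported, got {len(entries)}")
    networks = []
    for entry in entries:
        try:
            # strict=False tolerates host bits, e.g. 10.0.0.1/24 -> 10.0.0.0/24;
            # a bare address becomes a /32 (or /128) network.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid entry {entry!r}: {exc}") from exc
    return networks


def is_admitted(client_ip, allowlist=None, blocklist=None):
    """Decide whether client_ip may reach Kibana/ES over the public network.

    Only one list is needed. If both are given the allowlist prevails, as the
    page states. With no list configured, the default allowlist applies.
    An IPv4 address never matches an IPv6 network and vice versa.
    """
    addr = ipaddress.ip_address(client_ip)
    if allowlist is not None:
        return any(addr in net for net in parse_ip_list(allowlist))
    if blocklist is not None:
        return not any(addr in net for net in parse_ip_list(blocklist))
    return any(addr in net for net in parse_ip_list(DEFAULT_ALLOWLIST))


if __name__ == "__main__":
    # Constructed sample: an office range plus one jump host.
    office = "192.168.0.1, 192.168.0.0/24"
    for ip in ("192.168.0.77", "203.0.113.7"):
        print(ip, "admitted" if is_admitted(ip, allowlist=office) else "denied")
```

Run the validation before saving a list; an entry that is not a valid address or CIDR block, or a list longer than 50 entries, raises a ValueError naming the offending entry instead of being silently truncated.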


Enabling Only Private Network Access to Kibana

If you have concerns about the security of public network access, you can disable public access and enable private network access only.


Enable public network access for the ES Cluster

For security, public network access to ES clusters is disabled by default. For clusters with ES cluster user login authentication enabled, you can enable public network access for convenience, but an IP allowlist must be configured for protection.


Role-Based Access Control (RBAC)

For clusters with ES cluster user login authentication enabled, additional security management features become available. The Platinum edition further supports fine-grained access control at the document and field level. For details, refer to the Elastic official documentation on role-based access control.

Role Management

Users can create, modify, and delete roles with different permission combinations in Kibana under Management > Security > Roles. Details are as follows:


User Management

Users can create, modify (e.g., edit user information or change the password), and delete users holding multiple roles in Kibana under Management > Security > Users. Details are as follows:
Note
The password for the built-in user 'elastic' in ES can only be reset in the official console.
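The role and user management described above (roles combining index privileges with document- and field-level restrictions, users holding several roles) can also be done through the Elasticsearch security API rather than the Kibana UI. The following is an added example for this page, not Elastic's or Tencent Cloud's code: it builds the request bodies for `PUT /_security/role/<name>` and `PUT /_security/user/<name>` and then runs a small local model of how those definitions gate a read, so the effect of a field grant or document query can be inspected offline. The role name, index pattern, user and field names are constructed, and the evaluation function is a simplified teaching model, not Elasticsearch's authorization engine.

```python
"""Added example (not Elastic's or Tencent Cloud's code): build Elasticsearch
security-API request bodies for a least-privilege role and a user, then model
locally how the role's index pattern, privileges, field grant and document
query restrict a read. Role/user/field names are constructed for illustration."""
import fnmatch
import json


def make_role(name, index_patterns, privileges, grant_fields=None, query=None):
    """Return (path, body) for PUT /_security/role/<name>.

    field_security.grant limits which fields the role can see (field-level
    security); query restricts which documents it can see (document-level
    security). Both are Platinum-tier features, as the page notes.
    """
    index_entry = {"names": list(index_patterns), "privileges": list(privileges)}
    if grant_fields is not None:
        index_entry["field_security"] = {"grant": list(grant_fields)}
    if query is not None:
        index_entry["query"] = query
    return f"/_security/role/{name}", {"cluster": [], "indices": [index_entry]}


def make_user(username, password, roles, full_name=""):
    """Return (path, body) for PUT /_security/user/<username>."""
    body = {"password": password, "roles": list(roles), "full_name": full_name}
    return f"/_security/user/{username}", body


def evaluate_read(roles_by_name, user_roles, index, requested_fields):
    """Simplified local model of a read-authorization decision.

    A read on `index` is allowed if any of the user's roles grants 'read' or
    'all' on a pattern matching the index. Visible fields are the union of the
    matching roles' grants (a role without field_security grants every field).
    Document queries from matching roles are returned for the caller to OR.
    """
    allowed = False
    unrestricted_fields = False
    visible = set()
    doc_queries = []
    for role_name in user_roles:
        role = roles_by_name.get(role_name)
        if role is None:          # unknown role contributes nothing
            continue
        for idx in role["indices"]:
            if not any(fnmatch.fnmatchcase(index, p) for p in idx["names"]):
                continue
            if not {"read", "all"} & set(idx["privileges"]):
                continue
            allowed = True
            field_security = idx.get("field_security")
            if field_security is None:
                unrestricted_fields = True
            else:
                grants = field_security["grant"]
                visible.update(f for f in requested_fields
                               if any(fnmatch.fnmatchcase(f, g) for g in grants))
            if "query" in idx:
                doc_queries.append(idx["query"])
    if not allowed:
        return {"allowed": False, "fields": [], "document_queries": []}
    fields = list(requested_fields) if unrestricted_fields else sorted(visible)
    return {"allowed": True, "fields": fields, "document_queries": doc_queries}


# Constructed sample: a support role that may only read ERROR-level log
# documents and only a few non-sensitive fields.
ROLES = {}
_role_path, _role_body = make_role(
    "support_reader", ["logs-*"], ["read"],
    grant_fields=["@timestamp", "message", "level"],
    query={"term": {"level": "ERROR"}})
ROLES["support_reader"] = _role_body

if __name__ == "__main__":
    print("PUT", _role_path, json.dumps(_role_body, indent=2))
    user_path, user_body = make_user(
        "alice", "<placeholder-password>", ["support_reader"], "Alice Support")
    print("PUT", user_path, json.dumps(user_body, indent=2))
    print(evaluate_read(ROLES, ["support_reader"], "logs-2024.10",
                        ["@timestamp", "message", "user.ssn"]))
```

Send the two request bodies with the elastic account (or another user holding `manage_security`) over HTTPS to the cluster endpoint; the local `evaluate_read` call shows that the sample role sees `logs-*` but not other indices, drops the `user.ssn` field, and carries the ERROR-only document query.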

For more information on how to use relevant security features, please see the following: