Skip to main content
Security is enabled by default in Elasticsearch 8.0 and later. When you start a new Elasticsearch node for the first time, the security auto-configuration process generates TLS certificates, sets passwords for built-in users, and outputs an enrollment token you can use to connect Kibana.
Do not disable security in production. Setting xpack.security.enabled: false removes authentication and authorization for all clients, including all Kibana instances that connect to the cluster.

General security settings

Set these in elasticsearch.yml.
SettingDefaultDescription
xpack.security.enabledtrueEnables Elasticsearch security features. Must be true to use authentication, authorization, and auditing.
xpack.security.autoconfiguration.enabledtrueEnables security auto-configuration on first start. When false, you must configure security manually.
xpack.security.enrollment.enabledfalseWhen true, the node can generate enrollment tokens for new nodes and Kibana instances. Set automatically by the auto-configuration process.
xpack.security.fips_mode.enabledfalseSet to true when running in a FIPS 140-2 enabled JVM.

Authentication

Built-in users

Elasticsearch ships with several built-in users. These accounts are stored in a special .security index and are available as soon as security is enabled.
UsernamePurpose
elasticSuperuser. Full access to all cluster operations. Use for initial setup only; create dedicated users for day-to-day operations.
kibana_systemUsed by Kibana to connect to Elasticsearch. Do not use for general access.
logstash_systemUsed by Logstash monitoring agents.
beats_systemUsed by Beats monitoring agents.
remote_monitoring_userUsed by Metricbeat for Stack Monitoring.
To reset the elastic user’s password: 
bin/elasticsearch-reset-password -u elastic

Authentication realms

Elasticsearch uses a chain of realms to authenticate users. Realms are evaluated in order from lowest to highest.
The default realm. Users are stored in the .security index and managed via the Elasticsearch API. Suitable for most deployments.
xpack.security.authc.realms:
  native.realm1:
    order: 0
Manage users with the Users API or Kibana’s user management UI.

API keys

API keys provide a way to grant long-lived or short-lived programmatic access without sharing user credentials.

Creating an API key

POST /_security/api_key
{
  "name": "my-ingest-key",
  "expiration": "30d",
  "role_descriptors": {
    "ingest_role": {
      "cluster": ["monitor"],
      "indices": [
        {
          "names": ["logs-*"],
          "privileges": ["write", "create_index"]
        }
      ]
    }
  }
}
The response includes id and api_key. Store api_key securely — it is shown only once. 
{
  "id": "VuaCfGcBCdbkQm-e5aOx",
  "name": "my-ingest-key",
  "api_key": "ui2lp2axTNmsyakw9tvNnw",
  "encoded": "VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw=="
}

Using an API key in requests

Encode the key as base64(id:api_key) and pass it in the Authorization header: 
curl -H "Authorization: ApiKey VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw==" \
  https://localhost:9200/_cluster/health
Or use the pre-encoded encoded field from the create response directly.

API key settings

SettingDefaultDescription
xpack.security.authc.api_key.enabledtrueEnables the API key service.
xpack.security.authc.api_key.cache.ttl1dHow long to cache API key credentials in memory.
xpack.security.authc.api_key.cache.max_keys10000Maximum number of API keys held in the cache.
xpack.security.authc.api_key.delete.retention_period7dHow long invalidated or expired keys are retained before deletion. Dynamic.

Role-based access control (RBAC)

Every authenticated request in Elasticsearch is authorized against one or more roles assigned to the user or API key.

Built-in roles

superuser

Full read/write access to the entire cluster, including cluster administration, index management, and user management.

kibana_admin

Full access to all Kibana features. Does not grant direct Elasticsearch index access.

viewer

Read-only access to all indices and Kibana features. Suitable for dashboards and reporting.

editor

Read and write access to Elasticsearch data and most Kibana features, but cannot manage users or roles.

Custom roles

Create or update a custom role using the role API: 
PUT /_security/role/logs_reader
{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": ["logs-*", "metrics-*"],
      "privileges": ["read", "view_index_metadata"]
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": ["feature_discover.read"],
      "resources": ["space:default"]
    }
  ]
}
Assign the role to a user: 
POST /_security/user/analyst
{
  "password": "changeme123!",
  "roles": ["logs_reader"],
  "full_name": "Data Analyst"
}

Document and field level security

Restrict access to specific documents or fields within an index using role definitions: 
PUT /_security/role/restricted_reader
{
  "indices": [
    {
      "names": ["orders-*"],
      "privileges": ["read"],
      "query": "{\"term\": {\"region\": \"us-east\"}}",
      "field_security": {
        "grant": ["order_id", "amount", "timestamp"],
        "except": ["customer_pii"]
      }
    }
  ]
}
SettingDefaultDescription
xpack.security.dls_fls.enabledtrueEnables document and field level security. Set to false to prevent configuring DLS/FLS.
xpack.security.dls.bitset.cache.size10%Maximum memory for caching DLS BitSet objects. Accepts bytes (200mb) or heap percentage (5%).
xpack.security.dls.bitset.cache.ttl2hTime-to-live for cached DLS BitSet entries.

TLS and transport encryption

Elasticsearch 8+ auto-configures TLS for both the transport (node-to-node) and HTTP (client-to-node) layers during initial setup. Certificates are stored in config/certs/. 
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
The keystore password is stored in the Elasticsearch keystore:
bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
TLS is required on the transport layer whenever xpack.security.enabled is true. Disabling transport TLS on a secured cluster will prevent nodes from joining.

Token service

Short-lived tokens provide session-like access for browser-based clients such as Kibana.
SettingDefaultDescription
xpack.security.authc.token.enabledtrueEnables the token service. Automatically false if HTTP SSL is disabled, to prevent token sniffing over plaintext.
xpack.security.authc.token.timeout20mValidity period for issued tokens. Maximum is 1h.

Security domains

Group multiple realms into a single security domain so that users authenticated by any realm in the domain share the same identity for audit logging and authorization: 
xpack:
  security:
    authc:
      domains:
        my_domain:
          realms: ['default_native', 'saml1']

Build docs developers (and LLMs) love

Get started for freeTalk to us