After installing and before running Insight, you may set the following configurations.
Where to find the system configurations?
You can configure all your system settings using the system.yaml file located in the $JFROG_HOME/insight/var/etc folder. For more information, see Insight YAML Configuration.
If you don't have a System YAML file in your folder, copy the template available in the folder and name it system.yaml.
For the Helm charts, the system.yaml file is managed in the chart's values.yaml.
Artifactory Connection Details
Insight requires a working Artifactory server and a suitable license. The Insight connection to Artifactory requires 2 parameters:
jfrogUrl - URL to the machine where JFrog Artifactory is deployed, or the load balancer pointing to it. We recommend that you use DNS names rather than direct IPs. For example, http://jfrog.acme.com instead of http://10.20.30.40:8082.
Set it in the Shared Configurations section of the $JFROG_HOME/insight/etc/system.yaml file.
join.key - This is the "secret" key required by Artifactory for registering and authenticating the Insight server.
You can fetch the Artifactory joinKey (join Key) from the JPD UI in the Administration module | User Management | Settings | Join Key.
Set the join.key used by your Artifactory server in the Shared Configurations section of the $JFROG_HOME/insight/etc/system.yaml file.
Change PostgreSQL Database Credentials
Insight comes bundled with a PostgreSQL Database out-of-the-box, which comes pre-configured with default credentials.
Note
These commands are indicative and assume some familiarity with PostgreSQL. Do not copy and paste them. For docker-compose, you need to ssh into the PostgreSQL container before you run them.
To change the default credentials:
# Access PostgreSQL as the insight user, adding the optional -W flag to invoke the password prompt
$ psql -d insight -U insight -W
# Securely change the password for user "insight". Enter and then retype the password at the prompt.
\password insight
# Verify the update was successful by logging in with the new credentials
$ psql -d insight -U insight -W
Change Elasticsearch Credentials
The Search Guard tool is used to manage authentication. To change the password for the default user, provide a password hash in the Search Guard configuration.
Obtain the username used to access Elasticsearch from the elasticsearch.username entry in $JFROG_HOME/insight/var/etc/system.yaml.
Generate the password hash by providing the password (in text format) as input.
$ELASTICSEARCH_HOME/plugins/search-guard-<major_version_number>/tools/hash.sh -p <password_in_text_format>
Update the configuration of the default user with the output from the previous step.
vi $ELASTICSEARCH_HOME/plugins/search-guard-<major_version_number>/sgconfig/sg_internal_users.yml
# Scroll in the file to find the entry for the username of the default user
# Update the value of "hash" with the hash obtained in the previous step
<default_username>:
  hash: <hash_output_from_previous_step>
Run the command to initialise Search Guard.
Add certificates to connect to external Elasticsearch over SSL
To use an external Elasticsearch over an SSL connection, you must copy the certificate files to the trusted folder in the Insight installation ($JFROG_HOME/insight/var/etc/security/keys/trusted) and restart Insight services.
Set your PostgreSQL and Elasticsearch connection details in the Shared Configurations section of the $JFROG_HOME/insight/var/etc/system.yaml file.
Load a custom certificate to Elasticsearch Search Guard
If you prefer to use custom certificates when Search Guard is enabled with TLS in Elasticsearch, you can use the search-guard-tlstool to generate Search Guard certificates.
The tool to generate Search Guard certificates is available at $JFROG_HOME/app/third-party/elasticsearch/search-guard-tlstool-1.6.tar.gz. For more information about generating certificates, see Search Guard TLS Tool.
Run the tool to generate the certificates.
tar -xvf $JFROG_HOME/app/third-party/elasticsearch/search-guard-tlstool-1.6.tar.gz
cp $JFROG_HOME/app/third-party/elasticsearch/config/tlsconfig.yml $JFROG_HOME/app/third-party/elasticsearch/search-guard-tlstool-1.8/config
cd $JFROG_HOME/app/third-party/elasticsearch/search-guard-tlstool-1.8/tools
./sgtlstool.sh -c ../config/tlsconfig.yml -ca -crt # a folder named "out" is created with all the required certificates
cd out
Copy the generated certificates (localhost.key, localhost.pem, root-ca.pem, sgadmin.key, sgadmin.pem) to the target location based on the installer type.
Native
cp localhost.key localhost.pem root-ca.pem sgadmin.key sgadmin.pem /etc/elasticsearch/certs/
Configure a custom Elasticsearch role
The Search Guard tool is used to manage authentication. By default, an admin user is required to authenticate to Elasticsearch. As an alternative, you can configure a new user to authenticate to Elasticsearch by assigning it a custom role with the permissions the application needs to work.
Add the following snippet to define a new role with custom permissions in $ELASTICSEARCH_HOME/plugins/search-guard-<major_version_number>/sgconfig/sg_roles.yml.
<role_name>:
  cluster_permissions:
    - cluster:monitor/health
    - cluster:monitor/main
    - cluster:monitor/state
    - "indices:admin/template/get"
    - "indices:admin/template/delete"
    - "indices:admin/template/put"
    - "indices:admin/aliases"
    - "indices:admin/create"
  index_permissions:
    - index_patterns:
        - "active_*"
      allowed_actions:
        - "indices:monitor/health"
        - "indices:monitor/stats"
        - "indices:monitor/settings/get"
        - "indices:admin/aliases/get"
        - "indices:admin/get"
        - "indices:admin/aliases"
        - "indices:admin/create"
        - "indices:admin/delete"
        - "indices:admin/rollover"
        - SGS_CRUD
Add the following snippet to add a new user in $ELASTICSEARCH_HOME/plugins/search-guard-<major_version_number>/sgconfig/sg_internal_users.yml.
<user_name>:
  hash: <Hash_password>
  backend_roles:
    - "<role_name>" # role_name defined in the previous step
  description: "<description>"
Run the following command to generate a hash password.
$ELASTICSEARCH_HOME/plugins/search-guard-<major_version_number>/tools/hash.sh -p <clear_text_password>
Add the following snippet to map the new username to the role defined in the previous step in $ELASTICSEARCH_HOME/plugins/search-guard-<major_version_number>/sgconfig/sg_roles_mapping.yml.
<role_name>:
  users:
    - "<user_name>"
Initialize Search Guard to upload the changes made in the configuration.
Set the new credentials in the $JFROG_HOME/insight/etc/system.yaml file:
shared:
  elasticsearch:
    username: <user_name>
    password: <clear_text_password>
Restart Insight services.
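The system.yaml file ends up holding the join key and a clear-text Elasticsearch password, so it is worth checking before the restart. The following pre-start check is an added example, not part of the JFrog documentation or tooling; it assumes one "key: value" per line as in the snippets above and assumes the join key is stored under a key named joinKey.

```sh
#!/bin/sh
# Added example: pre-start checks for Insight's system.yaml (not JFrog code).
# Assumption: flat "key: value" lines; the join key lives under "joinKey".

# yaml_value FILE KEY -> prints the first scalar value found for KEY
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" |
    sed 's/[[:space:]]\{1,\}#.*$//' | tr -d "\"'" | head -n 1
}

# check_system_yaml FILE -> one finding per line; returns the number of findings
check_system_yaml() {
  f=$1; findings=0
  note() { echo "$f: $1"; findings=$((findings + 1)); }

  # The file carries secrets: group and other must have no access at all.
  case $(ls -ld "$f" | cut -c5-10) in
    ------) ;;
    *) note "accessible by group/other; restrict with chmod 600" ;;
  esac

  # jfrogUrl should name a DNS host, not a bare IPv4 address.
  url=$(yaml_value "$f" jfrogUrl)
  host=${url#*://}; host=${host%%[:/]*}
  case $host in
    "") note "jfrogUrl is not set" ;;
    *[!0-9.]*) ;;   # contains something other than digits and dots
    *) note "jfrogUrl uses a bare IP ($host); use a DNS name" ;;
  esac

  # The join key must be present and not a template placeholder.
  case $(yaml_value "$f" joinKey) in
    ""|"<"*">") note "joinKey is empty or still a placeholder" ;;
  esac

  # No password field may be empty or left as <placeholder>.
  if grep -Eq '^[[:space:]]*password:[[:space:]]*(<.*>)?[[:space:]]*$' "$f"; then
    note "a password field is empty or still a placeholder"
  fi
  return "$findings"
}

# Stand-alone use: sh check.sh "$JFROG_HOME/insight/var/etc/system.yaml"
if [ "$#" -gt 0 ]; then check_system_yaml "$1"; fi
```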