elastic · tvernum · Nov 6, 2018 · Apr 30, 2018 · Apr 30, 2018 · May 1, 2018
diff --git a/docs/reference/migration/migrate_7_0/settings.asciidoc b/docs/reference/migration/migrate_7_0/settings.asciidoc
@@ -66,3 +66,32 @@ used.  Therefore, these settings have been renamed from `search.remote.*` to
 in the cluster state, or set on dynamic settings updates, we will automatically
 upgrade the setting from `search.remote.*` to `cluster.remote.*`. The fallback
 settings will be removed in 8.0.0.
+
+[[include-realm-type-in-setting]]
+==== Security realms settings
+
+The settings for all security realms must now include the realm type as part
+of the setting name, and the explicit `type` setting has been removed.
+
+A realm that was previous configured as:
+[source,yaml]
+--------------------------------------------------
+xpack.security.authc.realms:
+  ldap1:
+    type: ldap
+    order: 1
+    url: "ldaps://ldap.example.com/"
+--------------------------------------------------
+
+Must be migrated to: 
+[source,yaml]
+--------------------------------------------------
+xpack.security.authc.realms:
+  ldap.ldap1:
+    order: 1
+    url: "ldaps://ldap.example.com/"
+--------------------------------------------------
+
+Any realm specific secure settings that have been stored in the elasticsearch
+keystore (such as ldap bind passwords, or passwords for ssl keys) must be updated
+in a similar way.
diff --git a/docs/reference/security/securing-communications/tls-ad.asciidoc b/docs/reference/security/securing-communications/tls-ad.asciidoc
@@ -32,12 +32,12 @@ xpack:
     authc:
       realms:
         active_directory:
-          type: active_directory
-          order: 0
-          domain_name: ad.example.com
-          url: ldaps://ad.example.com:636
-          ssl:
-            certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]
+          ad_realm:
+            order: 0
+            domain_name: ad.example.com
+            url: ldaps://ad.example.com:636
+            ssl:
+              certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]
 --------------------------------------------------
 
 The CA cert must be a PEM encoded certificate.

diff --git a/docs/reference/security/securing-communications/tls-ldap.asciidoc b/docs/reference/security/securing-communications/tls-ldap.asciidoc
@@ -24,12 +24,12 @@ xpack:
   security:
     authc:
       realms:
-        ldap1:
-          type: ldap
-          order: 0
-          url: "ldaps://ldap.example.com:636"
-          ssl:
-            certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]
+        ldap:
+          ldap1:
+            order: 0
+            url: "ldaps://ldap.example.com:636"
+            ssl:
+              certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]
 --------------------------------------------------
 
 The CA certificate must be a PEM encoded.
@@ -52,4 +52,4 @@ NOTE: By default, when you configure {security} to connect to an LDAP server
       configuration do not match, {security} does not allow a connection to the
       LDAP server. This is done to protect against man-in-the-middle attacks. If
       necessary, you can disable this behavior by setting the
-      `ssl.verification_mode` property to `certificate`.
+      `ssl.verification_mode` property to `certificate`.
diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc
@@ -42,9 +42,10 @@ recommend that you explicitly add this setting to avoid confusion.
 A comma-separated list of settings that are omitted from the results of the
 <<cluster-nodes-info,cluster nodes info API>>. You can use wildcards to include
 multiple settings in the list.  For example, the following value hides all the
-settings for the ad1 realm: `xpack.security.authc.realms.ad1.*`. The API already
-omits all `ssl` settings, `bind_dn`, and `bind_password` due to the
-sensitive nature of the information.
+settings for the ad1 active_directory realm:
+`xpack.security.authc.realms.active_directory.ad1.*`.
+The API already omits all `ssl` settings, `bind_dn`, and `bind_password` due to
+the sensitive nature of the information.
 
 `xpack.security.fips_mode.enabled`::
 Enables fips mode of operation. Set this to `true` if you run this {es} instance in a FIPS 140-2 enabled JVM.  For more information, see <<fips-140-compliance>>. Defaults to `false`.
@@ -149,18 +150,15 @@ namespace in `elasticsearch.yml`. For example:
 ----------------------------------------
 xpack.security.authc.realms:
 
-    realm1:
-        type: native
+    native.realm1:
         order: 0
         ...
 
-    realm2:
-        type: ldap
+    ldap.realm2:
         order: 1
         ...
 
-    realm3:
-        type: active_directory
+    active_directory.realm3:
         order: 2
         ...
     ...

diff --git a/x-pack/docs/en/security/authentication/configuring-active-directory-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-active-directory-realm.asciidoc
@@ -11,9 +11,9 @@ For more information about Active Directory realms, see
 {xpack-ref}/active-directory-realm.html[Active Directory User Authentication].
 
 . Add a realm configuration of type `active_directory` to `elasticsearch.yml`
-under the `xpack.security.authc.realms` namespace. At a minimum, you must set 
-the realm `type` to `active_directory` and specify the Active Directory 
-`domain_name`. If you are configuring multiple realms, you should also 
+under the `xpack.security.authc.realms.active_directory` namespace.
+At a minimum, you must specify the Active Directory `domain_name`.
+If you are configuring multiple realms, you should also 
 explicitly set the `order` attribute to control the order in which the realms 
 are consulted during authentication. 
 +
@@ -35,10 +35,10 @@ xpack:
     authc:
       realms:
         active_directory:
-          type: active_directory
-          order: 0 <1>
-          domain_name: ad.example.com
-          url: ldaps://ad.example.com:636 <2>
+          my_ad:
+            order: 0 <1>
+            domain_name: ad.example.com
+            url: ldaps://ad.example.com:636 <2>
 ------------------------------------------------------------
 <1> The realm order controls the order in which the configured realms are checked
     when authenticating a user.
@@ -71,12 +71,12 @@ xpack:
     authc:
       realms:
         active_directory:
-          type: active_directory
-          order: 0
-          domain_name: example.com <1>
-          url: ldaps://dc1.ad.example.com:3269, ldaps://dc2.ad.example.com:3269 <2>
-          load_balance:
-            type: "round_robin" <3>
+          my_ad:
+            order: 0
+            domain_name: example.com <1>
+            url: ldaps://dc1.ad.example.com:3269, ldaps://dc2.ad.example.com:3269 <2>
+            load_balance:
+              type: "round_robin" <3>
 ------------------------------------------------------------
 <1> The `domain_name` is set to the name of the root domain in the forest.
 <2> The `url` value used in this example has URLs for two different Domain Controllers,
@@ -135,11 +135,11 @@ xpack:
     authc:
       realms:
         active_directory:
-          type: active_directory
-          order: 0
-          domain_name: ad.example.com
-          url: ldaps://ad.example.com:636
-          bind_dn: [email protected] <1>
+          my_ad:
+            order: 0
+            domain_name: ad.example.com
+            url: ldaps://ad.example.com:636
+            bind_dn: [email protected] <1>
 ------------------------------------------------------------
 <1> This is the user that all Active Directory search requests are executed as.
     Without a bind user configured, all requests run as the user that is authenticating
@@ -152,7 +152,7 @@ the following command adds the password for the example realm above:
 [source, shell]
 ------------------------------------------------------------
 bin/elasticsearch-keystore add  \
-xpack.security.authc.realms.active_directory.secure_bind_password
+xpack.security.authc.realms.active_directory.my_ad.secure_bind_password
 ------------------------------------------------------------
 
 When a bind user is configured, connection pooling is enabled by default.

diff --git a/x-pack/docs/en/security/authentication/configuring-file-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-file-realm.asciidoc
@@ -25,10 +25,9 @@ explicitly configure a `file` realm.
 For more information about file realms, see 
 {xpack-ref}/file-realm.html[File-based user authentication].
 
-. (Optional) Add a realm configuration of type `file` to `elasticsearch.yml` 
-under the `xpack.security.authc.realms` namespace. At a minimum, you must set 
-the realm `type` to `file`. If you are configuring multiple realms, you should 
-also explicitly set the `order` attribute. 
+. (Optional) Add a realm configuration to `elasticsearch.yml` under the
+`xpack.security.authc.realms.file` namespace. At a minimum, you must set 
+the realm's `order` attribute.
 +
 --
 //See <<ref-users-settings>> for all of the options you can set for a `file` realm.
@@ -42,9 +41,9 @@ xpack:
   security:
     authc:
       realms:
-        file1:
-          type: file
-          order: 0
+        file:
+          file1:
+            order: 0
 ------------------------------------------------------------
 --
 

diff --git a/x-pack/docs/en/security/authentication/configuring-kerberos-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-kerberos-realm.asciidoc
@@ -113,15 +113,14 @@ NOTE: You can configure only one Kerberos realm on {es} nodes.
 
 To configure a Kerberos realm, there are a few mandatory realm settings and
 other optional settings that you need to configure in the `elasticsearch.yml`
-configuration file. Add a realm of type `kerberos` under the 
-`xpack.security.authc.realms` namespace.
+configuration file. Add a realm configuration under the 
+`xpack.security.authc.realms.kerberos` namespace.
 
 The most common configuration for a Kerberos realm is as follows:
 
 [source, yaml]
 ------------------------------------------------------------
-xpack.security.authc.realms.kerb1:
-  type: kerberos
+xpack.security.authc.realms.kerberos.kerb1:
   order: 3
   keytab.path: es.keytab
   remove_realm_name: false

diff --git a/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-ldap-realm.asciidoc
@@ -27,12 +27,12 @@ However, multiple bind operations might be needed to find the correct user DN.
 
 . To configure an `ldap` realm with user search:
 
-.. Add a realm configuration of type `ldap` to `elasticsearch.yml` under the
-`xpack.security.authc.realms` namespace. At a minimum, you must set the realm 
-`type` to `ldap`, specify the `url` of the LDAP server, and set 
-`user_search.base_dn` to the container DN where the users are searched for. If 
-you are configuring multiple realms, you should also explicitly set the `order` 
-attribute to control the order in which the realms are consulted during 
+.. Add a realm configuration of to `elasticsearch.yml` under the
+`xpack.security.authc.realms.ldap` namespace. At a minimum, you must specify
+the `url` of the LDAP server, and set `user_search.base_dn` to the container DN
+where the users are searched for.
+If you are configuring multiple realms, you should also explicitly set the
+`order` attribute to control the order in which the realms are consulted during 
 authentication. See <<ref-ldap-settings>> for all of the options you can set for 
 an `ldap` realm.
 +
@@ -45,19 +45,19 @@ xpack:
   security:
     authc:
       realms:
-        ldap1:
-          type: ldap
-          order: 0
-          url: "ldaps://ldap.example.com:636"
-          bind_dn: "cn=ldapuser, ou=users, o=services, dc=example, dc=com"
-          user_search:
-            base_dn: "dc=example,dc=com"
-            attribute: cn
-          group_search:
-            base_dn: "dc=example,dc=com"
-          files:
-            role_mapping: "ES_PATH_CONF/role_mapping.yml"
-          unmapped_groups_as_roles: false
+        ldap:
+          ldap1:
+            order: 0
+            url: "ldaps://ldap.example.com:636"
+            bind_dn: "cn=ldapuser, ou=users, o=services, dc=example, dc=com"
+            user_search:
+              base_dn: "dc=example,dc=com"
+              attribute: cn
+            group_search:
+              base_dn: "dc=example,dc=com"
+            files:
+              role_mapping: "ES_PATH_CONF/role_mapping.yml"
+            unmapped_groups_as_roles: false
 ------------------------------------------------------------
 
 The password for the `bind_dn` user should be configured by adding the appropriate
@@ -67,7 +67,7 @@ For example, the following command adds the password for the example realm above
 [source, shell]
 ------------------------------------------------------------
 bin/elasticsearch-keystore add \
-xpack.security.authc.realms.ldap1.secure_bind_password
+xpack.security.authc.realms.ldap.ldap1.secure_bind_password
 ------------------------------------------------------------
 
 IMPORTANT: When you configure realms in `elasticsearch.yml`, only the
@@ -78,13 +78,13 @@ realms you specify are used for authentication. If you also want to use the
 
 . To configure an `ldap` realm with user DN templates:
 
-.. Add a realm configuration of type `ldap` to `elasticsearch.yml` in the
-`xpack.security.authc.realms` namespace. At a minimum, you must set the realm 
-`type` to `ldap`, specify the `url` of the LDAP server, and specify at least one 
-template with the `user_dn_templates` option. If you are configuring multiple 
-realms, you should also explicitly set the `order` attribute to control the 
-order in which the realms are consulted during authentication. See 
-<<ref-ldap-settings>> for all of the options you can set for an `ldap` realm.
+.. Add a realm configuration to `elasticsearch.yml` in the
+`xpack.security.authc.realms.ldap` namespace. At a minimum, you must specify
+the `url` of the LDAP server, and specify at least one template with the
+`user_dn_templates` option. If you are configuring multiple realms, you should
+also explicitly set the `order` attribute to control the order in which the
+realms are consulted during authentication.
+See <<ref-ldap-settings>> for all of the options you can set for an `ldap` realm.
 +
 --
 For example, the following snippet shows an LDAP realm configured with user DN 
@@ -96,18 +96,18 @@ xpack:
   security:
     authc:
       realms:
-        ldap1:
-          type: ldap
-          order: 0
-          url: "ldaps://ldap.example.com:636"
-          user_dn_templates:
-            - "cn={0}, ou=users, o=marketing, dc=example, dc=com"
-            - "cn={0}, ou=users, o=engineering, dc=example, dc=com"
-          group_search:
-            base_dn: "dc=example,dc=com"
-          files:
-            role_mapping: "/mnt/elasticsearch/group_to_role_mapping.yml"
-          unmapped_groups_as_roles: false
+        ldap:
+          ldap1:
+            order: 0
+            url: "ldaps://ldap.example.com:636"
+            user_dn_templates:
+              - "cn={0}, ou=users, o=marketing, dc=example, dc=com"
+              - "cn={0}, ou=users, o=engineering, dc=example, dc=com"
+            group_search:
+              base_dn: "dc=example,dc=com"
+            files:
+              role_mapping: "/mnt/elasticsearch/group_to_role_mapping.yml"
+            unmapped_groups_as_roles: false
 ------------------------------------------------------------
 
 IMPORTANT: The `bind_dn` setting is not used in template mode.
@@ -212,8 +212,8 @@ xpack:
   security:
     authc:
       realms:
-        ldap1:
-          type: ldap
-          metadata: cn
+        ldap:
+          ldap1:
+            metadata: cn
 --------------------------------------------------
 --
diff --git a/x-pack/docs/en/security/authentication/configuring-native-realm.asciidoc b/x-pack/docs/en/security/authentication/configuring-native-realm.asciidoc
@@ -9,15 +9,15 @@ The native realm is available by default when no other realms are
 configured. If other realm settings have been configured in `elasticsearch.yml`, 
 you must add the native realm to the realm chain.
 
-You can configure options for the `native` realm in the 
-`xpack.security.authc.realms` namespace in `elasticsearch.yml`. Explicitly
-configuring a native realm enables you to set the order in which it appears in
-the realm chain, temporarily disable the realm, and control its cache options.
-
-. Add a realm configuration of type `native` to `elasticsearch.yml` under the
-`xpack.security.authc.realms` namespace. At a minimum, you must set the realm
-`type` to `native`. If you are configuring multiple realms, you should also
-explicitly set the `order` attribute. 
+You can configure a `native` realm in the `xpack.security.authc.realms.native`
+namespace in `elasticsearch.yml`.
+Explicitly configuring a native realm enables you to set the order in which it
+appears in the realm chain, temporarily disable the realm, and control its
+cache options.
+
+. Add a realm configuration to `elasticsearch.yml` under the
+`xpack.security.authc.realms.native` namespace. It is recommended that you
+explicitly set the `order` attribute for the realm. 
 +
 --
 See <<ref-native-settings>> for all of the options you can set for the `native` realm.
@@ -30,9 +30,9 @@ xpack:
   security:
     authc:
       realms:
-        native1:
-          type: native
-          order: 0
+        native:
+          native1:
+            order: 0
 ------------------------------------------------------------
 
 NOTE: To limit exposure to credential theft and mitigate credential compromise,