Introduction to AAA for Elasticsearch (I)
0x00 Preface
Elasticsearch (ES) is being adopted by more and more companies, and its security problems have drawn a lot of attention. Many issues have surfaced recently; vulnerabilities with wide impact include CVE-2014-3120 and CVE-2015-1427.
These vulnerabilities are closely tied to Elasticsearch's lack of authentication and authorization mechanisms. At the same time, many internal business units in a company share the same Elasticsearch cluster, so the question of how to manage authentication and authorization is especially pressing.
The official security module, Shield, is a paid product, so its adoption is not high. In the spirit of saving the company money, we looked for other solutions. Some detours were taken along the way, and they are recorded here for colleagues who run into the same problems.
0x01 Requirements
With the popularity of ES, more and more security requirements arise, such as:
1. Account authentication: solves the problem of anonymous access to ES.
2. Authorization management: assigns access permissions (mainly to indices) to different accounts along different dimensions.
3. Read-only permission: this comes from wanting to share a dashboard with others without giving them permission to modify it.
4. Unified authentication and single sign-on.
0x02 Solution selection
With the requirements settled, the following options were found:
1. elasticsearch-http-basic. Advantages: easy and fast to deploy; it takes you from nothing to account authentication and IP whitelist authentication. Disadvantages: single function; it only solves requirement #1.
2. kibana-authentication-proxy. Advantages: authentication implemented in front of Kibana, supporting "Google OAuth2, BasicAuth (multiple users supported) and CAS Authentication", which solves the single sign-on part of requirement #4; combined with the IP whitelist of solution #1 it can basically meet requirements #1 and #4. Disadvantages: currently only Kibana 3 is supported.
3. Shield. Advantages: powerful and richly documented. Disadvantage: paid.
4. search-guard. Advantages: free, feature-rich, and able to solve all of the requirements (except single sign-on in #4). Disadvantages: deployment and configuration are slightly complicated, documentation is sparse, and the learning curve is steep.
You can probably guess the final choice: solution #4, search-guard.
0x03 Installation and configuration
Preparations
Currently the official project supports ES 1.5 and 1.6, and the installation methods for the two versions differ.
ES 1.5:
Install directly with the plugin tool:
bin/plugin -i com.floragunn/search-guard/0.5
ES 1.6:
First install Maven:
wget http://mirror.bit.edu.cn/apache/maven/maven-3/3.3.3/binaries/apache-maven-3.3.3-bin.tar.gz
Unpack it and add its bin directory to the PATH environment variable.
Download and compile the plugin, then install the built jar:
git clone -b es1.6 https://github.com/floragunncom/search-guard.git
cd search-guard
mvn package -DskipTests
bin/plugin -u file:./target/search-guard-16-0.6-SNAPSHOT.jar -i search-guard
Configuration
The search guard configuration is split into two parts: one lives in the files elasticsearch.yml and logging.yml, the other (the ACL) is stored inside ES itself.
elasticsearch.yml holds the search guard switches, the SSL settings, the authentication methods and the permission filters. Next we complete a minimal configuration: paste the content of searchguard_config_template.yml from the git repository into elasticsearch.yml, then enable
searchguard.allow_all_from_loopback: true
to make local debugging easier. In addition, pay attention to the following options:
searchguard.key_path: /path/key
This is the path to the searchguard_node.key file. Basic authentication is enabled by default in the template, through these settings:
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator
Set user names and passwords:
searchguard.authentication.settingsdb.user.<username>: <password>
searchguard.authentication.settingsdb.user.admin: adminpass
searchguard.authentication.settingsdb.user.user: userpass
Assign roles to the users. Give admin the super administrator role root, and give user the read-only role readonly:
searchguard.authentication.authorization.settingsdb.roles.<username>: [<role>]
searchguard.authentication.authorization.settingsdb.roles.admin: ["root"]
searchguard.authentication.authorization.settingsdb.roles.user: ["readonly"]
Set the filters. I define two: readonly and deny. The readonly filter allows only read operations plus the two index admin operations Kibana needs; write operations are forbidden.
searchguard.actionrequestfilter.names: ["readonly", "deny"]
searchguard.actionrequestfilter.readonly.allowed_actions: ["indices:data/read/*", "indices:admin/exists", "indices:admin/mappings/*"]
searchguard.actionrequestfilter.readonly.forbidden_actions: ["indices:data/write/*"]
The deny filter blocks all operations.
searchguard.actionrequestfilter.deny.allowed_actions: []
searchguard.actionrequestfilter.deny.forbidden_actions: ["cluster:*", "indices:*"]
Finally, add to logging.yml
logger.com.floragunn: DEBUG
to turn on search guard's debug level for easier troubleshooting. The file configuration is now complete. Next, set the ACL that ties the configured roles, filters and indices together.
curl -XPUT 'http://localhost:9200/searchguard/ac?pretty' -d '{
  "acl": [
    {
      "__Comment__": "This is the DEFAULT rule, which must exist. The default permission is readonly",
      "filters_bypass": [],
      "filters_execute": ["actionrequestfilter.readonly"]
    },
    {
      "__Comment__": "Root accounts can bypass all filters",
      "roles": ["root"],
      "filters_bypass": ["*"],
      "filters_execute": []
    },
    {
      "__Comment__": "The readonly role has no access to logstash indices",
      "roles": ["readonly"],
      "indices": ["logstash*"],
      "filters_bypass": [],
      "filters_execute": ["actionrequestfilter.deny"]
    },
    {
      "__Comment__": "The readonly role has read-only access to the logs and .kibana indices",
      "roles": ["readonly"],
      "indices": ["logs", ".kibana"],
      "filters_bypass": ["*"],
      "filters_execute": ["actionrequestfilter.readonly"]
    }
  ]
}'
With this, the sensitive index logstash* is accessible only to the admin account, while the user account can perform read-only operations on logs and .kibana. You can test it yourself. This solves the problem that Kibana has no permission control of its own: a dashboard can be shared with the user account without worrying that they will change the chart settings and affect other users.
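To reason about what the policy above actually grants before loading it into a cluster, here is an added Python model (not part of this article or of the search-guard plugin) that replays the page's users, roles, filters and the four ACL rules against a request of (user, index, action). The rule-merging semantics in filters_for are an assumption, stated in its docstring, and should be checked against the plugin's own documentation.

```python
from fnmatch import fnmatchcase

# Constructed from the elasticsearch.yml settings on this page.
USER_ROLES = {"admin": ["root"], "user": ["readonly"]}
FILTERS = {
    "actionrequestfilter.readonly": {
        "allowed": ["indices:data/read/*", "indices:admin/exists",
                    "indices:admin/mappings/*"],
        "forbidden": ["indices:data/write/*"],
    },
    "actionrequestfilter.deny": {"allowed": [], "forbidden": ["cluster:*", "indices:*"]},
}
# The four ACL rules from the curl -XPUT above, comments dropped.
ACL = [
    {"filters_bypass": [], "filters_execute": ["actionrequestfilter.readonly"]},
    {"roles": ["root"], "filters_bypass": ["*"], "filters_execute": []},
    {"roles": ["readonly"], "indices": ["logstash*"],
     "filters_bypass": [], "filters_execute": ["actionrequestfilter.deny"]},
    {"roles": ["readonly"], "indices": ["logs", ".kibana"],
     "filters_bypass": ["*"], "filters_execute": ["actionrequestfilter.readonly"]},
]

def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)

def filter_permits(name, action):
    """Pass only if an allowed pattern matches and no forbidden one does."""
    f = FILTERS[name]
    return _matches(f["allowed"], action) and not _matches(f["forbidden"], action)

def filters_for(user, index):
    """Assumed merge semantics (a simplification; verify against the plugin):
    the default rule always applies; each later rule whose roles and indices
    match adds its filters_execute and drops its filters_bypass, and a bypass
    of "*" keeps only the filters that rule lists explicitly."""
    roles = USER_ROLES.get(user, [])
    active = set(ACL[0]["filters_execute"])
    for rule in ACL[1:]:
        if "roles" in rule and not any(r in roles for r in rule["roles"]):
            continue
        if "indices" in rule and not _matches(rule["indices"], index):
            continue
        active |= set(rule["filters_execute"])
        bypass = set(rule["filters_bypass"])
        active = set(rule["filters_execute"]) if "*" in bypass else active - bypass
    return sorted(active)

def is_allowed(user, index, action):
    """Authorization only: every active filter must permit the action."""
    return all(filter_permits(f, action) for f in filters_for(user, index))
```

The model covers authorization only; whether the request was authenticated at all is decided by the HTTP authenticator configured earlier.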
0x04 Summary
In fact search guard can do far more than described above, for example refining the ACL down to the field or document level, encrypting data between nodes with SSL, and using LDAP or AD accounts for authentication; we hope to introduce these later.
I hope this article serves as a useful reference.