Using Shield to protect the ELK platform, with privilege control
By default the ELK stack has no user authentication: anyone who can reach the Elasticsearch API can read and write data. So how do you protect an ELK system?
Goal
After reading this tutorial, you can learn to:
- Block unauthorized users from accessing the ELK platform
- Allow different users to access different indices
Method
Here we use Shield, the security plugin from Elastic, to do the job.
What is Shield?
Shield is a security plugin for Elasticsearch developed by Elastic. Once installed, Shield intercepts every request to Elasticsearch and adds authentication and encryption, protecting Elasticsearch and the systems built on it.
It supports the following features:
User authentication
With Shield you define a set of known users and use them to authenticate requests. These users live in an abstract "realm". A realm may be one of the following types:
- LDAP Service
- Active Directory Services
- Local esusers configuration file (similar to /etc/passwd)
Permission control
The Shield permissions control contains the following elements:
- Secured resource: the object a permission applies to, such as an index or the cluster.
- Privilege: one or more actions a role can perform on an object, such as read and write. It can also be an action specific to one kind of object, such as indices:data/read/percolate.
- Permission: one or more privileges on a secured resource, such as read on the "products" index.
- Role: a named collection of permissions.
- User: a user entity. A user can be assigned zero, one or more roles and may exercise, on each secured resource, the privileges granted by those roles.
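The relationships just listed, as an added worked example (not Shield's own code): a small Python model of users, roles, index patterns and privileges. ROLES mirrors the roles.yml fragments this tutorial ends up with and USERS_ROLES the esusers assignments; the table that expands a named privilege such as read into individual actions is a reduced assumption, Shield's real tables are larger.

```python
# Added example (not Shield's own code): a small Python model of the objects
# Shield's permission control is built from. ROLES mirrors the roles.yml
# fragments in this tutorial and USERS_ROLES the esusers assignments; the
# privilege-to-action table is a reduced assumption, Shield's real one is larger.
from fnmatch import fnmatchcase

# Assumption: a cut-down version of Shield's named index privileges.
INDEX_PRIVILEGES = {
    "read": {
        "indices:data/read/get",
        "indices:data/read/mget",
        "indices:data/read/search",
        "indices:data/read/msearch",
    },
    "write": {
        "indices:data/write/index",
        "indices:data/write/update",
        "indices:data/write/delete",
    },
}
INDEX_PRIVILEGES["all"] = INDEX_PRIVILEGES["read"] | INDEX_PRIVILEGES["write"]

# Roles as written in roles.yml: a cluster action list plus, per index
# pattern, either a named privilege or an explicit list of actions.
ROLES = {
    "kibana4": {
        "cluster": ["cluster:monitor/nodes/info", "cluster:monitor/health"],
        "indices": {
            ".kibana": [
                "indices:admin/exists", "indices:admin/create",
                "indices:data/read/get", "indices:data/read/search",
                "indices:data/write/index", "indices:data/write/update",
            ],
        },
    },
    "nginx_user": {"indices": {"logstash-nginx*": "read"}},
    "mail_user": {"indices": {"logstash-mail*": "read"}},
}

# users_roles as produced by `esusers useradd ... -r` and `esusers roles ... -a`.
USERS_ROLES = {
    "demo_nginx": ["nginx_user", "kibana4"],
    "demo_mail": ["mail_user", "kibana4"],
}


def expand(privilege):
    """Resolve a named privilege (or an explicit action list) to a set of actions."""
    if isinstance(privilege, str):
        return INDEX_PRIVILEGES[privilege]
    return set(privilege)


def role_allows(role, action, index=None):
    """Permission check for one role: cluster actions need no index, index
    actions must match a pattern whose privilege contains the action."""
    if index is None:
        return action in role.get("cluster", [])
    return any(
        fnmatchcase(index, pattern) and action in expand(privilege)
        for pattern, privilege in role.get("indices", {}).items()
    )


def is_allowed(user, action, index=None):
    """A user may perform an action if any of the user's roles allows it;
    an unknown user has no roles and is therefore denied everything."""
    return any(role_allows(ROLES[r], action, index) for r in USERS_ROLES.get(user, []))


def visible_indices(user, all_indices):
    """The indices a user can search, i.e. what that user sees in Kibana."""
    return sorted(i for i in all_indices if is_allowed(user, "indices:data/read/search", i))


if __name__ == "__main__":
    # Constructed sample index names in the tutorial's logstash-%{type}-%{+yyyy.MM.dd} layout.
    indices = ["logstash-nginx-2015.10.01", "logstash-mail-2015.10.01", ".kibana"]
    for name in USERS_ROLES:
        print(name, "sees", visible_indices(name, indices))
```

Deny-by-default falls out of the structure: a user with no roles, or a role whose patterns do not match the index, never reaches a True branch, which is the property you want to preserve when you edit roles.yml.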
Cluster node authentication and channel encryption
Shield uses SSL/TLS to encrypt the transport port (9300) so that an unauthorized machine can neither eavesdrop on the cluster nor interfere with it.
IP filtering
Shield supports IP-based access control.
Audit
Shield can write the details of every authentication operation to the Elasticsearch log, including the user name, the operation and whether it was allowed.
Installing Shield
Prerequisites
- Java 7 or later is installed
- Elasticsearch 1.5.0+ is installed (unpacked) on this machine. If you installed with apt or yum, the default installation directory is probably /usr/share/elasticsearch.
Start installation
- Enter the Elasticsearch installation directory:
cd /usr/share/elasticsearch
- Install the Elasticsearch license plugin:
bin/plugin -i elasticsearch/license/latest
Shield is a commercial plugin that requires an Elasticsearch commercial license. The first time the license is installed you get a 30-day free trial. After 30 days Shield blocks the cluster health, cluster stats and index stats APIs; the rest of the features are unaffected.
- Install the Shield plugin:
bin/plugin -i elasticsearch/shield/latest
- Move or link the Shield configuration directory to /etc/elasticsearch/shield:
ln -s /usr/share/elasticsearch/config/shield /etc/elasticsearch/shield
The reason is that the Elasticsearch service looks for the Shield configuration files in /etc/elasticsearch/shield at startup, while installing Shield creates them in /usr/share/elasticsearch/config/shield.
- Restart the Elasticsearch service:
service elasticsearch restart
- Create a new Elasticsearch administrator account; you will be asked for the new password:
bin/shield/esusers useradd es_admin -r admin
- Now try to access Elasticsearch through the REST API; the request should be rejected:
curl -XGET 'http://localhost:9200/'
- Add a user name and password to the request:
curl -u es_admin -XGET 'http://localhost:9200/'
If authentication fails, you may need to add the following to /etc/elasticsearch/elasticsearch.yml:
shield:
  authc:
    realms:
      default:
        type: esusers
        order: 0
        enabled: true
        files:
          users: "/etc/elasticsearch/shield/users"
          users_roles: "/etc/elasticsearch/shield/users_roles"
With that, Shield's basic functions are installed. Next, configure the rest of the stack.
Configure Logstash
- On the Elasticsearch server, use esusers to create the Logstash user:
/usr/share/elasticsearch/bin/shield/esusers useradd logstashserver -r logstash
- On the Logstash server, modify the output section of the configuration file, for example:
output {
  elasticsearch {
    host => "192.168.6.144"
    protocol => "http"
    index => "logstash-%{type}-%{+yyyy.MM.dd}"
    user => "logstashserver"   # the user name that holds the logstash role in Shield
    password => "woshimima"    # don't forget the password
  }
  # stdout { codec => rubydebug }
}
You can then restart the Logstash service.
Configure Kibana
Basic configuration
- On the Elasticsearch server, use esusers to create a user with the kibana4_server role:
/usr/share/elasticsearch/bin/shield/esusers useradd kibanaserver -r kibana4_server
- On the Kibana server, edit /opt/kibana/config/kibana.yml, locate the following section and modify it:
# If your Elasticsearch is protected with basic auth, this is the user credentials
# used by the Kibana server to perform maintenance on the kibana_index at startup. Your Kibana
# users will still need to authenticate with Elasticsearch (which is proxied through
# the Kibana server)
kibana_elasticsearch_username: kibanaserver   # the Kibana service uses this user name to access the Elasticsearch server
kibana_elasticsearch_password: woshimima      # password
You can then restart the Kibana service. You may need the es_admin account created earlier to log in to the Kibana web page.
Permission control
In a real production environment you often need different roles to see different indices: for example, the Nginx administrator should only see Nginx-related logs and the mail administrator only mail-related logs. This is where the permission control function comes in.
First, edit /etc/elasticsearch/shield/roles.yml on the Elasticsearch server and comment out the kibana4.indices.* section, which removes the Kibana users' permission to read all indices, as follows:
# The required permissions for kibana 4 users.
kibana4:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
#    '*':
#      - indices:admin/mappings/fields/get
#      - indices:admin/validate/query
#      - indices:data/read/search
#      - indices:data/read/msearch
#      - indices:admin/get
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create
After that, add the permission configuration for the new users to roles.yml:
nginx_user:                  # role definition for nginx_user
  indices:                   # index section
    'logstash-nginx*': read  # nginx_user may read every index matching 'logstash-nginx*'
mail_user:                   # role definition for mail_user, same usage as above
  indices:
    'logstash-mail*': read
Now use esusers to create two new users, one in each group:
/usr/share/elasticsearch/bin/shield/esusers useradd demo_nginx -r nginx_user
/usr/share/elasticsearch/bin/shield/esusers useradd demo_mail -r mail_user
and also add them to the kibana4 group:
/usr/share/elasticsearch/bin/shield/esusers roles demo_nginx -a kibana4
/usr/share/elasticsearch/bin/shield/esusers roles demo_mail -a kibana4
Now log in to the Kibana interface as each of the two users and you will see different content.
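Logging in to Kibana is one way to confirm the result; the check below is an added example (not part of this tutorial or of Shield) that does the same thing over the REST API. It replays the curl test from the installation section (anonymous request rejected) and the two-user test just described, and compares the status codes with what roles.yml grants: Shield answers 401 when no credentials are sent and 403 when an authenticated user lacks the privilege on that index. It assumes Elasticsearch on http://localhost:9200, the user names from this tutorial, and "PASSWORD" as a placeholder for the passwords set with esusers; the transport parameter exists so the comparison logic can be exercised without a live cluster.

```python
# Added example (not part of the original tutorial or of Shield): an
# access-matrix check for a Shield-protected Elasticsearch over HTTP.
# Assumptions: Elasticsearch on http://localhost:9200, the users from this
# tutorial, and "PASSWORD" as a placeholder for the passwords set with esusers.
import base64
import urllib.error
import urllib.request

ES_URL = "http://localhost:9200"  # assumption: Elasticsearch on the local host


def basic_auth_header(user, password):
    """Value of the Authorization header that `curl -u user:password` sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def http_status(url, headers):
    """GET the URL and return the status code; 401/403 are results, not errors."""
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=5) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def check_access(user, password, index, transport=http_status):
    """Status code for a search on `index` as `user` (None = anonymous request)."""
    headers = {}
    if user is not None:
        headers["Authorization"] = basic_auth_header(user, password)
    return transport(f"{ES_URL}/{index}/_search?size=0", headers)


# Constructed expectations derived from the roles.yml in this tutorial:
# 401 without credentials, 200 on the user's own indices, 403 elsewhere.
EXPECTED = [
    (None, None, "logstash-nginx-2015.10.01", 401),
    ("demo_nginx", "PASSWORD", "logstash-nginx-2015.10.01", 200),
    ("demo_nginx", "PASSWORD", "logstash-mail-2015.10.01", 403),
    ("demo_mail", "PASSWORD", "logstash-mail-2015.10.01", 200),
    ("demo_mail", "PASSWORD", "logstash-nginx-2015.10.01", 403),
]


def verify_matrix(expected=EXPECTED, transport=http_status):
    """Return (user, index, expected, observed) for every row that deviates;
    an empty list means the role configuration behaves as intended."""
    failures = []
    for user, password, index, want in expected:
        got = check_access(user, password, index, transport)
        if got != want:
            failures.append((user, index, want, got))
    return failures


if __name__ == "__main__":
    problems = verify_matrix()
    for user, index, want, got in problems:
        print(f"{user or '<anonymous>'} on {index}: expected {want}, got {got}")
    print("OK" if not problems else f"{len(problems)} deviation(s)")
```

Run it after every change to roles.yml or users_roles: a row that unexpectedly returns 200 means a role grew wider than intended, and a 401 for a named user usually means the esusers realm is not enabled in elasticsearch.yml.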