Using Shield to protect the Elasticsearch platform, with privilege control

Source: Internet
Author: User
Tags: curl, kibana, logstash

By default the ELK stack has no user authentication: anyone who can reach the Elasticsearch API can read and write data. So how do we protect an ELK system?

Target

After reading this tutorial you will be able to block unauthorized users from accessing the ELK platform and to let different users access different indices.

Here we use Shield, from Elastic, to do this job.

What is Shield

Shield is a security plugin developed by Elastic for Elasticsearch. Once installed, Shield intercepts every request to Elasticsearch and adds authentication and encryption, securing Elasticsearch and the systems around it. It supports the following features.

User authentication

With Shield you define a set of known users and authenticate requests against them. These users live in an abstract "realm" (the configuration later in this tutorial calls it a realm). A realm can be one of the following types:
- an LDAP service
- an Active Directory service
- a local esusers configuration file (similar to /etc/passwd)

Permission control

Shield's access control is built from the following elements:
- Secured resource: the object a permission applies to, such as an index or the cluster.
- Privilege: one or more actions that may be performed on a secured resource, such as read or write. A privilege can also be a single operation on an object, such as indices:data/read/percolate.
- Permission: one or more privileges on a secured resource, such as read on the 'products' index.
- Role: a named collection of permissions.
- User: an entity that can be assigned zero, one or more roles and thereby gains each role's privileges on its secured resources.

Cluster node authentication and channel encryption

Shield uses SSL/TLS on the node transport port (9300) so that an unauthorized machine cannot eavesdrop on or interfere with the cluster.

IP filtering

Shield supports IP-based access control.

Auditing

Shield can write the details of every authentication operation to the Elasticsearch log, including the user name, the operation and whether it was allowed.

Installing Shield

Prerequisites:
- Java 7 or later is installed.
- Elasticsearch 1.5.0 or later is installed on this machine. If you installed it with apt or yum, the default installation directory is probably /usr/share/elasticsearch.

Start the installation by changing into the Elasticsearch installation directory:

cd /usr/share/elasticsearch

Install the Elasticsearch License plugin:

bin/plugin -i elasticsearch/license/latest

Shield is a commercial plugin and requires an Elasticsearch commercial license. When the license plugin is first installed you get a 30-day free trial. After 30 days Shield blocks the cluster health, cluster stats and index stats APIs; everything else keeps working.

Now install the Shield plugin:

bin/plugin -i elasticsearch/shield/latest

Move or link the Shield configuration directory to /etc/elasticsearch/shield:

ln -s /usr/share/elasticsearch/config/shield /etc/elasticsearch/shield

This is needed because the Elasticsearch service looks for Shield's configuration files in /etc/elasticsearch/shield at startup, while the plugin installer puts them in /usr/share/elasticsearch/config/shield.

Restart the Elasticsearch service:

service elasticsearch restart

Create a new Elasticsearch administrator account; you will be prompted for the new password:

bin/shield/esusers useradd es_admin -r admin

Now try the REST API without credentials; the request should be rejected:

curl -XGET 'http://localhost:9200/'

Add a username and password to the request and it should succeed:

curl -u es_admin -XGET 'http://localhost:9200/'

If authentication fails, you may need to add the following to /etc/elasticsearch/elasticsearch.yml:

shield:
  authc:
    realms:
      default:
        type: esusers
        order: 0
        enabled: true
        files:
          users: "/etc/elasticsearch/shield/users"
          users_roles: "/etc/elasticsearch/shield/users_roles"
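The two curl calls above are the whole verification: an anonymous request must be refused and a request carrying the es_admin credentials must succeed. The following is an added example, not part of the original tutorial and not Elasticsearch or Shield code, that turns that check into a reusable Python function. probe() sends one GET with optional Basic credentials (the same header curl -u adds) and returns the status code, so it can be pointed at the real node at http://localhost:9200/. The stand-in HTTP server, the port it picks and the constructed password "correct-horse" exist only so the script runs offline.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed credentials for the stand-in server. On a real cluster the
# password is whatever you typed at "esusers useradd es_admin -r admin".
FAKE_USERS = {"es_admin": "correct-horse"}


def probe(url, user=None, password=None, timeout=5):
    """Send one GET and return the HTTP status code.

    Mirrors the two curl calls in the tutorial: a Shield-protected node
    answers 401 without credentials and 200 with a valid user:password.
    """
    req = Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")  # what curl -u sends
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


class StandInShieldHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for a Shield-protected node (constructed, not real)."""

    def do_GET(self):
        if self._authorized(self.headers.get("Authorization", "")):
            body = b'{"tagline": "stand-in node, authenticated"}'
            self.send_response(200)
        else:
            body = b'{"error": "missing or invalid credentials"}'
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="shield"')
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    @staticmethod
    def _authorized(header):
        if not header.startswith("Basic "):
            return False
        try:
            user, _, password = base64.b64decode(header[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        return FAKE_USERS.get(user) == password

    def log_message(self, *args):  # keep the stand-in quiet
        pass


def start_stand_in():
    """Start the stand-in on a free loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), StandInShieldHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}/"


def check_auth_enforced(base_url, user, password):
    """The tutorial's check as one function: anonymous refused, user accepted."""
    return probe(base_url) == 401 and probe(base_url, user, password) == 200


if __name__ == "__main__":
    url = start_stand_in()
    print("anonymous:", probe(url))                                  # 401
    print("es_admin :", probe(url, "es_admin", "correct-horse"))     # 200
    print("enforced :", check_auth_enforced(url, "es_admin", "correct-horse"))
```

Against a real node, call check_auth_enforced("http://localhost:9200/", "es_admin", the_password) after the restart; a True means Shield is intercepting requests, a False means the realm configuration above has not taken effect yet.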
At this point Shield's basic functions are installed.

Configure the rest of the software

Configure Logstash

On the Elasticsearch server, create a Logstash user with esusers:

/usr/share/elasticsearch/bin/shield/esusers useradd logstashserver -r logstash

On the Logstash server, modify the output section of the configuration file, for example:
output {
  elasticsearch {
    host => "192.168.6.144"
    protocol => "http"
    index => "logstash-%{type}-%{+YYYY.MM.dd}"
    user => "logstashserver"   # the Shield user that has the logstash role
    password => "woshimima"    # and its password, don't forget it
  }
#  stdout { codec => rubydebug }
}


You can then restart the Logstash service.

Configure Kibana

Basic configuration: on the Elasticsearch server, use esusers to create a user with the kibana4_server role:

/usr/share/elasticsearch/bin/shield/esusers useradd kibanaserver -r kibana4_server

On the Kibana server, edit /opt/kibana/config/kibana.yml, find this section and change it:

# If your Elasticsearch is protected with basic auth, this is the user credentials
# used by the Kibana server to perform maintenance on the kibana_index at startup. Your Kibana
# users will still need to authenticate with Elasticsearch (which is proxied through
# the Kibana server)
kibana_elasticsearch_username: kibanaserver  # the Kibana service uses this user to access the Elasticsearch server
kibana_elasticsearch_password: woshimima     # its password

You can then restart the Kibana service. You may need to log in to the Kibana web page with the es_admin account created earlier.

Permission control

In a real production environment you often need to let different roles see different indices: the Nginx administrator should only see Nginx-related logs, the mail administrator only mail-related logs. This is where permission control comes in.

First, edit /etc/elasticsearch/shield/roles.yml on the Elasticsearch server and comment out the '*' entry under the kibana4 role's indices section. This removes Kibana users' permission to read every index. The result looks like this:

# The required permissions for Kibana 4 users.
kibana4:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
#    '*':
#      - indices:admin/mappings/fields/get
#      - indices:admin/validate/query
#      - indices:data/read/search
#      - indices:data/read/msearch
#      - indices:admin/get
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create

Then append the role definitions for the new users to the end of roles.yml:

nginx_user:  # nginx_user role definition
  indices:   # indices section
    'logstash-nginx*': read  # nginx_user can read every index matching 'logstash-nginx*'

mail_user:   # mail_user role definition, same usage as above
  indices:
    'logstash-mail*': read

Now use esusers to create two new users, one in each role:

/usr/share/elasticsearch/bin/shield/esusers useradd demo_nginx -r nginx_user
/usr/share/elasticsearch/bin/shield/esusers useradd demo_mail -r mail_user

Then add both of them to the kibana4 role as well:

/usr/share/elasticsearch/bin/shield/esusers roles demo_nginx -a kibana4
/usr/share/elasticsearch/bin/shield/esusers roles demo_mail -a kibana4
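To see how the roles in roles.yml and the role memberships created by esusers combine into what each user may read, here is an added example in Python. It is not the tutorial's code and not Shield's implementation: the roles above are written out as Python data, the users_roles file is constructed inline in the "role:user1,user2" format that esusers writes, and the expansion of the named read privilege is a constructed subset of the real one. is_allowed() applies the rule described in the permission control section (a user holds roles, a role grants privileges on index patterns), and restore_wildcard() shows what happens when the commented-out '*' entry of kibana4 is put back.

```python
import fnmatch
from copy import deepcopy

# The roles from roles.yml above as Python data, so no YAML parser is needed.
# The kibana4 role lists raw action names, as in the tutorial; "read" is one
# of Shield's named privileges.
ROLES = {
    "kibana4": {
        "cluster": ["cluster:monitor/nodes/info", "cluster:monitor/health"],
        "indices": {
            # the '*' entry is commented out in the tutorial, so it is absent here
            ".kibana": [
                "indices:admin/exists", "indices:admin/mapping/put",
                "indices:admin/mappings/fields/get", "indices:admin/refresh",
                "indices:admin/validate/query", "indices:data/read/get",
                "indices:data/read/mget", "indices:data/read/search",
                "indices:data/write/delete", "indices:data/write/index",
                "indices:data/write/update", "indices:admin/create",
            ],
        },
    },
    "nginx_user": {"indices": {"logstash-nginx*": ["read"]}},
    "mail_user": {"indices": {"logstash-mail*": ["read"]}},
}

# Named privilege -> action patterns. Constructed subset for this example;
# Shield's real "read" privilege expands to more actions than these.
PRIVILEGES = {
    "read": ["indices:data/read/*", "indices:admin/mappings/fields/get",
             "indices:admin/validate/query"],
}

# Constructed users_roles file in esusers' "role:user1,user2" format, matching
# what the useradd and "roles -a" commands above would have produced.
USERS_ROLES_FILE = """\
admin:es_admin
logstash:logstashserver
kibana4_server:kibanaserver
nginx_user:demo_nginx
mail_user:demo_mail
kibana4:demo_nginx,demo_mail
"""

# Constructed index names of the kind Logstash creates with the output above.
SAMPLE_INDICES = [".kibana", "logstash-nginx-2015.05.20", "logstash-mail-2015.05.20"]


def parse_users_roles(text):
    """Return {user: set(role)} from the users_roles file format."""
    roles_of = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        role, _, users = line.partition(":")
        for user in users.split(","):
            if user.strip():
                roles_of.setdefault(user.strip(), set()).add(role.strip())
    return roles_of


def _grants(granted, action):
    """Does a grant list (privilege names or raw action names) cover action?"""
    for entry in granted:
        patterns = PRIVILEGES.get(entry, [entry])
        if any(fnmatch.fnmatchcase(action, p) for p in patterns):
            return True
    return False


def is_allowed(user, action, index, roles_of, roles=ROLES):
    """True if any role held by user grants action on index."""
    for role in roles_of.get(user, ()):
        for pattern, granted in roles.get(role, {}).get("indices", {}).items():
            if fnmatch.fnmatchcase(index, pattern) and _grants(granted, action):
                return True
    return False


def visible_indices(user, indices, roles_of, roles=ROLES):
    """Indices the user may search, i.e. what that user's Kibana can show."""
    return [i for i in indices
            if is_allowed(user, "indices:data/read/search", i, roles_of, roles)]


def restore_wildcard(roles=ROLES):
    """Copy of the roles with kibana4's '*' entry uncommented again."""
    widened = deepcopy(roles)
    widened["kibana4"]["indices"]["*"] = [
        "indices:admin/mappings/fields/get", "indices:admin/validate/query",
        "indices:data/read/search", "indices:data/read/msearch",
        "indices:admin/get",
    ]
    return widened


if __name__ == "__main__":
    roles_of = parse_users_roles(USERS_ROLES_FILE)
    for user in ("demo_nginx", "demo_mail"):
        print(user, "sees", visible_indices(user, SAMPLE_INDICES, roles_of))
        print(user, "sees with '*' restored",
              visible_indices(user, SAMPLE_INDICES, roles_of, restore_wildcard()))
```

With the '*' entry commented out, demo_nginx can search only .kibana and the logstash-nginx-* indices and demo_mail only .kibana and logstash-mail-*; with it restored, every kibana4 member can search every index, which is exactly the permission the tutorial removes.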

Now log in to the Kibana interface as each of the two users in turn: each one sees different content.
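The auditing feature described earlier is how you confirm this from the server side rather than by eye: Shield records the user, the action and whether it was allowed. The following is an added example, not part of the original tutorial and not Shield code, that reads such entries and pulls out two things an operator wants from them: principals with repeated authentication failures from one source address, and users who were refused access to an index (which is the role restriction above taking effect). The log lines are constructed to approximate the shape of Shield's audit entries (layer, event type, then key=[value] pairs) and are not copied from a real node; the parser keys only on that generic shape.

```python
import re
from collections import Counter, defaultdict

# Constructed audit lines in the general shape of Shield's entries; the
# principals and indices are the ones created in this tutorial.
SAMPLE_AUDIT_LOG = """\
[2015-05-20 10:01:02,345] [node-1] [rest] [authentication_failed] origin_address=[10.0.0.7], principal=[demo_mail], uri=[/]
[2015-05-20 10:01:05,001] [node-1] [rest] [authentication_failed] origin_address=[10.0.0.7], principal=[demo_mail], uri=[/]
[2015-05-20 10:01:09,110] [node-1] [rest] [authentication_failed] origin_address=[10.0.0.7], principal=[demo_mail], uri=[/]
[2015-05-20 10:01:12,800] [node-1] [rest] [authentication_failed] origin_address=[10.0.0.7], principal=[es_admin], uri=[/]
[2015-05-20 10:02:00,000] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.9], principal=[demo_nginx], action=[indices:data/read/search], indices=[logstash-nginx-2015.05.20]
[2015-05-20 10:02:03,500] [node-1] [transport] [access_denied] origin_type=[rest], origin_address=[10.0.0.9], principal=[demo_nginx], action=[indices:data/read/search], indices=[logstash-mail-2015.05.20]
[2015-05-20 10:02:04,000] [node-1] [rest] [anonymous_access_denied] origin_address=[10.0.0.12], uri=[/_cluster/health]
"""

# Four bracketed fields (timestamp, node, layer, event) followed by the rest.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<node>[^\]]+)\]\s+\[(?P<layer>[^\]]+)\]\s+"
    r"\[(?P<event>[^\]]+)\]\s*(?P<rest>.*)$"
)
# Generic key=[value] pairs; this is what makes the parser tolerant of field order.
KV_RE = re.compile(r"(\w+)=\[([^\]]*)\]")


def parse_audit_line(line):
    """One audit line -> dict of its fields, or None if it is not an audit entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "node", "layer", "event")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def parse_audit_log(text):
    """All audit entries in a log text, in order, skipping unrelated lines."""
    return [r for r in (parse_audit_line(l) for l in text.splitlines()) if r]


def failed_logins_by_source(records, threshold=3):
    """(principal, origin_address) pairs with at least threshold failures."""
    counts = Counter(
        (r.get("principal", "<anonymous>"), r.get("origin_address", "?"))
        for r in records if r["event"] == "authentication_failed"
    )
    return {key: n for key, n in counts.items() if n >= threshold}


def denied_index_access(records):
    """{principal: sorted indices the principal was refused access to}."""
    denied = defaultdict(set)
    for r in records:
        if r["event"] == "access_denied" and "indices" in r:
            denied[r["principal"]].update(r["indices"].split(","))
    return {user: sorted(idx) for user, idx in denied.items()}


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("repeated failures:", failed_logins_by_source(records))
    print("denied index access:", denied_index_access(records))
```

In the sample, demo_nginx's refused search on logstash-mail-2015.05.20 is the nginx_user role working as intended, while three failed logins for demo_mail from one address within ten seconds is the kind of entry worth alerting on once the cluster is exposed to more than a handful of users.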
