Using shield to protect Elasticsearch platform--and privilege control

Source: Internet
Author: User
Tags kibana logstash

Using Shield to protect the ELK platform, with privilege control

Out of the box, an ELK system has no user authentication at all: anyone who can reach the Elasticsearch API can read and write data. So how do we protect an ELK deployment?

Goal

After reading this tutorial, you will be able to:

    • Block unauthorized users from accessing the ELK platform
    • Allow different users to access different indices

Method

Here we use Shield, a plugin from Elastic (the company behind Elasticsearch), to do the job.

What is Shield?

Shield is a security plugin developed by Elastic for Elasticsearch. Once installed, Shield intercepts every request to Elasticsearch and adds authentication, authorization and encryption, securing Elasticsearch and the systems built on top of it.
It supports the following features:

User authentication

With Shield you define a set of known users and authenticate incoming requests against them. Users live in an abstraction called a realm. A realm can be one of the following types:

    • LDAP
    • Active Directory
    • Local esusers file (similar to /etc/passwd)
Permission control

Shield's permission model consists of the following elements:

    • Secured resource: the object a permission applies to, such as an index or the cluster.
    • Privilege: one or more actions a role can perform on a resource. Named privileges such as read and write group several actions; a single Elasticsearch action can also be granted directly, for example indices:data/read/percolate on an index.
    • Permission: one or more privileges on a secured resource, such as read on the products index.
    • Role: a named collection of permissions.
    • User: the authenticated entity. A user can be assigned zero, one or more roles and may perform, on each secured resource, the privileges those roles grant.
Cluster node authentication and channel encryption

Shield uses SSL/TLS on the transport port (9300 by default) so that traffic between nodes cannot be eavesdropped on and an unauthorized machine cannot join or tamper with the cluster.

IP filtering

Shield supports IP-based access control.

Audit

Shield can write an audit record for each authentication and authorization decision to the Elasticsearch log, including the user name, the requested action and whether it was allowed.

Installing Shield

Prerequisites
    • Java 7 or later is installed
    • Elasticsearch 1.5.0 or later is installed on this machine. If you installed it with apt or yum, the installation directory is normally /usr/share/elasticsearch.
Start installation
  1. Enter the Elasticsearch installation directory: cd /usr/share/elasticsearch
  2. Install the Elasticsearch license plugin: bin/plugin -i elasticsearch/license/latest

    Shield is a commercial plugin and requires an Elasticsearch commercial license. The first time the license plugin is installed you get a 30-day free trial. After 30 days Shield blocks the cluster health, cluster stats and index stats APIs; the remaining features are unaffected.

  3. Install the Shield plugin: bin/plugin -i elasticsearch/shield/latest

  4. Move or link the Shield configuration directory to /etc/elasticsearch/shield: ln -s /usr/share/elasticsearch/config/shield /etc/elasticsearch/shield

    This is needed because the Elasticsearch service looks for the Shield configuration in /etc/elasticsearch/shield at startup, whereas the plugin installer places it in /usr/share/elasticsearch/config/shield.

  5. Restart the Elasticsearch service: service elasticsearch restart

  6. Create an Elasticsearch administrator account (you will be prompted for the new password): bin/shield/esusers useradd es_admin -r admin

  7. Now try to access Elasticsearch through the REST API; the request should be rejected with HTTP 401: curl -XGET 'http://localhost:9200/'

  8. Add the user name and password to the request (curl prompts for the password): curl -u es_admin -XGET 'http://localhost:9200/'

    If authentication fails, check that /etc/elasticsearch/elasticsearch.yml contains the following realm configuration:

    shield:
      authc:
        realms:
          default:
            type: esusers
            order: 0
            enabled: true
            files:
              users: "/etc/elasticsearch/shield/users"
              users_roles: "/etc/elasticsearch/shield/users_roles"
At this point the basic Shield functions are installed. Next, configure the rest of the stack.

Configure Logstash
    1. On the Elasticsearch server, use esusers to create the Logstash user: /usr/share/elasticsearch/bin/shield/esusers useradd logstashserver -r logstash
    2. On the Logstash server, edit the output section of the Logstash configuration, for example:

    output {
      elasticsearch {
        host     => "192.168.6.144"
        protocol => "http"
        index    => "logstash-%{type}-%{+YYYY.MM.dd}"
        user     => "logstashserver"   # the user you created above with the Shield role logstash
        password => "woshimima"        # and don't forget its password
      }
      # stdout { codec => rubydebug }
    }


You can then restart the Logstash service.

Configure Kibana

Basic configuration
    1. On the Elasticsearch server, use esusers to create a user with the kibana4_server role: /usr/share/elasticsearch/bin/shield/esusers useradd kibanaserver -r kibana4_server
    2. On the Kibana server, edit /opt/kibana/config/kibana.yml, find the following section and set the credentials:

    # If your Elasticsearch is protected with basic auth, this is the user credentials
    # used by the Kibana server to perform maintenance on the kibana_index at startup. Your Kibana
    # users will still need to authenticate with Elasticsearch (which is proxied through
    # the Kibana server)
    kibana_elasticsearch_username: kibanaserver   # the Kibana service uses this user to access Elasticsearch
    kibana_elasticsearch_password: woshimima      # its password

Then restart the Kibana service. The Kibana web page now asks for a login; the kibanaserver user only serves the Kibana server process itself, so use the es_admin account created earlier to log in.

Permission control

In a production environment you often need different roles to see different indices: an Nginx administrator should only see Nginx logs, and a mail administrator only mail logs. This is where Shield's permission control comes in.

First, edit /etc/elasticsearch/shield/roles.yml on the Elasticsearch server and comment out the '*' entry under the kibana4 role's indices section. That entry is what lets every Kibana user read all indices; after the change the kibana4 role only grants access to the .kibana index:

    # The required permissions for kibana 4 users.
    kibana4:
      cluster:
        - cluster:monitor/nodes/info
        - cluster:monitor/health
      indices:
    #    '*':
    #      - indices:admin/mappings/fields/get
    #      - indices:admin/validate/query
    #      - indices:data/read/search
    #      - indices:data/read/msearch
    #      - indices:admin/get
        '.kibana':
          - indices:admin/exists
          - indices:admin/mapping/put
          - indices:admin/mappings/fields/get
          - indices:admin/refresh
          - indices:admin/validate/query
          - indices:data/read/get
          - indices:data/read/mget
          - indices:data/read/search
          - indices:data/write/delete
          - indices:data/write/index
          - indices:data/write/update
          - indices:admin/create

Then, in the same roles.yml, add a role for each group of users, each granting read on the index pattern that group may see:

    nginx_user:                  # nginx_user role definition
      indices:                   # index section
        'logstash-nginx*': read  # nginx_user may read every index matching 'logstash-nginx*'
    mail_user:                   # mail_user role definition, same usage as above
      indices:
        'logstash-mail*': read

If Kibana later fails to list the fields of these indices for such a user, grant the same privileges the commented-out '*' entry used to grant (for example indices:admin/mappings/fields/get and indices:admin/validate/query) on the role's index pattern, instead of the bare read privilege.

Now create the two users with esusers, one per role:

    /usr/share/elasticsearch/bin/shield/esusers useradd demo_nginx -r nginx_user
    /usr/share/elasticsearch/bin/shield/esusers useradd demo_mail -r mail_user

and also add both of them to the kibana4 role, which they need in order to log in to Kibana:

    /usr/share/elasticsearch/bin/shield/esusers roles demo_nginx -a kibana4
    /usr/share/elasticsearch/bin/shield/esusers roles demo_mail -a kibana4

Now log in to the Kibana interface as each user in turn: each one sees only the indices its role allows.
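To make the permission model described earlier (secured resource, privilege, permission, role, user) and the role/user setup just completed concrete, here is an added example that is not part of the original tutorial and not Shield's own code. It models, in simplified form, how Shield resolves a user to roles and roles to index and cluster permissions, using the roles.yml entries and the users from this page. The users_roles file content is constructed inline in the "role:user1,user2" format that esusers writes. Assumptions that are not on the page: the named privilege read stands for the indices:data/read/* actions, all stands for every action, and the stock admin role grants all on the cluster and on every index.

```python
# Added example: a simplified model of Shield's user -> roles -> permissions
# resolution. Not Shield's own code; see the assumptions marked below.
import fnmatch

# Named privileges expanded to action patterns (assumed expansions).
NAMED_PRIVILEGES = {
    "read": ["indices:data/read/*"],
    "all": ["*"],
}

# roles.yml from the tutorial, transcribed as a dict. The kibana4 '*' entry is
# left out because the tutorial comments it out. The admin role is assumed to
# be the stock one granting "all" everywhere.
ROLES = {
    "admin": {"cluster": ["all"], "indices": {"*": ["all"]}},
    "kibana4": {
        "cluster": ["cluster:monitor/nodes/info", "cluster:monitor/health"],
        "indices": {
            ".kibana": [
                "indices:admin/exists", "indices:admin/mapping/put",
                "indices:admin/mappings/fields/get", "indices:admin/refresh",
                "indices:admin/validate/query", "indices:data/read/get",
                "indices:data/read/mget", "indices:data/read/search",
                "indices:data/write/delete", "indices:data/write/index",
                "indices:data/write/update", "indices:admin/create",
            ],
        },
    },
    "nginx_user": {"indices": {"logstash-nginx*": ["read"]}},
    "mail_user": {"indices": {"logstash-mail*": ["read"]}},
}

# Constructed users_roles file, as it would look after the useradd and
# "roles -a" commands in the tutorial.
USERS_ROLES_FILE = """\
admin:es_admin
kibana4:demo_nginx,demo_mail
nginx_user:demo_nginx
mail_user:demo_mail
"""


def parse_users_roles(text):
    """Invert a users_roles file ("role:user1,user2" per line) into {user: set(roles)}."""
    user_roles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        role, _, users = line.partition(":")
        for user in users.split(","):
            if user.strip():
                user_roles.setdefault(user.strip(), set()).add(role.strip())
    return user_roles


def action_allowed(action, privileges):
    """True if any privilege (named, or a literal action pattern) covers the action."""
    patterns = []
    for priv in privileges:
        patterns.extend(NAMED_PRIVILEGES.get(priv, [priv]))
    return any(fnmatch.fnmatchcase(action, pat) for pat in patterns)


def is_authorized(user, action, index=None, users_roles_text=USERS_ROLES_FILE, roles=ROLES):
    """Decide whether user may perform action (on index, for non-cluster actions).

    The user is allowed as soon as any one of its roles grants the action:
    cluster:* actions are checked against the role's cluster privileges, all
    other actions against the index patterns of the role's indices section.
    """
    for role_name in parse_users_roles(users_roles_text).get(user, ()):
        role = roles.get(role_name, {})
        if action.startswith("cluster:"):
            if action_allowed(action, role.get("cluster", [])):
                return True
        elif index is not None:
            for pattern, privileges in role.get("indices", {}).items():
                if fnmatch.fnmatchcase(index, pattern) and action_allowed(action, privileges):
                    return True
    return False


if __name__ == "__main__":
    checks = [
        ("demo_nginx", "indices:data/read/search", "logstash-nginx-2015.06.01"),
        ("demo_nginx", "indices:data/read/search", "logstash-mail-2015.06.01"),
        ("demo_nginx", "indices:data/write/index", "logstash-nginx-2015.06.01"),
        ("demo_nginx", "indices:data/read/search", ".kibana"),
        ("demo_nginx", "cluster:monitor/health", None),
        ("demo_mail", "indices:data/read/search", "logstash-mail-2015.06.01"),
        ("es_admin", "indices:data/write/index", "logstash-mail-2015.06.01"),
    ]
    for user, action, index in checks:
        print(f"{user:11} {action:26} {index or '-':27} {is_authorized(user, action, index)}")
```

Running it shows why the tutorial adds each demo user to two roles: nginx_user alone gives demo_nginx read access to logstash-nginx-* but nothing on .kibana or the cluster, while kibana4 alone gives the Kibana housekeeping permissions but, with the '*' entry commented out, no log index at all. The real Shield evaluates more than this (action-level details of named privileges, realms, and so on), so treat the model as an aid for reasoning about roles.yml, not as a reference implementation.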

