Elasticsearch Security Strategy
0 likes129 views
1. The document outlines a security strategy for an Elasticsearch cluster using X-Pack to implement role-based access control (RBAC). 2. It creates new roles ("filebeat_admin" and "logstash_admin") and users ("charan" and "vasu") with curl commands to restrict access to specific indices. 3. The results show that the new roles and users have the appropriate access levels to their designated indices while being restricted from other indices, demonstrating the implementation of the desired security state.
![4 | P a g e
Desired State of Elasticsearch Cluster Security
Proof of Concept - cURL Commands
To grant DivyaCharan TejaMulagaleti full accesstoall indicesthatmatchthe pattern filebeat-*and enable himto
create visualizationsanddashboardsforthose indicesinKibana,we shall create an filebeat_admin role andassign
the role to a new charan user.
$ curl -XPOST -u elastic 'localhost:9200/_xpack/security/role/filebeat_admin' -H "Content-Type:
application/json" -d '{
"indices" : [
{
"names" : [ "filebeat-*" ],
"privileges" : [ "all" ]
},
{
"names" : [ ".kibana*" ],
"privileges" : [ "manage", "read", "index" ]
}
]
}'
{"role":{"created":true}}
$ curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/charan' -H "Content-Type: application/json" -d
'{
"password" : "sagarsoft",
"full_name" : "Divya Charan Teja Mulagaleti",
"email" : "divyacharan.mulagaleti@sagarsoft.in",
"roles" : [ "filebeat_admin" ]
}'
{"user":{"created":true}}](https://image.slidesharecdn.com/elasticsearchsecuritystrategy-190923050507/85/Elasticsearch-Security-Strategy-4-320.jpg)
![5 | P a g e
To grant VasudevaReddyGangasani full accesstoall indicesthatmatchthe pattern logstash-*andenable himto
create visualizationsanddashboardsforthose indicesinKibana,we shall create an logstash_admin role andassign
the role to a new vasu user.
$ curl -XPOST -u elastic 'localhost:9200/_xpack/security/role/logstash_admin' -H "Content-Type:
application/json" -d '{
"indices" : [
{
"names" : [ "logstash-*" ],
"privileges" : [ "all" ]
},
{
"names" : [ ".kibana*" ],
"privileges" : [ "manage", "read", "index" ]
}
]
}'
{"role":{"created":true}}
$ curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/vasu' -H "Content-Type: application/json" -d '{
"password" : "sagarsoft",
"full_name" : "Vasudeva Reddy Gangasani",
"email" : "vasudeva.gangasani@sagarsoft.in",
"roles" : [ "logstash_admin" ]
}'
{"user":{"created":true}}](https://image.slidesharecdn.com/elasticsearchsecuritystrategy-190923050507/85/Elasticsearch-Security-Strategy-5-320.jpg)
![[AzureCamp 24 Juin 2014] Cache Distribué par Thomas Conté](https://cdn.slidesharecdn.com/ss_thumbnails/1430cachedistributconte-140716110848-phpapp02-thumbnail.jpg?width=560&fit=bounds)
Ad
More Related Content
What's hot (20)
Similar to Elasticsearch Security Strategy (20)
Ad
More from Nag Arvind Gudiseva (12)
Ad
Recently uploaded (20)
Elasticsearch Security Strategy
- 1. 1 | P a g e Elasticsearch Security Strategy Table of Contents Existing State of Elasticsearch Cluster Security........................................................................................................ 2 X-Pack..................................................................................................................................................................2 Installation........................................................................................................................................................... 2 Implementation.................................................................................................................................................... 3 Desired State of Elasticsearch Cluster Security........................................................................................................ 4 Proof of Concept - cURL Commands................................................................................................................... 4 Anonymous User trying to access Elasticsearch Cluster....................................................................................... 6 Super-User "elastic" accessing Elasticsearch Cluster............................................................................................ 6 User "charan" with role "filebeat_admin" trying to view all the indices................................................................ 7 User "charan" with role "filebeat_admin" accessing "filebeat-*" index.................................................................8 User "charan" with role "filebeat_admin" accessing "logstash-*" index................................................................ 9 User "vasu" with role "logstash_admin" trying to access "filebeat-*" index.......................................................... 9 User "vasu" with role "logstash_admin" accessing "logstash-*" index................................................................ 10 Super-User "elastic" accessing Kibana.............................................................................................................. 11 User "charan" with role "filebeat_admin" accessing Kibana............................................................................... 12 Auditing............................................................................................................................................................. 12
- 2. 2 | P a g e Existing State of Elasticsearch Cluster Security Market IntelligenceandInvestmentServices Teamsare usingElasticsearch. Boththe teamscan view all the indices available inElasticsearch. Also,eachof these teamscansearchthe contentsof the indicesthatare not relatedor ownedbythem. Thiscan cause a potential securitybreach. X-Pack X-Packisan ElasticStack extensionthatimplementsfeatureslike security,alerting,monitoring,reportingandgraph representationinone package.Itiseasyto install andthese componentscanbe easilyenabledordisabled. X-PackprovidesSecurityModule. The featuresof thismoduleare asfollows: Role BasedAccessControl (RBAC) o Elasticsearchistreatedasa NoSql Database. Accesstoindex isprovidedasperthe roles. Privileges/Permissions o Figuringoutthe actionsand accessesonthe index. Roles o Groupingprivileges/permissionsintoroles. Users o Addinguserstoroles. Installation X-Packisinstalledoneachandeverynode inthe Cluster. Bydefault,basicauthenticationshall be enabled. We mustspecifya username andpassword. X-PackSecurityprovidesabuilt-inelasticsuperuserthatcanbe usedtoset upthe securityinthe Cluster.
- 3. 3 | P a g e The default user is elastic and password is changeme. "elastic" user hasfull accessto the cluster,includingall the indicesanddata. Implementation 1. Install X-PackplugininElasticsearch,KibanaandLogstash 2. Modify elasticsearch.ymlfile: a. xpack.security.enabled: true 3. Modify kibana.ymlfile: a. xpack.security.enabled: true b. elasticsearch.username: "kibana" c. elasticsearch.password: "kibanapassword" 4. RestartElasticsearchandKibanaservices. 5. Change the passwordsof the built-inelastic,kibana,andlogstash_system users. $ curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/elastic/_password' -H "Content-Type: application/json" -d '{ "password" : "elasticpassword" }' $ curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/kibana/_password' -H "Content-Type: application/json" -d '{ "password" : "kibanapassword" }' $ curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/logstash_system/_password' -H "Content-Type: application/json" -d '{ "password" : "logstashpassword" }' 6. We needtosetup rolesandusersto control access to ElasticsearchandKibana
- 4. 4 | P a g e Desired State of Elasticsearch Cluster Security Proof of Concept - cURL Commands To grant DivyaCharan TejaMulagaleti full accesstoall indicesthatmatchthe pattern filebeat-*and enable himto create visualizationsanddashboardsforthose indicesinKibana,we shall create an filebeat_admin role andassign the role to a new charan user. $ curl -XPOST -u elastic 'localhost:9200/_xpack/security/role/filebeat_admin' -H "Content-Type: application/json" -d '{ "indices" : [ { "names" : [ "filebeat-*" ], "privileges" : [ "all" ] }, { "names" : [ ".kibana*" ], "privileges" : [ "manage", "read", "index" ] } ] }' {"role":{"created":true}} $ curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/charan' -H "Content-Type: application/json" -d '{ "password" : "sagarsoft", "full_name" : "Divya Charan Teja Mulagaleti", "email" : "[email protected]", "roles" : [ "filebeat_admin" ] }' {"user":{"created":true}}
- 5. 5 | P a g e To grant VasudevaReddyGangasani full accesstoall indicesthatmatchthe pattern logstash-*andenable himto create visualizationsanddashboardsforthose indicesinKibana,we shall create an logstash_admin role andassign the role to a new vasu user. $ curl -XPOST -u elastic 'localhost:9200/_xpack/security/role/logstash_admin' -H "Content-Type: application/json" -d '{ "indices" : [ { "names" : [ "logstash-*" ], "privileges" : [ "all" ] }, { "names" : [ ".kibana*" ], "privileges" : [ "manage", "read", "index" ] } ] }' {"role":{"created":true}} $ curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/vasu' -H "Content-Type: application/json" -d '{ "password" : "sagarsoft", "full_name" : "Vasudeva Reddy Gangasani", "email" : "[email protected]", "roles" : [ "logstash_admin" ] }' {"user":{"created":true}}
- 6. 6 | P a g e AnonymousUser trying to access Elasticsearch Cluster HTTP status code: 401 Unauthorized error Super-User "elastic" accessing Elasticsearch Cluster "elastic" user can access all the indices
- 7. 7 | P a g e User "charan"with role "filebeat_admin"trying to view all the indices HTTP status code: 403 Forbidden error
- 8. 8 | P a g e User "charan"with role "filebeat_admin"accessing "filebeat-*" index Elasticsearch serves the request with JSON response
- 9. 9 | P a g e User "charan"with role "filebeat_admin" accessing "logstash-*" index HTTP status code: 403 Forbidden error User "vasu" with role"logstash_admin" trying to access "filebeat-*" index HTTP status code: 403 Forbidden error
- 10. 10 | P a g e User "vasu" with role"logstash_admin" accessing "logstash-*" index Elasticsearch serves the request with JSON response
- 11. 11 | P a g e Super-User "elastic" accessing Kibana "elastic" user can access all the indices
- 12. 12 | P a g e User "charan"with role "filebeat_admin"accessing Kibana "logstash-*" index is not accessible Only "filebeat-*" index is accessible Auditing Auditlogsare disabledbydefault.Toenable thisfunctionality,setthe followingin elasticsearch.yml: xpack.security.audit.enabled: true X-PackSecurityprovidesaudittrail functionalityforall nodesinthe cluster.We can configure the auditlevel,which accounts forthe type of eventsthatare logged.These eventsinclude failedauthenticationattempts,useraccess denied,node connectiondenied,andmore.