Security Privileges (XPACK)<\/a><\/p><\/blockquote>\n\n\n\n The nodes that form the cluster, Kibana instances, Beats agents and clients all together form a cluster.<\/p>\n\n\n\n In basic licensing (default), elastic comes with minimal security and it is accessible to all who know the URL or the machine location. To prevent this unauthorized access to your elastic cluster you need to authenticate user.<\/p>\n\n\n\n The Elasticsearch security features enable you to authorize users, assign access privileges to roles, and assign those roles to users.<\/p><\/blockquote>\n\n\n\n Elasticsearch uses TLS to perform encryption of the messages and the authentication of different nodes.<\/p>\n\n\n\n You can generate your own certificates using a tool called <\/p>\n\n\n\n Using roles and users you can enable security in elastic cluster.<\/p>\n\n\n\n Elastic offers security (dedicated) api’s to <\/p>\n\n\n\n More details available here<\/a>.<\/p>\n\n\n\n To create a user via API simply use<\/p>\n\n\n\n Returns<\/p>\n\n\n\n To check the details of the created user<\/p>\n\n\n\n It should return the details we furnished while creating it.<\/p>\n\n\n\n When done deleting this user is as simple as issuing a command<\/p>\n\n\n\n Authentication in the Elastic Stack security features is handled by one or more authentication services called Realms can be roughly two categories Internal & External.<\/p>\n\n\n\n Requires no communication with external parties, completely internal to Elasticsearch. There can be maximum one configured internal realm type.<\/p>\n\n\n\n Built in users are stored in The changes to any user (disabled, password change) are reflected across cluster automatically<\/p><\/blockquote>\n\n\n\n This is the default superuser and have full access to cluster. Avoid using it for regular operations; create a user for daily use.<\/p>\n\n\n\n Realms that require external (third party) interaction. There can be as many external realms as required.<\/p>\n\n\n\n The default basic authentication – realm where the users are stored inside a dedicated index ( Security is integral to every and all the tasks in a shared environment. In ELK if you have setup a cluster which is accessible to all; anyone can make modifications which may or may not impact the other users. Security Privileges (XPACK) Elastic cluster The nodes that form the cluster, Kibana instances, Beats agents and […]<\/p>\n","protected":false},"author":2,"featured_media":321,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[1,34],"tags":[32,16],"class_list":["post-304","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-others","category-technical","tag-elastic","tag-security"],"_links":{"self":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/posts\/304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/comments?post=304"}],"version-history":[{"count":0,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/posts\/304\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/media\/321"}],"wp:attachment":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/media?parent=304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/categories?post=304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/tags?post=304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Elastic cluster<\/h2>\n\n\n\n
Why secure it?<\/h2>\n\n\n\n
Useful links<\/h2>\n\n\n\n
Securing the cluster<\/h2>\n\n\n\n
TLS for communication<\/h3>\n\n\n\n
elasticsearch-certutil<\/code> which takes care of generating a CA and signing certificate with it.<\/p>\n\n\n\nExample Cluster<\/h2>\n\n\n\n
GET _cluster\/health\n\n\n{\n \"cluster_name\" : \"saurabh\",\n \"status\" : \"green\",\n \"timed_out\" : false,\n \"number_of_nodes\" : 3,\n \"number_of_data_nodes\" : 3,\n \"active_primary_shards\" : 7,\n \"active_shards\" : 14,\n \"relocating_shards\" : 0,\n \"initializing_shards\" : 0,\n \"unassigned_shards\" : 0,\n \"delayed_unassigned_shards\" : 0,\n \"number_of_pending_tasks\" : 0,\n \"number_of_in_flight_fetch\" : 0,\n \"task_max_waiting_in_queue_millis\" : 0,\n \"active_shards_percent_as_number\" : 100.0\n }<\/pre>\n\n\n\nRBAC : Role-Based Access Control<\/h2>\n\n\n\n
Terms<\/h3>\n\n\n\n
User: Authenticated user\nRole: Named set of permissions\nPermission: Set of one or more privileges against the secured resource. E.g. read, delete, manage\nPrivilege: Named group of one or more actions that a user may execute.\nSecured resource: A limited access resource. E.g Indices, Aliases, documents, fields, users and the cluster itself.<\/pre>\n\n\n\n
Security APIs<\/h2>\n\n\n\n
API – Example<\/h3>\n\n\n\n
POST _security\/user\/test\n {\n \"password\" : \"testpassword\",\n \"roles\" : [ \"kibana_dashboard_only_user\"],\n \"full_name\" : \"API User\",\n \"email\" : \"test@test.com\",\n \"metadata\" : {\n \"hometown\" : \"Springfield\",\n \"age\": 40,\n \"description\": \"stop at nothing.\"\n }\n }<\/pre>\n\n\n\n{\n \"created\" : true\n }<\/pre>\n\n\n\nGET _security\/user\/test<\/pre>\n\n\n\n
{\n \"test\" : {\n \"username\" : \"test\",\n \"roles\" : [\n \"kibana_dashboard_only_user\"\n ],\n \"full_name\" : \"API User\",\n \"email\" : \"test@test.com\",\n \"metadata\" : {\n \"hometown\" : \"Springfield\",\n \"description\" : \"stop at nothing.\",\n \"age\" : 40\n },\n \"enabled\" : true\n }\n }<\/pre>\n\n\n\nDELETE _security\/user\/test<\/pre>\n\n\n\n
Realms<\/h2>\n\n\n\n
realms<\/code><\/em>. A realm<\/code><\/em> is used to resolve and authenticate users based on authentication tokens. <\/p>\n\n\n\nInternal<\/h3>\n\n\n\n
E.g. NATIVE and FILE<\/pre>\n\n\n\n
Index .security <\/h2>\n\n\n\n
.security<\/code> index (inside Native realm; details above). These users (mentioned below) have fixed set of roles, and their passwords needs to be setup before they can be used. This index is internally maintained by Elasticsearch.<\/p>\n\n\n\n![\"\"](\"https:\/\/www.samarthya.me\/wps\/wp-content\/uploads\/2020\/01\/Screenshot-2020-01-23-at-4.18.26-PM-2.png\")
<\/figure>\n\n\n\nBasic details<\/h3>\n\n\n\n
elastic<\/strong><\/code> A built-in superuser<\/em>. See Built-in roles<\/a>. <\/p>\n\n\n\nkibana<\/strong><\/code> The user Kibana uses to connect and communicate with Elasticsearch. <\/p>\n\n\n\nlogstash_system<\/strong><\/code> The user Logstash uses when storing monitoring information in Elasticsearch. <\/p>\n\n\n\nbeats_system<\/strong><\/code> The user the Beats use when storing monitoring information in Elasticsearch. <\/p>\n\n\n\napm_system<\/strong><\/code> The user the APM server uses when storing monitoring information in Elasticsearch. <\/p>\n\n\n\nremote_monitoring_user<\/strong><\/code> The user Metricbeat uses when collecting and storing monitoring information in Elasticsearch. It has the remote_monitoring_agent<\/strong><\/code> and remote_monitoring_collector<\/strong><\/code> built-in roles. <\/p>\n<\/div><\/div>\n\n\n\nUser – elastic<\/h3>\n\n\n\n
Roles<\/h3>\n\n\n\n
![\"\"](\"https:\/\/www.samarthya.me\/wps\/wp-content\/uploads\/2020\/01\/Screenshot-2020-01-23-at-4.16.43-PM.png\")
<\/figure>\n<\/div><\/div>\n\n\n\nExternal<\/h3>\n\n\n\n
E.g. saml, kerberos, pki etc.<\/pre>\n\n\n\n
Native Realm<\/a><\/h4>\n\n\n\n
.security<\/code>). You can use the REST APIs or Kibana to add and remove users, assign user roles, and manage user passwords. The realm configurations are all done in elastic.yml<\/code><\/p>\n\n\n\nOther Realms<\/h4>\n\n\n\n
ldap\nactive_directory\npki\nfile\nsaml\nkerberos\noidc<\/pre>\n\n\n\n
— THE – END — <\/h2>\n","protected":false},"excerpt":{"rendered":"