- \n
- https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/security-api.html#security-role-apis<\/li>\n
- https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/certutil.html<\/li>\n
- https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/security-api-put-user.html<\/li>\n<\/ul>\n
[elastic@samarthya ~]$ .\/elasticsearch\/bin\/elasticsearch -V \nfuture versions of Elasticsearch will require Java 11; your Java version from [\/usr\/lib\/jvm\/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64\/jre] does not meet this requirement \nVersion: 7.3.1, Build: default\/tar\/4749ba6\/2019-08-19T20:19:25.651794Z, JVM: 1.8.0_201<\/pre>\n
Step 1<\/h2>\n
xpack.security.enabled: true<\/code><\/p>\nYou need to open ‘config\/elasticsearch.yml’ file and add the line shown above. In the console you can look at<\/p>\n
[2020-03-25T07:24:21,280][INFO ][o.e.x.s.s.SecurityStatusChangeListener] [node1] Active license is now [BASIC]; Security is enabled \n\n<\/pre>\n
CURL – _cat\/nodes?pretty<\/h3>\n
Issuing a basic curl command to get the nodes you can see the following output.<\/p>\n
[elastic@samarthya ~]$ curl 'myserver:9200\/_cat\/nodes?pretty' \n{ \n\"error\" : { \n\"root_cause\" : [ \n{ \n\"type\" : \"security_exception\", \n\"reason\" : \"missing authentication credentials for REST request [\/_cat\/nodes?pretty]\", \n\"header\" : { \n\"WWW-Authenticate\" : \"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" \n} \n} \n], \n\"type\" : \"security_exception\", \n\"reason\" : \"missing authentication credentials for REST request [\/_cat\/nodes?pretty]\", \n\"header\" : { \n\"WWW-Authenticate\" : \"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" \n} \n}, \n\"status\" : 401 \n}<\/pre>\nStep 2 – Internal password<\/h2>\n
`elasticsearch-setup-passwords` allows you to set password.<\/p>\n
Commands \n-------- \nauto - Uses randomly generated passwords \ninteractive - Uses passwords entered by a user \n\nNon-option arguments: \ncommand \n\nOption Description \n------ ----------- \n-h, --help show help \n-s, --silent show minimal output \n-v, --verbose show verbose output<\/pre>\n
\u00a0<\/p>\n
[elastic@samarthya ~]$ .\/elasticsearch\/bin\/elasticsearch-setup-passwords interactive \nfuture versions of Elasticsearch will require Java 11; your Java version from [\/usr\/lib\/jvm\/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64\/jre] does not meet this requirement \nInitiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user. \nYou will be prompted to enter passwords as the process progresses. \nPlease confirm that you would like to continue [y\/N]y \n \n \nEnter password for [elastic]: \nReenter password for [elastic]: \nEnter password for [apm_system]: \nReenter password for [apm_system]: \nEnter password for [kibana]: \nReenter password for [kibana]: \nEnter password for [logstash_system]: \nReenter password for [logstash_system]: \nEnter password for [beats_system]: \nReenter password for [beats_system]: \nEnter password for [remote_monitoring_user]: \nReenter password for [remote_monitoring_user]: \nPasswords do not match. \nTry again. \nEnter password for [remote_monitoring_user]: \nReenter password for [remote_monitoring_user]: \nPasswords do not match. \nTry again. \nEnter password for [remote_monitoring_user]: \nReenter password for [remote_monitoring_user]: \nPasswords do not match. \nTry again. \nEnter password for [remote_monitoring_user]: \nReenter password for [remote_monitoring_user]: \nPasswords do not match. \nTry again. \nEnter password for [remote_monitoring_user]: \nReenter password for [remote_monitoring_user]: \nChanged password for user [apm_system] \nChanged password for user [kibana] \nChanged password for user [logstash_system] \nChanged password for user [beats_system] \nChanged password for user [remote_monitoring_user] \nChanged password for user [elastic]<\/pre>\n
Check the CURL again<\/h3>\n
This time we will specify the user elastic for which we set the password above<\/p>\n
[elastic@server1 ~]$ curl -u elastic 'myserver:9200\/_cat\/nodes?pretty' \nEnter host password for user 'elastic': \n100.10.10.200 26 25 1 0.00 0.03 0.06 dim * node1<\/pre>\n
\u00a0<\/p>\n
Step – 3 Setup Kibana security<\/h2>\n
When you start Kibana without configuring the security, you will get an error like below.<\/p>\n
\u00a0\u00a0log\u00a0\u00a0<\/span>\u00a0[07:36:28.860]\u00a0[warning<\/span>][task_manager] PollError [security_exception] missing authentication credentials for REST request [\/_template\/.kibana_task_manager?filter_path=*.version], with { header={ WWW-Authenticate=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } }<\/pre>\nkibana-keystore<\/h3>\n
We will be using the Keystore to create information placeholders to keep the value safe and not accessible to everyone except the intended process.<\/p>\n
HELP<\/h4>\n
[elastic@samarthya ~]$ .\/kibana\/bin\/kibana-keystore --help \nUsage: bin\/kibana-keystore [options] [command] \n\nA tool for managing settings stored in the Kibana keystore \n\nOptions: \n-V, --version output the version number \n-h, --help output usage information \n\nCommands: \ncreate [options] Creates a new Kibana keystore \nlist [options] List entries in the keystore \nadd [options] <key> Add a string setting to the keystore \nremove [options] <key> Remove a setting from the keystore<\/pre>\n
Add Username and Password to the keystore<\/h4>\n
[elastic@samarthya ~]$ .\/kibana\/bin\/kibana-keystore create \nCreated Kibana keystore in \/home\/elastic\/kibana\/data\/kibana.keystore \n[elastic@samarthya ~]$ .\/kibana\/bin\/kibana-keystore add elasticsearch.username \nEnter value for elasticsearch.username: ****** \n[elastic@samarthya ~]$ .\/kibana\/bin\/kibana-keystore add elasticsearch.password \nEnter value for elasticsearch.password: ********<\/pre>\n
Now when we restart Kibana and launch the URL to access the app you will be prompted for password.<\/p>\n
![\"\"](\"https:\/\/www.samarthya.me\/wps\/wp-content\/uploads\/2020\/03\/Screenshot-2020-03-25-at-1.15.07-PM-294x300.png\")
<\/p>\n\u00a0<\/p>\n
Kibana<\/h2>\n
Once we specify the user elastic for which we set the password and go to the management we can see the Users and roles section.<\/p>\n
![\"\"](\"https:\/\/www.samarthya.me\/wps\/wp-content\/uploads\/2020\/03\/Screenshot-2020-03-25-at-1.16.22-PM-284x300.png\")
<\/p>\n\u00a0<\/p>\n
Users<\/h3>\n
You can look at the users available for default.<\/p>\n
![\"\"](\"https:\/\/www.samarthya.me\/wps\/wp-content\/uploads\/2020\/03\/Screenshot-2020-03-25-at-1.18.28-PM-300x119.png\")
<\/p>\nRole<\/h2>\n
Creating a new role is as simple as invoking an API as under<\/p>\n
POST _security\/role\/read_only_role_a
{
\"cluster\": [],
\"indices\": [{
\"names\": [ \"profile_record\" ],
\"privileges\": [\"read\", \"view_index_metadata\"]
}]
}<\/pre>\nIt should return a response like below<\/p>\n
{
\"role\" : {
\"created\" : true
}
}<\/pre>\nUser<\/h2>\n
Creating a new user and assign the role<\/p>\n
POST \/_security\/user\/samarthya
{
\"password\" : \"password\",
\"roles\" : [ \"read_only_role_a\" ],
\"full_name\" : \"Samarthya Saurabh\",
\"email\" : \"saurabh@samarthya.com\",
\"metadata\" : {
\"intelligence\" : 21,
\"country\": \"India\"
}
}<\/pre>\nIf the payload is all formatted it should return a response as under<\/p>\n
{
\"created\" : true
}<\/pre>\nEvery node that wants to join a secured cluster needs a certificate from the established CA. In the process below I will lay out the required steps to establish the same.<\/p>\n
Certificate Authority<\/h2>\n
Time to use certificates to secure the communication<\/p>\n
elasticsearch-certutil<\/h3>\n
We will be using the builtin certutil to generate the certificate<\/p>\n
Commands
--------
csr - generate certificate signing requests
cert - generate X.509 certificates and keys
ca - generate a new local certificate authority
Non-option arguments:
command
Option Description
------ -----------
-h, --help show help
-s, --silent show minimal output
-v, --verbose show verbose output
Will stick to the default name<\/pre>\n[elastic@samarthya ~]$ .\/elasticsearch\/bin\/elasticsearch-certutil ca --pem
future versions of Elasticsearch will require Java 11; your Java version from [\/usr\/lib\/jvm\/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64\/jre] does not meet this requirement
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL\/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.zip]: <\/pre>\nUnzipping the elastic-stack-ca.zip will give you two files<\/p>\n
[elastic@samarthya ca]$ ls
ca.crt ca.key<\/pre>\n\n\nThe CA key and certificate are now available to generate node certificates.<\/p>\n\n\n\n
.\/elasticsearch\/bin\/elasticsearch-certutil cert --ca-cert \/mycacertificate\/ca\/ca.crt --ca-key \/mycacertificate\/ca\/ca.key<\/code><\/pre>\n\n\n\nThis command has to be used on each node, to generate the certificate. It will prompt for a password which you SHOULD REMEMBER as it will be utilised in subsequent steps.<\/p>\n\n\n\n
Truststore and Keystore<\/h3>\n\n\n\n