Elasticsearch password authentication

Elasticsearch password authentication & SSL Auth

What is elasticsearch:

Elasticsearch is a search engine based on Lucene. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents. Elasticsearch is developed in java and released as opensource under the terms of the Apache license.

Configuring user authentication in elasticsearch

It's very simple to configure elastic search basic authentication. All you need to download the shield package and license in elastic home website and installed it. 

Below I have mentioned how to install shield license and plugins.

Download the package and placed it in where you want to I placed it in /opt location.

then go to the elasticsearch location I have portable elasticsearch with me in /opt. So I move to that directory and install shield plugin.

cd /opt/elasticsearch

ls

It will show us like this. Then

bin/plugins install file:///opt/license.xx.xx.zip

bin/plugins install file:///opt/shield.xx.xx.zip

now we have completed the installation shield plugin. now we all have to do simple step for authentication.

Role Based Access Control

We need to move to shield configuration location to configuring the users and their roles with which we'll be able to execute various of APIs on Elasticsearch

Shield directory location will be /opt/elasticsearch/config/shield.

Go to that directory and check the permissions that which user have which permissions. 

cd /opt/elasticsearch/config.shield

vi roles.yml

Admin role:

The admin role enables full access to the cluster and all it's indices.

Power_user role:

The power_user role enables monitoring only access on the cluster and full access on all it's indices.

User role:

The user role has no cluster wide permissions and only has read access to the data on all it's indices.

For the basic authentication we don't need to change anything from roles.yml file that comes from shield. It's already defines with required default roles listed in above.

User creation per permissions

We already have know the user permissions that have in shield. Now we need to create the user and password and required permissions. 

Now i'm going to create one user with admin role and another with user role. 

For that shield have internal user like root shield have esusers it comes with shield.

cd /opt/elasticsearch

bin/shield/esusers useradd rain -p R@!N@1234 -r admin

in above command 

-p - refereed as password

-r - refereed as roles

admin - refereed as admin role

bin/shield/esusers useradd pearl -p PE@R!@1234 -r user 

now we have completed the user creation and password authentication. 

Verify the shield installation

Once elasticsearch started we can use curl command to check the shield installed correctly or not.

curl --user rain:R@!N@1234 'localhost:9200/_shield'

{
  "status" : "enabled",
  "name" : "rain",
  "cluster_name" : "Test.elasticseach.com",
  "version" : {
    "number" : "2.3.3",
    "build_hash" : "8a3e9756c34e3110c49fd3a81a5ac90a83dc2eaa",
    "build_timestamp" : "2016-05-17T16:35:12Z",
    "build_snapshot" : false
  },
  "tagline" : "You Know, for Security"

}

If result appear like above then your configuration completed successfully.

SSL Auth:

We need to add the ssl file in elastic source place and mention that in the elasticsearch.yml. Follow my lead.

goto elastcisearch directory

cd /opt/elasticsearch

place the ssl file or copy the ssl file

make sure the permission for this in ssl appropriate user

chown test:test test.jks

now wee need to add the location this jks file in elasticsearch.yml.

vi conf/elasticsearc.yml

goto the last line and add the following line

shield.ssl.keystore.path:          /opt/elasticsearch/test.jks
shield.ssl.keystore.password:      test123
shield.transport.ssl: true
shield.http.ssl: true 

now restart the elasticsearch and check it will work perfectly.