What is Shield?
Shield allows you to easily protect an Elasticsearch cluster from unintentional modification or unauthorized access with a username and password.
Shield also provides security features such as encryption, role-based access control, IP filtering, and auditing, which are available when you need them.
In this article, we will explore how to set up basic authentication and role-based access control with Shield.
Shield installs as a plugin on every node in the Elasticsearch cluster. If you are using multiple nodes in a cluster, you must stop all of the nodes, install Shield, and restart the nodes. Follow the steps below to install Shield on a single node:
1) Run bin/plugin install from ES_HOME to install the license plugin.
$ bin/plugin install license
2) Run bin/plugin install to install the Shield plugin.
$ bin/plugin install shield
This is the first layer of security for your Elasticsearch cluster.
Add a user called es_admin and assign it the admin role with the following command. Enter a password for the new user when prompted.
$ bin/shield/esusers useradd es_admin -r admin
Now you’re ready to secure your cluster. Submit a curl request to Elasticsearch as the newly created user; curl prompts for the password.
$ curl -u es_admin -XGET 'http://localhost:9200/'
Role Based Access Control
In this section, we associate users with roles that define the set of actions allowed for those users. Roles are defined in the role definition file roles.yml, located in CONFIG_DIR/shield. This is a YAML file where each entry defines a unique role name and the cluster and indices permissions associated with it.
For example, we have two indices in a cluster: student and scholarship.
The university role requires more privileges than the college role over these indices, so the privileges associated with them are as follows:
# University can access both indices: student and scholarship
university:
  indices:
    'student,scholarship': read
# College can only access the student index
college:
  indices:
    'student': read
Let’s add two users, one for each role.
$ elasticsearch/bin/shield/esusers useradd Blake -r university
$ elasticsearch/bin/shield/esusers useradd Martina -r college
Now the users of the Elasticsearch cluster have different access according to their organizational role.
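To confirm that the roles are actually enforced, the following added example (not part of the original article or of Shield) searches each index as each user and compares the HTTP status with what the roles above should allow. It assumes a node at http://localhost:9200, that both indices already exist, and that the passwords are exported in BLAKE_PW and MARTINA_PW, which are hypothetical variable names.

```shell
#!/bin/sh
# Added example: verifies the university/college roles defined in roles.yml.
# Assumptions: node URL below, both indices exist, passwords are provided in
# BLAKE_PW / MARTINA_PW (hypothetical names) and contain no '"' or '\'.
ES_URL="${ES_URL:-http://localhost:9200}"

# Print the HTTP status of a search on index $3 as user $1 with password $2.
# Credentials are passed to curl on stdin (-K -) so they do not show up in
# the process list or in shell history.
search_status() {
  printf 'user = "%s:%s"\n' "$1" "$2" |
    curl -s -o /dev/null -w '%{http_code}' -K - "$ES_URL/$3/_search"
}

# expect_status WANT USER PASSWORD INDEX: returns 1 when the status differs.
expect_status() {
  got="$(search_status "$2" "$3" "$4")"
  if [ "$got" = "$1" ]; then
    echo "ok   $2 -> $4: $got"
  else
    echo "FAIL $2 -> $4: got $got, want $1"
    return 1
  fi
}

# 200 = allowed, 403 = authenticated but not authorized, 401 = bad credentials.
verify_roles() {
  rc=0
  expect_status 200 Blake   "$BLAKE_PW"    student     || rc=1
  expect_status 200 Blake   "$BLAKE_PW"    scholarship || rc=1
  expect_status 200 Martina "$MARTINA_PW"  student     || rc=1
  expect_status 403 Martina "$MARTINA_PW"  scholarship || rc=1
  expect_status 401 Martina wrong-password student     || rc=1
  return "$rc"
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
  verify_roles
fi
```

Run it with the argument run after every change to roles.yml; a FAIL line on the Martina/scholarship check means the college role grants more than intended.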