Shield: Protect your Elasticsearch Data


What is Shield?

Shield lets you protect an Elasticsearch cluster from unintentional modification or unauthorized access with a username and password.
Shield also provides security features such as encryption, role-based access control, IP filtering, and auditing, which are available when you need them.

In this article, we will explore how to set up basic authentication and role-based access control with Shield.

Installation

Shield installs as a plugin on every node in the Elasticsearch cluster. If your cluster has multiple nodes, you must stop all of the nodes, install Shield, and restart the nodes. Follow the steps below to install Shield on a single node:

1) Run bin/plugin install from ES_HOME to install the license plugin.

   $ bin/plugin install license

2) Run bin/plugin install to install the Shield plugin.

   $ bin/plugin install shield

 

Basic Authentication

This is the first layer of security for your Elasticsearch cluster.

Add a user called es_admin and assign it the admin role with the following command. Enter a password for the new user when prompted.

$ bin/shield/esusers useradd es_admin -r admin

Now you’re ready to secure your cluster. Send a request to Elasticsearch with curl as the newly created user; curl prompts for the password.

$ curl -u es_admin -XGET 'http://localhost:9200/'

Role Based Access Control

In this section we associate users with roles that define the set of actions those users are allowed to perform. Roles are defined in the role definition file roles.yml, located in CONFIG_DIR/shield. This is a YAML file where each entry defines a unique role name and the cluster and indices permissions associated with it.

For example, suppose we have two indices in a cluster: student and scholarship.
The university role requires more privileges than the college role over these indices, so the cluster and indices privileges associated with them are as follows:

# University can access both indices: student and scholarship
university:
  indices:
    'student,scholarship': read

# College can only access the student index
college:
  indices:
    'student': read

Let’s add two users, one for each role.

$ elasticsearch/bin/shield/esusers useradd Blake -r university
$ elasticsearch/bin/shield/esusers useradd Martina -r college

Now the users of the Elasticsearch cluster have different access according to their organizational role.
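
To confirm that the roles behave as intended, the following added example (not part of the original article or of Shield itself) probes each index as each user and compares the HTTP status with the access the roles above should grant. It assumes the cluster listens on http://localhost:9200 as in the curl command earlier, and that a denied but authenticated request returns 403 while bad credentials return 401; the audit and http_probe names are illustrative.

```python
import base64
import urllib.error
import urllib.request

# Expected access derived from the roles above: (user, index) -> allowed?
EXPECTED = {
    ("Blake", "student"): True,
    ("Blake", "scholarship"): True,
    ("Martina", "student"): True,
    ("Martina", "scholarship"): False,
}


def http_probe(user, password, index, base_url="http://localhost:9200"):
    """Search `index` as `user` with basic auth and return the HTTP status."""
    req = urllib.request.Request(f"{base_url}/{index}/_search")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # assumed: 401 = bad credentials, 403 = denied by role


def audit(expected, passwords, probe=http_probe):
    """Return a list of mismatches between expected and observed access."""
    problems = []
    for (user, index), allowed in sorted(expected.items()):
        status = probe(user, passwords[user], index)
        if status == 401:
            problems.append(f"{user}: authentication failed (401)")
        elif allowed and status != 200:
            problems.append(f"{user} should read {index} but got {status}")
        elif not allowed and status != 403:
            problems.append(f"{user} must not read {index} but got {status}")
    return problems


if __name__ == "__main__":
    import getpass
    pw = {u: getpass.getpass(f"Password for {u}: ") for u in ("Blake", "Martina")}
    for line in audit(EXPECTED, pw) or ["access matches roles.yml"]:
        print(line)
```

An empty result means every user can read exactly the indices their role lists; any line printed points at a role entry or user assignment to recheck.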


2 Responses to Shield: Protect your Elasticsearch Data

  1. Pingback: Shield: Protect your Elasticsearch Data | dotnetask

  2. Sachin Mehra says:

    Crisp and to-the-point. Wonderful!
