Shield: Protect your Elasticsearch Data

What is Shield?

Shield allows you to easily protect an Elasticsearch cluster from unintentional modification or unauthorized access with a username and password.
Security features like encryption, role-based access control, IP filtering, and auditing are also available when you need them.

In this article, we will explore how to create basic and role-based access control authorization with Shield.

Installation

Shield installs as a plugin on every node in the Elasticsearch cluster. If you are using multiple nodes in a cluster, you must stop all of the nodes, install Shield, and restart the nodes. Follow the steps below to install Shield on a single node:

1) Run bin/plugin install from ES_HOME to install the license plugin.

   $ bin/plugin install license

2) Run bin/plugin install to install the Shield plugin.

   $ bin/plugin install shield

 

Basic Authentication

This is the first layer of security for your Elasticsearch cluster.

Add a user called es_admin and assign it the admin role with the following command. Enter a password for the new user when prompted.

$ bin/shield/esusers useradd es_admin -r admin

Now you’re ready to secure your cluster. Submit a curl request to Elasticsearch as the newly created user.

$ curl -u es_admin -XGET 'http://localhost:9200/'

Role Based Access Control

Here we associate users with roles that define the set of actions those users are allowed to perform. Roles are defined in the role definition file roles.yml, located in CONFIG_DIR/shield. This is a YAML file in which each entry defines a unique role name and the cluster and indices permissions associated with it.

For example, we have two indices in a cluster: student and scholarship. University requires more privileges than college over these indices. So, the cluster and indices privileges associated with them are as follows:

Let’s add two users, one for each role.

$ elasticsearch/bin/shield/esusers useradd Blake -r university
$ elasticsearch/bin/shield/esusers useradd Martina -r college

Now, users of the Elasticsearch cluster have different access according to their organizational role.
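
The role definition file described above could define the two roles like this. This is an added example, not the article's own roles.yml: the privilege choices are assumptions, and it uses the simple mapping syntax of early Shield 2.x releases, which later versions changed, so check it against the documentation for the installed version.

```yaml
# CONFIG_DIR/shield/roles.yml
# Constructed example: role names and index names come from the article,
# the privileges assigned to them are assumptions chosen for illustration.

# university: the broader role.
# May monitor the cluster and perform all operations on both indices.
university:
  cluster: monitor
  indices:
    'student': all
    'scholarship': all

# college: the narrower role.
# No cluster privileges and read-only access to the student index.
# The scholarship index is not listed, so this role has no access to it.
college:
  indices:
    'student': read
```

With these definitions, Blake (university) can work with both indices, while Martina (college) can only read student and has no access to scholarship.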

Written by 

Joseph Ross is a Principal Consultant at Knoldus Inc. with more than 10 years of experience. Joseph has a passion for identifying challenges and giving impactful solutions to clients. He is a football fan and loves to watch TV series. Joseph has cross-functional business operations and technology consulting experience. Joseph is familiar with programming languages such as Scala, C++, Java, CSS and HTML.
