Shield | Security for Elastic Stack



Shield now provides security for the entire Elastic Stack

Shield is a commercial plugin and requires a commercial Elasticsearch license. The first install comes with a 30-day free trial; once the 30 days expire, Shield runs in a degraded mode in which access to APIs such as cluster health, cluster stats and index stats is blocked, so to keep using it you either have to pay or crack it.

Shield Functions

  • Authentication: Protect Elasticsearch with a Username and Password

  • Login and Session Management in Kibana

  • Role-Based Access Control (read/write control down to the index level)

  • Field- and Document-Level Security

  • Encrypted Communications (channel encryption)

  • IP Filtering

Getting Started with Shield

Shield 1.3+

Install the commercial license and Shield:

bin/plugin -i elasticsearch/license/latest
bin/plugin -i elasticsearch/shield/latest

Start Elasticsearch.

bin/elasticsearch

Control Access with Basic Auth

Add a user called es_admin and assign the admin role.

bin/shield/esusers useradd es_admin -r admin

Submit a request using the newly-created user.

curl -u es_admin -XGET 'http://localhost:9200/'


Custom config@Libin

➜  elasticsearch ./bin/shield/esusers
➜  ./bin/shield/esusers useradd kibanaserver -r kibana4_server

Access control

In a real production environment, different roles often need access to different indices.

First, edit elasticsearch/shield/roles.yml on the Elasticsearch server and comment out the '*' block under kibana4.indices, i.e. remove the permission that lets users read every index, as follows:

# The required permissions for kibana 4 users.
kibana4:  
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
#    '*':
#      - indices:admin/mappings/fields/get
#      - indices:admin/validate/query
#      - indices:data/read/search
#      - indices:data/read/msearch
#      - indices:admin/get
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create

Then append the permission configuration for the relevant users at the end of roles.yml:

## libin add
micro_users:
  indices:
    'micro_*':
     - indices:data/read/get
     - indices:data/read/mget
     - indices:data/read/search
     - indices:data/read/msearch

mega_users:
  indices:
    'mega*':
     - indices:data/read/get
     - indices:data/read/mget
     - indices:data/read/search
     - indices:data/read/msearch

m_users:
  indices:
    'm*':
     - indices:data/read/get
     - indices:data/read/mget
     - indices:data/read/search
     - indices:data/read/msearch

Add the users and assign each one its role:

./bin/shield/esusers useradd micro_user -r micro_users
./bin/shield/esusers useradd mega_user -r mega_users
./bin/shield/esusers useradd m_user -r m_users

Then add all of them to the kibana4 role as well:

./bin/shield/esusers roles micro_user -a kibana4
./bin/shield/esusers roles mega_user -a kibana4
./bin/shield/esusers roles m_user -a kibana4

Use list to view the mapping between users and roles:

➜  elasticsearch ./bin/shield/esusers list
micro_user     : kibana4,micro_users
mega_user      : kibana4,mega_users
m_user         : kibana4,m_users
kibanaserver   : kibana4_server
es_admin       : admin
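As an added check that is not part of the original post: Shield index patterns are plain wildcards, so the 'm*' pattern in m_users also matches every micro_* and mega* index. This Python script (constructed here, not Shield code) takes the read privileges transcribed from the roles.yml above plus the esusers list output and reports each user's effective search scope over a constructed set of index names.

```python
import fnmatch

# Index privileges transcribed from the roles.yml above; only the read-side
# privileges are kept so the example stays short.
ROLES = {
    "kibana4": {".kibana": {"indices:data/read/get", "indices:data/read/search"}},
    "micro_users": {"micro_*": {"indices:data/read/get", "indices:data/read/search",
                                "indices:data/read/msearch"}},
    "mega_users": {"mega*": {"indices:data/read/get", "indices:data/read/search",
                             "indices:data/read/msearch"}},
    "m_users": {"m*": {"indices:data/read/get", "indices:data/read/search",
                       "indices:data/read/msearch"}},
}

# Copy of the `esusers list` output shown above (application users only).
ESUSERS_LIST = """\
micro_user     : kibana4,micro_users
mega_user      : kibana4,mega_users
m_user         : kibana4,m_users
"""

# Constructed sample index names; on a real cluster, take them from _cat/indices.
INDICES = ["micro_logs-2016.01", "mega_events", "metrics", ".kibana"]

def parse_esusers_list(text):
    """Turn `user : role1,role2` lines into {user: [roles]}."""
    users = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, roles = line.split(":", 1)
        users[name.strip()] = [r.strip() for r in roles.split(",") if r.strip()]
    return users

def allowed_indices(user_roles, privilege, indices=INDICES):
    """Indices on which any of the user's roles grants `privilege` (`*` matches anything)."""
    granted = set()
    for role in user_roles:
        for pattern, privs in ROLES.get(role, {}).items():
            if privilege in privs:
                granted.update(i for i in indices if fnmatch.fnmatchcase(i, pattern))
    return sorted(granted)

def report(esusers_output=ESUSERS_LIST, privilege="indices:data/read/search"):
    """Effective scope per user for one privilege: where an over-broad pattern shows up."""
    users = parse_esusers_list(esusers_output)
    return {user: allowed_indices(roles, privilege) for user, roles in users.items()}

if __name__ == "__main__":
    print(report())
```

In the output, m_user can search the micro_ and mega indices as well as its own; tighten the pattern (or the index naming) if that is not intended.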

Kibana

Now, when working in Kibana, different users can access different indices, the permissions are configurable, and each user has their own dashboard. The superuser can see everything.

The superuser can use all of the head plugin's functions; other users can only use head's compound query.

Changing roles.yml does not require restarting Kibana; whether Elasticsearch needs to be restarted is unclear.
