Readonly REST Elasticsearch Plugin
Expose the high performance HTTP server embedded in Elasticsearch directly to the public, safely blocking any attempt to delete or modify your data.
In other words… no more proxies! Yay Ponies!
1. Install the plugin
Replace the ES version with the one you have:
bin/plugin install https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin/blob/master/download/elasticsearch-readonlyrest-v1.9.2_es-v2.3.2.zip?raw=true
Append either of these snippets to
USE CASE 1: Full access from localhost + RO Access just to catalogue-* indices

readonlyrest:
    enable: true
    response_if_req_forbidden: Sorry, your request is forbidden.
    access_control_rules:

    - name: Accept all requests from localhost
      type: allow
      hosts: [127.0.0.1]

    - name: Just certain indices, and read only
      type: allow
      actions: [cluster:*, indices:data/read/*]
      indices: ["<no-index>", "product_catalogue-*"] # index aliases are taken in account!

USE CASE 2: Multiuser Kibana + Authenticated Logstash (various permission levels)

http.cors.enabled: true
http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/

readonlyrest:
    enable: true
    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
    access_control_rules:

    - name: "Logstash can write and create its own indices"
      auth_key: logstash:logstash
      type: allow
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*", "<no_index>"]

    - name: Kibana Server (we trust this server side component, full access granted via HTTP authentication)
      auth_key: admin:passwd3
      type: allow

    - name: Developer (reads only logstash indices, but can create new charts/dashboards)
      auth_key: dev:dev
      type: allow
      kibana_access: ro+
      indices: ["<no-index>", ".kibana*", "logstash*", "default"]

Now activate authentication in Kibana server: let the Kibana daemon connect to ElasticSearch in privileged mode.
- edit the kibana configuration file kibana.yml and add the following:

elasticsearch.username: "admin"
elasticsearch.password: "passwd3"

The users connecting from their browsers will be asked to log in separately anyway.
Now activate authentication in Logstash: (follow the docs, it’s very similar to Kibana!)
4. Restart Elasticsearch
For other use cases and finer access control, have a look at the full list of supported rules.
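
A review pass over the USE CASE 2 rules before the node is exposed, as an added example that is not part of the plugin or its README. `RULES`, `SCOPING_KEYS`, `audit` and `min_password_len` are hypothetical names, and the rule list is a constructed transcription of the snippet above into Python data.

```python
# Added example: pre-deployment review of a readonlyrest rule list.
# RULES is a constructed transcription of the USE CASE 2 access_control_rules
# into Python data (block names shortened), so no YAML parser is needed.
RULES = [
    {"name": "Logstash", "auth_key": "logstash:logstash", "type": "allow",
     "actions": ["indices:data/read/*", "indices:data/write/*",
                 "indices:admin/template/*", "indices:admin/create"],
     "indices": ["logstash-*", "<no_index>"]},
    {"name": "Kibana Server", "auth_key": "admin:passwd3", "type": "allow"},
    {"name": "Developer", "auth_key": "dev:dev", "type": "allow",
     "kibana_access": "ro+",
     "indices": ["<no-index>", ".kibana*", "logstash*", "default"]},
]

# Rule keys from the page that narrow what an allow block grants.
SCOPING_KEYS = {"actions", "indices", "kibana_access", "methods"}


def audit(rules, min_password_len=12):
    """Return (block name, finding) tuples; min_password_len is a
    hypothetical local policy value, not a plugin setting."""
    findings = []
    placeholders = set()
    for block in rules:
        if block.get("type") != "allow":
            continue
        name = block.get("name", "<unnamed>")
        # A block with identity rules only grants everything to that identity.
        if not block.keys() & SCOPING_KEYS:
            findings.append((name, "no scoping rule: full access"))
        if "auth_key" in block:
            user, _, password = block["auth_key"].partition(":")
            if password == user or len(password) < min_password_len:
                findings.append((name, "weak or sample password in auth_key"))
        # Collect special "<...>" entries to spot inconsistent spellings.
        placeholders.update(
            i for i in block.get("indices", []) if i.startswith("<"))
    if len(placeholders) > 1:
        findings.append(
            ("*", "mixed placeholder spellings: " + ", ".join(sorted(placeholders))))
    return findings


if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name:15} {finding}")
```

The snippets on this page use both `<no-index>` and `<no_index>`, so the last finding is a prompt to confirm which spelling your plugin version expects.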
2016-04-26 v1.9.3: Tighter Kibana access rule + Indices rule supports (for cluster commands, etc) useful for restricting Kibana rules to certain indices only (see example 2)
2016-04-26 v1.9.2: bugfix release
kibana_access support access control for Kibana dashboards in "ro|rw|ro+" modes.
kibana_indices if you customize the kibana.yml let us know so kibana_access works as it should.
actions rule lets you control what kind of actions are allowed/forbidden. I.e.
indices rule now supports wildcards i.e. the word logstash-* will match itself, but also
indices rule now resolves index aliases.
2016-02-21 v1.7: real (multi)index isolation is now possible through indices rule (supersedes
2016-02-20 v1.6: show login prompt in browsers if auth_key is configured.
2015-12-19 v1.5: support for X-Forwarded-For, HTTP Basic Authentication, and
Download the latest build
- v1.9.3 for Elasticsearch 2.3.2 elasticsearch-readonlyrest-v1.9.3_es-v2.3.2.zip
Releases for earlier versions of Elasticsearch (may not include all the features) are available in the download folder.
If you need a build for a specific ES version, just open an issue!
Other security plugins are replacing the high performance, Netty based, embedded REST API of Elasticsearch with Tomcat, Jetty or other cumbersome XML based JEE madness.
This plugin instead is just a lightweight filtering layer.
Less moving parts
Some suggest spinning up a new HTTP proxy (Varnish, Nginx, HAProxy) between ES and clients to prevent malicious access. This is a bad idea for two reasons:
- You’re introducing more complexity in your architecture.
- Reasoning about security at HTTP level is risky, flaky and less granular than controlling access at the internal ElasticSearch protocol level.
The only clean way to do the access control is AFTER ElasticSearch has parsed the queries.
Just set a few rules with this plugin and confidently open it up to the external world.
An easy, flexible access control list
Build your ACL from simple building blocks (rules) i.e.:
IP level rules
- hosts: a list of origin IP addresses or subnets
HTTP level rules
- api_keys: a list of API keys passed in via header
- methods: a list of HTTP methods
- X-Forwarded-For header as origin host (useful for AWS ELB and other reverse proxies)
- auth_key: HTTP Basic auth.
ElasticSearch internal protocol level rules
- indices: indices (aliases and wildcards work)
- actions: list of ES actions (e.g. "cluster:*", "indices:data/write/*", "indices:data/read*")
ElasticSearch level macro-rules
- kibana_access: captures the read-only, read-only + new visualizations/dashboards, read-write use cases of Kibana.
All the available rules in detail
This project was incepted in this StackOverflow thread.
Thanks Ivan Brusic for publishing this guide