神刀安全网

Multiuser, Authenticated ELK (ElasticSearch+Logstash+Kibana) for Free


Readonly REST Elasticsearch Plugin

Expose the high performance HTTP server embedded in Elasticsearch directly to the public, safely blocking any attempt to delete or modify your data.

In other words… no more proxies! Yay Ponies!

Getting started

1. Install the plugin

Replace the ES version with the one you have:

bin/plugin install https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin/blob/master/download/elasticsearch-readonlyrest-v1.9.2_es-v2.3.2.zip?raw=true

2. Configuration

Append either of these snippets to conf/elasticsearch.yml

USE CASE 1: Full access from localhost + RO Access just to catalogue-* indices

readonlyrest:
    enable: true
    response_if_req_forbidden: Sorry, your request is forbidden.
    access_control_rules:

    - name: Accept all requests from localhost
      type: allow
      hosts: [127.0.0.1]

    - name: Just certain indices, and read only
      type: allow
      actions: [cluster:*, indices:data/read/*]
      indices: ["<no-index>", "product_catalogue-*"] # index aliases are taken into account!

USE CASE 2: Multiuser Kibana + Authenticated Logstash (various permission levels)

http.cors.enabled: true
http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/

readonlyrest:
    enable: true
    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
    access_control_rules:

    - name: "Logstash can write and create its own indices"
      auth_key: logstash:logstash
      type: allow
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*", "<no-index>"]

    - name: Kibana Server (we trust this server side component, full access granted via HTTP authentication)
      auth_key: admin:passwd3
      type: allow

    - name: Developer (reads only logstash indices, but can create new charts/dashboards)
      auth_key: dev:dev
      type: allow
      kibana_access: ro+
      indices: ["<no-index>", ".kibana*", "logstash*", "default"]

Now activate authentication in the Kibana server: let the Kibana daemon connect to Elasticsearch in privileged mode.

  • edit the Kibana configuration file kibana.yml and add the following:

    elasticsearch.username: "admin"
    elasticsearch.password: "passwd3"

The users connecting from their browsers will be asked to log in separately anyway.

Now activate authentication in Logstash (follow the docs, it’s very similar to Kibana!).

4. Restart Elasticsearch

For other use cases and finer access control, have a look at the full list of supported rules.

Changelog

2016-04-26 v1.9.3: Tighter Kibana access rule + indices rule supports <no-index> (for cluster commands, etc.), useful for restricting Kibana rules to certain indices only (see example 2)

2016-04-26 v1.9.2: bugfix release

2016-02-21 v1.9.1:

  • kibana_access: access control for Kibana dashboards in "ro|rw|ro+" modes.
  • kibana_indices: if you customize the kibana.index property in kibana.yml, let us know so kibana_access works as it should.
  • actions rule lets you control what kind of actions are allowed/forbidden, e.g. [cluster:*, indices:data:*]
  • indices rule now supports wildcards, e.g. the pattern logstash-* matches itself, but also logstash-2016-04-02

2016-02-21 v1.8: indices rule now resolves index aliases.

2016-02-21 v1.7: real (multi)index isolation is now possible through the indices rule (supersedes uri_re).

2016-02-20 v1.6: show login prompt in browsers if auth_key is configured.

2015-12-19 v1.5: support for X-Forwarded-For, HTTP Basic Authentication, and X-API-Key.

Download the latest build

Releases for earlier versions of Elasticsearch (may not include all the features) are available in the download folder.

If you need a build for a specific ES version, just open an issue!

Features

Lightweight security

Other security plugins replace the high performance, Netty based, embedded REST API of Elasticsearch with Tomcat, Jetty or other cumbersome XML based JEE madness.

This plugin instead is just a lightweight filtering layer.

Less moving parts

Some suggest spinning up a new HTTP proxy (Varnish, NGINX, HAProxy) between ES and clients to prevent malicious access. This is a bad idea for two reasons:

  • You’re introducing more complexity in your architecture.
  • Reasoning about security at the HTTP level is risky, flaky and less granular than controlling access at the internal Elasticsearch protocol level.

The only clean way to do access control is AFTER Elasticsearch has parsed the queries.

Just set a few rules with this plugin and confidently open it up to the external world.

An easy, flexible access control list

Build your ACL from simple building blocks (rules), e.g.:

IP level Rules

  • hosts a list of origin IP addresses or subnets

HTTP level rules

  • api_keys: a list of API keys passed in via the X-Api-Key header
  • methods: a list of HTTP methods
  • accept_x-forwarded-for_header: interpret the X-Forwarded-For header as the origin host (useful for AWS ELB and other reverse proxies; only enable it when a trusted proxy sets the header, since any client can send its own)
  • auth_key: HTTP Basic auth.

ElasticSearch internal protocol level rules

  • indices: indices (aliases and wildcards work)
  • actions: list of ES actions (e.g. "cluster:*", "indices:data/write/*", "indices:data/read/*")

Elasticsearch level macro-rules

  • kibana_access: captures the read-only, read-only + new visualizations/dashboards, and read-write use cases of Kibana.
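To make the rule semantics above concrete, here is a small evaluator that replays use case 2 from the Getting started section against the rule types listed here. It is an added example, not the plugin's own code: it models the semantics the README describes (allow rules tried in order, a rule matching only when every condition it carries matches, the first match deciding, anything unmatched answered with response_if_req_forbidden). The ACL dict is a constructed transcription of use case 2 with the localhost rule from use case 1 in front of it; the read-action prefixes, the CIDR handling for hosts, and the kibana_access semantics (ro = reads only, ro+ = reads plus writes to the Kibana index, rw = reads plus any write the indices rule allows) are simplifying assumptions, and the real plugin's matching may differ in detail.

```python
"""Model of ordered, all-conditions-must-match ACL rules (added example, not
the plugin's code). kibana_access modes are a simplifying assumption:
ro = reads only, ro+ = reads plus writes to the Kibana index, rw = reads plus
any write the indices rule allows."""
import base64
import fnmatch
import hmac
import ipaddress

# Constructed transcription of the README's use case 2, preceded by the
# localhost rule from use case 1 so that rule ordering can be observed.
ACL = {
    "response_if_req_forbidden": "Forbidden by ReadonlyREST ES plugin",
    "access_control_rules": [
        {"name": "Accept all requests from localhost", "type": "allow",
         "hosts": ["127.0.0.1"]},
        {"name": "Logstash can write and create its own indices", "type": "allow",
         "auth_key": "logstash:logstash",
         "actions": ["indices:data/read/*", "indices:data/write/*",
                     "indices:admin/template/*", "indices:admin/create"],
         "indices": ["logstash-*", "<no-index>"]},
        {"name": "Kibana Server", "type": "allow", "auth_key": "admin:passwd3"},
        {"name": "Developer", "type": "allow", "auth_key": "dev:dev",
         "kibana_access": "ro+",
         "indices": ["<no-index>", ".kibana*", "logstash*", "default"]},
    ],
}

KIBANA_INDEX = ".kibana"  # default kibana.index; kibana_indices would override it
# Assumed set of action prefixes counted as "read" for kibana_access.
READ_ACTIONS = ("indices:data/read/", "cluster:monitor/", "indices:admin/get",
                "indices:admin/exists", "indices:admin/mappings/get")


def basic_auth(user, password):
    """Build the Authorization header a browser or Logstash would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _credentials(header):
    """Decode 'user:password' from an HTTP Basic header; None if absent or garbled."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        return base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def _host_ok(allowed, origin):
    ip = ipaddress.ip_address(origin)
    return any(ip in ipaddress.ip_network(h, strict=False) for h in allowed)


def _glob_ok(patterns, name):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _indices_ok(patterns, indices):
    if not indices:                      # cluster-level request touching no index
        return "<no-index>" in patterns
    return all(_glob_ok(patterns, i) for i in indices)


def _kibana_ok(mode, action, indices):
    if action.startswith(READ_ACTIONS):
        return True
    if mode == "ro":
        return False
    if mode == "ro+":                    # may only save dashboards/visualisations
        return bool(indices) and all(i.startswith(KIBANA_INDEX) for i in indices)
    return mode == "rw"


def evaluate(acl, origin, action, indices=(), authorization=None):
    """Return (allowed, matched rule name or the configured forbidden message)."""
    creds = _credentials(authorization)
    for rule in acl["access_control_rules"]:
        if "hosts" in rule and not _host_ok(rule["hosts"], origin):
            continue
        if "auth_key" in rule and (creds is None or not hmac.compare_digest(
                rule["auth_key"].encode(), creds.encode())):  # constant-time compare
            continue
        if "actions" in rule and not _glob_ok(rule["actions"], action):
            continue
        if "indices" in rule and not _indices_ok(rule["indices"], list(indices)):
            continue
        if "kibana_access" in rule and not _kibana_ok(rule["kibana_access"], action, list(indices)):
            continue
        return rule["type"] == "allow", rule["name"]
    return False, acl["response_if_req_forbidden"]


def demo():
    """Constructed requests exercising each rule; returns {label: (allowed, why)}."""
    ls, dev, admin = basic_auth("logstash", "logstash"), basic_auth("dev", "dev"), basic_auth("admin", "passwd3")
    cases = {
        "logstash bulk to own index": ("10.0.0.5", "indices:data/write/bulk", ["logstash-2016-04-02"], ls),
        "logstash writes foreign index": ("10.0.0.5", "indices:data/write/bulk", ["product_catalogue"], ls),
        "dev searches logs": ("10.0.0.5", "indices:data/read/search", ["logstash-2016-04-02"], dev),
        "dev saves dashboard": ("10.0.0.5", "indices:data/write/index", [".kibana"], dev),
        "dev writes logs": ("10.0.0.5", "indices:data/write/index", ["logstash-2016-04-02"], dev),
        "admin deletes index": ("10.0.0.5", "indices:admin/delete", ["logstash-2016-04-02"], admin),
        "localhost, no auth, deletes": ("127.0.0.1", "indices:admin/delete", ["logstash-2016-04-02"], None),
        "anonymous remote health": ("203.0.113.9", "cluster:monitor/health", [], None),
        "garbled basic header": ("10.0.0.5", "cluster:monitor/health", [], "Basic %%%"),
    }
    return {label: evaluate(ACL, *args) for label, args in cases.items()}


if __name__ == "__main__":
    for label, (allowed, why) in demo().items():
        print(f"{'ALLOW ' if allowed else 'FORBID'} {label:32} -> {why}")
```

Running it shows why rule order matters: the localhost rule carries only a hosts condition, so an unauthenticated delete from 127.0.0.1 is allowed by the first rule before any auth_key rule is consulted, while the same delete from a remote address needs admin credentials. It also shows the kibana_access ro+ split: the developer can save to .kibana but not write to logstash-*.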

All the available rules in detail

History

This project was incepted in this StackOverflow thread.

Credits

Thanks to Ivan Brusic for publishing this guide.
