Elasticsearch user authentication plugin with http basic auth and IP ACL
This plugin provides user authentication APIs and a User management web console.
bin/plugin install https://raw.githubusercontent.com/elasticfence/elasticsearch-http-user-auth/5.1.2/jar/elasticfence-5.1.2-SNAPSHOT.zip
mvn package clean bin/plugin install file:///path/to/repo/jar/elasticfence-5.1.2-SNAPSHOT.zip
elasticfence.disabled: false
To disable the plugin set elasticfence.disabled
to true
elasticfence.root.password: rootpassword
To set the root password on each start use elasticfence.root.password
Only the root user can access ES's root APIs (like /_cat, /_cluster) and all indices. Other users can access URLs under their own indices that are specified with this plugin's API.
elasticfence.number_of_shards: 1 elasticfence.number_of_replicas: 3
Omit these config options to use the Elasticsearch defaults (currently 5 and 1 respectively), otherwise set them according to desired level of redundancy and cluster scheme.
IPs contained in whitelist array will bypass authentication, blacklisted IPs will be blocked. All other IPs will show an authentication window.
elasticfence.whitelist: ["127.0.0.1", "10.0.0.1"] elasticfence.blacklist: ["127.0.0.2", "10.0.0.99"]
To block all IPs that are not in the whitelist, use the following option for elasticfence.blacklist
elasticfence.blacklist: ["*"]
Add index filter "/.kibana" to a your_custom_username which you created on Elasticfence and set it in kibana.yml:
elasticsearch.username: your_custom_username elasticsearch.password: your_custom_password
Add permissions to your kibana users using regex filters:
/index.*,/_.*,/.kibana,/
To facilitate users and improve security, the optional Kibana Auth plugin can be deployed alongside Elastifence:
bin/kibana plugin --install kibana-auth-plugin -u https://github.com/elasticfence/kibana-auth-elasticfence/releases/download/snapshot/kauth-latest.tar.gz
The authentication method of this plugin is Basic Authentication. Therefore, you should add your username and password on URL string. For example:
http://root:[email protected]:9200/
curl -u root:rootpassword http://your.elasticsearch.hostname:9200/
{
"status" : 200,
"name" : "Piranha",
"cluster_name" : "elastic1",
"version" : {
"number" : "1.7.3",
"build_hash" : "05d4530971ef0ea46d0f4fa6ee64dbc8df659682",
"build_timestamp" : "2015-10-15T09:14:17Z",
"build_snapshot" : false,
"lucene_version" : "4.10.4"
},
"tagline" : "You Know, for Search"
}
Plugins using ES's REST API also have to be set root password in their configurations.
The ways of configuring Marvel and Kibana 4 are below:
elasticsearch.yml:
marvel.agent.exporter.es.hosts: ["root:[email protected]:9200"]
This plugin provides a web API to manage users and permissions.
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=adduser&username=admin&password=somepass
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=addindex&username=admin&index=index*
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=updateindex&username=admin&index=index-*
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=deleteuser&username=admin
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=list
[{
"username":"admin",
"password":"7080bfe27990021c562398e79823h920e9a38aa5d3b10c5ff5d8c498305",
"indices":["/_*"],
"created":"2015-11-06T21:57:21+0100"
}]