Bruce

Reputation: 1145

Authentication in Elasticsearch

How do I define security access in Elasticsearch? I have the elasticsearch-head plugin but your access doesn't require any security.

Upvotes: 78

Views: 67930

Answers (11)

Aaron_ab

Reputation: 3758

Starting from Elastic version 6.8, some security features became free (read: https://www.elastic.co/blog/security-for-elasticsearch-is-now-free)

Some basic steps for basic authentication

  1. The most basic config param to set is: "xpack.security.enabled=true".

For example, if you are using docker-compose.yml file, add the line under environment:

elasticsearch:
    image: elastic:6.8.0
    environment:
      - "xpack.security.enabled=true"

  2. Next, you'll have to specify to Elastic which password the default user (which is called "elastic") should accept to authenticate. You do that with the ELASTIC_PASSWORD environment variable. In our example:

elasticsearch:
    image: elastic:6.8.0
    environment:
      - "xpack.security.enabled=true"
      - "ELASTIC_PASSWORD=123456"

Now, you are set to go. When you run elastic:

docker run --rm --name elastic -p 9200:9200 -e ELASTIC_PASSWORD=123456 -e xpack.security.enabled=true elastic:6.8.0

And do: curl localhost:9200, you'll get an error:

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

Which is exactly what you want (no username and password given, so no access is allowed)

Very important to keep in mind:

  1. When Elastic starts, it performs Bootstrap checks (https://www.elastic.co/guide/en/elasticsearch/reference/6.8/bootstrap-checks.html).

  2. There is a difference in Elastic between "development" and "production" mode when performing those checks.

  3. If elastic runs in production mode, those configs aren't sufficient (Bootstrap check will fail and DB will not work). You also must add ssl encryption configs between nodes. Read more: https://www.elastic.co/guide/en/elasticsearch/reference/6.8/security-settings.html

Upvotes: 3
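
A check for the setup described in the answer above, as an added Python example (not part of the original answer): it confirms that an anonymous request gets the 401 `security_exception` shown there and that the `elastic` credentials are accepted. The function names are hypothetical, and `start_stub` is a constructed stand-in for a node so the check runs offline; against the container from the answer you would call `security_enforced("localhost", 9200, "elastic", "123456")`.

```python
import base64
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe(host, port, user=None, password=None):
    """GET / and return (HTTP status, Elasticsearch error type or None)."""
    headers = {}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/", headers=headers)
        resp = conn.getresponse()
        body = json.loads(resp.read() or b"{}")
    finally:
        conn.close()
    error = body.get("error")
    return resp.status, error.get("type") if isinstance(error, dict) else None

def security_enforced(host, port, user, password):
    """True only if anonymous access is refused and the credentials work."""
    anonymous = probe(host, port)
    authenticated = probe(host, port, user, password)
    return anonymous == (401, "security_exception") and authenticated[0] == 200

def start_stub(password=None):
    """Constructed stand-in for a node; password=None imitates security disabled."""
    expected = None if password is None else "Basic " + base64.b64encode(
        f"elastic:{password}".encode()).decode()
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            ok = expected is None or self.headers.get("Authorization") == expected
            body = {"tagline": "stub"} if ok else {
                "error": {"type": "security_exception"}, "status": 401}
            data = json.dumps(body).encode()
            self.send_response(200 if ok else 401)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        def log_message(self, *args):  # keep the example quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```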

rohithnama

Reputation: 249

The only preferable way to enable security in Elasticsearch is through the plugin X-Pack.

https://www.elastic.co/guide/en/x-pack/current/xpack-introduction.html

This is a multipurpose plugin and will fit well for the security purposes, as you can also use monitoring and configure the alerts and notifications as per your needs.

As it is already highly recognized, I'm sure Elasticsearch will continue with this for login.

Upvotes: 4

pinkasey

Reputation: 153

I am very novice in ElasticSearch, yet I feel that X-Pack plugin should appear here as an answer: https://www.elastic.co/guide/en/x-pack/current/index.html

It is my understanding that X-Pack is now the de-facto standard for securing ElasticSearch (and much more), including authentication.

Upvotes: 3

salyh

Reputation: 2135

Update: This works pretty well and is (for most features) free and open source: https://github.com/floragunncom/search-guard

NOTE: The plugin mentioned in this article is no longer being maintained


Maybe this helps: https://github.com/salyh/elasticsearch-security-plugin

This plugin adds http/rest security functionality to Elasticsearch in kind of separate modules. Instead of Netty, an embedded Tomcat 7 is used to process http/rest requests.

Currently for user based authentication and authorization Kerberos and NTLM are supported through 3rd party library waffle (only on windows servers). For UNIX servers Kerberos is supported through 3rd party library tomcatspnegoad (Works with any kerberos implementation. For authorization either Active Directory and generic LDAP is supported).

You can use this plugin also without Kerberos/NTLM but then only host based authentication is available.

Upvotes: 6

imotov

Reputation: 30163

The plugin mentioned in this answer is no longer being actively supported.


There is no built-in access control in elasticsearch. So, you would need to set up a reverse proxy (here is a blog post on how to set up nginx), use one of the 3rd party elasticsearch plugins such as https://github.com/Asquera/elasticsearch-http-basic or use the official security plugin Shield.

Upvotes: 64

sscarduzio

Reputation: 6188

<shamelessPlug>

Sorry but I have serious doubts about all these plugins and proxies that only try to capture queries with sloppy regex's at HTTP level.

Will you regex all the possible ES syntax that may perform a write? How do you filter by index? How about index aliases? Multi-index queries?

The only clean way to do the access control is AFTER ElasticSearch has parsed the queries. This is exactly what Shield does after all!

I wrote an MIT-licensed plugin (readonly-rest-plugin) that does exactly this.

You can match request by:

  • ✔️ Host name, IP and IP with Netmask

  • ✔️ Indices (wildcards supported) and index aliases are resolved

  • ✔️ HTTP Basic Auth

It has also first class support for Kibana authentication :)

</shamelessPlug>

Upvotes: 11
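
The contrast drawn in the answer above, between matching the raw URL with a regex and checking the indices a request actually resolves to, shown as an added Python example (not part of the original answer and not the readonly-rest-plugin's code). The index names, aliases, the `logs-*` permission and all function names are constructed for illustration.

```python
import fnmatch
import re

# Constructed cluster state (hypothetical names).
INDICES = ["logs-2015.01", "logs-2015.02", "payroll"]
ALIASES = {"current": ["logs-2015.02"], "finance": ["payroll"]}
ALLOWED = "logs-*"  # the user may search only indices matching this pattern

# Proxy-style rule: judge the request by its raw URL path.
PROXY_RULE = re.compile(r"^/logs-[^/]*/_search$")

def regex_allows(path):
    return PROXY_RULE.match(path) is not None

def resolve(expression):
    """Expand a comma list with wildcards and aliases to concrete indices."""
    resolved = set()
    for part in expression.split(","):
        if part in ALIASES:
            resolved.update(ALIASES[part])
        elif part == "_all":
            resolved.update(INDICES)
        else:
            resolved.update(fnmatch.filter(INDICES, part))
    return resolved

def resolved_allows(path):
    """Allow a search only if every concrete index it touches is permitted."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[1] != "_search":
        return False
    targets = resolve(parts[0])
    return bool(targets) and all(fnmatch.fnmatch(i, ALLOWED) for i in targets)

REQUESTS = [
    "/logs-2015.01/_search",          # single permitted index
    "/logs-2015.01,payroll/_search",  # multi-index query
    "/current/_search",               # alias of a permitted index
    "/finance/_search",               # alias of a forbidden index
]

def compare(paths):
    """Map each path to (regex verdict, resolved-index verdict)."""
    return {p: (regex_allows(p), resolved_allows(p)) for p in paths}

if __name__ == "__main__":
    for path, verdicts in compare(REQUESTS).items():
        print(path, verdicts)
```

The two verdicts disagree on the multi-index path (the regex passes it although it includes `payroll`) and on the `current` alias (the regex refuses a request that only touches a permitted index).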

Panthro

Reputation: 3590

As ElasticSearch is kind of a database service, you probably wouldn't want it to be exposed publicly anyway.

I don't trust plugins to do that for me, so I did it with an nginx proxy.

This tutorial is very very helpful:

http://www.minvolai.com/blog/2014/08/Setting-up-a-Secure-Single-Node-Elasticsearch-server-behind-Nginx/Setting-up-a-Secure-Single-Node-Elasticsearch-server-behind-Nginx/

Upvotes: 2

Bharath Lakshman

Reputation: 545

Try Shield. It has Authentication and Authorization. For now it needs a license. Won't be too long before people create similar open source plugins.

Upvotes: 3

AhmedAlawady

Reputation: 77

Elasticsearch now has a security plugin: http://www.elasticsearch.org/blog/shield-know-security-coming-soon/

Upvotes: 7

wjimenez5271

Reputation: 2167

Regarding a specific solution to this problem, I ran across the following that is a simple implementation of a reverse proxy approach as mentioned in other answers:

https://gist.github.com/jpluscplusm/9227777

As a caveat, it seems at least some at Elasticsearch proper don't consider nginx to be the optimal solution, but I think that depends on the specifics of your authentication requirements (RBAC, user count, number of indexes, frequency of access list modifications). For some users (including myself) the first example is sufficient.

http://www.elasticsearch.org/blog/restricting-users-kibana-filtered-aliases/

If you find that your requirement specifics aren't met by nginx, something like this might work: https://github.com/lukas-vlcek/node.es

Upvotes: 2

Felix

Reputation: 1910

If you want to use the basic authentication with Kibana3, here is my solution:

https://github.com/fangli/kibana-authentication-proxy

It supports not only a basicAuth ES backend, but also GoogleOAuth and BasicAuth for the client. Please give a star if it works for you, thanks.

Upvotes: 3
