Security risk warning on Elasticsearch (Part 2)
Posted Date 1/15/2017
Turn off HTTP access
Enter the “config” directory and set the following parameter in the “elasticsearch.yml” configuration file:
1. http.enabled: false
2. This setting controls whether Elasticsearch serves requests over the HTTP protocol. The default value is true (HTTP enabled); setting it to false stops the node from accepting HTTP (REST) requests.
User Authorization
• Shield Plug-in
Shield is a security plug-in for Elasticsearch developed by Elastic. Once installed, Shield intercepts every request to Elasticsearch and applies authorization and encryption, protecting Elasticsearch and the systems that depend on it.
Shield is a commercial plug-in and requires an Elasticsearch commercial license. A first installation comes with a 30-day free trial; once the trial expires, Shield blocks the cluster health, cluster stats and index stats APIs, while other components are not affected.
With Shield you can define users and authorize their requests. Users are grouped in a 'Domain', and a domain can be of several types:
• LDAP service
• Active Directory service
• Local esusers configuration files (a local user file, similar in spirit to /etc/passwd)
Permission Control
Shield's permission model has several elements:
• Secured Resource: the target object, such as an index or the cluster.
• Privilege: an executable operation, such as Read or Write.
• Permission: one or more privileges on a secured resource, such as Read on the "products" index.
• Role: a named collection of permissions.
• User: an entity that can be assigned 0, 1 or more roles; the user may then perform, on each secured resource, the privileges that its roles grant.
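To make the model above concrete, here is an added example (not from the original post) that writes a constructed Shield-style roles file and audits it. The roles.yml layout used here follows the Shield 1.x format as assumed by this example; compare it against the roles.yml shipped in config/shield before relying on it. The index_privilege function maps a role and an index to the privilege granted, and wildcard_all_roles flags roles that hold every privilege on every index, which is the first thing a least-privilege review should look for.

```shell
#!/bin/sh
# Added example, not part of the original post. The roles.yml format below is
# an assumption modelled on Shield 1.x; verify against config/shield/roles.yml.

# Constructed sample roles file (not from a real deployment).
ROLES_YML=$(mktemp)
cat > "$ROLES_YML" <<'EOF'
# Constructed sample roles.yml
admin:                      # role: all privileges on the cluster and every index
  cluster: all
  indices:
    '*': all
products_reader:            # role: one permission, Read on the "products" index
  indices:
    'products': read
log_writer:
  indices:
    'logs-*': write         # index pattern, still scoped to a single privilege
EOF

# index_privilege FILE ROLE INDEX -> privilege ROLE holds on INDEX, or nothing.
index_privilege() {
    awk -v want_role="$2" -v want_index="$3" '
        /^[^ \t#]/ { sub(/:.*/, ""); role = $0; next }
        /^[ \t]+'\''[^'\'']*'\''[ \t]*:/ && role == want_role {
            line = $0
            sub(/[ \t]+#.*$/, "", line)
            n = index(line, ":")
            idx = substr(line, 1, n - 1); gsub(/^[ \t]+|[ \t]+$|'\''/, "", idx)
            priv = substr(line, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", priv)
            if (idx == want_index) { print priv; exit }
        }
    ' "$1"
}

# wildcard_all_roles FILE -> names of roles granting "all" on every index ('*').
# Such roles are effectively superusers over the data and deserve a justification.
wildcard_all_roles() {
    awk '
        /^[^ \t#]/ { sub(/:.*/, ""); role = $0; next }
        /^[ \t]+'\''\*'\''[ \t]*:[ \t]*all([ \t]|$)/ { print role }
    ' "$1"
}

echo "products_reader on products: $(index_privilege "$ROLES_YML" products_reader products)"
echo "roles with all on every index: $(wildcard_all_roles "$ROLES_YML")"
```

The two awk programs only understand the flat "role / indices / 'index': privilege" shape shown in the sample; a roles file that uses YAML lists or multi-privilege values needs a real YAML parser.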
Shield Installation:
Installation environment:
• Java 7 or a later version must be installed first
• Elasticsearch 1.5.0+ extracted on the local machine. If you installed it with APT or YUM, the default installation path is /usr/share/elasticsearch
1. Enter the Elasticsearch installation directory: cd /usr/share/elasticsearch
2. Install the Elasticsearch license plug-in: bin/plugin -i elasticsearch/license/latest
3. Install the Shield plug-in: bin/plugin -i elasticsearch/shield/latest
4. Move the Shield configuration directory, or link it, to /etc/elasticsearch/shield: ln -s /usr/share/elasticsearch/config/shield /etc/elasticsearch/shield
5. Restart the Elasticsearch service: service elasticsearch restart
6. Create a new Elasticsearch administrator account; you will be prompted for a new password: bin/shield/esusers useradd es_admin -r admin
7. An unauthenticated request to the REST API is now rejected: curl -XGET 'http://localhost:9200/'
8. Add the user name and password to the request: curl -u es_admin -XGET 'http://localhost:9200/'
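Steps 7 and 8 describe a manual check; the added example below (not from the original post) turns it into a repeatable one. classify_status is the pure logic: it interprets the HTTP status an unauthenticated GET / receives, treating 401 as "authentication enforced", 200 as an open cluster, and 000 (curl's value for no connection) as unreachable. es_auth_check and es_auth_ok wrap the curl calls from the page; the URL and user name are the page's localhost:9200 and es_admin, and the functions only contact whatever URL you pass them.

```shell
#!/bin/sh
# Added example, not part of the original post: check that Shield is actually
# enforcing authentication on the REST API, using the requests from steps 7 and 8.

# classify_status CODE -> verdict for an unauthenticated GET /; exit status:
#   0 = authentication enforced, 1 = open, 2 = unreachable, 3 = unexpected
classify_status() {
    case "$1" in
        401)    echo "authentication enforced (401 without credentials)"; return 0 ;;
        200)    echo "OPEN: cluster answers without credentials";        return 1 ;;
        000|"") echo "unreachable (HTTP disabled, or host/port closed)";  return 2 ;;
        *)      echo "unexpected status $1";                              return 3 ;;
    esac
}

# es_auth_check URL -> runs the unauthenticated probe from step 7 and classifies it.
# curl prints 000 as the http_code when it cannot connect at all.
es_auth_check() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1")
    classify_status "$code"
}

# es_auth_ok URL USER -> the authenticated request from step 8 must succeed (200).
# As in step 8, curl prompts for the password when only the user name is given.
es_auth_ok() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 -u "$2" "$1")
    [ "$code" = 200 ]
}

# Usage against a running cluster (commented out so the example runs offline):
# es_auth_check http://localhost:9200/
# es_auth_ok    http://localhost:9200/ es_admin && echo "es_admin can authenticate"
```

Running es_auth_check from a monitoring host after every restart catches the common failure where the plug-in is installed but not loaded, which shows up as a 200 instead of a 401.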
Enable Log Function
The Elasticsearch config folder has two configuration files: 'elasticsearch.yml' and 'logging.yml'. The first is the main configuration file and the second is the log configuration file. Elasticsearch logs through log4j, so enabling log4j in 'logging.yml' is sufficient.
To enable logging, modify the 'elasticsearch.yml' file:
1. path.logs: /path/to/logs
2. This sets the log file path; the default is the logs folder under the Elasticsearch root directory.
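Both the "Turn off HTTP access" section and the logging section above come down to one setting in elasticsearch.yml plus a default that applies when the key is absent or commented out. The added example below (not from the original post) reads such settings with a small awk-based yml_value helper and applies the defaults the page states: http.enabled defaults to true, and path.logs defaults to the logs folder under the Elasticsearch root. The two configuration files are constructed samples; the root directory passed to log_path is the page's /usr/share/elasticsearch.

```shell
#!/bin/sh
# Added example, not part of the original post: read flat "key: value" settings
# from elasticsearch.yml and apply the defaults described on the page.

# yml_value FILE KEY -> value of "KEY: value" (last uncommented occurrence wins,
# trailing comments and surrounding quotes stripped); prints nothing if absent.
yml_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/[ \t]+#.*$/, "", line)
            n = index(line, ":")
            if (n == 0) next
            k = substr(line, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr(line, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^["'\'']|["'\'']$/, "", v)
            val = v; found = 1
        }
        END { if (found) print val }
    ' "$1"
}

# http_enabled FILE -> "true" or "false"; absent key means the default, true.
http_enabled() {
    setting=$(yml_value "$1" http.enabled)
    case "$setting" in
        false|0|off|no) echo false ;;
        *)              echo true ;;
    esac
}

# log_path FILE ES_HOME -> configured path.logs, or the default "$ES_HOME/logs".
log_path() {
    configured=$(yml_value "$1" path.logs)
    if [ -n "$configured" ]; then
        echo "$configured"
    else
        echo "$2/logs"
    fi
}

# Constructed sample configurations (not from a real deployment).
HARDENED_YML=$(mktemp)
cat > "$HARDENED_YML" <<'EOF'
# elasticsearch.yml (constructed sample)
cluster.name: example-cluster
http.enabled: false          # no HTTP service; transport clients only
path.logs: /var/log/elasticsearch
EOF

DEFAULT_YML=$(mktemp)
cat > "$DEFAULT_YML" <<'EOF'
cluster.name: example-cluster
# http.enabled: false   <- commented out, so the default (true) applies
EOF

# audit FILE ES_HOME -> prints the effective settings; fails if HTTP is enabled.
audit() {
    enabled=$(http_enabled "$1")
    echo "http.enabled=$enabled path.logs=$(log_path "$1" "$2")"
    [ "$enabled" = false ]
}

audit "$HARDENED_YML" /usr/share/elasticsearch
audit "$DEFAULT_YML"  /usr/share/elasticsearch || echo "WARNING: HTTP is enabled"
```

The second audit call shows the case that bites in practice: a commented-out line looks like a hardened configuration at a glance but leaves the default in force.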
Patch updates
Install Elasticsearch patches on a regular basis. New users should start with the latest version of Elasticsearch.