Alibaba Cloud Elasticsearch allows you to configure Active Directory (AD) user authentication for your Elasticsearch cluster. After the configuration, users in an AD domain that are mapped to Elasticsearch roles can log on to the cluster with their domain credentials. This topic describes how to configure AD user authentication for an Alibaba Cloud Elasticsearch cluster.

Prerequisites

  • An Alibaba Cloud Elasticsearch cluster is created.

    For more information, see Create an Alibaba Cloud Elasticsearch cluster. In this example, an Elasticsearch V7.10 cluster is created.

  • If your Elasticsearch cluster was created in October 2020 or later, the cluster is deployed in the new network architecture, and you must also perform the following operation:
    1. Configure a Classic Load Balancer (CLB) instance. For more information, see Step 2: Configure the CLB instance.
  • An AD domain is created and configured on an Elastic Compute Service (ECS) instance that runs the Windows operating system and resides in the same virtual private cloud (VPC) as the Elasticsearch cluster. In this example, the Windows Server 2012 operating system is used. In addition, a test user and a domain are prepared.

    In this example, the ccy1 user and the ccy.com root domain are used.

Limits

The network architecture of Alibaba Cloud Elasticsearch in different regions has been adjusted since October 2020. The adjustment has the following impacts on clusters:

  • Clusters that are created before October 2020 are deployed in the original network architecture. In this architecture, clusters are deployed in the VPCs that are created by users. If you want a cluster that is deployed in this architecture to access the Internet, you can use an ECS instance for which SNAT is enabled or use an NGINX proxy to forward requests.
  • Elasticsearch clusters that are created in October 2020 or later are deployed in the new network architecture. If you want to use AD user authentication for such a cluster, you must first use the PrivateLink service to establish private connections between VPCs. For more information, see Configure a private connection for an Elasticsearch cluster. If you want to connect such a cluster to the Internet, configure an NGINX proxy to forward requests.
  • For Elasticsearch clusters that are deployed in the original network architecture, only single-zone clusters support AD user authentication. For Elasticsearch clusters that are deployed in the new network architecture, both single-zone clusters and multi-zone clusters support AD user authentication.

Procedure

  1. Step 1: Configure AD user authentication
  2. Step 2: Map the user to a role
  3. Step 3: Verify the result

Step 1: Configure AD user authentication

An Elasticsearch cluster uses its security features to communicate with the AD domain and authenticate users. The security features communicate with the AD domain controller over Lightweight Directory Access Protocol (LDAP). AD is an LDAP-compatible directory: like an LDAP directory, an AD domain stores users and groups in a hierarchical manner. The AD realm authenticates a user by sending an LDAP bind request with the user's credentials to the domain controller. After the bind succeeds, the realm searches the domain for the entry of the user and retrieves the group membership of the user from the tokenGroups attribute of the entry. The group membership and the DN of the user are what the role mapping in Step 2 is evaluated against. For more information, see Configuring an Active Directory realm.

If the version of your Elasticsearch cluster is V6.X, add the following configurations to the YML configuration file of your cluster to configure AD user authentication. For more information, see Configure the YML file. If the version of your Elasticsearch cluster is V7.X, submit a ticket to contact Alibaba Cloud technical support to configure related settings for your cluster. Note that the keys below use the xpack.security.authc.realms.<type>.<name>.<setting> format introduced in Elasticsearch 7.0; on a V6.X node the same realm is declared as xpack.security.authc.realms.my_ad.type: active_directory with the remaining settings under the xpack.security.authc.realms.my_ad prefix.
xpack.security.authc.realms.active_directory.my_ad.order: 0
xpack.security.authc.realms.active_directory.my_ad.domain_name: ccy.com
xpack.security.authc.realms.active_directory.my_ad.url: ldap://ep-bp1i321219*********-cn-hangzhou-h.epsrv-bp15571d5ps*********.cn-hangzhou.privatelink.aliyuncs.com:389
xpack.security.authc.realms.active_directory.my_ad.bind_dn: ccy1@ccy.com
xpack.security.authc.realms.active_directory.my_ad.secure_bind_password: your_password
Parameter descriptions:

  • order: The priority of the AD realm in the realm chain. Realms with a lower order are consulted first during user authentication, and each realm should have a unique order.
  • domain_name: The name of the root domain (ccy.com in this example). If url is not set, the realm locates domain controllers for this domain through DNS.
  • url: The LDAP URL and port number of the domain controller that the Elasticsearch cluster connects to, in this example the AD domain hosted on the ECS instance. For more information, see Configuring an Active Directory realm.
    Notice If your Elasticsearch cluster is deployed in the new network architecture, you must set this parameter to a value in the format ldap://<Domain name of the related endpoint>:<Port number>. In this example, ldap://ep-bp1i321219*********-cn-hangzhou-h.epsrv-bp15571d5ps*********.cn-hangzhou.privatelink.aliyuncs.com:389 is used.
    Notice ldap:// on port 389 sends the bind password and the password of every user who logs on across the network in cleartext. If the domain controller has a certificate, use ldaps://<host>:636 and set xpack.security.authc.realms.active_directory.my_ad.ssl.certificate_authorities to the CA that issued it.
  • bind_dn: The distinguished name (DN), or the user principal name as in this example, of the account that the realm uses to search the directory. Use a dedicated read-only account rather than a domain administrator, because this account's password is stored on the cluster.
  • secure_bind_password: The password of the bind account. On a self-managed cluster this is a secure setting that is stored with elasticsearch-keystore add rather than in elasticsearch.yml, where Elasticsearch rejects it at startup; on Alibaba Cloud Elasticsearch, enter it in the YML configuration as shown in this step.
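Before applying realm settings such as the ones above, it helps to lint them for the two problems a practitioner most often hits: a cleartext ldap:// URL and a secret placed in elasticsearch.yml. The following Python linter is an added example, not part of this topic or of Elasticsearch. The two settings blocks it checks are constructed: dc01.ccy.com stands in for the PrivateLink endpoint, and the CA path in the hardened variant is hypothetical.

```python
"""Lint Elasticsearch 7.x Active Directory realm settings before they are
applied, flagging cleartext LDAP and secrets that belong in the keystore."""
from urllib.parse import urlsplit

REALM_PREFIX = "xpack.security.authc.realms."
# Settings Elasticsearch only accepts from the keystore, never from elasticsearch.yml.
SECURE_SETTINGS = {"secure_bind_password"}

# Constructed sample: the Step 1 settings with a placeholder domain-controller
# hostname (dc01.ccy.com) in place of the PrivateLink endpoint.
WEAK_SETTINGS = """\
xpack.security.authc.realms.active_directory.my_ad.order: 0
xpack.security.authc.realms.active_directory.my_ad.domain_name: ccy.com
xpack.security.authc.realms.active_directory.my_ad.url: ldap://dc01.ccy.com:389
xpack.security.authc.realms.active_directory.my_ad.bind_dn: ccy1@ccy.com
xpack.security.authc.realms.active_directory.my_ad.secure_bind_password: your_password
"""

# Constructed hardened variant: LDAPS with an explicit CA (hypothetical path), and
# the bind password moved to the keystore with
#   bin/elasticsearch-keystore add xpack.security.authc.realms.active_directory.my_ad.secure_bind_password
HARDENED_SETTINGS = """\
xpack.security.authc.realms.active_directory.my_ad.order: 0
xpack.security.authc.realms.active_directory.my_ad.domain_name: ccy.com
xpack.security.authc.realms.active_directory.my_ad.url: ldaps://dc01.ccy.com:636
xpack.security.authc.realms.active_directory.my_ad.bind_dn: ccy1@ccy.com
xpack.security.authc.realms.active_directory.my_ad.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ccy-root-ca.crt" ]
"""


def parse_realm_settings(text):
    """Group flat '<prefix><type>.<name>.<setting>: value' lines into
    {(type, name): {setting: value}}; blanks, comments and non-realm keys are skipped."""
    realms = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if not key.startswith(REALM_PREFIX):
            continue
        parts = key[len(REALM_PREFIX):].split(".")
        if len(parts) < 3:
            continue
        realm_type, name, setting = parts[0], parts[1], ".".join(parts[2:])
        realms.setdefault((realm_type, name), {})[setting] = value
    return realms


def lint_ad_realm(settings):
    """Return human-readable findings for one active_directory realm."""
    findings = []
    if "domain_name" not in settings:
        findings.append("domain_name is required for an active_directory realm")
    if "order" not in settings:
        findings.append("order is missing: the realm's position in the realm chain is undefined")
    url = settings.get("url")
    if url is None:
        findings.append("url is missing: domain controllers are discovered via DNS for "
                        "domain_name and contacted over cleartext ldap:// on port 389")
    else:
        scheme = urlsplit(url).scheme.lower()
        if scheme not in ("ldap", "ldaps"):
            findings.append(f"url scheme {scheme!r} is not ldap or ldaps")
        elif scheme == "ldap":
            findings.append("url uses ldap://: the bind password and every user's password "
                            "cross the network in cleartext; use ldaps:// (port 636)")
        elif "ssl.certificate_authorities" not in settings and "ssl.truststore.path" not in settings:
            findings.append("ldaps:// without ssl.certificate_authorities or ssl.truststore.path: "
                            "the domain controller certificate must chain to the JVM default truststore")
    if "bind_password" in settings:
        findings.append("bind_password is deprecated and keeps the secret in plaintext YML; "
                        "use secure_bind_password in the keystore")
    for key in sorted(SECURE_SETTINGS.intersection(settings)):
        findings.append(f"{key} is a secure setting: on a self-managed node it must be added "
                        "with elasticsearch-keystore, not placed in elasticsearch.yml")
    return findings


def lint_settings(text):
    """Lint every active_directory realm in the text and flag realms that share an order."""
    realms = parse_realm_settings(text)
    report = {name: lint_ad_realm(cfg) for (rtype, name), cfg in realms.items()
              if rtype == "active_directory"}
    by_order = {}
    for (_rtype, name), cfg in realms.items():
        by_order.setdefault(cfg.get("order"), []).append(name)
    for order, names in by_order.items():
        if order is not None and len(names) > 1:
            for name in names:
                others = sorted(set(names) - {name})
                report.setdefault(name, []).append(
                    f"order {order} is shared with {others}: realm order must be unique")
    return report


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, lint_settings(text))
```

Running the script prints two findings for the page's settings (cleartext ldap:// and secure_bind_password in YML) and none for the hardened variant.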

Step 2: Map the user to a role

  1. Log on to the Kibana console of the Elasticsearch cluster.
    For more information, see Log on to the Kibana console.
    Note In this example, an Elasticsearch V7.10.0 cluster is used. Operations on clusters of other versions may differ. The actual operations in the console prevail.
  2. Go to the homepage of the Kibana console and click Dev tools in the upper-right corner.
  3. On the Console tab, run the following command to map the ccy1 user in the AD domain to the superuser role, which grants full cluster privileges. The mapping matches a user if the user is a member of the cn=ali,dc=ccy,dc=com group (the groups field) or if the user's DN is cn=ccy1,cn=ali,dc=ccy,dc=com (the dn field). In production, map AD groups to a role that grants only the privileges the users need rather than superuser, because every account later added to the group receives the mapped role.
    PUT /_security/role_mapping/basic_users
    {
      "roles": [ "superuser" ],
      "enabled": true,
      "rules": {
        "any": [
          {
            "field": {
              "groups": "cn=ali,dc=ccy,dc=com"
            }
          },
          {
            "field": {
              "dn": "cn=ccy1,cn=ali,dc=ccy,dc=com"
            }
          }
        ]
      }
    }
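Elasticsearch evaluates the rules of every enabled role mapping on each authentication and grants the union of the matching mappings' roles. The following Python example is added here and is not code from this topic or from Elasticsearch: it evaluates any/all/except/field rule trees offline against constructed user records, so you can see which roles the Step 2 mapping gives a user and compare it with a constructed least-privilege mapping. The ccy_log_reader role, the cn=log-readers group, the analyst user and the user records are hypothetical, and DN normalization is simplified (escaped commas inside attribute values are not handled).

```python
"""Evaluate Elasticsearch role-mapping rules offline to see which roles an
AD user would receive, using the Step 2 mapping and a least-privilege alternative."""
from fnmatch import fnmatchcase

# Fields whose values are DNs and are therefore compared case-insensitively.
DN_FIELDS = {"dn", "groups"}

# The Step 2 mapping body, plus a constructed least-privilege mapping
# (role ccy_log_reader and group cn=log-readers are hypothetical).
MAPPINGS = {
    "basic_users": {
        "roles": ["superuser"],
        "enabled": True,
        "rules": {"any": [
            {"field": {"groups": "cn=ali,dc=ccy,dc=com"}},
            {"field": {"dn": "cn=ccy1,cn=ali,dc=ccy,dc=com"}},
        ]},
    },
    "log_readers": {
        "roles": ["ccy_log_reader"],
        "enabled": True,
        "rules": {"all": [
            {"field": {"realm.name": "my_ad"}},
            {"field": {"groups": "cn=log-readers,cn=ali,dc=ccy,dc=com"}},
        ]},
    },
}

# Constructed user records in the shape the mapping engine sees
# (username, dn, groups, realm.name); AD returns DNs in mixed case.
CCY1 = {"username": "ccy1", "dn": "CN=ccy1,CN=ali,DC=ccy,DC=com",
        "groups": ["CN=ali,DC=ccy,DC=com"], "realm.name": "my_ad"}
ANALYST = {"username": "analyst", "dn": "cn=analyst,cn=staff,dc=ccy,dc=com",
           "groups": ["cn=log-readers,cn=ali,dc=ccy,dc=com"], "realm.name": "my_ad"}
# A native-realm user that happens to share the name ccy1.
LOCAL = {"username": "ccy1", "dn": None, "groups": [], "realm.name": "default_native"}


def normalize_dn(dn):
    """Case-insensitive, whitespace-tolerant comparison form of a DN.
    Simplified: escaped commas inside attribute values are not handled."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def value_matches(field, actual, expected):
    """Compare one user value with one expected value from a field rule."""
    if expected is None:            # null in a rule matches a missing field
        return actual is None
    if actual is None:
        return False
    if field in DN_FIELDS:
        return normalize_dn(actual) == normalize_dn(expected)
    if isinstance(expected, str):   # "*" wildcards, as in {"username": "*"}
        return fnmatchcase(str(actual), expected)
    return actual == expected


def field_rule(user, field, expected):
    """A field rule matches if any user value for the field matches any expected value."""
    actual = user.get(field)
    actual_values = actual if isinstance(actual, list) else [actual]
    expected_values = expected if isinstance(expected, list) else [expected]
    return any(value_matches(field, a, e) for a in actual_values for e in expected_values)


def evaluate(rule, user):
    """Recursively evaluate an any / all / except / field rule tree."""
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    if "field" in rule:
        ((field, expected),) = rule["field"].items()
        return field_rule(user, field, expected)
    raise ValueError(f"unknown rule type: {sorted(rule)}")


def roles_for(user, mappings=MAPPINGS):
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for body in mappings.values():
        if body.get("enabled", True) and evaluate(body["rules"], user):
            roles.update(body["roles"])
    return roles


if __name__ == "__main__":
    for user in (CCY1, ANALYST, LOCAL):
        print(user["username"], user["realm.name"], sorted(roles_for(user)))
```

ccy1 matches the Step 2 mapping through the group clause even though AD returned the DN in mixed case, and would match through the dn clause if the group membership were removed; the analyst user receives only ccy_log_reader, and the same-named native user matches nothing because its DN and groups are empty. The realm.name clause in the second mapping is what keeps a user from another realm from inheriting an AD-scoped role.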

Step 3: Verify the result

  1. Use the ccy1 user to log on to the Kibana console of the Elasticsearch cluster.
  2. Go to the homepage of the Kibana console and click Dev tools in the upper-right corner.
  3. On the Console tab, run the following command to check whether the ccy1 user has permissions to perform the related operation:
    GET _cat/indices
    If the ccy1 user has the required permissions, the list of indices in the cluster is returned, as shown in the figure Verify the AD user authentication result.
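The Kibana check above confirms that the logon worked, but not which realm answered: if a native user named ccy1 exists in a realm with a lower order, that user is authenticated instead of the AD user and the AD role mapping never applies. The following Python script is an added example, not code from this topic or from Elasticsearch: it calls GET /_security/_authenticate as the user, verifies that the authentication_realm is the active_directory realm and that the mapped role is present, and only then runs the same _cat/indices request as Step 3. The cluster URL, credentials and both sample responses are constructed for the example.

```python
"""Verify over the REST API that a user was authenticated by the AD realm
(not by a same-named native user) and received the mapped role."""
import base64
import json
import urllib.request

# Constructed example of a GET /_security/_authenticate response for ccy1
# once the Step 2 mapping applies.
SAMPLE_AD_RESPONSE = {
    "username": "ccy1",
    "roles": ["superuser"],
    "full_name": None, "email": None, "metadata": {},
    "enabled": True,
    "authentication_realm": {"name": "my_ad", "type": "active_directory"},
    "lookup_realm": {"name": "my_ad", "type": "active_directory"},
    "authentication_type": "realm",
}
# Constructed response for the failure mode where a native user called ccy1
# exists and the native realm, consulted first, answered the logon.
SAMPLE_NATIVE_RESPONSE = dict(
    SAMPLE_AD_RESPONSE, roles=["kibana_admin"],
    authentication_realm={"name": "default_native", "type": "native"},
    lookup_realm={"name": "default_native", "type": "native"})


def basic_auth_header(username, password):
    """HTTP Basic credentials as sent by Kibana and curl -u."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def es_get(base_url, path, username, password, timeout=10):
    """GET a path on the cluster as the given user; JSON for _security
    endpoints, raw text for _cat endpoints. Only used by verify_ad_user."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": basic_auth_header(username, password)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return json.loads(body) if path.startswith("/_security") else body


def check_ad_authentication(resp, username, realm_name, required_role):
    """Return the problems found in an _authenticate response; an empty list
    means the user came through the expected AD realm with the expected role."""
    problems = []
    if resp.get("username") != username:
        problems.append(f"authenticated as {resp.get('username')!r}, expected {username!r}")
    realm = resp.get("authentication_realm", {})
    if realm.get("type") != "active_directory":
        problems.append(f"authenticated by realm type {realm.get('type')!r}: a user with the "
                        "same name in an earlier realm shadows the AD user")
    elif realm.get("name") != realm_name:
        problems.append(f"authenticated by AD realm {realm.get('name')!r}, expected {realm_name!r}")
    if not resp.get("enabled", False):
        problems.append("user is disabled")
    if required_role not in resp.get("roles", []):
        problems.append(f"role {required_role!r} not granted; roles = {resp.get('roles')}: "
                        "check the role mapping rules against the user's dn and groups")
    return problems


def verify_ad_user(base_url, username, password, realm_name, required_role):
    """Live check: authenticate as the AD user, validate the response, then
    run the Step 3 _cat/indices request. Returns (problems, indices_text)."""
    auth = es_get(base_url, "/_security/_authenticate", username, password)
    problems = check_ad_authentication(auth, username, realm_name, required_role)
    if problems:
        return problems, ""
    return [], es_get(base_url, "/_cat/indices?v", username, password)


if __name__ == "__main__":
    # Offline demonstration on the constructed responses; for a live check call
    # verify_ad_user("http://es-cn-xxx.elasticsearch.aliyuncs.com:9200",
    #                "ccy1", "<password>", "my_ad", "superuser").
    print("ad:", check_ad_authentication(SAMPLE_AD_RESPONSE, "ccy1", "my_ad", "superuser"))
    print("native:", check_ad_authentication(SAMPLE_NATIVE_RESPONSE, "ccy1", "my_ad", "superuser"))
```

If the live check reports that the native realm authenticated the user, either delete the conflicting native user or give the AD realm a lower order than the native realm.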