
Elasticsearch:Configure AD user authentication

Last Updated:Nov 10, 2023

Alibaba Cloud Elasticsearch allows you to configure Active Directory (AD) user authentication for your Elasticsearch cluster. This way, users in an AD realm that are assigned Elasticsearch roles can be used to access the cluster. This topic describes how to configure AD user authentication for an Alibaba Cloud Elasticsearch cluster.

Prerequisites

  • An Alibaba Cloud Elasticsearch cluster is created.

    For more information, see Create an Alibaba Cloud Elasticsearch cluster. In this example, an Elasticsearch V7.10 cluster is created.

  • An AD realm is created and configured on an Elastic Compute Service (ECS) instance that runs the Windows operating system and resides in the same virtual private cloud (VPC) as the Elasticsearch cluster. In this example, the Windows Server 2012 operating system is used. In addition, data is prepared.

    In this example, the ccy1 user and the ccy.com root realm are used.

Limits

The network architecture of Alibaba Cloud Elasticsearch in different regions has been adjusted since October 2020. The adjustment has the following impacts on clusters:

  • If you want to connect a cluster that is deployed in the original network architecture to the Internet, you can use an ECS instance for which SNAT is enabled or use an NGINX proxy to forward requests.

  • In the new network architecture, the AD user authentication feature is limited. You can use the PrivateLink service to establish private connections between VPCs. For more information, see Configure a private connection for an Elasticsearch cluster. If you want to connect a cluster that is deployed in the new network architecture to the Internet, configure an NGINX proxy to forward requests.

  • In the original network architecture, only single-zone Elasticsearch clusters support AD user authentication.

Note

For more information about the network architecture, see [Notice] Network architecture adjustment.

Procedure

  1. Step 1: (Optional) Obtain the domain name of an endpoint

  2. Step 2: Configure AD user authentication

  3. Step 3: Map the user to a role

  4. Step 4: Verify the result

Step 1: (Optional) Obtain the domain name of an endpoint

Elasticsearch clusters created in October 2020 or later are deployed in the new network architecture. These Elasticsearch clusters reside in the VPC of the Elasticsearch service account. If your Elasticsearch cluster is deployed in the new network architecture, you need to use the PrivateLink service to establish a private connection between the VPC of the service account and your VPC. Then, obtain the domain name of the related endpoint for future use. To obtain the domain name of an endpoint, perform the following steps:

  1. Create a Classic Load Balancer (CLB) instance that supports the PrivateLink service and resides in the same VPC as the created Elasticsearch cluster.
  2. Configure the CLB instance.

    During the configuration, you must specify the Lightweight Directory Access Protocol (LDAP) server as the backend server and port 389 as the listening port.

    For more information, see Configure a private connection for an Elasticsearch cluster.

  3. Create an endpoint service.

    For more information, see Step 2: Create an endpoint service.

  4. Configure a private connection to the Elasticsearch cluster.
  5. Obtain the domain name of the endpoint that is used to access the endpoint service.

    For more information, see Configure a private connection for an Elasticsearch cluster.

    Note Record the obtained domain name, which will be used in subsequent configurations.

Step 2: Configure AD user authentication

An Elasticsearch cluster uses its security features to communicate with the AD realm and authenticate users. The security features communicate with the AD realm based on LDAP. An AD realm is similar to an LDAP realm. Like an LDAP directory, an AD realm stores users and groups in a hierarchical manner. An AD realm authenticates a user by sending an LDAP bind request. After the user passes the authentication, the AD realm searches for the entry of the user in the AD realm. After the AD realm finds the entry, the AD realm retrieves the group membership of the user from the tokenGroups attribute of the entry. For more information, see Configuring an Active Directory realm.

  • Elasticsearch clusters of V6.X, V7.X, or V8.X

    Add the following configurations to the YML configuration file of your cluster to configure AD user authentication. For more information, see Configure the YML file.

  • Elasticsearch clusters of other versions

    Add the following configurations to the YML configuration file of your cluster. If the YML configuration file cannot be modified and the cluster cannot be restarted, you can submit a ticket to technical support personnel, who can apply the configuration for you.

xpack.security.authc.realms.active_directory.my_ad.order: 2
xpack.security.authc.realms.active_directory.my_ad.domain_name: ccy.com
xpack.security.authc.realms.active_directory.my_ad.url: ldap://ep-bp1i321219*********-cn-hangzhou-h.epsrv-bp15571d5ps*********.cn-hangzhou.privatelink.aliyuncs.com:389
xpack.security.authc.realms.active_directory.my_ad.bind_dn: cc**@ccy.com
xpack.security.authc.realms.active_directory.my_ad.secure_bind_password: your_password

Parameters in the preceding configuration:

order
    The priority of the AD realm. The priority determines the sequence in which the AD realm is checked during user authentication.
    Note: For Elasticsearch V8.X clusters, the value of this parameter must be unique among the configured realms. We recommend that you set this parameter to 2.

domain_name
    The name of the root realm.

url
    The URL and port number that are used to establish a private network connection between the AD realm and the ECS instance. For more information, see Configuring an Active Directory realm.
    Important: If your cluster is deployed in the new network architecture, you must set this parameter to a value in the format ldap://<Domain name of the related endpoint>:<Port number>. In this example, ldap://ep-bp1i321219*********-cn-hangzhou-h.epsrv-bp15571d5ps*********.cn-hangzhou.privatelink.aliyuncs.com:389 is used.

bind_dn
    The distinguished name (DN) of the user that is used to perform searches.

secure_bind_password
    The password that is used to authenticate the bind_dn user.

Step 3: Map the user to a role

  1. Log on to the Kibana console of the Elasticsearch cluster.

    For more information, see Log on to the Kibana console.

    Note

    In this example, an Elasticsearch V7.10.0 cluster is used. Operations on clusters of other versions may differ. The actual operations in the console prevail.

  2. Go to the homepage of the Kibana console as prompted and click Dev tools in the upper-right corner.

  3. On the Console tab, run the following command to map the ccy1 user in the AD realm to the administrator role:

    PUT /_security/role_mapping/basic_users
    {
      "roles": [ "superuser" ],
      "enabled": true,
      "rules": {
        "any": [
          {
            "field": {
              "groups": "cn=ali,dc=ccy,dc=com"
            }
          },
          {
            "field": {
              "dn": "cn=ccy1,cn=ali,dc=ccy,dc=com"
            }
          }
        ]
      }
    }
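    The following is an added example, not code from Alibaba Cloud or Elastic. It evaluates the role mapping above offline the way Elasticsearch resolves it for a user the AD realm has authenticated: the realm supplies the user's DN and the group DNs it read from tokenGroups, and the any/field rules decide whether superuser is granted. It assumes DNs compare case-insensitively with whitespace around RDN separators stripped (a simplification of Elasticsearch's DN normalization), and the sample user is constructed.

```python
# Added example (not Alibaba Cloud's or Elastic's code): an offline evaluator of
# the Step 3 role mapping. DN comparison is simplified to a case-insensitive
# match with whitespace around RDN separators stripped (an assumption).

# The body of PUT /_security/role_mapping/basic_users from Step 3.
BASIC_USERS_MAPPING = {
    "roles": ["superuser"],
    "enabled": True,
    "rules": {"any": [
        {"field": {"groups": "cn=ali,dc=ccy,dc=com"}},
        {"field": {"dn": "cn=ccy1,cn=ali,dc=ccy,dc=com"}},
    ]},
}

def normalize_dn(value):
    """Lower-case a DN and drop whitespace around RDN separators."""
    return ",".join(part.strip() for part in str(value).lower().split(","))

def field_matches(user, field, expected):
    """A field rule matches if any user value equals any expected value."""
    actual = user.get(field, [])
    actual = actual if isinstance(actual, list) else [actual]
    expected = expected if isinstance(expected, list) else [expected]
    wanted = {normalize_dn(v) for v in expected}
    return any(normalize_dn(a) in wanted for a in actual)

def evaluate_rule(rule, user):
    """Recursively evaluate an any/all/except/field rule tree."""
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    if "field" in rule:
        (field, expected), = rule["field"].items()
        return field_matches(user, field, expected)
    raise ValueError(f"unsupported rule: {rule}")

def roles_for(user, mapping=BASIC_USERS_MAPPING):
    """Return the sorted roles the mapping grants to a user ([] if none)."""
    if not mapping.get("enabled", True) or not evaluate_rule(mapping["rules"], user):
        return []
    return sorted(mapping["roles"])

# Constructed sample user in the shape the AD realm presents ccy1; AD reports
# DNs with upper-case attribute types, which the lower-case rules must match.
CCY1 = {"username": "ccy1", "dn": "CN=ccy1,CN=ali,DC=ccy,DC=com",
        "groups": ["CN=ali,DC=ccy,DC=com"]}
```

    Running roles_for on a user whose DN and groups are outside cn=ali returns an empty list, which is the check to make before treating a mapping with the superuser role as safe.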

Step 4: Verify the result

  1. Use the ccy1 user to log on to the Kibana console of the Elasticsearch cluster.

  2. Go to the homepage of the Kibana console as prompted and click Dev tools in the upper-right corner.

  3. On the Console tab, run the following command to check whether the ccy1 user has permissions to perform the related operation:

    GET _cat/indices

    If permissions are granted to the ccy1 user, the result shown in the following figure is returned.

    [Figure: AD realm configuration verification result]