SlideShare a Scribd company logo

170309_kek_wataru_takase.rev03.pptx

Download as PPTX, PDF
S
SiliconTech1

Kibana

Internet
1 of 23
A solution for secure use of Kibana and ElasticSearch in multi-user environment Wataru Takase, Tomoaki Nakamura, Yoshiyuki Watase, Takashi Sasaki Computing Research Center, KEK, Japan ISGC 2017 1
Kibana and ElasticSearch • Open-sourced monitoring tools developed by Elastic – ElasticSearch is a lucene based scalable search engine. – Kibana is a visualization tool for ElasticSearch and provides a web interface with variety ways of visualization. – Users: KEK, CERN, Facebook, GitHub, Stack Exchange, … 2 Elastic Search Kibana Visualization tool Search Engine Dashboard Logs Metrics dashboards
Motivation • Kibana + ElasticSearch lack access control feature • Multiple users/groups use single Kibana + ElasticSearch – Any user can access to all ElasticSearch data – Need access control Kibana ElasticSearch User01 dashboard User01 SECRET data ・・・ User02 dashboard ・・・ User01 User02 3 Problem
Example: Solution of CERN Cloud team • Provided cloud utilization dashboard to each cloud user • Developed an ES plugin which provides user specific filter • User only gets own cloud tenants utilization query query Appends tenant_id=“1234567890” condition #userid admin_flag tenant_id user01 0 1234567890 ... Kibana ES ES plugin CERN SSO dashboards Cloud utilizations user-tenant mapping file Httpd username 4 user01
We Provide Alternative Solution • Based on the CERN’s solution • Enables access restriction on ElasticSearch and Kibana dashboard separation. CERN’s solution Our solution SSO integration Shibboleth Kerberos ElasticSearch plugin Homemade SearchGuard ElasticSearch Access restriction User based; Document level User/group based; Index, type, operation, document level Kibana Dashboard separation Per user Per user/group (Created Kibana plugin) 5
What we did 1. Kerberos 5 authentication integration. 2. Development of a Kibana plugin which makes it possible to separate Kibana dashboards based on user/group. 3. User/group based access control on ElasticSearch by SearchGuard. 4. Measurement on performance deterioration from using SearchGuard. 6
1. Kerberos 5 Authentication Integration • Apache mod_auth_kerb module + reverse proxy Only authenticated users can access to ES and Kibana 7
.kibana_user02 • Problem – 1 Kibana instance uses only 1 Kibana index (1 database) – All user’s dashboards are stored in the same index .kibana .kibana_user01 Separate the index for access control 8 2. Development of a Kibana plugin: Motivation
.kibana_group01 Development of a Kibana plugin: Motivation group01 share group dashboards 9 • Group based Kibana index separation is useful • Users can share a Kibana index among a group
Development of a Kibana plugin 10 • Adds multi-tenancy • User can switch Kibana index for personal or group shared use. Developed .kibana_user01 .kibana_group01
Kibana plugin: Own Home • https://github.com/wtakase/kibana-own-home 11
3. User/group based Access control on ElasticSearch • Need ElasticSearch index level access control. • The Kibana plugin separates Kibana index, but still all users can access other’s index. 12 .kibana_user02 user02 user01 .kibana_user01 User01_secret_ index
Investigation of SearchGuard • ElasticSearch plugin –Flexible REST/transport layer access control based on user/group • Index, type, operation, document level restrictions –Node-to-node encryption –Supported by Floragunn • http://floragunn.com/searchguard • https://github.com/floragunncom/search-guard 13
SearchGuard + LDAP Authorization • SearchGuard supports multiple auth back-ends – YAML files based configuration • We use proxy based authentication and LDAP authorization features for user/group based access control. 14 Proxy based authentication LDAP authorization
Development related to SearchGuard: Motivation 15 kibana_user01_index: indices: ‘.kibana_user01’: ‘*’: - ALL kibana_user02_index: indices: ‘.kibana_user02’: ‘*’: - ALL . . . kibana_user01_index: users: user01 kibana_user02_index: users: user02 . . . sg_roles.yml sg_roles_mapping.yml • Each user has a own Kibana index and each index allows access only from the owner. • Admin has to define permissions for every user. • Whenever new user is registered, admin has to add permission. Permission for user01 Permission for user02
Development of a SearchGuard Patch • Enables to set username variable in configuration file and releases the admin from the troublesome task • Has been merged to upstream 16 kibana_own_index: indices: ‘.kibana_${user_name}’: ‘*’: - ALL sg_roles.yml kibana_own_index: users: ‘*’ sg_roles_mapping.yml
Contributions to SearchGuard for more flexible configurations • Support configurable OID – https://github.com/floragunncom/search-guard/pull/168 • Use username variable at indices sections in sg_roles.yml – https://github.com/floragunncom/search-guard/pull/169 • Support and_backendroles – https://github.com/floragunncom/search-guard/pull/247 • Add skip_users option – https://github.com/floragunncom/search-guard- authbackend-ldap/pull/1 17
Overview of Our Solution 18 patch patch Developed patch patch patch
4. Measurement of SearchGuard-ed ElasticSearch Performance by Rally • What is Rally? – Benchmarking tool for ElasticSearch • https://www.elastic.co/blog/announcing-rally- benchmarking-for-elasticsearch • https://github.com/elastic/rally – Measures indexing throughput, query latencies – Provides a few default scenarios and user can define customized one 19
Test Scenario • Used Rally default scenario named “geonames” – Uses geographical dataset • Data source: http://www.geonames.org/ – Indexes 8.6M documents (total 2.8GB) and 5000 docs per bulk request against ElasticSearch • Compared performance between normal ElasticSearch and SearchGuard-ed ElasticSearch 20 Rally Rally vs
Test Environment 21 Normal ElasticSearch SearchGuard-ed ElasticSearch server01 and server02 OS CentOS 7 CPU AMD Opteron 6212 2.6GHz 8 cores RAM 8 GB ElasticSearch 2.3.4 SearchGuard 2.3.4 ElasticSearch Rally 0.3.1
Results 13% degradation 116ms 87ms 82ms • Overhead of each query can be estimated as 80〜120ms by 90% and 99% of queries completion lines. • Kerberos authentication, Reverse proxy, LDAP lookup, Search Guard access control 22 • 99%tile: 99% queries completed in under a given latency • Document indexing throughput • Query latencies • Term matching query • Phrase matching query • “Group by” query
Summary • In multi-user environment, user/group based access restriction and dashboard separation are necessary for secure use of Kibana and ElasticSearch. • We provided alternative solution based on the CERN cloud team’s one. 1. Kerberos 5 authentication integration 2. Kibana plugin separates Kibana dashboards based on user/group 3. SearchGuard enables access control on ElasticSearch and patches for SearchGuard enabling flexible access control have been merged to the upstream 4. We measured performance of SearchGuard-ed ElasticSearch and compared to the normal one: • Overhead of indexing throughput: 13% • Estimated overhead of each query: 80〜120ms 23

Recommended

2021 March Pravega Community Meeting
2021 March Pravega Community Meeting2021 March Pravega Community Meeting
2021 March Pravega Community MeetingDerek Moore
 
Webdistilled API
Webdistilled APIWebdistilled API
Webdistilled APIVieri Emiliani
 
Introduction to Kibana
Introduction to KibanaIntroduction to Kibana
Introduction to KibanaVineet .
 
Elastic Stack Introduction
Elastic Stack IntroductionElastic Stack Introduction
Elastic Stack IntroductionVikram Shinde
 
Apache Eagle: 来自eBay的分布式实时Hadoop数据安全引擎
Apache Eagle: 来自eBay的分布式实时Hadoop数据安全引擎Apache Eagle: 来自eBay的分布式实时Hadoop数据安全引擎
Apache Eagle: 来自eBay的分布式实时Hadoop数据安全引擎Qingwen zhao
 
Developing for the Atlassian Ecosystem
Developing for the Atlassian EcosystemDeveloping for the Atlassian Ecosystem
Developing for the Atlassian EcosystemAlex Henderson
 
Developing XWiki
Developing XWikiDeveloping XWiki
Developing XWikiVincent Massol
 
Search Architecture at Evernote: Presented by Christian Kohlschütter, Evernote
Search Architecture at Evernote: Presented by Christian Kohlschütter, EvernoteSearch Architecture at Evernote: Presented by Christian Kohlschütter, Evernote
Search Architecture at Evernote: Presented by Christian Kohlschütter, EvernoteLucidworks
 

Recommended

2021 March Pravega Community Meeting
2021 March Pravega Community Meeting2021 March Pravega Community Meeting
2021 March Pravega Community MeetingDerek Moore
 
Webdistilled API
Webdistilled APIWebdistilled API
Webdistilled APIVieri Emiliani
 
Introduction to Kibana
Introduction to KibanaIntroduction to Kibana
Introduction to KibanaVineet .
 
Elastic Stack Introduction
Elastic Stack IntroductionElastic Stack Introduction
Elastic Stack IntroductionVikram Shinde
 
Apache Eagle: 来自eBay的分布式实时Hadoop数据安全引擎
Apache Eagle: 来自eBay的分布式实时Hadoop数据安全引擎Apache Eagle: 来自eBay的分布式实时Hadoop数据安全引擎
Apache Eagle: 来自eBay的分布式实时Hadoop数据安全引擎Qingwen zhao
 
Developing for the Atlassian Ecosystem
Developing for the Atlassian EcosystemDeveloping for the Atlassian Ecosystem
Developing for the Atlassian EcosystemAlex Henderson
 
Developing XWiki
Developing XWikiDeveloping XWiki
Developing XWikiVincent Massol
 
Search Architecture at Evernote: Presented by Christian Kohlschütter, Evernote
Search Architecture at Evernote: Presented by Christian Kohlschütter, EvernoteSearch Architecture at Evernote: Presented by Christian Kohlschütter, Evernote
Search Architecture at Evernote: Presented by Christian Kohlschütter, EvernoteLucidworks
 
High Availability PostgreSQL on OpenShift...and more!
High Availability PostgreSQL on OpenShift...and more!High Availability PostgreSQL on OpenShift...and more!
High Availability PostgreSQL on OpenShift...and more!Jonathan Katz
 
2017 jenkins world
2017 jenkins world2017 jenkins world
2017 jenkins worldBrent Laster
 
Webinar: What's new in CDAP 3.5?
Webinar: What's new in CDAP 3.5?Webinar: What's new in CDAP 3.5?
Webinar: What's new in CDAP 3.5?Cask Data
 
ELK Ruminating on Logs (Zendcon 2016)
ELK Ruminating on Logs (Zendcon 2016)ELK Ruminating on Logs (Zendcon 2016)
ELK Ruminating on Logs (Zendcon 2016)Mathew Beane
 
Elastic Migration 2.x to 6.x By Pankaj Gajjar
Elastic Migration 2.x to 6.x By Pankaj GajjarElastic Migration 2.x to 6.x By Pankaj Gajjar
Elastic Migration 2.x to 6.x By Pankaj GajjarPankaj Gajjar
 
Operationalizing Amazon EKS
Operationalizing Amazon EKSOperationalizing Amazon EKS
Operationalizing Amazon EKSJim Bugwadia
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
MySQL in oracle_environments(Part 2): MySQL Enterprise Monitor & Oracle Enter...
MySQL in oracle_environments(Part 2): MySQL Enterprise Monitor & Oracle Enter...MySQL in oracle_environments(Part 2): MySQL Enterprise Monitor & Oracle Enter...
MySQL in oracle_environments(Part 2): MySQL Enterprise Monitor & Oracle Enter...OracleMySQL
 
uPortal 3.2 And Beyond
uPortal 3.2 And BeyonduPortal 3.2 And Beyond
uPortal 3.2 And BeyondJennifer Bourey
 
Configuring elasticsearch for performance and scale
Configuring elasticsearch for performance and scaleConfiguring elasticsearch for performance and scale
Configuring elasticsearch for performance and scaleBharvi Dixit
 
ThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxGrace Jansen
 
OSMC 2023 | Current State of Icinga by Bernd Erk
OSMC 2023 | Current State of Icinga by Bernd ErkOSMC 2023 | Current State of Icinga by Bernd Erk
OSMC 2023 | Current State of Icinga by Bernd ErkNETWAYS
 
OGCE SC10
OGCE SC10OGCE SC10
OGCE SC10marpierc
 
Apereo OAE - Bootcamp
Apereo OAE - BootcampApereo OAE - Bootcamp
Apereo OAE - BootcampNicolaas Matthijs
 
CouchbasetoHadoop_Matt_Michael_Justin v4
CouchbasetoHadoop_Matt_Michael_Justin v4CouchbasetoHadoop_Matt_Michael_Justin v4
CouchbasetoHadoop_Matt_Michael_Justin v4Michael Kehoe
 
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems Integration
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems IntegrationJenkins Pipeline @ Scale. Building Automation Frameworks for Systems Integration
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems IntegrationOleg Nenashev
 
ELK Solutions Enablement Session - 17th March'2020
ELK Solutions Enablement Session - 17th March'2020ELK Solutions Enablement Session - 17th March'2020
ELK Solutions Enablement Session - 17th March'2020Ashnikbiz
 
From Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesFrom Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesShikha Srivastava
 
Data Publication and Discovery with Globus
Data Publication and Discovery with GlobusData Publication and Discovery with Globus
Data Publication and Discovery with GlobusGlobus
 
Simplify Your Way To Expert Kubernetes Management
Simplify Your Way To Expert Kubernetes ManagementSimplify Your Way To Expert Kubernetes Management
Simplify Your Way To Expert Kubernetes ManagementDevOps.com
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 

More Related Content

Similar to 170309_kek_wataru_takase.rev03.pptx

High Availability PostgreSQL on OpenShift...and more!
High Availability PostgreSQL on OpenShift...and more!High Availability PostgreSQL on OpenShift...and more!
High Availability PostgreSQL on OpenShift...and more!Jonathan Katz
 
2017 jenkins world
2017 jenkins world2017 jenkins world
2017 jenkins worldBrent Laster
 
Webinar: What's new in CDAP 3.5?
Webinar: What's new in CDAP 3.5?Webinar: What's new in CDAP 3.5?
Webinar: What's new in CDAP 3.5?Cask Data
 
ELK Ruminating on Logs (Zendcon 2016)
ELK Ruminating on Logs (Zendcon 2016)ELK Ruminating on Logs (Zendcon 2016)
ELK Ruminating on Logs (Zendcon 2016)Mathew Beane
 
Elastic Migration 2.x to 6.x By Pankaj Gajjar
Elastic Migration 2.x to 6.x By Pankaj GajjarElastic Migration 2.x to 6.x By Pankaj Gajjar
Elastic Migration 2.x to 6.x By Pankaj GajjarPankaj Gajjar
 
Operationalizing Amazon EKS
Operationalizing Amazon EKSOperationalizing Amazon EKS
Operationalizing Amazon EKSJim Bugwadia
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
MySQL in oracle_environments(Part 2): MySQL Enterprise Monitor & Oracle Enter...
MySQL in oracle_environments(Part 2): MySQL Enterprise Monitor & Oracle Enter...MySQL in oracle_environments(Part 2): MySQL Enterprise Monitor & Oracle Enter...
MySQL in oracle_environments(Part 2): MySQL Enterprise Monitor & Oracle Enter...OracleMySQL
 
Configuring elasticsearch for performance and scale
Configuring elasticsearch for performance and scaleConfiguring elasticsearch for performance and scale
Configuring elasticsearch for performance and scaleBharvi Dixit
 
ThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxGrace Jansen
 
OSMC 2023 | Current State of Icinga by Bernd Erk
OSMC 2023 | Current State of Icinga by Bernd ErkOSMC 2023 | Current State of Icinga by Bernd Erk
OSMC 2023 | Current State of Icinga by Bernd ErkNETWAYS
 
CouchbasetoHadoop_Matt_Michael_Justin v4
CouchbasetoHadoop_Matt_Michael_Justin v4CouchbasetoHadoop_Matt_Michael_Justin v4
CouchbasetoHadoop_Matt_Michael_Justin v4Michael Kehoe
 
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems Integration
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems IntegrationJenkins Pipeline @ Scale. Building Automation Frameworks for Systems Integration
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems IntegrationOleg Nenashev
 
ELK Solutions Enablement Session - 17th March'2020
ELK Solutions Enablement Session - 17th March'2020ELK Solutions Enablement Session - 17th March'2020
ELK Solutions Enablement Session - 17th March'2020Ashnikbiz
 
From Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesFrom Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesShikha Srivastava
 
Data Publication and Discovery with Globus
Data Publication and Discovery with GlobusData Publication and Discovery with Globus
Data Publication and Discovery with GlobusGlobus
 
Simplify Your Way To Expert Kubernetes Management
Simplify Your Way To Expert Kubernetes ManagementSimplify Your Way To Expert Kubernetes Management
Simplify Your Way To Expert Kubernetes ManagementDevOps.com
 

Similar to 170309_kek_wataru_takase.rev03.pptx (20)

High Availability PostgreSQL on OpenShift...and more!
High Availability PostgreSQL on OpenShift...and more!High Availability PostgreSQL on OpenShift...and more!
High Availability PostgreSQL on OpenShift...and more!
 
2017 jenkins world
2017 jenkins world2017 jenkins world
2017 jenkins world
 
Webinar: What's new in CDAP 3.5?
Webinar: What's new in CDAP 3.5?Webinar: What's new in CDAP 3.5?
Webinar: What's new in CDAP 3.5?
 
ELK Ruminating on Logs (Zendcon 2016)
ELK Ruminating on Logs (Zendcon 2016)ELK Ruminating on Logs (Zendcon 2016)
ELK Ruminating on Logs (Zendcon 2016)
 
Elastic Migration 2.x to 6.x By Pankaj Gajjar
Elastic Migration 2.x to 6.x By Pankaj GajjarElastic Migration 2.x to 6.x By Pankaj Gajjar
Elastic Migration 2.x to 6.x By Pankaj Gajjar
 
Operationalizing Amazon EKS
Operationalizing Amazon EKSOperationalizing Amazon EKS
Operationalizing Amazon EKS
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native Security
 
MySQL in oracle_environments(Part 2): MySQL Enterprise Monitor & Oracle Enter...
MySQL in oracle_environments(Part 2): MySQL Enterprise Monitor & Oracle Enter...MySQL in oracle_environments(Part 2): MySQL Enterprise Monitor & Oracle Enter...
MySQL in oracle_environments(Part 2): MySQL Enterprise Monitor & Oracle Enter...
 
uPortal 3.2 And Beyond
uPortal 3.2 And BeyonduPortal 3.2 And Beyond
uPortal 3.2 And Beyond
 
Configuring elasticsearch for performance and scale
Configuring elasticsearch for performance and scaleConfiguring elasticsearch for performance and scale
Configuring elasticsearch for performance and scale
 
ThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptx
 
OSMC 2023 | Current State of Icinga by Bernd Erk
OSMC 2023 | Current State of Icinga by Bernd ErkOSMC 2023 | Current State of Icinga by Bernd Erk
OSMC 2023 | Current State of Icinga by Bernd Erk
 
OGCE SC10
OGCE SC10OGCE SC10
OGCE SC10
 
Apereo OAE - Bootcamp
Apereo OAE - BootcampApereo OAE - Bootcamp
Apereo OAE - Bootcamp
 
CouchbasetoHadoop_Matt_Michael_Justin v4
CouchbasetoHadoop_Matt_Michael_Justin v4CouchbasetoHadoop_Matt_Michael_Justin v4
CouchbasetoHadoop_Matt_Michael_Justin v4
 
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems Integration
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems IntegrationJenkins Pipeline @ Scale. Building Automation Frameworks for Systems Integration
Jenkins Pipeline @ Scale. Building Automation Frameworks for Systems Integration
 
ELK Solutions Enablement Session - 17th March'2020
ELK Solutions Enablement Session - 17th March'2020ELK Solutions Enablement Session - 17th March'2020
ELK Solutions Enablement Session - 17th March'2020
 
From Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesFrom Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With Kubernetes
 
Data Publication and Discovery with Globus
Data Publication and Discovery with GlobusData Publication and Discovery with Globus
Data Publication and Discovery with Globus
 
Simplify Your Way To Expert Kubernetes Management
Simplify Your Way To Expert Kubernetes ManagementSimplify Your Way To Expert Kubernetes Management
Simplify Your Way To Expert Kubernetes Management
 

Recently uploaded

Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsMonica Sydney
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...meghakumariji156
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Balliameghakumariji156
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 

Recently uploaded (20)

Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 

170309_kek_wataru_takase.rev03.pptx

  • 1. A solution for secure use of Kibana and ElasticSearch in multi-user environment Wataru Takase, Tomoaki Nakamura, Yoshiyuki Watase, Takashi Sasaki Computing Research Center, KEK, Japan ISGC 2017 1
  • 2. Kibana and ElasticSearch • Open-sourced monitoring tools developed by Elastic – ElasticSearch is a lucene based scalable search engine. – Kibana is a visualization tool for ElasticSearch and provides a web interface with variety ways of visualization. – Users: KEK, CERN, Facebook, GitHub, Stack Exchange, … 2 Elastic Search Kibana Visualization tool Search Engine Dashboard Logs Metrics dashboards
  • 3. Motivation • Kibana + ElasticSearch lack access control feature • Multiple users/groups use single Kibana + ElasticSearch – Any user can access to all ElasticSearch data – Need access control Kibana ElasticSearch User01 dashboard User01 SECRET data ・・・ User02 dashboard ・・・ User01 User02 3 Problem
  • 4. Example: Solution of CERN Cloud team • Provided cloud utilization dashboard to each cloud user • Developed an ES plugin which provides user specific filter • User only gets own cloud tenants utilization query query Appends tenant_id=“1234567890” condition #userid admin_flag tenant_id user01 0 1234567890 ... Kibana ES ES plugin CERN SSO dashboards Cloud utilizations user-tenant mapping file Httpd username 4 user01
  • 5. We Provide Alternative Solution • Based on the CERN’s solution • Enables access restriction on ElasticSearch and Kibana dashboard separation. CERN’s solution Our solution SSO integration Shibboleth Kerberos ElasticSearch plugin Homemade SearchGuard ElasticSearch Access restriction User based; Document level User/group based; Index, type, operation, document level Kibana Dashboard separation Per user Per user/group (Created Kibana plugin) 5
  • 6. What we did 1. Kerberos 5 authentication integration. 2. Development of a Kibana plugin which makes it possible to separate Kibana dashboards based on user/group. 3. User/group based access control on ElasticSearch by SearchGuard. 4. Measurement on performance deterioration from using SearchGuard. 6
  • 7. 1. Kerberos 5 Authentication Integration • Apache mod_auth_kerb module + reverse proxy Only authenticated users can access to ES and Kibana 7
  • 8. .kibana_user02 • Problem – 1 Kibana instance uses only 1 Kibana index (1 database) – All user’s dashboards are stored in the same index .kibana .kibana_user01 Separate the index for access control 8 2. Development of a Kibana plugin: Motivation
  • 9. .kibana_group01 Development of a Kibana plugin: Motivation group01 share group dashboards 9 • Group based Kibana index separation is useful • Users can share a Kibana index among a group
  • 10. Development of a Kibana plugin 10 • Adds multi-tenancy • User can switch Kibana index for personal or group shared use. Developed .kibana_user01 .kibana_group01
  • 11. Kibana plugin: Own Home • https://github.com/wtakase/kibana-own-home 11
  • 12. 3. User/group based Access control on ElasticSearch • Need ElasticSearch index level access control. • The Kibana plugin separates Kibana index, but still all users can access other’s index. 12 .kibana_user02 user02 user01 .kibana_user01 User01_secret_ index
  • 13. Investigation of SearchGuard • ElasticSearch plugin –Flexible REST/transport layer access control based on user/group • Index, type, operation, document level restrictions –Node-to-node encryption –Supported by Floragunn • http://floragunn.com/searchguard • https://github.com/floragunncom/search-guard 13
  • 14. SearchGuard + LDAP Authorization • SearchGuard supports multiple auth back-ends – YAML files based configuration • We use proxy based authentication and LDAP authorization features for user/group based access control. 14 Proxy based authentication LDAP authorization
  • 15. Development related to SearchGuard: Motivation 15 kibana_user01_index: indices: ‘.kibana_user01’: ‘*’: - ALL kibana_user02_index: indices: ‘.kibana_user02’: ‘*’: - ALL . . . kibana_user01_index: users: user01 kibana_user02_index: users: user02 . . . sg_roles.yml sg_roles_mapping.yml • Each user has a own Kibana index and each index allows access only from the owner. • Admin has to define permissions for every user. • Whenever new user is registered, admin has to add permission. Permission for user01 Permission for user02
  • 16. Development of a SearchGuard Patch • Enables to set username variable in configuration file and releases the admin from the troublesome task • Has been merged to upstream 16 kibana_own_index: indices: ‘.kibana_${user_name}’: ‘*’: - ALL sg_roles.yml kibana_own_index: users: ‘*’ sg_roles_mapping.yml
  • 17. Contributions to SearchGuard for more flexible configurations • Support configurable OID – https://github.com/floragunncom/search-guard/pull/168 • Use username variable at indices sections in sg_roles.yml – https://github.com/floragunncom/search-guard/pull/169 • Support and_backendroles – https://github.com/floragunncom/search-guard/pull/247 • Add skip_users option – https://github.com/floragunncom/search-guard- authbackend-ldap/pull/1 17
  • 18. Overview of Our Solution 18 patch patch Developed patch patch patch
  • 19. 4. Measurement of SearchGuard-ed ElasticSearch Performance by Rally • What is Rally? – Benchmarking tool for ElasticSearch • https://www.elastic.co/blog/announcing-rally- benchmarking-for-elasticsearch • https://github.com/elastic/rally – Measures indexing throughput, query latencies – Provides a few default scenarios and user can define customized one 19
  • 20. Test Scenario • Used Rally default scenario named “geonames” – Uses geographical dataset • Data source: http://www.geonames.org/ – Indexes 8.6M documents (total 2.8GB) and 5000 docs per bulk request against ElasticSearch • Compared performance between normal ElasticSearch and SearchGuard-ed ElasticSearch 20 Rally Rally vs
  • 21. Test Environment 21 Normal ElasticSearch SearchGuard-ed ElasticSearch server01 and server02 OS CentOS 7 CPU AMD Opteron 6212 2.6GHz 8 cores RAM 8 GB ElasticSearch 2.3.4 SearchGuard 2.3.4 ElasticSearch Rally 0.3.1
  • 22. Results 13% degradation 116ms 87ms 82ms • Overhead of each query can be estimated as 80〜120ms by 90% and 99% of queries completion lines. • Kerberos authentication, Reverse proxy, LDAP lookup, Search Guard access control 22 • 99%tile: 99% queries completed in under a given latency • Document indexing throughput • Query latencies • Term matching query • Phrase matching query • “Group by” query
  • 23. Summary • In multi-user environment, user/group based access restriction and dashboard separation are necessary for secure use of Kibana and ElasticSearch. • We provided alternative solution based on the CERN cloud team’s one. 1. Kerberos 5 authentication integration 2. Kibana plugin separates Kibana dashboards based on user/group 3. SearchGuard enables access control on ElasticSearch and patches for SearchGuard enabling flexible access control have been merged to the upstream 4. We measured performance of SearchGuard-ed ElasticSearch and compared to the normal one: • Overhead of indexing throughput: 13% • Estimated overhead of each query: 80〜120ms 23