Elasticsearch Security Strategy
Table of Contents
Existing State of Elasticsearch Cluster Security
  X-Pack
  Installation
  Implementation
Desired State of Elasticsearch Cluster Security
  Proof of Concept - cURL Commands
  Anonymous User trying to access Elasticsearch Cluster
  Super-User "elastic" accessing Elasticsearch Cluster
  User "charan" with role "filebeat_admin" trying to view all the indices
  User "charan" with role "filebeat_admin" accessing "filebeat-*" index
  User "charan" with role "filebeat_admin" accessing "logstash-*" index
  User "vasu" with role "logstash_admin" trying to access "filebeat-*" index
  User "vasu" with role "logstash_admin" accessing "logstash-*" index
  Super-User "elastic" accessing Kibana
  User "charan" with role "filebeat_admin" accessing Kibana
  Auditing
Existing State of Elasticsearch Cluster Security
The Market Intelligence and Investment Services teams are both using Elasticsearch. Both teams can view all the indices available in Elasticsearch, and each team can search the contents of indices that are neither related to nor owned by them.
This can lead to a security breach.
X-Pack
X-Pack is an Elastic Stack extension that implements features such as security, alerting, monitoring, reporting and graph representation in one package. It is easy to install, and each of these components can be enabled or disabled independently.
X-Pack provides a Security module. The features of this module are as follows:
Role Based Access Control (RBAC)
o Elasticsearch is treated as a NoSQL database. Access to an index is granted according to the roles a user holds.
Privileges/Permissions
o Defining the actions and kinds of access permitted on an index.
Roles
o Grouping privileges/permissions into roles.
Users
o Assigning users to roles.
Installation
X-Pack is installed on each and every node in the cluster. By default, basic authentication is enabled, so every request must carry a username and password.
X-Pack Security provides a built-in elastic superuser that can be used to set up security in the cluster.
The default user is elastic and the default password is changeme.
The "elastic" user has full access to the cluster, including all the indices and data.
Implementation
1. Install the X-Pack plugin in Elasticsearch, Kibana and Logstash.
2. Modify the elasticsearch.yml file:
a. xpack.security.enabled: true
3. Modify the kibana.yml file:
a. xpack.security.enabled: true
b. elasticsearch.username: "kibana"
c. elasticsearch.password: "kibanapassword"
4. Restart the Elasticsearch and Kibana services.
5. Change the passwords of the built-in elastic, kibana and logstash_system users.
$ curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/elastic/_password' -H "Content-Type: application/json" -d '{
"password" : "elasticpassword"
}'
$ curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/kibana/_password' -H "Content-Type: application/json" -d '{
"password" : "kibanapassword"
}'
$ curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/logstash_system/_password' -H "Content-Type: application/json" -d '{
"password" : "logstashpassword"
}'
6. Set up roles and users to control access to Elasticsearch and Kibana.
Desired State of Elasticsearch Cluster Security
Proof of Concept - cURL Commands
To grant Divya Charan Teja Mulagaleti full access to all indices that match the pattern filebeat-* and enable him to create visualizations and dashboards for those indices in Kibana, we create a filebeat_admin role and assign it to a new charan user.
$ curl -XPOST -u elastic 'localhost:9200/_xpack/security/role/filebeat_admin' -H "Content-Type: application/json" -d '{
"indices" : [
{
"names" : [ "filebeat-*" ],
"privileges" : [ "all" ]
},
{
"names" : [ ".kibana*" ],
"privileges" : [ "manage", "read", "index" ]
}
]
}'
{"role":{"created":true}}
$ curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/charan' -H "Content-Type: application/json" -d '{
"password" : "sagarsoft",
"full_name" : "Divya Charan Teja Mulagaleti",
"email" : "divyacharan.mulagaleti@sagarsoft.in",
"roles" : [ "filebeat_admin" ]
}'
{"user":{"created":true}}
To grant Vasudeva Reddy Gangasani full access to all indices that match the pattern logstash-* and enable him to create visualizations and dashboards for those indices in Kibana, we create a logstash_admin role and assign it to a new vasu user.
$ curl -XPOST -u elastic 'localhost:9200/_xpack/security/role/logstash_admin' -H "Content-Type: application/json" -d '{
"indices" : [
{
"names" : [ "logstash-*" ],
"privileges" : [ "all" ]
},
{
"names" : [ ".kibana*" ],
"privileges" : [ "manage", "read", "index" ]
}
]
}'
{"role":{"created":true}}
$ curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/vasu' -H "Content-Type: application/json" -d '{
"password" : "sagarsoft",
"full_name" : "Vasudeva Reddy Gangasani",
"email" : "vasudeva.gangasani@sagarsoft.in",
"roles" : [ "logstash_admin" ]
}'
{"user":{"created":true}}
Anonymous User trying to access Elasticsearch Cluster
HTTP status code: 401 Unauthorized error
Super-User "elastic" accessing Elasticsearch Cluster
"elastic" user can access all the indices
User "charan" with role "filebeat_admin" trying to view all the indices
HTTP status code: 403 Forbidden error
User "charan" with role "filebeat_admin" accessing "filebeat-*" index
Elasticsearch serves the request with JSON response
User "charan" with role "filebeat_admin" accessing "logstash-*" index
HTTP status code: 403 Forbidden error
User "vasu" with role "logstash_admin" trying to access "filebeat-*" index
HTTP status code: 403 Forbidden error
User "vasu" with role "logstash_admin" accessing "logstash-*" index
Elasticsearch serves the request with JSON response
Super-User "elastic" accessing Kibana
"elastic" user can access all the indices
User "charan" with role "filebeat_admin" accessing Kibana
"logstash-*" index is not accessible
Only "filebeat-*" index is accessible
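The access matrix the proof of concept walks through can be written down and checked before touching a live cluster. The following is an added example, not part of the original document and not X-Pack code: a simplified offline model of index-pattern RBAC that uses the two role bodies above plus the built-in superuser role, with constructed index names such as filebeat-2017.09.01, and returns the 401/403/200 outcomes reported in the sections above.

```python
# Added example (not from the document or X-Pack): an offline model of the
# index-pattern RBAC that the two roles above define. It reproduces the
# 401/403/200 outcomes the proof-of-concept reports, so the expected access
# matrix can be checked before it is tried against a live cluster.
from fnmatch import fnmatchcase

# Role bodies as posted above, plus the built-in superuser role held by "elastic".
KIBANA = {"names": [".kibana*"], "privileges": ["manage", "read", "index"]}
ROLES = {
    "filebeat_admin": {"cluster": [], "indices": [
        {"names": ["filebeat-*"], "privileges": ["all"]}, KIBANA]},
    "logstash_admin": {"cluster": [], "indices": [
        {"names": ["logstash-*"], "privileges": ["all"]}, KIBANA]},
    "superuser": {"cluster": ["all"], "indices": [
        {"names": ["*"], "privileges": ["all"]}]},
}
USERS = {"elastic": ["superuser"], "charan": ["filebeat_admin"], "vasu": ["logstash_admin"]}


def index_privileges(user, index):
    """Union of the index privileges the user's roles grant on one concrete index name."""
    granted = set()
    for role in USERS.get(user, []):
        for grant in ROLES[role]["indices"]:
            if any(fnmatchcase(index, pattern) for pattern in grant["names"]):
                granted.update(grant["privileges"])
    return granted


def authorize(user, index=None, privilege="read"):
    """HTTP status the model returns for a request by `user`.

    user=None is an anonymous request (401). index=None models a cluster-wide
    request such as listing every index; in this model that needs a cluster
    privilege, matching the 403 the document reports for "charan". Otherwise
    the user needs `privilege` (or "all") on the index: 200 if granted, else 403.
    """
    if user not in USERS:
        return 401
    if index is None:
        cluster = {p for role in USERS[user] for p in ROLES[role]["cluster"]}
        return 200 if cluster & {"all", "monitor"} else 403
    return 200 if index_privileges(user, index) & {"all", privilege} else 403


if __name__ == "__main__":
    for user in (None, "elastic", "charan", "vasu"):
        for index in (None, "filebeat-2017.09.01", "logstash-2017.09.01"):
            print(f"{str(user):8} {str(index):20} -> {authorize(user, index)}")
```

Real X-Pack resolves privilege names such as "manage" into individual actions; this model only compares the names, so it covers the matrix shown above and nothing finer.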
Auditing
Audit logs are disabled by default. To enable them, set the following in elasticsearch.yml:
xpack.security.audit.enabled: true
X-Pack Security provides audit trail functionality for all nodes in the cluster. We can configure the audit level, which determines the types of events that are logged. These events include failed authentication attempts, user access denied, node connection denied, and more.