/elasticsearch-http-user-auth

HTTP Basic Authentication and IP ACL plugin for Elasticsearch :key:

Primary LanguageJava

Build Status

Elasticfence - Elasticsearch HTTP Basic User Auth plugin

Elasticsearch user authentication plugin with http basic auth and IP ACL

This plugin provides user authentication APIs and a User management web console.

Installation

bin/plugin install https://raw.githubusercontent.com/elasticfence/elasticsearch-http-user-auth/2.4.1/jar/elasticfence-2.4.1-SNAPSHOT.zip

Build with Maven

mvn package clean
bin/plugin install file:///path/to/repo/jar/elasticfence-2.4.1-SNAPSHOT.zip

Configuration

Add following lines to elasticsearch.yml:

elasticfence.disabled: false
elasticfence.root.password: rootpassword

To disable the plugin set elasticfence.disabled to true

To set the root password on each start use http.user.auth.root.password
Only the root user can access ES's root APIs (like /_cat, /_cluster) and all indices.

Other users can access URLs under their own indices that are specified with this plugin's API.

Basic IP ACL

IPs contained in whitelist/blacklist arrays will bypass authentication

elasticfence.whitelist: ["127.0.0.1", "10.0.0.1"]
elasticfence.blacklist: ["127.0.0.2", "10.0.0.99"]

Kibana 4

Add index filter "/.kibana" to a your_custom_username which you created on Elasticfence and set it in kibana.yml:

elasticsearch.username: your_custom_username
elasticsearch.password: your_custom_password

Add permissions to your kibana users using regex filters:

/index.*,/_.*,/.kibana,/

Kibana 4.x Auth Plugin

To facilitate users and improve security, the optional Kibana Auth plugin can be deployed alongside Elastifence:

bin/kibana plugin --install kibana-auth-plugin -u https://github.com/elasticfence/kibana-auth-elasticfence/releases/download/snapshot/kauth-latest.tar.gz

Add username and password on HTTP requests

The authentication method of this plugin is Basic Authentication. Therefore, you should add your username and password on URL string. For example:

http://root:rootpassword@your.elasticsearch.hostname:9200/
CURL
curl -u root:rootpassword http://your.elasticsearch.hostname:9200/

{
  "status" : 200,
  "name" : "Piranha",
  "cluster_name" : "elastic1",
  "version" : {
    "number" : "1.7.3",
    "build_hash" : "05d4530971ef0ea46d0f4fa6ee64dbc8df659682",
    "build_timestamp" : "2015-10-15T09:14:17Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.4"
  },
  "tagline" : "You Know, for Search"
}

Plugins using ES's REST API also have to be set root password in their configurations.

The ways of configuring Marvel and Kibana 4 are below:

Marvel

elasticsearch.yml:

marvel.agent.exporter.es.hosts: ["root:rootpassword@127.0.0.1:9200"]

User Management Console

This plugin provides a web console which manages users.

http://your.elasticsearch.hostname:9200/_plugin/elasticfence/index.html

User Management API

This plugin provides a web API to manage users and permissions.

Add User:
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=adduser&username=admin&password=somepass
Add Index Permissions:
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=addindex&username=admin&password=somepass&index=index*
Update Index Permissions:
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=updateindex&username=admin&index=index-*
Delete User:
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=deleteuser&username=admin
List User(s):
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=list

[{ 
  "username":"admin",
  "password":"7080bfe27990021c562398e79823h920e9a38aa5d3b10c5ff5d8c498305",
  "indices":["/_*"],
  "created":"2015-11-06T21:57:21+0100"
}]