Elasticsearch user authentication plugin with http basic auth and IP ACL
This plugin provides user authentication APIs and a User management web console.
bin/plugin install https://raw.githubusercontent.com/elasticfence/elasticsearch-http-user-auth/2.4.1/jar/elasticfence-2.4.1-SNAPSHOT.zip
mvn package clean
bin/plugin install file:///path/to/repo/jar/elasticfence-2.4.1-SNAPSHOT.zip
Add the following lines to elasticsearch.yml:
elasticfence.disabled: false
elasticfence.root.password: rootpassword
To disable the plugin, set elasticfence.disabled to true.
To set the root password on each start, use http.user.auth.root.password.
Only the root user can access ES's root APIs (like /_cat, /_cluster) and all indices.
Other users can access URLs under their own indices that are specified with this plugin's API.
IPs contained in whitelist/blacklist arrays will bypass authentication
elasticfence.whitelist: ["127.0.0.1", "10.0.0.1"]
elasticfence.blacklist: ["127.0.0.2", "10.0.0.99"]
Add the index filter "/.kibana" to the user (your_custom_username) that you created in Elasticfence, and set that user's credentials in kibana.yml:
elasticsearch.username: your_custom_username
elasticsearch.password: your_custom_password
Add permissions to your kibana users using regex filters:
/index.*,/_.*,/.kibana,/
To make sign-in easier for users and improve security, the optional Kibana Auth plugin can be deployed alongside Elasticfence:
bin/kibana plugin --install kibana-auth-plugin -u https://github.com/elasticfence/kibana-auth-elasticfence/releases/download/snapshot/kauth-latest.tar.gz
The authentication method of this plugin is Basic Authentication. Therefore, you should add your username and password to the URL string. For example:
http://root:rootpassword@your.elasticsearch.hostname:9200/
curl -u root:rootpassword http://your.elasticsearch.hostname:9200/
{
  "status" : 200,
  "name" : "Piranha",
  "cluster_name" : "elastic1",
  "version" : {
    "number" : "1.7.3",
    "build_hash" : "05d4530971ef0ea46d0f4fa6ee64dbc8df659682",
    "build_timestamp" : "2015-10-15T09:14:17Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.4"
  },
  "tagline" : "You Know, for Search"
}
Plugins that use ES's REST API also need the root password set in their configurations.
The ways of configuring Marvel and Kibana 4 are below:
elasticsearch.yml:
marvel.agent.exporter.es.hosts: ["root:rootpassword@127.0.0.1:9200"]
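An added example (not part of the Elasticfence project) that audits the settings described above, both the elasticfence.* keys and the Marvel host line, for the README's example root password, whitelist entries that skip authentication, and credentials embedded in settings. The function names, the finding labels and the 16-character minimum are assumptions; the sample config is constructed from the values shown on this page.

```python
import ipaddress
import json
import re

# Constructed sample config using the keys from this README (not a real deployment).
SAMPLE_YML = """\
elasticfence.disabled: false
elasticfence.root.password: rootpassword
elasticfence.whitelist: ["127.0.0.1", "10.0.0.1"]
elasticfence.blacklist: ["127.0.0.2", "10.0.0.99"]
marvel.agent.exporter.es.hosts: ["root:rootpassword@127.0.0.1:9200"]
"""

def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used above (not a general YAML parser)."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, raw = line.split(":", 1)
        raw = raw.strip()
        try:
            settings[key.strip()] = json.loads(raw)   # booleans and ["a", "b"] lists
        except ValueError:
            settings[key.strip()] = raw.strip("'\"")  # plain unquoted scalars
    return settings

def audit(settings, min_password_len=16):
    """Return a list of findings; min_password_len is an assumed local policy."""
    findings = []
    if str(settings.get("elasticfence.disabled", "")).lower() == "true":
        findings.append("plugin-disabled")
    password = str(settings.get("elasticfence.root.password", ""))
    if password == "rootpassword":
        findings.append("root-password-is-readme-example")
    elif len(password) < min_password_len:
        findings.append("root-password-too-short")
    for ip in settings.get("elasticfence.whitelist", []):  # these IPs skip authentication
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = False  # not a plain IP address: report it as well
        if not loopback:
            findings.append("whitelist-bypasses-auth:" + ip)
    for key, value in settings.items():  # user:password@host stored in any setting
        hosts = value if isinstance(value, list) else [value]
        if any(re.match(r"^[^/@\s]+:[^/@\s]+@", str(h)) for h in hosts):
            findings.append("credentials-in-setting:" + key)
    return findings
```

Calling `audit(parse_flat_yaml(SAMPLE_YML))` returns one finding per issue, in the order the checks run.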
This plugin provides a web console which manages users.
http://your.elasticsearch.hostname:9200/_plugin/elasticfence/index.html
This plugin provides a web API to manage users and permissions.
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=adduser&username=admin&password=somepass
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=addindex&username=admin&password=somepass&index=index*
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=updateindex&username=admin&index=index-*
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=deleteuser&username=admin
http://your.elasticsearch.hostname:9200/_httpuserauth?mode=list
[{
  "username":"admin",
  "password":"7080bfe27990021c562398e79823h920e9a38aa5d3b10c5ff5d8c498305",
  "indices":["/_*"],
  "created":"2015-11-06T21:57:21+0100"
}]