Configure User Access Control for Elasticsearch

2 hours
  • 6 Learning Objectives

About this Hands-on Lab

To enforce data confidentiality and maintain user accessibility with Elasticsearch, we need to know how to create custom roles and users. In this hands-on lab, we go through the following tasks on a single-node Elasticsearch cluster, using either Kibana or `curl` on the command line:

* Create custom roles
* Create users

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create the sample_read Role

Use the Kibana console tool to execute the following:

POST _security/role/sample_read
{
  "indices": [
    {
      "names": [
        "sample-*"
      ],
      "privileges": [
        "read"
      ]
    }
  ]
}

Or, use command-line curl on any one of the nodes via ssh:

curl -k -u elastic:la_elastic_409 -XPOST "http://localhost:9200/_security/role/sample_read?pretty" -H 'Content-Type: application/json' -d'{"indices":[{"names":["sample-*"],"privileges":["read"]}]}'

Create the sample_write Role

Use the Kibana console tool to execute the following:

POST _security/role/sample_write
{
  "indices": [
    {
      "names": [
        "sample-*"
      ],
      "privileges": [
        "read",
        "write"
      ]
    }
  ]
}

Or, use command-line curl on any one of the nodes via ssh:

curl -k -u elastic:la_elastic_409 -XPOST "http://localhost:9200/_security/role/sample_write?pretty" -H 'Content-Type: application/json' -d'{"indices":[{"names":["sample-*"],"privileges":["read","write"]}]}'

Create the sample_monitor Role

Use the Kibana console tool to execute the following:

POST _security/role/sample_monitor
{
  "indices": [
    {
      "names": [
        "sample-*"
      ],
      "privileges": [
        "read",
        "monitor"
      ]
    }
  ]
}

Or, use command-line curl on any one of the nodes via ssh:

curl -k -u elastic:la_elastic_409 -XPOST "http://localhost:9200/_security/role/sample_monitor?pretty" -H 'Content-Type: application/json' -d'{"indices":[{"names":["sample-*"],"privileges":["read","monitor"]}]}'

Create the john User

Use the Kibana console tool to execute the following:

POST _security/user/john
{
  "roles": [
    "kibana_user",
    "sample_read"
  ],
  "full_name": "John Doe",
  "email": "john@company.com",
  "password": "john_123"
}

Or, use command-line curl on any one of the nodes via ssh:

curl -k -u elastic:la_elastic_409 -XPOST "http://localhost:9200/_security/user/john?pretty" -H 'Content-Type: application/json' -d'{"roles":["kibana_user","sample_read"],"full_name":"John Doe","email":"john@company.com","password":"john_123"}'

Create the jane User

Use the Kibana console tool to execute the following:

POST _security/user/jane
{
  "roles": [
    "kibana_user",
    "sample_write"
  ],
  "full_name": "Jane Doe",
  "email": "jane@company.com",
  "password": "jane_456"
}

Or, use command-line curl on any one of the nodes via ssh:

curl -k -u elastic:la_elastic_409 -XPOST "http://localhost:9200/_security/user/jane?pretty" -H 'Content-Type: application/json' -d'{"roles":["kibana_user","sample_write"],"full_name":"Jane Doe","email":"jane@company.com","password":"jane_456"}'

Create the noc User

Use the Kibana console tool to execute the following:

POST _security/user/noc
{
  "roles": [
    "kibana_user",
    "sample_monitor",
    "monitoring_user"
  ],
  "full_name": "Network Operations Center",
  "email": "noc@company.com",
  "password": "noc_789"
}

Or, use command-line curl on any one of the nodes via ssh:

curl -k -u elastic:la_elastic_409 -XPOST "http://localhost:9200/_security/user/noc?pretty" -H 'Content-Type: application/json' -d'{"roles":["kibana_user","sample_monitor","monitoring_user"],"full_name":"Network Operations Center","email":"noc@company.com","password":"noc_789"}'
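
Once the roles and users exist, each account can be audited against the privileges the lab assigns by calling the has-privileges API as that user. The script below is an added example, not part of the lab's own steps; the function names, the `EXPECT_*` variables and the sample response are constructed for illustration, and it assumes the `http://localhost:9200` endpoint used in the commands above.

```shell
#!/bin/sh
# Added example (not part of the lab): audit the three lab users against
# the privileges the lab assigns on sample-*.
ES_URL="${ES_URL:-http://localhost:9200}"   # endpoint used by the page's curl commands

# Ask Elasticsearch, authenticated as the given user, which of
# read/write/monitor that user holds on sample-*.
query_privs() {  # usage: query_privs USER PASSWORD
  curl -s -u "$1:$2" -XPOST "$ES_URL/_security/user/_has_privileges" \
    -H 'Content-Type: application/json' \
    -d '{"index":[{"names":["sample-*"],"privileges":["read","write","monitor"]}]}'
}

# Print true/false for one privilege from a has-privileges response.
# Whitespace is stripped first so ?pretty output parses the same way.
priv() {  # usage: priv RESPONSE_JSON PRIVILEGE
  printf '%s' "$1" | tr -d ' \n' |
    grep -Eo "\"$2\":(true|false)" | head -n 1 | cut -d: -f2
}

# Succeed only if the response matches the expected "read write monitor" triple.
# A missing key yields an empty field, so a malformed or error response fails.
check_user() {  # usage: check_user RESPONSE_JSON "true false false"
  actual="$(priv "$1" read) $(priv "$1" write) $(priv "$1" monitor)"
  [ "$actual" = "$2" ]
}

# Expected triples per the lab's roles.
EXPECT_JOHN="true false false"   # sample_read
EXPECT_JANE="true true false"    # sample_write
EXPECT_NOC="true false true"     # sample_monitor

# Constructed sample response for john, so the script runs without a cluster.
SAMPLE_JOHN='{"username":"john","has_all_requested":false,"cluster":{},"index":{"sample-*":{"read":true,"write":false,"monitor":false}},"application":{}}'

if check_user "$SAMPLE_JOHN" "$EXPECT_JOHN"; then
  echo "john: matches sample_read"
else
  echo "john: privilege drift"
fi
```

Against the lab cluster, run `check_user "$(query_privs john john_123)" "$EXPECT_JOHN"` and repeat for jane and noc with their own passwords and expected triples; a non-zero exit status means the account holds more or less than its role should grant.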

Additional Resources

You work as a system administrator and are in charge of a 3-node Elasticsearch cluster that will serve as a proof of concept for using Elasticsearch to store sensitive information. In an effort to evaluate data confidentiality and accessibility requirements, your security team has asked you to lock down Elasticsearch with user authentication.

For this proof of concept, the security team has loaded the cluster with some sample data. Now, they need you to create custom roles and users to limit access to said data accordingly.

Roles:

----------------+----------+------------------+--------------------
 Role Name      | Indexes  | Index Privileges | Cluster Privileges 
----------------+----------+------------------+--------------------
 sample_read    | sample-* | Read             | None               
----------------+----------+------------------+--------------------
 sample_write   | sample-* | Read, Write      | None               
----------------+----------+------------------+--------------------
 sample_monitor | sample-* | Read, Monitor    | None               
----------------+----------+------------------+--------------------

Users:

----------+---------------------------+------------------+-----------------+----------
 Username | Full Name                 | Email            | Roles           | Password 
----------+---------------------------+------------------+-----------------+----------
 john     | John Doe                  | john@company.com | kibana_user     | john_123 
          |                           |                  | sample_read     |          
----------+---------------------------+------------------+-----------------+----------
 jane     | Jane Doe                  | jane@company.com | kibana_user     | jane_456 
          |                           |                  | sample_write    |          
----------+---------------------------+------------------+-----------------+----------
 noc      | Network Operations Center | noc@company.com  | kibana_user     | noc_789  
          |                           |                  | monitoring_user |          
          |                           |                  | sample_monitor  |          
----------+---------------------------+------------------+-----------------+----------

The 3-node Elasticsearch cluster is already installed at /home/elastic/elasticsearch on each node. A Kibana instance is also installed at /home/elastic/kibana on the coordinator-1 node. You can optionally use this instance to interface with Elasticsearch via the Security UI or the Console tool. Otherwise, you can use curl on the command line to interface with Elasticsearch.

To use Kibana, navigate to the public IP address of the coordinator-1 node in your web browser and log in with:

  • Username: elastic
  • Password: la_elastic_409
