Do I still have to set up roles and users after I successfully added one user in the file realm?

security

(Li Jessen) #1

In the online documentation, Configuring security in Elasticsearch,
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html#

step 7 is:
Choose which types of realms you want to use to authenticate users.

While configuring a file realm, I already added a user with a user role, say, superuser. But step 8 is: Set up roles and users to control access to Elasticsearch. For example, to grant John Doe full access to all indices that match the pattern events* and enable him to create visualizations and dashboards for those indices in Kibana, you could create an events_admin role and assign the role to a new johndoe user.
Do I still need to do so after I have already added a user with the elasticsearch-users tool, which adds an item in both the ES_PATH_CONF/users file and the ES_PATH_CONF/users_roles file?


(Tim Vernum) #2

If you only want to have a single user, then you don't need to set anything else up.

But for most use cases, a single user isn't a good idea. You shouldn't have everything connect to your cluster as superuser; it is much better to create users and roles for specific purposes that limit the user's access to just what they need.


(Li Jessen) #3

But all of this can also be done in the file realm with the elasticsearch-users tool. So I don't think step 8 is necessary. Have I made my question clear?


(Tim Vernum) #4

Step 7 is to decide what realm types you want. You have decided on a file realm (which is not our usual recommendation, but that's a separate issue).

Step 8 is to set up roles and users in the realms you want to use. The example there shows creating a Native role and Native user, but it's just an example. You can create File roles and users instead.

So, you need to do step 8, but what you do in step 8 is entirely dependent on the decisions you made in step 7.
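An added example, not part of the thread or of Elastic's documentation: a check for the least-privilege point raised in reply #2, listing which file-realm users hold the superuser role by parsing the users_roles file (one `role:user1,user2` entry per line). The sample file, its user names and the `users_with_role` function name are constructed for illustration; point the function at ES_PATH_CONF/users_roles on a real node.

```shell
#!/usr/bin/env bash
# Added example: audit file-realm role assignments.
# users_roles holds one role per line:  role_name:user1,user2

# users_with_role FILE [ROLE]
# Prints the users mapped to ROLE (default: superuser), one per line, sorted.
users_with_role() {
  local file="$1" role="${2:-superuser}"
  awk -F: -v role="$role" '
    /^[ \t]*(#|$)/ { next }            # script choice: skip blank and "#" lines
    {
      r = $1; gsub(/[ \t]/, "", r)     # role name before the colon
      if (r != role) next
      n = split($2, users, ",")        # comma-separated user list after it
      for (i = 1; i <= n; i++) {
        u = users[i]; gsub(/[ \t\r]/, "", u)
        if (u != "") print u
      }
    }' "$file" | sort -u
}

# Constructed sample standing in for $ES_PATH_CONF/users_roles.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/users_roles" <<'EOF'
superuser:admin,logstash_writer
events_admin:johndoe
kibana_admin:johndoe,admin
EOF

echo "Accounts holding superuser:"
users_with_role "$demo_dir/users_roles" superuser

# A service account in that list is a candidate for a narrower role, e.g.
#   bin/elasticsearch-users roles logstash_writer -r superuser -a events_admin
# where events_admin is a role you have defined (in a file realm setup,
# typically in ES_PATH_CONF/roles.yml).
```
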