Security and authentication

Hi,

I want to configure very limited security in my cluster such that all users except a few have only read permission to all the data in Elasticsearch and all the Kibana UI features without having to log in.

Only certain privileged users will be able to write data to elasticsearch and edit things in Kibana UI.

What's the best way to achieve this?

Thanks in advance!

Hello,

Your best path is to use Role-Based Access Control but I would read up on the whole User Authorization section of the docs for some context and related info. There's plenty to this topic so it's probably worth looking through these first. Feel free to follow up with a new issue if there's anything specific in there you need help with. For what it's worth, I found it to be pretty intuitive once I'd played around with it a bit.

Regards,
Aaron

Thanks for the link @Aaron_Caldwell it really helped.

But I'm not able to get the anonymous access to work. There doesn't seem to be clear documentation on how to get anonymous auth working in the ELK stack (Elasticsearch and Kibana). My requirement is to be able to read the data without having to log in, and the user should only be asked for a password when performing some write/PUT operation to Elasticsearch/Kibana management.

Is this a good starting point: Enabling anonymous access | Elasticsearch Guide [7.4] | Elastic? You need to assign an appropriate role to your anonymous users that only have read access to your indices.

Thanks @ikakavas I just started there.

After creating a role through roles.yml and then using that role to configure anonymous user as the documentation says as below,

part of elasticsearch.yml

xpack.security.authc:
  anonymous:
    username: anonymous_user
    roles: anonymous
    authz_exception: true

roles.yml

anonymous:
  run_as: [ 'anonymous_user' ]
  cluster: []
  indices:
    - names: [ '*' ]
      privileges: [ 'read' ]

I tried to do a PUT operation to change the replication setting of the cluster without any username and password. I was kind of expecting it to fail, as there weren't any cluster-level permissions given for the anonymous user. But it succeeded.

Does that mean my changes weren't applied? (Maybe because the 'xpack.security.enabled: true' setting was not in elasticsearch.yml?)

You can't enable anonymous access when security is not enabled.
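
A pre-deployment check for the situation in this exchange, as an added example that is not part of the thread or of Elastic's tooling: it flags an `elasticsearch.yml` that carries an anonymous block while `xpack.security.enabled: true` is missing. The function names and sample file names are hypothetical, and the sample configs are constructed from the block posted above.

```shell
#!/bin/sh
# Added example: flag an elasticsearch.yml whose anonymous block cannot take effect.
# Assumes the flat "xpack.security.enabled: true" spelling used in the thread.

anon_config_status() {   # $1 = path to an elasticsearch.yml
    # Drop comments and blank lines so commented-out settings are not counted.
    body=$(sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1")
    if ! printf '%s\n' "$body" | grep -Eq '(^|[[:space:]]|\.)anonymous(\.|:)'; then
        echo "no-anonymous"        # nothing to check
    elif printf '%s\n' "$body" |
            grep -Eq '^xpack\.security\.enabled:[[:space:]]*true[[:space:]]*$'; then
        echo "ok"                  # security is on, the anonymous role is enforced
    else
        echo "anonymous-ignored"   # security is off: unauthenticated writes succeed
    fi
}

# Constructed sample: the thread's anonymous block, optionally preceded by one extra line.
write_sample() {   # $1 = output file, $2 = extra first line (may be empty)
    {
        if [ -n "$2" ]; then echo "$2"; fi
        cat <<'EOF'
xpack.security.authc:
  anonymous:
    username: anonymous_user
    roles: anonymous
    authz_exception: true
EOF
    } > "$1"
}

tmp=$(mktemp -d)
write_sample "$tmp/as-posted.yml" ""
write_sample "$tmp/commented.yml" "#xpack.security.enabled: true"
write_sample "$tmp/secured.yml" "xpack.security.enabled: true"
for f in "$tmp"/*.yml; do
    printf '%s: %s\n' "${f##*/}" "$(anon_config_status "$f")"
done
rm -rf "$tmp"
```
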

Hi,

I was trying to set up SSL certs to enable security and then bumped into the error below:

Exception in thread "main" java.lang.IllegalStateException: unable to read from standard input; is standard input open and a tty attached?
        at org.elasticsearch.cli.Terminal$SystemTerminal.readText(Terminal.java:173)
        at org.elasticsearch.cli.Terminal$SystemTerminal.readSecret(Terminal.java:183)
        at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:929)
        at org.elasticsearch.xpack.security.cli.CertificateTool.access$100(CertificateTool.java:85)
        at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.generateCA(CertificateTool.java:384)
        at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateAuthorityCommand.execute(CertificateTool.java:864)
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
        at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:77)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
        at org.elasticsearch.cli.Command.main(Command.java:90)
        at org.elasticsearch.xpack.security.cli.CertificateTool.main(CertificateTool.java:137)

I'm trying to create certs by running an elasticsearch container through Ansible during deployment:

  docker_container:
    name: "generate_cert"
    image: "docker.elastic.co/elasticsearch/elasticsearch:7.3.1"
    command: >
      bash -c '
        if [[ ! -d config/certificates/certs ]]; then
          mkdir -p config/certificates/certs;
        fi;
        bin/elasticsearch-certutil ca --silent --pass '' --out elastic-stack-ca.p12
        bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --ca-pass '' --pass '' --silent --out config/certs/elastic-certificates.p12
      '
    working_dir: /usr/share/elasticsearch
    volumes: ["/tmp/elk/certs/:/usr/share/elasticsearch/config/certs/"]

What am I doing wrong? (I'm planning to copy this generated cert file to each node during deployment later.)

The issue seems to be your use of single quotes embedded within single quotes.

You're running bash -c '(command)' but your command has --pass '' in it, so those single quotes aren't being treated the way you would expect. Switch it to --pass "" instead.
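
What the nested quotes do to the argument list, as an added example that is not part of the thread: `sh` and `printf` stand in for the container's bash and for `elasticsearch-certutil`, and `ca.p12` and the function names are placeholders.

```shell
#!/bin/sh
# Added example: how '' inside a single-quoted -c script is tokenized.
# printf stands in for bin/elasticsearch-certutil and prints one [token] per argument.

# Quoting as posted: the first inner ' closes the outer string and the second reopens it,
# so the empty argument disappears and --pass is followed directly by --out.
argv_as_posted() {
    sh -c 'printf "[%s]" certutil ca --silent --pass '' --out ca.p12'
}

# Quoting as suggested in the reply: "" survives inside the single-quoted script
# and the inner shell passes a real empty string after --pass.
argv_fixed() {
    sh -c 'printf "[%s]" certutil ca --silent --pass "" --out ca.p12'
}

# Number of arguments in a bracketed dump produced by the functions above.
count_args() {
    printf '%s' "$1" | tr -cd ']' | wc -c | tr -d ' '
}

posted=$(argv_as_posted)
fixed=$(argv_fixed)
printf 'as posted: %s (%s args)\n' "$posted" "$(count_args "$posted")"
printf 'fixed:     %s (%s args)\n' "$fixed" "$(count_args "$fixed")"
```

With the posted quoting the stand-in receives six arguments and `--pass` has no value, which is consistent with the `readSecret` frames in the stack trace above; with `""` it receives seven, including the empty password.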

Oops! Thank you so much @TimV

I could enable anonymous access in Elasticsearch. But Kibana prompts me for a login. What I want is to be able to access data and some Kibana space without having to log in. I searched for Kibana anonymous access but couldn't find anything helpful.

Kibana does not support anonymous access.
You can simulate it by putting a proxy in front of Kibana to automatically add authorization headers, but it's not supported natively.

There's a tracking issue here: https://github.com/elastic/kibana/issues/18331
