Setting basic security in ES
As you probably know from Elastic 6.8 and 7.1 versions, security module is free in Basic License, providing important features such as:
- Native realm for create and managing local users.
- Role based control access for indices and cluster APIs in Kibana.
From some time ago, I can read news about security breaches about unprotected and misconfigured Kibana instances on the Internet. But this is a lack of a basic configuration of a popular stack as Elastic.
Below, I summarize some of the steps needed for setting local security in a single node setup:
0. Stop Elastic Search and Kibana (if so).
1. Generate a p12 certificate for all Elastic Search nodes.
$ cd /opt/elk/elasticsearch $ ./bin/elasticsearch-certutil cert . . . Certificates written to /opt/elk/elasticsearch-7.4.1/config/elastic-certificates.p12
2. In config/elasticsearch.yml , we add:
xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
4. Then we start Elastic:
[2019-11-06T12:28:10,815][INFO ][o.e.x.s.s.SecurityStatusChangeListener] [pudu1] Active license is now [BASIC]; Security is enabled
5. After this, you can generate passwords:
$ ./bin/elasticsearch-setup-passwords auto Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user. The passwords will be randomly generated and printed to the console. Please confirm that you would like to continue [y/N] y
6. Then, change kibana.yml for authetication with kibana user, and start Kibana.
7. Finally, add the corresponding users and passwords for logstash, filebeat and metricbeat.
So, there is no reason to leave misconfigured or unprotected instances of Kibana with access to our data. If you have an older version, you can upgrade to the cited versions for using freely the security features.
You will see a login form in Kibana like this:
and the usual endpoints to Elastic Search (curl..) must be used now with user credentials.