From version 5.0 onward, Shield is part of X-Pack. For more information, see
Securing the Elastic Stack.
Control Access with Basic Authentication
Shield makes it simple to password-protect your Elasticsearch cluster. Once Shield is installed, a username and password are required to communicate with the cluster.
If you submit a request without a username and password, the request is rejected:
curl -XGET 'http://localhost:9200/'
All you need to do to use basic authentication is set up users and assign them to one of the basic predefined roles:
- admin: Can perform any cluster or index action.
- power_user: Can monitor the cluster and perform any index action.
- user: Can perform read actions on any index.
To create a user and try out basic authentication:
- Add a user called es_admin and assign the admin role.
  bin/shield/esusers useradd es_admin -r admin
- When prompted, enter a password for the new user. Passwords must be at least 6 characters long.
- Submit a request using the newly-created user.
  curl -u es_admin -XGET 'http://localhost:9200/'
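
A post-install check for the behaviour described above, added here as an example and not part of the Shield documentation: it confirms that anonymous and wrong-password requests are rejected with 401 while the new user gets 200. The stub server, its realm string and the sample password are constructed so the check runs offline; call audit() with a real node URL and the es_admin credentials to run it against a cluster.

```python
import base64, hmac, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"es_admin": "s3cret-constructed"}  # constructed sample credentials, stub only

def basic_header(user, password):
    # RFC 7617: base64("user:password"). Encoded, not encrypted, so use TLS in transit.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class StubCluster(BaseHTTPRequestHandler):
    """Hypothetical stand-in for a protected node: 401 unless credentials match."""
    def do_GET(self):
        sent = self.headers.get("Authorization", "").encode()
        ok = any(hmac.compare_digest(sent, basic_header(u, p).encode())
                 for u, p in USERS.items())
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="stub"')
        self.end_headers()
    def log_message(self, *args):  # silence per-request logging
        pass

def status(url, user=None, password=None):
    """GET url, optionally with Basic credentials, and return the HTTP status code."""
    req = urllib.request.Request(url)
    if user is not None:
        req.add_header("Authorization", basic_header(user, password))
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # direct, no proxy
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(url, user, password):
    """Status codes for the three cases a post-install check should compare."""
    return {"anonymous": status(url),
            "wrong_password": status(url, user, password + "x"),
            "valid": status(url, user, password)}

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StubCluster)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit(f"http://127.0.0.1:{server.server_port}/", "es_admin", USERS["es_admin"])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__": print(run_demo())
```

A result where "anonymous" or "wrong_password" is 200 means the node is answering without enforcing authentication.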
That’s it! That’s all it takes to set up the first layer of security for your Elasticsearch cluster. However, Shield offers much more than simple password protection. For example, you can:
- Enable Message Authentication to verify that messages have not been tampered with or corrupted in transit.
- Enable Auditing to keep track of attempted and successful interactions with your Elasticsearch cluster.
And that’s just the start. You can also:
- Define and Use Custom Roles for fine-grained access control.
- Integrate with LDAP or Active Directory, or require certificates for authentication.
- Use SSL/TLS encryption to secure communications to and from nodes.
- Use IP Filtering to allow or deny requests from particular IP addresses or address ranges.