Control Access with Basic Authentication

Shield makes it simple to password-protect your Elasticsearch cluster. Once Shield is installed, a username and password is required to communicate with the cluster.

If you submit a request without a username and password, the request is rejected:

curl -XGET 'http://localhost:9200/'

All you need to do to use basic authentication is set up users and assign them to one of the basic predefined roles:

admin: Can perform any cluster or index action.
power_user: Can monitor the cluster and perform any index action.
user: Can perform read actions on any index.

To create a user and try out basic authentication:

Add a user called es_admin and assign the admin role.
```
bin/shield/esusers useradd es_admin -r admin
```
When prompted, enter a password for the new user. Passwords must be at least 6 characters long.

Submit a request using the newly-created user.

curl -u es_admin -XGET 'http://localhost:9200/'

That’s it! That’s all it takes to set up the first layer of security for your Elasticsearch cluster. However, Shield offers much more that simple password protection. For example, you can:

Enable Message Authentication to verify that messages have not not been tampered with or corrupted in transit.
Enable Auditing to keep track of attempted and successful interactions with your Elasticsearch cluster.

And that’s just the start. You can also:

Define and Use Custom Roles for fine-grained access control.
Integrate with LDAP or Active Directory, or require certificates for authentication.
Use SSL/TLS encryption to secure communications to and from nodes.
Use IP Filtering to allow or deny requests from particular IP addresses or address ranges.

« Getting Started with Shield Enable Message Authentication »