Control Access with Basic Authentication
Shield makes it simple to password-protect your Elasticsearch cluster. Once Shield is installed, a username and password are required to communicate with the cluster.
If you submit a request without a username and password, the request is rejected:
curl -XGET 'http://localhost:9200/'
All you need to do to use basic authentication is set up users and assign them to one of the basic predefined roles:
- admin: Can perform any cluster or index action.
- power_user: Can monitor the cluster and perform any index action.
- user: Can perform read actions on any index.
To create a user and try out basic authentication:
- Add a user called es_admin and assign the admin role:
  bin/shield/esusers useradd es_admin -r admin
- When prompted, enter a password for the new user. Passwords must be at least 6 characters long.
- Submit a request using the newly-created user:
  curl -u es_admin -XGET 'http://localhost:9200/'
That’s it! That’s all it takes to set up the first layer of security for your Elasticsearch cluster.
Authenticating users is a great first step, but Shield offers much more than simple password protection. For example, you can:
- Enable Message Authentication to verify that messages have not been tampered with or corrupted in transit.
- Enable Auditing to keep track of attempted and successful interactions with your Elasticsearch cluster.
Once you get these basic security measures in place, we strongly recommend that you secure communications to and from nodes by configuring your cluster to use SSL/TLS encryption. Nodes that do not have encryption enabled send passwords in plain text!
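The following shell helpers are an added example, not part of the Shield documentation: they tie the esusers/curl steps above to the plain-text warning by checking the six-character password rule, building the exact Authorization header that curl -u sends, decoding it the way an observer on an unencrypted link would, and probing a cluster for the expected rejected/accepted pair. The cluster URL, user name and password used are placeholders.

```shell
#!/bin/sh
# Added example; not code from the Shield project. URL and credentials are placeholders.

# Shield's esusers rule from the docs: passwords must be at least 6 characters long.
password_ok() {
  [ "${#1}" -ge 6 ]
}

# Build the header "curl -u user:pass" sends. It is base64("user:password"):
# an encoding, not encryption, which is why TLS is required on the transport.
basic_header() {
  printf 'Authorization: Basic %s' \
    "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# What anyone who can read the unencrypted request recovers from that header.
decode_basic_header() {
  printf '%s' "$1" | sed 's/^Authorization: Basic //' | base64 -d
}

# True only for https:// URLs; plain http:// exposes the header above in transit.
url_is_tls() {
  case "$1" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Probe a live cluster: an anonymous request should be rejected (HTTP 401) and
# the same request with valid credentials accepted (HTTP 200).
probe_cluster() {
  url="$1"; user="$2"; pass="$3"
  url_is_tls "$url" || \
    echo "WARNING: $url is not https; credentials cross the wire base64-encoded only" >&2
  anon=$(curl -s -o /dev/null -w '%{http_code}' "$url")
  auth=$(curl -s -o /dev/null -w '%{http_code}' -u "$user:$pass" "$url")
  echo "anonymous=$anon authenticated=$auth"
  [ "$anon" = "401" ] && [ "$auth" = "200" ]
}

# Usage against a placeholder node (needs a running Shield-protected cluster):
# probe_cluster 'https://localhost:9200/' es_admin 'secret123'
```

The offline helpers run anywhere with coreutils; only probe_cluster needs a reachable node.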
If your security requirements are more complex, you can also:
- Define and Use Custom Roles for fine-grained access control.
- Integrate with LDAP or Active Directory, or require certificates for authentication.
- Use IP Filtering to allow or deny requests from particular IP addresses or address ranges.