Control Access with Basic Authentication
Shield makes it simple to password-protect your Elasticsearch cluster. Once Shield is installed, a username and password is required to communicate with the cluster.
If you submit a request without a username and password, the request is rejected with an HTTP 401 Unauthorized response:
curl -XGET 'http://localhost:9200/'
All you need to do to use basic authentication is set up users and assign them to one of the basic predefined roles:
- admin: Can perform any cluster or index action.
- power_user: Can monitor the cluster and perform any index action.
- user: Can perform read actions on any index.
To get started, create a "super user" with the admin role:
- Use the esusers tool to create an admin user:
bin/shield/esusers useradd es_admin -r admin
- When prompted, enter a password for the new user. Passwords must be at least 6 characters long.
Now you can submit requests as your admin user (curl prompts for the password when you pass -u with only a username):
curl -u es_admin -XGET 'http://localhost:9200/'
That’s it! That’s all it takes to set up the first layer of security for your Elasticsearch cluster.
To set up additional users, use your admin user credentials to submit requests to the Users API. For more information, see Managing Native Users. You can also integrate with external user management systems, such as LDAP and Active Directory. For more information, see User Authentication.
Authenticating users is a great first step, but Shield offers much more than simple password protection. For example, you can:
- Enable Message Authentication to verify that messages have not been tampered with or corrupted in transit.
- Enable Auditing to keep track of attempted and successful interactions with your Elasticsearch cluster.
Once you get these basic security measures in place, we strongly recommend that you secure communications to and from nodes by configuring your cluster to use SSL/TLS encryption. Basic authentication only base64-encodes the username and password; it does not encrypt them. On a cluster without TLS, every request carries the password in cleartext, and anyone who can observe the traffic can read it.
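The following script is an added example, not part of the Shield documentation or the Shield tool itself. It ties together the admin-user procedure above and the cleartext caveat: the first two functions reproduce what curl -u puts on the wire (an Authorization header whose value is base64 of user:password) and how trivially an eavesdropper reverses it, which is the reason the TLS recommendation matters; the third enforces the 6-character minimum esusers applies; the last one runs the page's own esusers and curl commands, and assumes an ES_HOME variable pointing at the Elasticsearch install (that variable name is an assumption for this example) and a running cluster on localhost:9200.

```shell
#!/bin/sh
# Added example (not Shield's own code). Demonstrates why basic auth over
# plain HTTP is cleartext, and wraps the esusers/curl procedure from the page.

# Build the exact header line curl sends for: curl -u "$1:$2" ...
# base64 is an encoding, not encryption: no key is involved.
basic_auth_header() {
    printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64)"
}

# What an eavesdropper on a non-TLS connection does with a captured header:
# strip the prefix and decode. The result is the original user:password.
decode_basic_auth() {
    printf '%s' "$1" | sed 's/^Authorization: Basic //' | base64 -d
}

# esusers rejects passwords shorter than 6 characters; check before calling it.
password_ok() {
    [ "${#1}" -ge 6 ]
}

# The page's procedure: create the admin user, then prove the credentials work.
# Requires a Shield install (ES_HOME is assumed) and a cluster on localhost:9200;
# esusers prompts for the password interactively, exactly as in the docs.
# Not exercised by the offline test below.
create_and_verify_admin() {
    user="${1:-es_admin}"
    "${ES_HOME:?set ES_HOME to the Elasticsearch install directory}/bin/shield/esusers" \
        useradd "$user" -r admin || return 1
    printf 'Password for %s (to verify): ' "$user"
    read -r pw
    password_ok "$pw" || { echo "password too short" >&2; return 1; }
    # -u with user:password avoids a second prompt; -w prints only the status.
    status=$(curl -s -o /dev/null -w '%{http_code}' -u "$user:$pw" 'http://localhost:9200/')
    echo "GET / as $user -> HTTP $status"
    [ "$status" = "200" ]
}
```

Run basic_auth_header es_admin yourpassword and pipe the result through decode_basic_auth to see for yourself that nothing about the header protects the password; the only protection is TLS on the connection.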
If your security requirements are more complex, you can also:
- Define and Use Custom Roles for fine-grained access control.
- Integrate with LDAP or Active Directory, or require certificates for authentication.
- Use IP Filtering to allow or deny requests from particular IP addresses or address ranges.