Migration tool for users and roles
The easiest way to migrate from file-based users and roles to the native realm
is to use the migrate tool included with the Shield plugin. The migrate tool
reads the file realm files to load the defined users and roles and executes
HTTP requests to add the specified user(s) and role(s) to the store.
After installing the Shield plugin, run the migrate tool as follows:
```
$ bin/shield/migrate native -U http://localhost:9200 -u test_user -p changeme -n lee,foo -r role1,role2,role3,role4,foo
starting migration of users and roles...
importing users from [/home/es/config/shield/users]...
found existing users: [test_user, joe3, joe2]
migrating user [lee]
{"user":{"created":true}}
no user [foo] found, skipping
importing roles from [/home/es/config/shield/roles.yml]...
found existing roles: [marvel_user, role_query_fields, admin_role, role3, admin, remote_marvel_agent, power_user, role_new_format_name_array, role_run_as, logstash, role_fields, role_run_as1, role_new_format, kibana4_server, user, transport_client, role1.ab, role_query]
migrating role [role1]
{"role":{"created":true}}
migrating role [role2]
{"role":{"created":true}}
role [role3] already exists, skipping
no role [foo] found, skipping
users and roles imported.
```
Existing users or roles are not replaced or overridden, and requested users or roles that do not occur in the file-based configuration are skipped.
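Because skipped entries are reported only in the tool's text output, it helps to reduce that output to one outcome per user or role and compare it with what was requested. The following script is an added example, not part of Shield: the function names are hypothetical, the line formats are taken from the sample run above, and a `user [...] already exists, skipping` line is assumed by analogy with the role line.

```shell
# Added example, not part of Shield. Line formats follow the sample run above;
# "user [...] already exists, skipping" is an assumption by analogy with roles.
# stdin: migrate output. stdout: "<kind> <name> <status>" per outcome, with
# status one of migrated, failed, exists, missing.
summarize_migration() {
  awk '
    function name(line,   s, e) {   # text inside the first [...]
      s = index(line, "["); e = index(line, "]")
      return substr(line, s + 1, e - s - 1)
    }
    function emit(status) {         # report the pending "migrating" entry
      if (pending != "") print kind, pending, status
      pending = ""
    }
    /^migrating (user|role) \[/ { emit("failed"); kind = $2; pending = name($0); next }
    pending != "" { emit(($0 ~ /"created":true/) ? "migrated" : "failed"); next }
    /^(user|role) \[.*\] already exists, skipping/ { print $1, name($0), "exists"; next }
    /^no (user|role) \[.*\] found, skipping/ { print $2, name($0), "missing"; next }
    END { emit("failed") }
  '
}

# stdin: summary from summarize_migration. Prints the names in the
# comma-separated list $2 of kind $1 (user or role) with no reported outcome.
unaccounted() {
  awk -v kind="$1" -v csv="$2" '
    $1 == kind { seen[$2] = 1 }
    END { n = split(csv, want, ","); for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i] }
  '
}

# Sample run from above, abridged to the lines around each outcome.
sample_output() {
  cat <<'EOF'
importing users from [/home/es/config/shield/users]...
found existing users: [test_user, joe3, joe2]
migrating user [lee]
{"user":{"created":true}}
no user [foo] found, skipping
importing roles from [/home/es/config/shield/roles.yml]...
migrating role [role1]
{"role":{"created":true}}
migrating role [role2]
{"role":{"created":true}}
role [role3] already exists, skipping
no role [foo] found, skipping
EOF
}

sample_output | summarize_migration | unaccounted role role1,role2,role3,role4,foo
```

Run against the sample, the last line prints `role4`: it was passed to `-r` but the output above reports no outcome for it.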
The "native" subcommand supports the following options:
Table 7. Migration Tool Settings
| Parameter | Required | Description |
|---|---|---|
| -U | yes | The URL endpoint of the Elasticsearch cluster to which the users and roles will be added |
| -u | no | Username to use for authentication |
| -p | no | Password to use for authentication |
|  | no | Configuration directory to use instead of the default for SSL configuration, user, and role files |
| -n | no | Comma-separated list of usernames to migrate; if empty, all users found will be migrated |
| -r | no | Comma-separated list of role names to migrate; if empty, all roles found will be migrated |