Introduction to Shield and kibana

Shield & Kibana
Sushil Kumar
Software Consultant
Knoldus Software LLP.

Agenda
Shield
• Introduction
• Installation
• Basic Authentication
• Role-based Access Control
• Message Authentication
Kibana
• Introduction
• Installation
• Using Kibana with Shield
• Getting Started with Kibana
• Demo

● Shield is a plugin for Elasticsearch that enables you to easily secure
an elasticsearch cluster.
● With Shield, you can protect your data with username and passwod.
● It also provides advance security features such as encrypting
communications, role-based access control, IP filtering, and
auditing.
Introduction

Features
● Preventing unauthorized access with password protection,
role-based access control, and IP filtering.
● Preserving the integrity of your data with message
authentication and SSL/TLS encryption.
● Maintaining an audit trail so you know who’s doing what to
your data.

Installation
1. Run bin/plugin install from ES_HOME to install the license plugin
2. Run bin/plugin install to install the Shield plugin into Elasticsearch.
Note: The Shield plugin must be installed on every node in the cluster. If you are installing
to a live cluster, you must stop all of the nodes, install Shield, and restart the nodes.
bin/plugin install license
bin/plugin install shield

Uninstalling Shield
To uninstall Shield:
1. Shut down Elasticsearch.
2. Remove the Shield plugin from Elasticsearch:
3. Restart Elasticsearch.
bin/plugin remove shield

Basic Authentication
Once Shield is installed, a username and password is required to
communicate with the cluster.
All you need to do to use basic authentication is set up users and assign
them to one of the basic predefined roles:
➢ admin: Can perform any cluster or index action.
➢ power_user: Can monitor the cluster and perform any index action.
➢ user: Can perform read actions on any index.

Set up Users
Use the esusers command line tool to create an user:
Example:
Now you can submit requests as your admin user:
bin/shield/esusers useradd admin -r admin -p password
curl -u admin -XGET 'http://localhost:9200/'
curl -u admin:password -XGET 'http://localhost:9200/'

Delete User
List Users
Update Roles
bin/shield/esusers userdel username
bin/shield/esusers list
bin/shield/esusers roles username -r admin -a user

User API
● The Users API enables you to create, read, update, and delete native
users from the native realm.
● To use this API, you must have at least the manage_security cluster
privilege.

User API
Adding
Submit a PUT or POST request to the /_shield/user/<username> endpoint
Response
{
"user": {
"created" : true
}
}
POST /_shield/user/alice
{
"password" : "j@rV1s",
"roles" : [ "user", "other_role1" ]
}

User API
Retrieving
GET request to the /_shield/user endpoint
Deleting
DELETE request to the /_shield/user/<username> endpoint
DELETE /_shield/user/ironman
GET /_shield/user
GET /_shield/user/alice,bob

Managing Roles
Roles Api
Adding Roles
PUT or POST request to the /_shield/role/<rolename> endpoint
POST /_shield/role/my_role
{
"cluster": ["monitor"],
"indices": [
{
"names" : [ "index1", "index2" ],
"privileges" : ["all"],
"fields" : [ "title", "body" ],
"query" : "{"match": {"title": "foo"}}"
}
]
}

Shield Privileges
1. Cluster privileges
● all
● monitor
● manage
● manage_security
● mangae_index_templates
● transport_clients
Managing Roles

2. Indices privileges
● all
● monitor
● manage
● read
● index
● create
● delete
● write
● delete_index
● create_index
Managing Roles

Managing Roles
Response
● Can also use wildcards and regular expression to reffer to multiple indices.
{
"role" : {
"created" : true
}
}
"foo-bar": # match the literal `foo-bar`
"foo-*": # match anything beginning with "foo-"
"/.*-201[0-9]-.*/": # match anything containing 2010-2019

Managing Roles
Example:
POST /_shield/role/customer_care
{
"indices": [
{
"names": [ "*" ],
"privileges": ["read"],
"fields": [
"issue_id",
"description",
“customer.*
]
}
]
}

Managing Roles
Retrieving Roles
GET request to the /_shield/role endpoint:
Deleting Roles
DELETE request to the /_shield/role/<rolename> endpoint
GET /_shield/role
GET /_shield/role/my_admin_role,log_admin_role
DELETE /_shield/role/my_admin_role

Node Authentication and Channel Encryption
● With Shield, you can use SSL/TLS to encrypt communication to and from
nodes.
● When SSL/TLS is enabled, the nodes validate each other’s certificates,
establishing trust between the nodes.
● Require that nodes authenticate new nodes that join the cluster using SSL
certificates.

Enable Message Authenticaton
Message authentication verifies that a message has not been tampered
with or corrupted in transit during node-to-node communication.
This creates a system key file in CONFIG_DIR/shield/system_key.
Copy the genererated system key to the rest of the nodes in the cluster.
Notes: The system key is a symmetric key, so the same key must be on every node in the
cluster.
Bin/shield/syskeygen

Enable Auditing
It allow you to stores a record of attempted and successful interactions
with your Elasticsearch cluster.
You can use this information track of who is doing what to your cluster and
identify potential security issues.
To enable auditing, add the following setting to elasticsearch.yml:
By default, events are logged to a dedicated elasticsearch-access.log file in ES_HOME/logs.
shield.audit.enabled: true

Introduction to Shield and kibana

Introduction
● Kibana is an open source analytics and visualization platform designed to
work with Elasticsearch
● Use Kibana to search, view, and interact with data stored in Elasticsearch
indices.
● Easily perform advanced data analysis and visualize your data in a variety
of charts, tables, and maps.
● Easy to understand large volumes of data. Its simple, browser-based
interface enables you to quickly create and share dynamic dashboards
that display changes to Elasticsearch queries in real time.

Features
● Seamless Integration with Elasticsearch
Architected to work with Elasticsearch, Kibana gives shape to any kind of data — structured and
unstructured — indexed into Elasticsearch. It also benefits from Elasticsearch's powerful search and
analytics capabilities.
● Give shape to your data
To better understand large volumes of data, easily create bar charts, line and scatter plots,
histograms, pie charts, and maps.
● Sophisticated Analytics
Leverage the power of Elasticsearch analytics capabilities to analyze your data intelligently,
perform mathematical transformations, and slice and dice your data as you see fit.
● Flexible Interface, Easy to Share
Easily create, save, share, and embed your visualized data for quick and smart communication.

Features
● Easy Setup
Simple and friendly setup and startup. Kibana 4 ships with its own web server to help you get
up and running quickly.
● Visualize Data from Many Sources
Easily visualize data pushed into Elasticsearch from Logstash, ES-Hadoop, Beats, or third-
party technologies like Apache Flume, Fluentd, and many others.
● Simple Data Export
Easily export interesting bits of data to merge and meld with other data sets to quickly
prototype new analyses and discover something new.

Installations
To get Kibana up and running:
1. Download the Kibana 4 binary package for your platform.
2. Extract the .zip or tar.gz archive file.
3. Run Kibana from the install directory: bin/kibana (Linux/MacOSX) or
binkibana.bat (Windows).

Using Kibana with Shield
● Kibana users have to authenticate when your cluster has Shield installed.
● Need to configure credentials for the Kibana server to authenticate
requests coming from Kibana webserver.
To use Kibana with Shield:
1. Configure credentials for the Kibana server.
Create a user account for the Kibana server and assign it the kibana4_server
role
esusers useradd kibana4-server -r kibana4_server -p password

2. Specify the credentials for your Kibana server user in the Kibana configuration
file, /config/kibana.yml.
elasticsearch.username: "kibana4-server"
elasticsearch.password: "password"

3. Derive Kibana user roles
kibana_user:
cluster:
- monitor
indices:
- names: 'customer'
privileges:
- view_index_metadata
- read
- names: '.kibana'
privileges:
- manage
- read

4. Assign the appropriate roles to your Kibana users or groups of users
POST /_shield/user/alice
{
"password" : "t0pS3cr3",
"roles" : [ "kibana_user" ]
}

5. Install the Shield plugin into Kibana. The Shield plugin secures user sessions
and enables users to log in and out of Kibana.
6. Configure Kibana to encrypt communications between the browser and the
Kibana server.
bin/kibana plugin --install kibana/shield/2.3.3
server.ssl.key: /path/to/your/server.key
server.ssl.cert: /path/to/your/server.crt
shield.encryptionKey: "something_secret"

Kibana Dynamic Mapping
● Kibana needs dynamic mapping to use fields in visualizations correctly, as well as
to manage the .kibana index where saved searches, visualizations, and
dashboards are stored.
Create the .kibana index with dynamic mapping enabled just for that index:
PUT .kibana
{
"index.mapper.dynamic": true
}

References
● https://www.elastic.co/products/kibana
● https://www.elastic.co/products/shield
● http://blog.trifork.com/2015/03/05/shield-your-kibana-dashboards/
● https://www.timroes.de/2015/02/07/kibana-4-tutorial-part-2-discover/
● https://www.timroes.de/2015/02/07/kibana-4-tutorial-part-3-visualize/
● https://www.timroes.de/2015/02/07/kibana-4-tutorial-part-4-dashboard/

Introduction to Shield and kibana

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Introduction to Shield and kibana (20)

More from Knoldus Inc. (20)

Recently uploaded (20)

Introduction to Shield and kibana

Editor's Notes