Securing Elasticsearch and Kibana with Search Guard for free

Note: This is a guest post by Jochen Kressin, the CTO of floragunn GmbH, the makers of Search Guard, an open-source X-Pack Security alternative.

In this article, we show you how to secure Elasticsearch and Kibana for free using the Community edition of Search Guard. We start with a vanilla Elasticsearch and Kibana setup, install and configure Search Guard for Elasticsearch, and use the Search Guard Kibana plugin to add session management capabilities to Kibana.

Prerequisites

As a prerequisite, install the latest Elasticsearch and Kibana version. At the time of writing, this is 5.4.0.

Installing Elasticsearch

https://www.elastic.co/guide/en/elasticsearch/reference/current/setup.html

Installing Kibana

https://www.elastic.co/guide/en/kibana/current/setup.html

Installing Search Guard

Search Guard is an Elasticsearch plugin, and can thus be installed by using the standard plugin installation procedure of Elasticsearch.

First, figure out which version of Search Guard you need for your Elasticsearch installation. Due to compatibility checks in Elasticsearch, the version of Search Guard must match the version of Elasticsearch exactly. So if you run Elasticsearch 5.4.0, you need to install Search Guard 5.4.0. Other versions will not work. If in doubt, you can always refer to our version matrix, which lists all available versions of Search Guard. In this tutorial, we use Elasticsearch and Kibana 5.4.0.

Then stop all running nodes, change to the installation directory of Elasticsearch, and install Search Guard:

bin/elasticsearch-plugin install -b com.floragunn:search-guard-5:5.4.0-12

The plugin will be downloaded from Maven and installed automatically. Once the installation is complete, you will find a new folder plugins/search-guard-5 in your Elasticsearch installation directory.

Configuring TLS

Search Guard makes heavy use of TLS to encrypt and secure the complete traffic in your cluster. In order for TLS to work, you need to generate and install TLS certificates on all nodes. This makes sure that no one can sniff or tamper with your data, and that only trusted nodes can join the cluster.

There are several ways of generating the necessary certificates, but for this quickstart tutorial we will use the demo installation script that ships with Search Guard. For other ways of generating certificates, please refer to the section “Configuring Search Guard SSL” of the official Search Guard documentation.

In order to execute the demo installation script, change to the directory

<ES installation directory>/plugins/search-guard-5/tools

and execute the script

install_demo_configuration.sh

Depending on which platform you are on, you may need to set execution permissions first. The script will generate the TLS certificates and add the corresponding configuration settings to the elasticsearch.yml file. Once this is finished, you can start your nodes again.

Initializing Search Guard

After your nodes are up, you need to initialize Search Guard. In this tutorial, we will use the sample configuration files that ship with Search Guard. They already contain the correct users, roles and permissions for the Kibana integration.

The configuration files are located in this directory:

<ES installation directory>/plugins/search-guard-5/sgconfig

In order to upload this configuration to Search Guard, you can either use the sgadmin command line tool, or the REST management API. When using the sgadmin command line tool, you need to specify various parameters, such as the path to your certificates or the name of your cluster. You can read all about sgadmin in the official documentation.

For our quick start tutorial, we will use the demo sgadmin script, which already contains all required parameters. Change to:

<ES installation directory>/plugins/search-guard-5/tools

and execute the script

sgadmin_demo.sh

As with the installation script, you might need to set execution permissions first. After the script has been executed, Search Guard is initialized and your cluster is fully secured by TLS.

You can verify that everything works as expected by visiting the following URL with a browser:

https://localhost:9200/_searchguard/authinfo

Since we are using self-signed certificates, ignore the browser warning and accept the Root certificate that Search Guard is using. The warning message varies from browser to browser. Note that because TLS is now enabled on the REST layer, you have to use https when talking to Elasticsearch. Connecting with unsecured http will not work anymore.

When prompted for a username and password, you can use admin/admin. This user has full access to the cluster and all indices. You should see information about the currently logged in user in JSON format.
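The three checks described above (plain http no longer answers, https without credentials is rejected, https with admin/admin returns the user's authinfo as JSON) can be scripted as a post-install smoke test. This is an added example, not code from the post or from Search Guard; it assumes the single-node localhost:9200 setup of this tutorial and the demo self-signed certificates, which is why certificate verification is switched off in the client.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

BASE = "localhost:9200"            # single-node setup from this tutorial
AUTHINFO = "/_searchguard/authinfo"


def http_fetch(url, auth=None):
    """Return (status, body). Raises on connection-level failure.
    Certificate verification is disabled because the demo certs are self-signed."""
    req = urllib.request.Request(url)
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def verify_search_guard(fetch=http_fetch):
    """Run the three checks; 'fetch' is injectable so the logic can be tested offline."""
    results = {}
    # 1. Plain http must fail now that TLS is enforced on the REST layer
    try:
        status, _ = fetch("http://" + BASE + AUTHINFO)
        results["plain_http_refused"] = status >= 400
    except Exception:                      # handshake garbage -> connection dropped
        results["plain_http_refused"] = True
    # 2. https without credentials must be rejected (401 Unauthorized)
    status, _ = fetch("https://" + BASE + AUTHINFO)
    results["anonymous_rejected"] = status == 401
    # 3. https as admin/admin must return the logged-in user's info as JSON
    status, body = fetch("https://" + BASE + AUTHINFO, auth=("admin", "admin"))
    try:
        info = json.loads(body)
        results["admin_authinfo"] = status == 200 and "admin" in json.dumps(info)
    except ValueError:
        results["admin_authinfo"] = False
    return results


if __name__ == "__main__":
    for check, ok in verify_search_guard().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```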

Congratulations, Search Guard is now installed and configured properly.

If you want to learn more about the structure and contents of the configuration files, refer to the chapter “Search Guard configuration” of the documentation. After you make changes to the configuration, simply execute sgadmin_demo.sh again for the changes to take effect.

Adding Kibana to the mix

As with Elasticsearch, Kibana does not provide any security or session management out of the box. As the first step, we will configure Kibana so that it is able to talk to our Search Guard secured cluster. In the second step, we will install the Search Guard Kibana plugin which adds session management capabilities.

Configuring Kibana

For Kibana to work with a Search Guard secured cluster, we need to make some adjustments in the kibana.yml configuration file. First, change the default Elasticsearch URL from http to https:

elasticsearch.url: "https://localhost:9200"

And since we are using self-signed certificates in this tutorial, we need to tell Kibana to accept them explicitly by disabling certificate verification:

elasticsearch.ssl.verificationMode: none

This is of course not recommended for production. In production, you would rather install and configure your Root CA in Kibana, but that is outside the scope of this tutorial.

Kibana uses a service user under the hood to manage the Kibana index, check the cluster health and so on. This service user has to be present in Search Guard, and it needs to have the correct permissions to execute all required actions. The demo configuration already contains such a service user. The username and password of this user are both “kibanaserver”. To tell Kibana to use these credentials when talking to Elasticsearch, add the following lines to kibana.yml:

elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"

These are the minimal changes you need to perform. You can now start Kibana again and check that the connection to Elasticsearch works correctly.
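The three kibana.yml settings changed above are exactly the ones worth checking before a cluster goes beyond the demo stage. The following audit script is an added example (not part of the post, Kibana or Search Guard): it parses the flat key: value lines of kibana.yml and flags a non-https elasticsearch.url, disabled certificate verification, missing service credentials, and a service user whose password equals its username (as the demo “kibanaserver” user has). The sample kibana.yml content is constructed from this tutorial.

```python
# Constructed kibana.yml content as written in this tutorial (demo settings).
DEMO_KIBANA_YML = """\
server.port: 5601
# connection to the Search Guard secured cluster
elasticsearch.url: "https://localhost:9200"
elasticsearch.ssl.verificationMode: none
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
"""


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines kibana.yml uses (comments and blanks ignored).
    Only the first ':' separates key from value, so URLs with ports survive intact."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_kibana_settings(settings):
    """Return a list of findings about the Elasticsearch connection settings."""
    findings = []
    url = settings.get("elasticsearch.url", "")
    if not url.startswith("https://"):
        findings.append("elasticsearch.url is not https: Kibana cannot reach the TLS-secured REST layer")
    # An absent key is assumed to mean certificate verification stays enabled.
    if settings.get("elasticsearch.ssl.verificationMode", "full") == "none":
        findings.append("elasticsearch.ssl.verificationMode is none: certificate checks disabled (demo only)")
    user = settings.get("elasticsearch.username")
    password = settings.get("elasticsearch.password")
    if not user or not password:
        findings.append("elasticsearch.username/password missing: the Kibana service user cannot authenticate")
    elif password == user:
        findings.append("service user password equals username: replace the demo credentials before production")
    return findings


if __name__ == "__main__":
    for finding in audit_kibana_settings(parse_flat_yaml(DEMO_KIBANA_YML)):
        print("WARN", finding)
```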

Installing the Kibana plugin

If you now try to access Kibana, you will see a Basic Authentication dialog popping up. This works, but we’d like to have a proper login dialog and the possibility to log out again without closing the browser. This is where the Kibana plugin comes into play.

As with Search Guard, you need to install the plugin that matches your Kibana version exactly. In our case, this is version 5.4.0-2. You can find all available versions on the GitHub release page:

https://github.com/floragunncom/search-guard-kibana-plugin/releases

Stop Kibana and download the zip file of the plugin to a directory on your machine:

https://github.com/floragunncom/search-guard-kibana-plugin/releases/download/v5.4.0/searchguard-kibana-5.4.0-2.zip

After that, install it like any other Kibana plugin: Change to the Kibana installation directory and execute:

bin/kibana-plugin install file:///path/to/searchguard-kibana-5.4.0-2.zip

This will install the plugin, and run the Kibana optimizer afterwards. This may take a couple of minutes. After that, restart Kibana and access it via

http://localhost:5601

You will be redirected to the login page and prompted to provide a username and password.

Use the demo Kibana user to log in; the username and password are both “kibanaro”. This user is mapped to the role sg_kibana and has access to all indices.

That’s it. Both Elasticsearch and Kibana are secured with Search Guard.

Where to go next?

Deep-dive into Search Guard by reading the official documentation:

https://github.com/floragunncom/search-guard-docs

Learn more about integrating Kibana and Search Guard:

https://github.com/floragunncom/search-guard-docs/blob/master/kibana.md

Add Kibana multi-tenancy to separate dashboards and visualizations:

https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md

Ask questions on the Search Guard Google Group:

https://groups.google.com/forum/#!forum/search-guard

Read about our fair, flexible and affordable enterprise license model:

https://floragunn.com/searchguard/searchguard-license-support/

Follow us on Twitter to stay up-to-date with new releases and features:

https://twitter.com/searchguard

 
