Install the Shield and License plugins for Elasticsearch (see https://www.elastic.co/guide/en/shield/current/getting-started.html):
# Install the License and Shield plugins into Elasticsearch, in the order the
# Shield getting-started guide uses (license first, then shield).
for plugin in license shield; do
  bin/plugin install "$plugin"
done
- Follow https://www.elastic.co/guide/en/shield/current/kibana.html to install the Shield plugin for Kibi
- The SSL settings in steps 4 and 5 are not the same thing (step 4 is not required for development).
- Kibana does not support SSL with a passphrase
Create server.key and server.crt (self-signed, no passphrase) following http://blog.justin.kelly.org.au/how-to-create-a-self-sign-ssl-cert-with-no-pa/:
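# Self-signed server certificate for Kibi's HTTPS listener (development only).
# The key is generated without a passphrase on purpose: Kibana cannot load a
# passphrase-protected key.
# 2048-bit RSA instead of the blog post's 1024: 1024-bit keys are below the
# minimum that current TLS stacks accept.
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 366 -in server.csr -signkey server.key -out server.crt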
Add my own user with the kibana4 role, and a kibana4-server user with the kibana4_server role:
# Create the Shield users this setup relies on: the Kibi server account, the
# transport-client account, and three demo logins for the kibana4,
# restrictedindex and restrictedfieldsinvestment roles defined in roles.yml.
# All of them use the dev password "password". Note that passing -p on the
# command line leaves the password in shell history; esusers can prompt for it
# instead when -p is omitted.
for entry in \
  kibana4-server:kibana4_server \
  transport_client:transport_client \
  simon:kibana4 \
  simon-index:restrictedindex \
  simon-fields:restrictedfieldsinvestment; do
  ./bin/shield/esusers useradd "${entry%%:*}" -r "${entry#*:}" -p password
done
To enable field- and document-level restrictions on version 2.2.0, add this flag to elasticsearch.yml:
# Only needed on 2.2.0: turns on Shield's document- and field-level security.
shield.dls_fls.enabled: true
This was fixed in 2.2.1.
- Edit config/shield/roles.yml. I added authorization for the various actions Kibi performs (listing plugins, getting stats, ...):
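# Shield 2.x roles.yml for the Kibi demo setup. Indentation restored (it had
# been lost in the paste, which left every key at column 0 and produced
# duplicate '*' / 'privileges' keys). Each top-level key is a role; `cluster`
# lists cluster privileges and `indices` maps an index name or pattern to its
# index privileges (plus, for field-level security, the `fields` allow-list).
# `privileges` values are kept as the comma-separated strings Shield accepts;
# `all` grants every index privilege on that index.

# Defines the required permissions for transport clients
transport_client:
  cluster:
    - cluster:monitor/nodes/liveness
    # uncomment the following for sniffing
    #- cluster:monitor/state
  indices:
    # '*' matches every index, so this is read access to the whole cluster;
    # narrow it to the indices the transport client actually queries outside dev.
    '*':
      privileges: indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/read/msearch

# The required permissions for kibana 4 users.
kibana4:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    # Read-only access to the demo data indices.
    'article':
      privileges: indices:data/read/get, indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get, indices:data/read/coordinate-search, indices:data/read/coordinate-msearch
    'company':
      privileges: indices:data/read/get, indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get, indices:data/read/coordinate-search, indices:data/read/coordinate-msearch
    'investment':
      privileges: indices:data/read/get, indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get, indices:data/read/coordinate-search, indices:data/read/coordinate-msearch
    'investor':
      privileges: indices:data/read/get, indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get, indices:data/read/coordinate-search, indices:data/read/coordinate-msearch
    # Kibi's own index: unlike the data indices it also gets write/delete
    # privileges (presumably for saving dashboards and queries — confirm).
    '.kibi':
      privileges: indices:data/read/coordinate-search, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

# The required permissions for the kibana 4 server
kibana4_server:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
    - cluster:monitor/state
    - cluster:monitor/nodes/stats
  indices:
    # Stats only on every index; data access is limited to '.kibi' below.
    '*':
      privileges: indices:monitor/stats
    '.kibi':
      privileges: indices:admin/create, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

# Role that grants access only to the "investment" index (plus Kibi's own index).
# NOTE(review): unlike the other Kibi roles it has no `cluster` section — verify
# the UI still loads for a user that holds only this role.
restrictedindex:
  indices:
    'investment':
      privileges: all
    '.kibi':
      privileges: indices:data/read/coordinate-search, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

# Role that restricts access to some fields of index "investment" (user can't see data referred to funded_date)
restrictedfieldsinvestment:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
    - cluster:admin/plugin/siren/license/get
  indices:
    'investment':
      privileges: all
      # `fields` is the allow-list of fields the role may see.
      # NOTE(review): the role comment says funded_date must be hidden, yet
      # funded_date is listed below, so it stays visible — confirm the intent
      # and drop it from this list if the restriction is meant to apply.
      fields:
        - hassourcedescription
        - localname
        - investorid
        - hassourceurl
        - companyid
        - id
        - label
        - raised_amount
        - round_code
        - raised_currency_code
        - funded_date
        - funded_year
        - _source
        - _score
    'article':
      privileges: all
    'company':
      privileges: all
    'investor':
      privileges: all
    '.kibi':
      privileges: indices:data/read/coordinate-search, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update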
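# Fetch the Shield plugin for Kibi/Kibana 4 and install it from the local archive.
# Download over HTTPS rather than plain http:// so the archive cannot be altered
# in transit; $PWD is quoted in case the working directory contains spaces.
wget https://download.elastic.co/kibana/shield/shield-2.2.0.tar.gz
./bin/kibi plugin --install shield --url "file://$PWD/shield-2.2.0.tar.gz"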
Edit config/kibi.dev.yml:
# Account Kibi's server process uses against Elasticsearch; it must match the
# kibana4-server user created with esusers above (dev password).
elasticsearch.username: 'kibana4-server'
elasticsearch.password: 'password'

# TLS for Kibi's own HTTP listener: the self-signed pair generated with openssl
# above. The key has no passphrase because Kibana does not support one.
server.ssl.cert: server.crt
server.ssl.key: server.key

# Shield plugin settings. "something_secret" is a placeholder value; use a
# unique random key on anything other than a throwaway dev box.
shield.encryptionKey: 'something_secret'
shield.sessionTimeout: 86400000  # presumably milliseconds (= 24 h) — confirm against the Shield docs
The server.key and server.crt files were generated above.
Then, in the kibi_core section, we need:
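# kibi_core section of config/kibi.dev.yml. Nesting reconstructed: the pasted
# snippet had lost its indentation, which would have made every key top-level.
# elasticsearch.transport_client and gremlin_server are read as children of
# kibi_core — confirm against the kibi.yml that ships with Kibi.
kibi_core:
  load_jdbc: true
  # Encryption of stored datasource credentials. The key below is the literal
  # value from these dev notes; a real deployment must generate its own and
  # keep it out of version control.
  datasource_encryption_algorithm: 'AES-GCM'
  datasource_encryption_key: 'iSxvZRYisyUW33FreTBSyJJ34KpEquWznUPDvn+ka14='
  datasource_cache_size: 501
  default_dashboard_id: Articles
  elasticsearch:
    # Must match the transport_client user created with esusers above (dev password).
    transport_client:
      username: transport_client
      password: password
  gremlin_server:
    url: https://127.0.0.1:8061
    path: ../gremlin_server/gremlin-es2-server-0.1.0.jar
    # uncomment this for gremlin behind ssl
    #ssl:
    #  key_store: '/Users/szydan/home/workspace-kibana/kibi-internal/ca/gremlin.jks'
    #  key_store_password: 'password'
    #  ca: '/Users/szydan/home/workspace-kibana/kibi-internal/ca/certs/cacert.pem'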