Become the elastic user with:
sudo su - elastic
Create a certs directory on each node:
mkdir /home/elastic/elasticsearch/config/certs
On the master-1 node, create a CA certificate with password elastic_ca in the new certs directory:
/home/elastic/elasticsearch/bin/elasticsearch-certutil ca --out config/certs/ca --pass elastic_ca
Become the elastic user with:
sudo su - elastic
On the master-1 node, generate each node’s certificate with the CA per instructions:
/home/elastic/elasticsearch/bin/elasticsearch-certutil cert --ca config/certs/ca --ca-pass elastic_ca --name master-1 --dns ip-10-1-101.ec2.internal --ip 10.0.1.101 --out config/certs/master-1 --pass elastic_master_1
/home/elastic/elasticsearch/bin/elasticsearch-certutil cert --ca config/certs/ca --ca-pass elastic_ca --name master-2 --dns ip-10-1-102.ec2.internal --ip 10.0.1.102 --out config/certs/master-2 --pass elastic_master_2
/home/elastic/elasticsearch/bin/elasticsearch-certutil cert --ca config/certs/ca --ca-pass elastic_ca --name master-3 --dns ip-10-1-103.ec2.internal --ip 10.0.1.103 --out config/certs/master-3 --pass elastic_master_3
/home/elastic/elasticsearch/bin/elasticsearch-certutil cert --ca config/certs/ca --ca-pass elastic_ca --name data-1 --dns ip-10-1-104.ec2.internal --ip 10.0.1.104 --out config/certs/data-1 --pass elastic_data_1
/home/elastic/elasticsearch/bin/elasticsearch-certutil cert --ca config/certs/ca --ca-pass elastic_ca --name data-2 --dns ip-10-1-105.ec2.internal --ip 10.0.1.105 --out config/certs/data-2 --pass elastic_data_2
/home/elastic/elasticsearch/bin/elasticsearch-certutil cert --ca config/certs/ca --ca-pass elastic_ca --name data-3 --dns ip-10-1-106.ec2.internal --ip 10.0.1.106 --out config/certs/data-3 --pass elastic_data_3
On the master-1 node, remote copy each certificate to the certs directory created on each node:
scp /home/elastic/elasticsearch/config/certs/master-2 10.0.1.102:/home/elastic/elasticsearch/config/certs
scp /home/elastic/elasticsearch/config/certs/master-3 10.0.1.103:/home/elastic/elasticsearch/config/certs
scp /home/elastic/elasticsearch/config/certs/data-1 10.0.1.104:/home/elastic/elasticsearch/config/certs
scp /home/elastic/elasticsearch/config/certs/data-2 10.0.1.105:/home/elastic/elasticsearch/config/certs
scp /home/elastic/elasticsearch/config/certs/data-3 10.0.1.106:/home/elastic/elasticsearch/config/certs
Add the transport keystore password on each node:
echo "CERTIFICATE_PASSWORD_HERE" | /home/elastic/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.transport.ssl.keystore.secure_password
Add the transport truststore password on each node:
echo "CERTIFICATE_PASSWORD_HERE" | /home/elastic/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.transport.ssl.truststore.secure_password
Add the HTTP keystore password on each node:
echo "CERTIFICATE_PASSWORD_HERE" | /home/elastic/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.http.ssl.keystore.secure_password
Add the HTTP truststore password on each node:
echo "CERTIFICATE_PASSWORD_HERE" | /home/elastic/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.http.ssl.truststore.secure_password
Become the elastic user with:
sudo su - elastic
Add the following to /home/elastic/elasticsearch/config/elasticsearch.yml on each node:
#
# ---------------------------------- X-Pack ------------------------------------
#
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.keystore.path: certs/CERTIFICATE_FILE_NAME_HERE
xpack.security.transport.ssl.truststore.path: certs/CERTIFICATE_FILE_NAME_HERE
Stop Elasticsearch:
pkill -F /home/elastic/elasticsearch/pid
Start Elasticsearch as a background daemon and record the PID to a file:
/home/elastic/elasticsearch/bin/elasticsearch -d -p pid
Become the elastic user with:
sudo su - elastic
Set the built-in user passwords using the elasticsearch-setup-passwords utility on the master-1 node:
/home/elastic/elasticsearch/bin/elasticsearch-setup-passwords interactive
Use the following passwords:
User: elastic
Password: la_elastic_409
User: apm_system
Password: la_apm_system_409
User: kibana
Password: la_kibana_409
User: logstash_system
Password: la_logstash_system_409
User: beats_system
Password: la_beats_system_409
User: remote_monitoring_user
Password: la_remote_monitoring_user_409
Become the elastic user with:
sudo su - elastic
Add the following to /home/elastic/elasticsearch/config/elasticsearch.yml:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/CERTIFICATE_FILE_NAME_HERE
xpack.security.http.ssl.truststore.path: certs/CERTIFICATE_FILE_NAME_HERE
Stop Elasticsearch:
pkill -F /home/elastic/elasticsearch/pid
Start Elasticsearch as a background daemon and record the PID to a file:
/home/elastic/elasticsearch/bin/elasticsearch -d -p pid
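As an added check that is not part of the lab, this script confirms, before the certificates are copied out and the nodes restarted, that a node's PKCS#12 file chains to the cluster CA and carries the DNS and IP SANs that verification_mode: full will match against the peer address. It assumes openssl is installed and uses the file names and passwords from the certutil commands above.

```shell
#!/bin/sh
# Added post-generation check (not part of the lab): a node certificate that is
# not issued by the cluster CA, or whose SANs do not match the node's DNS name
# and IP, will fail transport TLS once verification_mode: full is enabled.
# Assumes: openssl on PATH; PKCS#12 files and passwords as generated above.

# Print the CA certificate (PEM) held in the ca PKCS#12 bundle: $1=ca file, $2=password
ca_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null
}

# Check one node certificate: $1=node p12, $2=its password, $3=CA PEM file,
# $4=expected DNS SAN, $5=expected IP SAN. Returns non-zero on the first problem.
check_node_cert() {
  cert=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null) \
    || { echo "$1: cannot open PKCS#12 (wrong password?)"; return 1; }
  # 1) Chain: the node certificate must verify against the cluster CA.
  printf '%s\n' "$cert" | openssl verify -CAfile "$3" >/dev/null 2>&1 \
    || { echo "$1: not issued by the cluster CA"; return 1; }
  # 2) SANs: pull the "DNS:..., IP Address:..." line from the parsed certificate.
  san=$(printf '%s\n' "$cert" | openssl x509 -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
  # A trailing ", " makes every entry end the same way, so 10.0.1.10 cannot match 10.0.1.101.
  case "$san, " in *"DNS:$4, "*) ;; *) echo "$1: missing DNS SAN $4"; return 1 ;; esac
  case "$san, " in *"IP Address:$5, "*) ;; *) echo "$1: missing IP SAN $5"; return 1 ;; esac
  echo "$1: OK ($san)"
}

# Usage on master-1 after the certutil steps (paths and passwords as in the lab):
# cd /home/elastic/elasticsearch/config/certs
# ca_pem ca elastic_ca > ca.pem
# check_node_cert master-1 elastic_master_1 ca.pem ip-10-1-101.ec2.internal 10.0.1.101
# check_node_cert data-1 elastic_data_1 ca.pem ip-10-1-104.ec2.internal 10.0.1.104
```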
You are working as a system administrator in charge of a 3-node Elasticsearch cluster that will serve as a proof of concept for using Elasticsearch to store sensitive information. To evaluate the confidentiality and accessibility requirements of the data, your security team has asked you to lock down Elasticsearch with user authentication.
For this proof of concept, the security team has loaded the cluster with some sample data. Now they need you to create custom roles and users to restrict access to that data accordingly.
----------------+----------+------------------+--------------------
Role Name       | Indexes  | Index Privileges | Cluster Privileges
----------------+----------+------------------+--------------------
sample_read     | sample-* | Read             | None
----------------+----------+------------------+--------------------
sample_write    | sample-* | Read, Write      | None
----------------+----------+------------------+--------------------
sample_monitor  | sample-* | Read, Monitor    | None
----------------+----------+------------------+--------------------
----------+---------------------------+------------------+-----------------+----------
Username  | Full Name                 | Email            | Roles           | Password
----------+---------------------------+------------------+-----------------+----------
john      | John Doe                  | john@company.com | kibana_user     | john_123
          |                           |                  | sample_read     |
----------+---------------------------+------------------+-----------------+----------
jane      | Jane Doe                  | jane@company.com | kibana_user     | jane_456
          |                           |                  | sample_write    |
----------+---------------------------+------------------+-----------------+----------
noc       | Network Operations Center | noc@company.com  | kibana_user     | noc_789
          |                           |                  | monitoring_user |
          |                           |                  | sample_monitor  |
----------+---------------------------+------------------+-----------------+----------
POST _security/role/sample_read
{
  "indices": [
    {
      "names": [
        "sample-*"
      ],
      "privileges": [
        "read"
      ]
    }
  ]
}
Or
curl -k -u elastic:la_elastic_409 -XPOST "http://localhost:9200/_security/role/sample_read?pretty" -H 'Content-Type: application/json' -d'{"indices":[{"names":["sample-*"],"privileges":["read"]}]}'
POST _security/role/sample_write
{
  "indices": [
    {
      "names": [
        "sample-*"
      ],
      "privileges": [
        "read",
        "write"
      ]
    }
  ]
}
Or
curl -k -u elastic:la_elastic_409 -XPOST "http://localhost:9200/_security/role/sample_write?pretty" -H 'Content-Type: application/json' -d'{"indices":[{"names":["sample-*"],"privileges":["read","write"]}]}'
POST _security/role/sample_monitor
{
  "indices": [
    {
      "names": [
        "sample-*"
      ],
      "privileges": [
        "read",
        "monitor"
      ]
    }
  ]
}
Or
curl -k -u elastic:la_elastic_409 -XPOST "http://localhost:9200/_security/role/sample_monitor?pretty" -H 'Content-Type: application/json' -d'{"indices":[{"names":["sample-*"],"privileges":["read","monitor"]}]}'
POST _security/user/john
{
  "roles": [
    "kibana_user",
    "sample_read"
  ],
  "full_name": "John Doe",
  "email": "john@company.com",
  "password": "john_123"
}
Or
curl -k -u elastic:la_elastic_409 -XPOST "http://localhost:9200/_security/user/john?pretty" -H 'Content-Type: application/json' -d'{"roles":["kibana_user","sample_read"],"full_name":"John Doe","email":"john@company.com","password":"john_123"}'
POST _security/user/jane
{
  "roles": [
    "kibana_user",
    "sample_write"
  ],
  "full_name": "Jane Doe",
  "email": "jane@company.com",
  "password": "jane_456"
}
Or
curl -k -u elastic:la_elastic_409 -XPOST "http://localhost:9200/_security/user/jane?pretty" -H 'Content-Type: application/json' -d'{"roles":["kibana_user","sample_write"],"full_name":"Jane Doe","email":"jane@company.com","password":"jane_456"}'
POST _security/user/noc
{
  "roles": [
    "kibana_user",
    "sample_monitor",
    "monitoring_user"
  ],
  "full_name": "Network Operations Center",
  "email": "noc@company.com",
  "password": "noc_789"
}
Or
curl -k -u elastic:la_elastic_409 -XPOST "http://localhost:9200/_security/user/noc?pretty" -H 'Content-Type: application/json' -d'{"roles":["kibana_user","sample_monitor","monitoring_user"],"full_name":"Network Operations Center","email":"noc@company.com","password":"noc_789"}'
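As an added example that is not part of the lab, the script below creates the roles and users from the two tables over HTTPS and then asks the cluster, authenticated as each new user, which privileges it actually holds on sample-* via Elasticsearch's _has_privileges API, so any gap between the table and the live cluster is reported. The HTTPS endpoint and the PEM copy of the cluster CA (CA_PEM) are assumptions about the environment.

```python
"""Added example, not from the lab: create the sample_* roles and users from the
tables above over HTTPS, then compare each user's real privileges on sample-*
(_has_privileges API) with the table. CA_PEM is an assumed path to the CA in PEM form."""
import base64, json, ssl, urllib.request

ES_URL = "https://localhost:9200"          # HTTP TLS enabled as in the steps above
CA_PEM = "/home/elastic/elasticsearch/config/certs/ca.pem"  # assumption: CA exported to PEM
ADMIN = ("elastic", "la_elastic_409")
PROBE = ["read", "write", "monitor"]       # index privileges to ask the cluster about
# Role table: name -> (index pattern, index privileges). Cluster privileges: none.
ROLES = {"sample_read": ("sample-*", ["read"]),
         "sample_write": ("sample-*", ["read", "write"]),
         "sample_monitor": ("sample-*", ["read", "monitor"])}
# User table: name -> (full name, email, roles, password).
USERS = {"john": ("John Doe", "john@company.com", ["kibana_user", "sample_read"], "john_123"),
         "jane": ("Jane Doe", "jane@company.com", ["kibana_user", "sample_write"], "jane_456"),
         "noc": ("Network Operations Center", "noc@company.com",
                 ["kibana_user", "monitoring_user", "sample_monitor"], "noc_789")}

def role_body(pattern, privileges):
    return {"indices": [{"names": [pattern], "privileges": privileges}]}

def expected_index_privileges(user):
    """Union of the user's custom roles on sample-* (kibana_user/monitoring_user grant none there)."""
    granted = {p for role in USERS[user][2] if role in ROLES for p in ROLES[role][1]}
    return {p: p in granted for p in PROBE}

def privilege_deviations(user, has_privileges_response):
    """Compare a _has_privileges response with the table: [(privilege, expected, actual)]."""
    actual = has_privileges_response["index"]["sample-*"]
    expected = expected_index_privileges(user)
    return [(p, expected[p], actual.get(p)) for p in PROBE if actual.get(p) != expected[p]]

def call(method, path, body, creds):
    """JSON request with basic auth; the node certificate is verified against the lab CA."""
    ctx = ssl.create_default_context(cafile=CA_PEM)
    token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
    req = urllib.request.Request(ES_URL + path, data=json.dumps(body).encode(), method=method,
                                 headers={"Content-Type": "application/json", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def provision_and_verify():
    for name, (pattern, privs) in ROLES.items():
        call("POST", f"/_security/role/{name}", role_body(pattern, privs), ADMIN)
    for name, (full_name, email, roles, password) in USERS.items():
        call("POST", f"/_security/user/{name}",
             {"roles": roles, "full_name": full_name, "email": email, "password": password}, ADMIN)
        resp = call("POST", "/_security/user/_has_privileges",   # authenticated as the new user
                    {"index": [{"names": ["sample-*"], "privileges": PROBE}]}, (name, password))
        print(name, privilege_deviations(name, resp) or "matches the table")

if __name__ == "__main__":
    provision_and_verify()
```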