Using Roles and Users for Data Access in Elasticsearch
Elasticsearch uses a security model to control access to data through roles and users. This allows only authorized users to log in and perform certain actions according to roles. Implementing role-based access control is essential for data security and operational integrity in an Elasticsearch environment.
This guide explains how to configure roles and users for secure data access.
Enable Security in Elasticsearch
Security features, including user authentication and role-based access, must be enabled to use roles and users.
Steps:
1. Open your elasticsearch.yml file.
2. Add the following settings to enable security features:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
3. Restart Elasticsearch to apply the changes:
sudo systemctl restart elasticsearch
Create Roles
Roles define:
- The indices a user can access.
- The operations a user can perform on those indices.
- Cluster-wide privileges.
Example: Create a Role with Read-Only Access
POST /_security/role/data_reader
{
"cluster": [],
"indices": [
{
"names": ["logs-*"],
"privileges": ["read"]
}
]
}
- The data_reader role grants the read privilege on all indices matching the pattern logs-*.
- No cluster-level privileges are assigned ("cluster": []).
Create Users
Users are mapped to one or more roles, determining their permissions.
Example: Create a User with the data_reader Role
POST /_security/user/john_doe
{
"password": "securepassword123",
"roles": ["data_reader"],
"full_name": "Your Name",
"email": "your.name@example.com"
}
Default Roles
Elasticsearch ships with built-in roles, for example:
- superuser: Full access to all cluster and index operations.
- kibana_dashboard_only_user: Read-only access to Kibana dashboards.
- monitoring_user: Access to cluster monitoring data.
Role and User Management in Kibana
Steps:
- Log in to Kibana with a user that has superuser privileges.
- Navigate to Management > Security > Roles or Management > Security > Users.
- Create or modify roles and users through the UI.
Role-Based Access for Index Operations
Example 1: Write-Only Access
A role that allows write operations but prevents users from reading data:
POST /_security/role/data_writer
{
"cluster": [],
"indices": [
{
"names": ["logs-*"],
"privileges": ["write"]
}
]
}
Example 2: Restricted Data Access
A role that grants read access only to specific fields within an index (field-level security):
POST /_security/role/restricted_access
{
"cluster": [],
"indices": [
{
"names": ["sensitive-data-*"],
"privileges": ["read"],
"field_security": {
"grant": ["public_field", "metadata_field"]
}
}
]
}
Monitor User Activity
Steps to Enable Audit Logging:
- Add the following to your elasticsearch.yml:
xpack.security.audit.enabled: true
Logs are stored in the logs/security_audit.log file by default.
Best Practices for Role and User Management
- Follow the Principle of Least Privilege: Assign only the minimum required permissions to each role.
- Use Patterns for Index Names: Define roles with wildcard patterns for flexible data access.
- Regularly Review Roles and Users: Audit permissions periodically to ensure compliance.
- Enable TLS/SSL: Secure communication to protect user credentials and sensitive data.
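The periodic review recommended above can be automated by inspecting role definitions offline. The following is an added example, not code from this guide or from Elasticsearch; it assumes ROLES is a constructed sample shaped like the body returned by GET /_security/role (a real endpoint) and flags roles that break the least-privilege points above, including a read grant on sensitive indices without the field_security restriction shown in Example 2.

```python
# Offline least-privilege review of Elasticsearch role definitions. Assumption:
# ROLES is a constructed sample shaped like a GET /_security/role response body.
from fnmatch import fnmatchcase

ROLES = {
    "data_reader": {
        "cluster": [],
        "indices": [{"names": ["logs-*"], "privileges": ["read"]}],
    },
    "restricted_access": {
        "cluster": [],
        "indices": [{
            "names": ["sensitive-data-*"],
            "privileges": ["read"],
            "field_security": {"grant": ["public_field", "metadata_field"]},
        }],
    },
    "ops_admin": {  # constructed example of an over-broad role
        "cluster": ["all"],
        "indices": [{"names": ["*"], "privileges": ["all"]}],
    },
}

BROAD_CLUSTER = {"all", "manage_security"}  # imply full cluster control
BROAD_INDEX = {"all", "manage"}             # go beyond plain read/write
BROAD_NAMES = {"*", "_all"}                 # match every index


def audit_role(role: dict, sensitive_patterns=("sensitive-*",)) -> list[str]:
    """Return human-readable findings for one role definition."""
    findings = []
    for priv in role.get("cluster", []):
        if priv in BROAD_CLUSTER:
            findings.append(f"cluster privilege '{priv}' grants full cluster control")
    for grant in role.get("indices", []):
        names, privs = grant.get("names", []), set(grant.get("privileges", []))
        for name in names:
            if name in BROAD_NAMES:
                findings.append(f"index pattern '{name}' matches every index")
            # Granted pattern is compared as text; wildcards are not expanded.
            if (privs & {"read", "all"} and "field_security" not in grant
                    and any(fnmatchcase(name, p) for p in sensitive_patterns)):
                findings.append(f"read on '{name}' without field_security")
        for priv in sorted(privs & BROAD_INDEX):
            findings.append(f"index privilege '{priv}' on {names} allows mapping changes")
    return findings


def audit_roles(roles: dict) -> dict[str, list[str]]:
    """Map each role name to its findings; roles with none are omitted."""
    return {name: f for name, r in roles.items() if (f := audit_role(r))}
```

Feeding the real response of GET /_security/role into audit_roles gives the same per-role findings for a live cluster.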
Test User Permissions
After configuring roles and users, test their permissions to ensure they meet the requirements.
Example Test Query
Log in with the user credentials and attempt an action:
curl -u john_doe:securepassword123 -X GET "https://your-cluster:9200/logs-2024/_search"
- A successful query confirms the correct role configuration.
- A permission denied error (403 Forbidden) indicates missing privileges.
Conclusion
The main tools for data protection and access control in Elasticsearch are roles and users. Using RBAC, administrators can control the level of permissions, ensuring that users have access to only the data and actions they need. For more details, visit the official Elasticsearch documentation.