@szydan
Forked from scampi/Shield-and-Kibi.md
Last active May 3, 2016 16:52
Kibi bits and pieces

Steps

Install the Shield and license plugins for Elasticsearch (see https://www.elastic.co/guide/en/shield/current/getting-started.html):

bin/plugin install license
bin/plugin install shield

Create server.{key,crt} as described in http://blog.justin.kelly.org.au/how-to-create-a-self-sign-ssl-cert-with-no-pa/ (that post uses a 1024-bit RSA key; 2048 bits is the usual minimum today):

openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 366 -in server.csr -signkey server.key -out server.crt

In the Elasticsearch root folder, add my own user with the kibana4 role, a kibana4-server user with the kibana4_server role, and users for the transport_client and restricted roles defined below:

./bin/shield/esusers useradd kibana4-server -r kibana4_server -p password
./bin/shield/esusers useradd transport_client -r transport_client -p password

./bin/shield/esusers useradd simon -r kibana4 -p password
./bin/shield/esusers useradd simon-index -r restrictedindex -p password
./bin/shield/esusers useradd simon-fields -r restrictedfieldsinvestment -p password

In version 2.2.0, field- and document-level security has to be enabled explicitly by adding this flag to elasticsearch.yml:

shield.dls_fls.enabled: true

This was fixed in 2.2.1.

Elasticsearch roles

  • Edit config/shield/roles.yml. I added authorization for the various actions performed in Kibi (listing plugins, getting stats, ...):

# Defines the required permissions for transport clients
transport_client:
  cluster:
      - cluster:monitor/nodes/liveness
      #uncomment the following for sniffing
      #- cluster:monitor/state
  indices:
    '*':
      privileges: indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/read/msearch

# The required permissions for kibana 4 users.
kibana4:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
    'article':
      privileges: indices:data/read/get, indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get, indices:data/read/coordinate-search, indices:data/read/coordinate-msearch
    'company':
      privileges: indices:data/read/get, indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get, indices:data/read/coordinate-search, indices:data/read/coordinate-msearch
    'investment':
      privileges: indices:data/read/get, indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get, indices:data/read/coordinate-search, indices:data/read/coordinate-msearch
    'investor':
      privileges: indices:data/read/get, indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get, indices:data/read/coordinate-search, indices:data/read/coordinate-msearch
    '.kibi':
      privileges: indices:data/read/coordinate-search, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

# The required permissions for the kibana 4 server
kibana4_server:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
      - cluster:monitor/state
      - cluster:monitor/nodes/stats
  indices:
    '*':
      privileges: indices:monitor/stats
    '.kibi':
      privileges: indices:admin/create, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

# Role granting access only to index "investment"
restrictedindex:
  indices:
    'investment':
      privileges: all
    '.kibi':
      privileges: indices:data/read/coordinate-search, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

# Role restricting access to some fields of index "investment" (the intent is that the user can't see data
# referring to funded_date). Note that `fields` is an allowlist of the fields the user may read, so a field
# such as funded_date is only hidden if it is left out of the list.
restrictedfieldsinvestment:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
      - cluster:admin/plugin/siren/license/get
  indices:
    'investment':
      privileges: all
      fields:
        - hassourcedescription
        - localname
        - investorid
        - hassourceurl
        - companyid
        - id
        - label
        - raised_amount
        - round_code
        - raised_currency_code
        - funded_date
        - funded_year
        - _source
        - _score
    'article':
      privileges: all
    'company':
      privileges: all
    'investor':
      privileges: all
    '.kibi':
      privileges: indices:data/read/coordinate-search, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update
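To see what the roles above actually grant, here is an added toy model of Shield's index-privilege and field-level checks. It is illustration code written for this page, not Shield's authorization engine: the ROLES dict is a hand-written, abridged mirror of the roles above, and the sample document (including the `internal_note` field) is constructed. It also shows why the `fields` allowlist as written still exposes funded_date, and how dropping the field from the list hides it.

```python
"""Toy model of the Shield role checks relied on by the roles.yml above.

Added illustration, not Shield's own code. It models only what these roles
use: index patterns (the '*' entry), the 'all' privilege, and the `fields`
allowlist of field-level security.
"""
import copy
from fnmatch import fnmatchcase

# Abridged, hand-written mirror of the roles above (hypothetical Python form).
ROLES = {
    "kibana4_server": {
        "*": {"privileges": ["indices:monitor/stats"]},
        ".kibi": {"privileges": ["indices:admin/create", "indices:data/read/search",
                                 "indices:data/write/index"]},
    },
    "restrictedindex": {
        "investment": {"privileges": ["all"]},
        ".kibi": {"privileges": ["indices:data/read/search"]},
    },
    "restrictedfieldsinvestment": {
        "investment": {
            "privileges": ["all"],
            # allowlist: only these fields are returned for this index
            "fields": ["id", "label", "raised_amount", "round_code",
                       "raised_currency_code", "funded_date", "funded_year"],
        },
        "company": {"privileges": ["all"]},
    },
}

# Constructed sample document; `internal_note` is deliberately not in the allowlist.
INVESTMENT_DOC = {
    "id": "inv-1", "label": "Series A", "raised_amount": 5000000,
    "round_code": "a", "raised_currency_code": "USD",
    "funded_date": "2012-03-01", "funded_year": 2012,
    "internal_note": "not in the allowlist",
}


def matching_grants(roles, role_name, index):
    """Index entries of the role whose pattern matches the concrete index name."""
    return [grant for pattern, grant in roles[role_name].items()
            if fnmatchcase(index, pattern)]


def is_allowed(roles, role_name, index, privilege):
    """True if some matching entry lists the privilege or grants 'all'."""
    return any("all" in g["privileges"] or privilege in g["privileges"]
               for g in matching_grants(roles, role_name, index))


def visible_fields(roles, role_name, index, document):
    """Apply field-level security: an entry without `fields` exposes every
    field, otherwise only the union of the listed fields is returned.
    No matching entry means no access at all, so nothing is returned."""
    grants = matching_grants(roles, role_name, index)
    if not grants:
        return {}
    if any("fields" not in g for g in grants):
        return dict(document)
    allowed = {f for g in grants for f in g["fields"]}
    return {k: v for k, v in document.items() if k in allowed}


def drop_fields(roles, role_name, index, *names):
    """Copy of the roles with `names` removed from one entry's allowlist,
    which is what the comment on restrictedfieldsinvestment intends for funded_date."""
    updated = copy.deepcopy(roles)
    entry = updated[role_name][index]
    entry["fields"] = [f for f in entry["fields"] if f not in names]
    return updated


if __name__ == "__main__":
    role, idx = "restrictedfieldsinvestment", "investment"
    print("as written:", sorted(visible_fields(ROLES, role, idx, INVESTMENT_DOC)))
    fixed = drop_fields(ROLES, role, idx, "funded_date", "funded_year")
    print("without funded_*:", sorted(visible_fields(fixed, role, idx, INVESTMENT_DOC)))
```

Running it shows that the kibana4_server role gets only `indices:monitor/stats` on arbitrary indices while keeping full access to `.kibi`, that restrictedindex users get nothing back from `company`, and that funded_date only disappears from the investment documents once it is removed from the allowlist.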

Install Shield for Kibana (it has to be version 2.2.0 at the moment!):

wget http://download.elastic.co/kibana/shield/shield-2.2.0.tar.gz
./bin/kibi plugin --install shield --url file://$PWD/shield-2.2.0.tar.gz

Modify kibi.yml

Edit config/kibi.dev.yml:

elasticsearch.username: "kibana4-server"
elasticsearch.password: "password"
shield.encryptionKey: "something_secret"
shield.sessionTimeout: 86400000
server.ssl.key: server.key
server.ssl.cert: server.crt

The server.key and server.crt files were generated above.

Then, in the kibi_core section, we need:

kibi_core:
  load_jdbc: true
  datasource_encryption_algorithm: 'AES-GCM'
  datasource_encryption_key: 'iSxvZRYisyUW33FreTBSyJJ34KpEquWznUPDvn+ka14='
  datasource_cache_size: 501
  default_dashboard_id: Articles
  elasticsearch:
    transport_client:
      username: transport_client
      password: password
  gremlin_server:
    url: https://127.0.0.1:8061
    path: ../gremlin_server/gremlin-es2-server-0.1.0.jar
    # uncomment this for gremlin behind ssl
    #ssl:
    # key_store: '/Users/szydan/home/workspace-kibana/kibi-internal/ca/gremlin.jks'
    # key_store_password: 'password'
    # ca: '/Users/szydan/home/workspace-kibana/kibi-internal/ca/certs/cacert.pem'
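The two config fragments above carry two secrets: `shield.encryptionKey` (a placeholder string in kibi.dev.yml) and `kibi_core.datasource_encryption_key`, a base64 key used with `datasource_encryption_algorithm: 'AES-GCM'`. The following added example, written for this page and not part of Kibi, checks those values the way a practitioner would before deploying and generates replacement keys; the only values taken from the page are the two keys above, the placeholder word list and the 32-character minimum are my own assumptions.

```python
"""Sanity checks for the secrets in the kibi.yml fragments above.

Added illustration, not Kibi's own validation. Assumed: shield.encryptionKey
should be a long random string, and datasource_encryption_key must decode to
an AES key (16, 24 or 32 bytes) since the algorithm is AES-GCM.
"""
import base64
import binascii
import secrets

AES_KEY_SIZES = {16, 24, 32}  # AES-128 / AES-192 / AES-256
PLACEHOLDER_WORDS = ("secret", "password", "changeme", "something")  # assumption

# Values copied from the config fragments above.
GIST_CONFIG = {
    "shield.encryptionKey": "something_secret",
    "kibi_core.datasource_encryption_key": "iSxvZRYisyUW33FreTBSyJJ34KpEquWznUPDvn+ka14=",
}


def aes_key_bytes(b64_key):
    """Length in bytes of a base64 AES key, or None if the value is not valid
    base64 or not an AES key size."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except (binascii.Error, ValueError):
        return None
    return len(raw) if len(raw) in AES_KEY_SIZES else None


def new_datasource_key(size=32):
    """Fresh random AES key in the base64 form the config expects."""
    return base64.b64encode(secrets.token_bytes(size)).decode("ascii")


def new_encryption_key():
    """Fresh random value for shield.encryptionKey (43 URL-safe characters)."""
    return secrets.token_urlsafe(32)


def encryption_key_problems(key, min_length=32):
    """Problems with a shield.encryptionKey value: too short or a placeholder."""
    problems = []
    if len(key) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if any(word in key.lower() for word in PLACEHOLDER_WORDS):
        problems.append("looks like a placeholder")
    return problems


def check_config(config):
    """Findings for a flat dict of the two relevant kibi.yml keys."""
    findings = [f"shield.encryptionKey: {p}"
                for p in encryption_key_problems(config.get("shield.encryptionKey", ""))]
    if aes_key_bytes(config.get("kibi_core.datasource_encryption_key", "")) is None:
        findings.append("kibi_core.datasource_encryption_key: not a base64 AES key "
                        "(16, 24 or 32 bytes)")
    return findings


if __name__ == "__main__":
    for finding in check_config(GIST_CONFIG):
        print(finding)
    print("datasource key size:",
          aes_key_bytes(GIST_CONFIG["kibi_core.datasource_encryption_key"]), "bytes")
    print("suggested shield.encryptionKey:", new_encryption_key())
    print("suggested datasource_encryption_key:", new_datasource_key())
```

Against the values above it reports that the datasource key is a proper 32-byte (AES-256) key while `something_secret` is both short and an obvious placeholder; replace the latter with the generated value before exposing Kibi to users.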