From version 5.0 onward, Shield is part of X-Pack. For more information, see
Securing the Elastic Stack.
Example Shield Deployments
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.
The examples in this section demonstrate how you might deploy Shield to secure an Elasticsearch cluster.
E-commerce Example Using esusers
The e-commerce store site in this example has the following components:
- A webshop application, which executes queries
- A nightly bulk import process, which reindexes the documents to ensure correct pricing for the following day
- An update mechanism that writes data concurrently during business hours on a per-document basis
- A sales representative that needs to read sales-specific indices
Defining the roles
bulk:
  indices:
    - names: 'products_*'
      privileges:
        - write
        - read
        - manage
updater:
  indices:
    - names: 'products'
      privileges:
        - write
webshop:
  indices:
    - names: 'products'
      privileges:
        - read
monitoring:
  cluster:
    - monitor
  indices:
    - names: '*'
      privileges:
        - monitor
sales_rep:
  cluster:
    - none
  indices:
    - names: 'sales_*'
      privileges:
        - all
    - names: 'social_events'
      privileges:
        - read
Let’s step through each of the role definitions:
- The bulk role definition has the privileges to create/delete all indices starting with products_ as well as to index data into them. This set of privileges enables the user with this role to delete and repopulate a particular index as well as change settings on the index.
- The updater role does not require any information about concrete indices. The only privilege required for updating the products index is the write privilege.
- The webshop role is a read-only role that allows data access.
- The monitoring role extracts monitoring data for display on an internal screen of the web application.
- The sales_rep role has full access on all indices starting with sales and read access to the social_events index.
Creating Users and Their Roles
After creating the roles.yml file, you can use the esusers tool to create the needed users and the respective user-to-role mapping.
bin/shield/esusers useradd webshop -r webshop,monitoring
bin/shield/esusers useradd bulk -r bulk
bin/shield/esusers useradd updater -r updater
bin/shield/esusers useradd best_sales_guy_of_the_world -r sales_rep
bin/shield/esusers useradd second_best_sales_guy_of_the_world -r sales_rep
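To check that the roles and user mappings above grant only what each component needs, the following added example (not part of the Shield documentation) models them in Python and compares the outcome against a list of expected answers. The matching rule is a simplifying assumption, not Shield's authorization engine: a grant applies when the index name matches the wildcard pattern and the role names that privilege or holds all. The index names products_2016 and sales_2016 and the expectation table are constructed.

```python
from fnmatch import fnmatchcase

# Index privileges per role, transcribed from the roles.yml on this page.
ROLES = {
    "bulk": [("products_*", {"write", "read", "manage"})],
    "updater": [("products", {"write"})],
    "webshop": [("products", {"read"})],
    "monitoring": [("*", {"monitor"})],
    "sales_rep": [("sales_*", {"all"}), ("social_events", {"read"})],
}

# User-to-role mapping created by the esusers commands on this page.
USERS = {
    "webshop": ["webshop", "monitoring"],
    "bulk": ["bulk"],
    "updater": ["updater"],
    "best_sales_guy_of_the_world": ["sales_rep"],
    "second_best_sales_guy_of_the_world": ["sales_rep"],
}

def allowed(user, privilege, index):
    """True if any role of `user` grants `privilege` (or `all`) on `index`."""
    for role in USERS.get(user, []):
        for pattern, privileges in ROLES[role]:
            if fnmatchcase(index, pattern) and privileges & {privilege, "all"}:
                return True
    return False

def mismatches(expectations):
    """Return each (user, privilege, index) whose result differs from the expected one."""
    return [key for key, want in expectations.items() if allowed(*key) != want]

# Constructed expectations, derived from the component list at the top of the page.
EXPECTED = {
    ("webshop", "read", "products"): True,
    ("webshop", "write", "products"): False,
    ("webshop", "monitor", "sales_2016"): True,  # via the monitoring role on '*'
    ("updater", "write", "products"): True,
    ("updater", "read", "products"): False,
    ("bulk", "manage", "products_2016"): True,
    ("bulk", "write", "sales_2016"): False,
    ("best_sales_guy_of_the_world", "write", "sales_2016"): True,
    ("best_sales_guy_of_the_world", "write", "social_events"): False,
}

if __name__ == "__main__":
    for user, privilege, index in mismatches(EXPECTED):
        print("unexpected result:", user, privilege, index)
```

Under this model the bulk role's products_* pattern does not cover an index named exactly products, and the webshop user can read monitoring data for every index through the monitoring role.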
Modifying Your Application
With the users and roles defined, you now need to modify your application. Each part of the application must authenticate to Elasticsearch using the username and password you gave it in the previous steps.