Control Access with Basic Authentication

Shield makes it simple to password-protect your Elasticsearch cluster. Once Shield is installed, a username and password is required to communicate with the cluster.

If you submit a request without a username and password, the request is rejected:

curl -XGET 'http://localhost:9200/'

All you need to do to use basic authentication is set up users and assign them to one of the basic predefined roles:

admin
Can perform any cluster or index action.
power_user
Can monitor the cluster and perform any index action.
user
Can perform read actions on any index.

To get started, create a "super user" with the admin role:

  1. Use the esusers tool to create an admin user:

    bin/shield/esusers useradd es_admin -r admin
  2. When prompted, enter a password for the new user. Passwords must be at least 6 characters long.

Now you can submit requests as your admin user:

curl -u es_admin -XGET 'http://localhost:9200/'

That’s it! That’s all it takes to set up the first layer of security for your Elasticsearch cluster.

To set up additional users, use your admin user credentials to submit requests to the Users API. For more information, see Managing Native Users. You can also integrate with external user management systems, such as LDAP and Active Directory. For more information, see User Authentication.

Authenticating users is a great first step, but Shield offers much more than simple password protection. For example, you can:

Once you get these basic security measures in place, we strongly recommend that you secure communications to and from nodes by configuring your cluster to use SSL/TLS encryption. Nodes that do not have encryption enabled send passwords in plain text!

If your security requirements are more complex, you can also: