The examples in this section demonstrate how you might deploy Shield to secure an Elasticsearch cluster.
The e-commerce store site in this example store has the following components:
- A webshop application, which executes queries
- A nightly bulk import process, which reindexes the documents to ensure correct pricing for the following day
- A update mechanism that writes data concurrently during business hours on a per-document base
- A sales representative that needs to read sales-specific indices
bulk: indices: - names: 'products_*' privileges: - write - read - manage updater: indices: - names: 'products' privileges: - write webshop: indices: - names: 'products' privileges: - read monitoring: cluster: - monitor indices: - names: '*' privileges: - monitor sales_rep : cluster: - none indices: - names: 'sales_*' privileges: - all - names: 'social_events' privileges: - read
Let’s step through each of the role definitions:
bulkrole definition has the privileges to create/delete all indices starting with
products_as well as indexing data into it. This set of privileges enables the user with this role to delete and repopulate a particular index as well as change settings on the index.
updaterrole does not require any information about concrete indices. The only privileges required for updating the
productsindex is the
webshoprole is a read-only role that allows data access.
monitoringrole extracts monitoring data for display on an internal screen of the web application.
sales_reprole has full access on all indices starting with
salesand read access to the
After creating the
roles.yml file, you can use the
esusers tool to create the needed users and the respective
bin/shield/esusers useradd webshop -r webshop,monitoring
bin/shield/esusers useradd bulk -r bulk
bin/shield/esusers useradd updater -r updater
bin/shield/esusers useradd best_sales_guy_of_the_world -r sales_rep
bin/shield/esusers useradd second_best_sales_guy_of_the_world -r sales_rep
With the users and roles defined, you now need to modify your application. Each part of the application must authenticate to Elasticsearch using the username and password you gave it in the previous steps.