Getting Started with Shield

This getting started guide walks you through installing Shield, setting up basic authentication, and getting started with role-based access control. You can install Shield on nodes running Elasticsearch 2.4.6.

Important

The Shield plugin must be installed on every node in the cluster. If you are installing to a live cluster, you must stop all of the nodes, install Shield, and restart the nodes. You cannot perform a rolling restart to install Shield.

To install and run Shield:

  1. Run bin/plugin install from ES_HOME to install the license plugin.

    bin/plugin install license
  2. Run bin/plugin install to install the Shield plugin into Elasticsearch.

    bin/plugin install shield

    If you are using a DEB/RPM distribution of Elasticsearch, you need to run the installation with superuser permissions. To perform an offline installation, download the Shield binaries.

  3. If you have disabled automatic index creation in Elasticsearch, configure action.auto_create_index in elasticsearch.yml to allow Shield to create the .security index:

    action.auto_create_index: .security
    Note

    Marvel and Watcher also store data in automatically created indices. If you are using Marvel, you must allow creation of the .marvel-* indices. If you are using Watcher, you must allow creation of the .watch-history-* indices.

  4. Start Elasticsearch.

    bin/elasticsearch
  5. Check the startup log entries to verify that Shield is up and running. When Shield is operating normally, the log indicates that the network transports are using Shield:

    [2014-10-09 13:47:38,841][INFO ][transport ] [Ezekiel Stane] Using [org.elasticsearch.shield.transport.ShieldServerTransportService] as transport service, overridden by [shield]
    [2014-10-09 13:47:38,841][INFO ][transport ] [Ezekiel Stane] Using [org.elasticsearch.shield.transport.netty.ShieldNettyTransport] as transport, overridden by [shield]
    [2014-10-09 13:47:38,842][INFO ][http      ] [Ezekiel Stane] Using [org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport] as http transport, overridden by [shield]

Now you’re ready to secure your cluster! Here are a few things you might want to do to start with: