Shield makes it simple to password-protect your Elasticsearch cluster. Once Shield is installed, a username and password are required to communicate with the cluster.
If you submit a request without a username and password, the request is rejected:
curl -XGET 'http://localhost:9200/'
All you need to do to use basic authentication is set up users and assign them to one of the basic predefined roles:
- Can perform any cluster or index action.
- Can monitor the cluster and perform any index action.
- Can perform read actions on any index.
To create a user and try out basic authentication:
Add a user called es_admin and assign the admin role:
bin/shield/esusers useradd es_admin -r admin
- When prompted, enter a password for the new user. Passwords must be at least 6 characters long.
Submit a request using the newly-created user.
curl -u es_admin -XGET 'http://localhost:9200/'
That’s it! That’s all it takes to set up the first layer of security for your Elasticsearch cluster. However, Shield offers much more than simple password protection. For example, you can:
And that’s just the start. You can also:
- Define and Use Custom Roles for fine-grained access control.
- Integrate with LDAP or Active Directory, or require certificates for authentication.
- Use SSL/TLS encryption to secure communications to and from nodes.
- Use IP Filtering to allow or deny requests from particular IP addresses or address ranges.
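To confirm the basic authentication setup above took effect, the following added example (not part of the Shield documentation or code) checks that an anonymous request is rejected and that the new user is accepted, and flags plain-HTTP endpoints where the Basic credentials travel base64-encoded rather than encrypted. The helper names, the expected 401/200 status codes, the password and the `constructed_cluster` stand-in are assumptions made for this example; pass the default `status_of` to probe a real node.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def basic_auth_header(user, password):
    """Build the Authorization value that `curl -u user:password` sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def status_of(url, headers=None, timeout=5):
    """Return the HTTP status of a GET, including 4xx/5xx responses."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_auth_enforced(base_url, user, password, get_status=status_of):
    """Check that anonymous access is rejected and the given user is accepted."""
    anon = get_status(base_url)
    authed = get_status(base_url, {"Authorization": basic_auth_header(user, password)})
    findings = []
    if anon != 401:
        findings.append(f"anonymous request returned {anon}, expected 401")
    if authed != 200:
        findings.append(f"authenticated request returned {authed}, expected 200")
    if urlsplit(base_url).scheme != "https":
        findings.append("plain HTTP: Basic credentials are only base64-encoded on the wire")
    return {"anonymous": anon, "authenticated": authed, "findings": findings}


def constructed_cluster(url, headers=None, timeout=5):
    """Constructed stand-in for a protected node, so the check runs offline."""
    expected = basic_auth_header("es_admin", "changeme-example")  # constructed password
    return 200 if (headers or {}).get("Authorization") == expected else 401


if __name__ == "__main__":
    print(check_auth_enforced("http://localhost:9200/", "es_admin",
                              "changeme-example", constructed_cluster))
```

An empty `findings` list means authentication is enforced and the endpoint is reached over TLS.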