Control Access with Basic Authentication

Shield makes it simple to password-protect your Elasticsearch cluster. Once Shield is installed, a username and password is required to communicate with the cluster.

If you submit a request without a username and password, the request is rejected:

curl -XGET 'http://localhost:9200/'

All you need to do to use basic authentication is set up users and assign them to one of the basic predefined roles:

admin
Can perform any cluster or index action.
power_user
Can monitor the cluster and perform any index action.
user
Can perform read actions on any index.

To create a user and try out basic authentication:

  1. Add a user called es_admin and assign the admin role.

    bin/shield/esusers useradd es_admin -r admin
  2. When prompted, enter a password for the new user. Passwords must be at least 6 characters long.
  3. Submit a request using the newly-created user.

    curl -u es_admin -XGET 'http://localhost:9200/'

That’s it! That’s all it takes to set up the first layer of security for your Elasticsearch cluster. However, Shield offers much more that simple password protection. For example, you can:

And that’s just the start. You can also: