Example Shield Deployments

The examples in this section demonstrate how you might deploy Shield to secure an Elasticsearch cluster.

E-commerce Example Using esusers

The e-commerce store site in this example has the following components:

  • A webshop application, which executes queries
  • A nightly bulk import process, which reindexes the documents to ensure correct pricing for the following day
  • An update mechanism that writes data concurrently during business hours on a per-document basis
  • A sales representative that needs to read sales-specific indices

Defining the roles

bulk:
  indices:
    'products_*': write, manage, read

updater:
  indices:
    'products': index, delete, indices:admin/optimize

webshop:
  indices:
    'products': search, get

monitoring:
  cluster: monitor
  indices:
    '*': monitor

sales_rep:
  cluster: none
  indices:
    'sales_*': all
    'social_events': data_access, monitor

Let’s step through each of the role definitions:

  • The bulk role definition has the privileges to create/delete all indices starting with products_ as well as indexing data into them. This set of privileges enables the user with this role to delete and repopulate a particular index.
  • The updater role does not require any information about concrete indices. The only privileges required for updating the products index are the write and delete privileges, as well as index optimization.
  • The webshop role is a read-only role that solely executes queries and GET requests.
  • The monitoring role extracts monitoring data for display on an internal screen of the web application.
  • The sales_rep role has write access on all indices starting with sales and read access to the social_events index.

Creating Users and Their Roles

After creating the roles.yml file, you can use the esusers tool to create the needed users and the respective user-to-role mapping.

bin/shield/esusers useradd webshop -r webshop,monitoring
bin/shield/esusers useradd bulk -r bulk
bin/shield/esusers useradd updater -r updater
bin/shield/esusers useradd best_sales_guy_of_the_world -r sales_rep
bin/shield/esusers useradd second_best_sales_guy_of_the_world -r sales_rep
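
To review what each account can reach before handing out credentials, the following added example (not part of Shield or of the original documentation) resolves the roles and user mappings above into the privileges a user holds on a concrete index. It assumes index patterns use only simple wildcards, reports privilege names as written without expanding compound privileges such as all or write, and the index names in the sample run are constructed.

```python
from fnmatch import fnmatchcase

# Index privileges copied from the roles.yml shown above.
ROLES = {
    "bulk": {"products_*": ["write", "manage", "read"]},
    "updater": {"products": ["index", "delete", "indices:admin/optimize"]},
    "webshop": {"products": ["search", "get"]},
    "monitoring": {"*": ["monitor"]},
    "sales_rep": {"sales_*": ["all"], "social_events": ["data_access", "monitor"]},
}

# User-to-role mapping created by the esusers useradd commands above.
USERS = {
    "webshop": ["webshop", "monitoring"],
    "bulk": ["bulk"],
    "updater": ["updater"],
    "best_sales_guy_of_the_world": ["sales_rep"],
    "second_best_sales_guy_of_the_world": ["sales_rep"],
}


def granted(user, index):
    """Return the privilege names a user holds on one concrete index.

    The result is the union, over all of the user's roles, of every pattern
    that matches the index name (assumption: simple wildcards only).
    """
    privileges = set()
    for role in USERS.get(user, []):
        for pattern, names in ROLES.get(role, {}).items():
            if fnmatchcase(index, pattern):
                privileges.update(names)
    return privileges


def audit(indices):
    """Map each user to {index: sorted privileges} for indices they can reach."""
    report = {}
    for user in USERS:
        report[user] = {i: sorted(granted(user, i)) for i in indices if granted(user, i)}
    return report


if __name__ == "__main__":
    # Constructed index names for illustration.
    sample = ["products", "products_2015", "sales_emea", "social_events"]
    for user, access in audit(sample).items():
        print(user, access)
```

Note that the pattern products_* does not match the index named products, so under this model the bulk user has no privileges on the index that the webshop and updater roles use.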

Modifying Your Application

With the users and roles defined, you now need to modify your application. Each part of the application must authenticate to Elasticsearch using the username and password you gave it in the previous steps.