12.3 Securing Data in Elasticsearch

Elasticsearch cluster nodes can be accessed by various clients such as the following:

  • Sentinel: to fetch and present event data in the Event Visualization dashboard.

  • Collector Manager: to perform bulk indexing of events in Sentinel with traditional storage.

  • Other external clients: to perform custom operations such as custom analytics.

Sentinel provides a security plug-in for Elasticsearch named elasticsearch-security-plugin that authenticates and authorizes access to Elasticsearch.

The plug-in uses either a SAML token or a whitelist for validation depending on how the clients connect:

  • When a client sends a SAML token along with the request, the plug-in authenticates the token against the Sentinel authentication server. Upon successful authentication, the plug-in allows access only to the filtered events that the client is authorized for.

    For example, the Event Visualization dashboard (client) displays only those events from Elasticsearch that a user's role is authorized to view.

    For information about roles and permissions, see Creating Roles in the Sentinel Administration Guide.

  • When a client cannot send a SAML token, the plug-in checks its whitelist of legitimate clients. If the client is listed, the plug-in allows access to all events without filtering.

  • When a client does not send a valid SAML token and is not listed in the whitelist, the plug-in treats it as an illegitimate client and denies access.

This section provides information about installing and configuring the Elasticsearch Security plug-in:

12.3.1 Installing the Elasticsearch Security Plug-In

You must install the Elasticsearch Security plug-in in each node of the Elasticsearch cluster and also in the Elasticsearch node included in Sentinel.

To install the elasticsearch-security-plug-in on the Elasticsearch node included in Sentinel:

  1. Log in to the Sentinel main server.

  2. Set the JAVA_HOME environment variable to the JDK bundled with Sentinel:

    export JAVA_HOME=<sentinel_installation_path>/opt/novell/sentinel/jdk/
  3. Install the plug-in:

    <sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/bin/elasticsearch-plugin install file://localhost/<sentinel_installation_path>/etc/opt/novell/sentinel/scalablestore/elasticsearch-security-plugin*.zip --verbose

    When prompted to continue with the installation, enter y.

    The shell does not expand the wildcard inside a file:// URL, so if the command cannot locate the archive, substitute the actual file name of the elasticsearch-security-plugin zip file.

    After the installation completes, change the ownership of the installed plug-in directory (<sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/plugins/elasticsearch-security-plugin) to the user that Elasticsearch runs as, so that Elasticsearch can read the plug-in and its configuration files.

  4. (Conditional) If Elasticsearch is not listening on the default HTTP port (9200), you must update the Elasticsearch port number in each entry of the <sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt file.

    For more information, see Providing Access to Elasticsearch Clients by Using Whitelist.

  5. Restart the indexing services in Sentinel using the command:

    rcsentinel stopES
    rcsentinel startES

To install the elasticsearch-security-plug-in on external Elasticsearch nodes:

Perform the following steps on each node in the Elasticsearch cluster:

  1. Log in to the Sentinel main server.

  2. Copy the <sentinel_installation_path>/etc/opt/novell/sentinel/scalablestore/elasticsearch-security-plugin*.zip file to a temporary location on each node in the Elasticsearch cluster.

  3. Install the plug-in:

    <elasticsearch_installation_path>/bin/elasticsearch-plugin install file://localhost/<full path of elasticsearch-security-plugin*.zip file> --verbose

    When prompted to continue with the installation, enter y.

    The shell does not expand the wildcard inside a file:// URL, so specify the actual file name of the elasticsearch-security-plugin zip file in the full path.

    After the installation completes, change the ownership of the installed plug-in directory (<elasticsearch_installation_path>/plugins/elasticsearch-security-plugin) to the user that Elasticsearch runs as, so that Elasticsearch can read the plug-in and its configuration files.

  4. (Conditional) If Elasticsearch is not listening on the default HTTP port (9200), you must update the Elasticsearch port number in each entry of the <elasticsearch_installation_path>/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt file.

    For more information, see Providing Access to Elasticsearch Clients by Using Whitelist.

  5. Restart Elasticsearch.

12.3.2 Providing Secure Access to Additional Elasticsearch Clients

By default, trusted clients, such as the Sentinel server (for the Event Visualization Dashboard) and RCM, have access to Elasticsearch. If you want to use additional Elasticsearch clients, you must provide secure access to those clients by using the whitelist.

Providing Access to Elasticsearch Clients by Using Whitelist

By default, Sentinel auto-populates a whitelist with the IP addresses of the trusted Elasticsearch clients, such as the Sentinel server (for the Event Visualization Dashboard) and RCM. The Elasticsearch security plug-in grants unfiltered access to Elasticsearch to every client listed in its whitelist.

To provide access to additional clients that do not send a valid Sentinel SAML token, add the IP address of the client and the HTTP port number of the Elasticsearch server to the whitelist in the IP address:port format. Because the whitelist is matched on source IP address only and bypasses the role-based event filtering, every entry is a full-access grant: add only hosts you control and trust, keep the list as short as possible, and restrict network access to the Elasticsearch HTTP port so that no other host can present one of the listed addresses.

To update the whitelist:

  1. Log in to the Sentinel server or Elasticsearch node as the user that Elasticsearch runs as.

  2. Add the entry <Elasticsearch_Client_IP>:<Target_Elasticsearch_HTTP_Port> in the file:

    • <sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt for the Elasticsearch node included in Sentinel.

    • <elasticsearch_installation_path>/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt for external Elasticsearch nodes.

    If there are multiple entries, add each entry in a new line and save the file.

  3. Repeat the above steps in each node of the Elasticsearch cluster.
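Because the whitelist has to be edited by hand on every node, it is easy to introduce a duplicate, a typo, or a stale port after an Elasticsearch port change (step 4 of the installation procedure). The following POSIX shell functions are an added example, not part of the Sentinel documentation or product: they validate and append an IP:port entry idempotently, rewrite the port in every existing entry, and flag lines that are not in IP:port form. The file path, addresses and ports in the comments are constructed; the functions handle IPv4 addresses only, and you still have to run them (or copy the resulting file) on each node of the cluster.

```shell
#!/bin/sh
# Added example (not Sentinel's own tooling): maintain the
# elasticsearch-ip-whitelist.txt file read by the security plug-in.
# Each entry is one "<client_ip>:<elasticsearch_http_port>" per line.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
  ip=$1
  case $ip in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, leading/trailing/double dot
  esac
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -ge 0 ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 is a TCP port in 1-65535.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# add_whitelist_entry <file> <client_ip> <es_http_port>
# Appends "<ip>:<port>" unless an identical line already exists.
# Returns 1 without touching the file if the IP or port is malformed.
add_whitelist_entry() {
  file=$1 ip=$2 port=$3
  valid_ipv4 "$ip" || { echo "rejected: bad IP address '$ip'" >&2; return 1; }
  valid_port "$port" || { echo "rejected: bad port '$port'" >&2; return 1; }
  [ -f "$file" ] || : > "$file"
  grep -qx "$ip:$port" "$file" && return 0   # already whitelisted
  printf '%s:%s\n' "$ip" "$port" >> "$file"
}

# rewrite_whitelist_port <file> <new_es_http_port>
# Replaces the port in every ip:port entry; comments and blank lines are kept.
rewrite_whitelist_port() {
  file=$1 newport=$2
  valid_port "$newport" || { echo "rejected: bad port '$newport'" >&2; return 1; }
  tmp="$file.tmp"
  awk -F: -v p="$newport" 'NF == 2 { print $1 ":" p; next } { print }' "$file" > "$tmp" \
    && mv "$tmp" "$file"
}

# lint_whitelist <file>
# Reports every non-comment line that is not a valid IPv4:port entry.
# Returns 1 if any such line exists, so it can gate a deployment script.
lint_whitelist() {
  file=$1
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    entry_ip=${line%%:*}
    entry_port=${line#*:}
    if [ "$entry_ip" = "$line" ] || ! valid_ipv4 "$entry_ip" || ! valid_port "$entry_port"; then
      echo "malformed whitelist entry: '$line'" >&2
      rc=1
    fi
  done < "$file"
  return $rc
}

# Usage on a node (constructed paths and addresses), run as the Elasticsearch user:
#   WL=/opt/novell/sentinel/3rdparty/elasticsearch/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt
#   add_whitelist_entry "$WL" 192.0.2.10 9200     # add an analytics client
#   rewrite_whitelist_port "$WL" 9201            # Elasticsearch moved off 9200
#   lint_whitelist "$WL" && echo "whitelist OK"
```

Run lint_whitelist before restarting Elasticsearch on each node; a single hostname or mistyped address in the file is otherwise silent and simply never matches, which shows up later as the client being denied.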

12.3.3 Updating the Elasticsearch Plug-In Configuration

Perform the following steps on each node of the Elasticsearch cluster:

  1. Log in to the Elasticsearch node as the user that Elasticsearch runs as.

  2. (Conditional) If you modified the Sentinel server IP address, the RCM IP addresses, or the Elasticsearch port number, update the whitelist accordingly to ensure that the Elasticsearch security plug-in continues to grant access to the Elasticsearch clients.

    If you are configuring Sentinel in HA mode, add entries for the physical IP address of each active node and passive node of the HA cluster.

    If you modify the physical IP address of any node of the HA cluster or add a new node to the HA cluster, update the whitelist with the physical IP addresses of the modified or the newly added nodes.

    For more information, see Providing Access to Elasticsearch Clients by Using Whitelist.

  3. (Conditional) If you modified the Sentinel server IP address or web server port number, update the authServer.host and authServer.port properties in the following files and restart Elasticsearch:

    • <sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/plugins/elasticsearch-security-plugin/plugin-configuration.properties for Elasticsearch node included in Sentinel.

    • <elasticsearch_installation_path>/plugins/elasticsearch-security-plugin/plugin-configuration.properties for external Elasticsearch nodes.

    If you are configuring Sentinel in HA mode, set the authServer.host property to the virtual IP address of the HA cluster.

    If you modify the virtual IP address of the HA cluster, update the authServer.host property to the modified virtual IP address.

  4. (Conditional) If you upgraded Elasticsearch to a newer version, update the elasticsearch.version property in the following files and restart Elasticsearch:

    • <sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/plugins/elasticsearch-security-plugin/plugin-descriptor.properties for Elasticsearch node included in Sentinel.

    • <elasticsearch_installation_path>/plugins/elasticsearch-security-plugin/plugin-descriptor.properties for external Elasticsearch nodes.
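Steps 3 and 4 both edit a Java .properties file in place, and a hand edit that leaves a second authServer.host line or misses an entry with surrounding spaces is a common cause of the plug-in failing to reach the authentication server after a restart. The following POSIX shell functions are an added example, not Sentinel's own tooling: set_property replaces the existing line for a key (accepting "key=value", "key = value" and "key: value" forms) or appends the key if it is absent, get_property reads a value back for verification, and update_auth_server applies the authServer.host and authServer.port change from step 3 in one call. File names and values in the comments are constructed; the functions do not restart Elasticsearch, which you still have to do on each node afterwards.

```shell
#!/bin/sh
# Added example (not Sentinel's own tooling): idempotent edits to the
# plug-in's .properties files (plugin-configuration.properties and
# plugin-descriptor.properties).

# set_property <file> <key> <value>
# Rewrites the first line whose key is <key> as "<key>=<value>", drops any
# duplicate lines for the same key, and appends the key if it was absent.
# Comment lines and other keys are left untouched. Note: awk -v interprets
# backslash escapes, so values containing backslashes need pre-escaping.
set_property() {
  file=$1 key=$2 value=$3
  [ -f "$file" ] || : > "$file"
  tmp="$file.tmp"
  awk -v k="$key" -v v="$value" '
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (substr(line, 1, length(k)) == k) {
        rest = substr(line, length(k) + 1)
        sub(/^[ \t]+/, "", rest)
        if (rest ~ /^[=:]/) {            # this line defines our key
          if (!done) { print k "=" v; done = 1 }
          next                           # duplicates are dropped
        }
      }
      print
    }
    END { if (!done) print k "=" v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_property <file> <key>
# Prints the value of the first definition of <key>, or nothing if absent.
get_property() {
  awk -v k="$2" '
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (substr(line, 1, length(k)) == k) {
        rest = substr(line, length(k) + 1)
        sub(/^[ \t]+/, "", rest)
        if (rest ~ /^[=:]/) { sub(/^[=:][ \t]*/, "", rest); print rest; exit }
      }
    }
  ' "$1"
}

# update_auth_server <plugin-configuration.properties> <host> <port>
# Points the plug-in at the Sentinel authentication server. In HA mode pass
# the virtual IP address of the HA cluster as <host>.
update_auth_server() {
  cfg=$1 host=$2 port=$3
  case $port in ''|*[!0-9]*) echo "rejected: bad port '$port'" >&2; return 1 ;; esac
  [ -n "$host" ] || { echo "rejected: empty host" >&2; return 1; }
  set_property "$cfg" authServer.host "$host" \
    && set_property "$cfg" authServer.port "$port"
}

# Usage on a node (constructed paths and values), run as the Elasticsearch user:
#   P=/opt/novell/sentinel/3rdparty/elasticsearch/plugins/elasticsearch-security-plugin
#   update_auth_server "$P/plugin-configuration.properties" 192.0.2.20 8443
#   set_property "$P/plugin-descriptor.properties" elasticsearch.version 7.1.0
#   get_property "$P/plugin-configuration.properties" authServer.host
#   then restart Elasticsearch on this node.
```

Reading the value back with get_property after the edit gives you a one-line check to put in a change script, and because set_property collapses duplicate definitions, running it twice leaves the file in the same state.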