7.3 Securing Elasticsearch

Elasticsearch cluster nodes can be accessed by various clients such as the following:

  • Sentinel Scalable Data Manager: to fetch and present event data in the Event Visualization dashboard.

  • Spark jobs running in the YARN NodeManager nodes: to perform bulk indexing of the events received from Kafka.

  • Other external clients: to perform custom operations such as custom analytics.

Sentinel provides a security plug-in for Elasticsearch named elasticsearch-security-plugin that authenticates and authorizes access to Elasticsearch. The plug-in uses either a SAML token or a whitelist for validation depending on how the clients connect:

  • When a client sends a SAML token along with the request, the plug-in authenticates the token against the Sentinel authentication server. Upon successful authentication, the plug-in allows access only to the filtered events that the client is authorized for.

    For example, the Event Visualization dashboard (client) displays only those events from Elasticsearch that a user's role is authorized to view.

    For information about roles and permissions, see Creating Roles.

  • When a client cannot send a SAML token, the plug-in checks its whitelist of legitimate clients. Upon successful validation, the plug-in allows access to all events without filtering.

  • When a client does not send a valid SAML token or is not allowed by the whitelist, the plug-in considers it an illegitimate client and denies it access.

7.3.1 Installing the Elasticsearch Security Plug-In

The Elasticsearch security plug-in must be installed in each node of the Elasticsearch cluster.

To install the elasticsearch-security-plug-in:

  1. Log in to the SSDM server.

  2. Copy the /etc/opt/novell/sentinel/scalablestore/elasticsearch-security-plugin*.zip file to a temporary location on each node in the Elasticsearch cluster.

  3. Install the plug-in:

    For Linux, log in as the user that Elasticsearch is running as and run the following command:

    <elasticsearch_install_directory>/bin/elasticsearch-plugin install file://localhost/<full path of elasticsearch-security-plugin*.zip file> --verbose

    When prompted to continue with installation, enter y.

  4. (Conditional) If Elasticsearch is not listening on the default HTTP port (9200), you must update the Elasticsearch port number in each entry of the <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt file.

    For more information, see Providing Access to Elasticsearch Clients by Using Whitelist.

  5. Restart Elasticsearch.

  6. Repeat Step 3 through Step 5 on each node in the Elasticsearch cluster.

7.3.2 Providing Secure Access to Additional Elasticsearch Clients

By default, trusted clients such as the SSDM server (for the Event Visualization Dashboard) and the YARN NodeManagers have access to Elasticsearch. If you want to use additional Elasticsearch clients, you must provide secure access to those clients either by using a SAML token or by adding them to the whitelist.

Providing Access to Elasticsearch REST Clients by Using SAML Token

If you are using a REST client to access Elasticsearch, you can include a SAML token in the request header as follows:

  1. Obtain a SAML token from the Sentinel authentication server. For more information, see the REST API documentation available in Sentinel.

    Click Help > APIs > Tutorial > API Security > Obtaining a SAML Token (Logon).

  2. Use the SAML token in subsequent REST requests: include it in the Authorization header of each request made by the REST client. Specify the header name as Authorization and the header value as the <SAML token> obtained in Step 1.
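The following is an added example (not Sentinel's or Elasticsearch's own code) of a REST client that sends a search request with the SAML token placed in the Authorization header as described in Step 2. The Elasticsearch URL, the index name and the token value are placeholders; the token must be obtained from the Sentinel authentication server as in Step 1.

```python
"""Added example: an Elasticsearch search request carrying a Sentinel SAML
token in the Authorization header. The URL, index name and token string are
placeholders, not values from the Sentinel documentation."""
import json
import urllib.error
import urllib.request


def build_search_request(es_base_url: str, index: str, saml_token: str,
                         query: dict) -> urllib.request.Request:
    """Build a POST to <es_base_url>/<index>/_search with the SAML token in the
    Authorization header. The token travels only in the header, never in the
    URL or query string, so it does not land in proxy or access logs."""
    if not saml_token.strip():
        raise ValueError("a non-empty SAML token is required")
    body = json.dumps(query).encode("utf-8")
    req = urllib.request.Request(
        f"{es_base_url.rstrip('/')}/{index}/_search", data=body, method="POST")
    req.add_header("Authorization", saml_token)
    req.add_header("Content-Type", "application/json")
    return req


def run_search(req: urllib.request.Request, timeout: float = 10.0) -> dict:
    """Send the request and turn the security plug-in's refusal into a clear
    error: 401/403 means the token was rejected or the caller's roles do not
    authorize the requested data. Other HTTP errors propagate unchanged."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            raise PermissionError(
                f"Elasticsearch security plug-in refused the request ({err.code}); "
                "obtain a fresh SAML token from the Sentinel authentication server"
            ) from err
        raise


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own Elasticsearch
    # endpoint, index and a token obtained in Step 1.
    request = build_search_request(
        "https://elasticsearch.example.internal:9200", "events",
        "<SAML token>", {"query": {"match_all": {}}, "size": 10})
    print(request.get_method(), request.full_url)
```

Keep the token out of shell history and scripts checked into version control; read it from an environment variable or a secrets store at run time and pass it to build_search_request.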

Providing Access to Elasticsearch Clients by Using Whitelist

By default, Sentinel auto-populates a whitelist with the IP addresses of the trusted Elasticsearch clients such as the SSDM server (for the Event Visualization Dashboard) and YARN NodeManagers. The Elasticsearch security plug-in grants access to Elasticsearch for all the clients listed in its whitelist.

To provide access to additional clients that do not send a valid Sentinel token, you must add the IP address of the client and the HTTP port number of the Elasticsearch server to the whitelist in the IP address:port format. You must ensure that the external clients you add in the whitelist are legitimate and trustworthy to prevent any unauthorized access.

To update the whitelist:

  1. Log in to the Elasticsearch node as the user that Elasticsearch runs as.

  2. Add the entries in the <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt file as follows:

    <Elasticsearch_Client_IP>:<Target_Elasticsearch_HTTP_Port>

    If there are multiple entries, add each entry in a new line and save the file.
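The following added example (not the plug-in's own code) models the access decision described at the start of section 7.3 together with the whitelist file format above: it parses elasticsearch-ip-whitelist.txt entries in the <Elasticsearch_Client_IP>:<Target_Elasticsearch_HTTP_Port> format, rejects malformed lines instead of silently skipping them, decides between filtered, unfiltered and denied access, and rewrites the port in every entry as Step 4 of the install procedure requires when Elasticsearch does not listen on 9200. The token check is a constructed stand-in for the call to the Sentinel authentication server, and the sample IP addresses are constructed from a documentation range.

```python
"""Added example: a model of the elasticsearch-security-plugin access decision
driven by a SAML token or the elasticsearch-ip-whitelist.txt file. Not the
plug-in's code; the token validator is a constructed stand-in."""
import ipaddress
from typing import Callable, Optional, Set, Tuple

Whitelist = Set[Tuple[str, int]]

# Constructed sample whitelist, one <client IP>:<Elasticsearch HTTP port> per line.
SAMPLE_WHITELIST = """192.0.2.10:9200
192.0.2.21:9200
192.0.2.22:9200
"""

# Constructed stand-in for the Sentinel authentication server: maps a token to
# the roles it carries. Unknown tokens are invalid (None).
_FAKE_TOKENS = {"token-analyst": ["analyst"]}


def fake_validate(token: str) -> Optional[list]:
    return _FAKE_TOKENS.get(token)


def parse_whitelist(text: str) -> Whitelist:
    """Parse the whitelist file. A malformed line raises ValueError rather than
    being skipped, so a typo cannot silently drop an entry or admit a stray one.
    Blank lines are tolerated (assumption about the file format)."""
    entries: Whitelist = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"line {lineno}: expected <ip>:<port>, got {line!r}")
        ip = ipaddress.ip_address(host)  # raises ValueError on a malformed address
        port_num = int(port)
        if not 1 <= port_num <= 65535:
            raise ValueError(f"line {lineno}: port {port_num} out of range")
        entries.add((str(ip), port_num))
    return entries


def decide_access(client_ip: str, es_port: int, saml_token: Optional[str],
                  whitelist: Whitelist,
                  validate_token: Callable[[str], Optional[list]]) -> str:
    """Return 'filtered', 'unfiltered' or 'deny' following section 7.3: a valid
    token gives role-filtered access, an invalid token is denied, and only a
    client that sends no token at all falls back to the whitelist, which grants
    unfiltered access."""
    if saml_token is not None:
        roles = validate_token(saml_token)
        return "filtered" if roles is not None else "deny"
    if (client_ip, es_port) in whitelist:
        return "unfiltered"
    return "deny"


def rewrite_port(text: str, old_port: int, new_port: int) -> str:
    """Replace old_port with new_port in every entry (install Step 4 and section
    7.3.3 when the Elasticsearch HTTP port changes). The file is validated first
    so a broken whitelist is never rewritten; entry order is preserved."""
    parse_whitelist(text)
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            ip, _, port = line.rpartition(":")
            line = f"{ip}:{new_port if int(port) == old_port else port}"
        lines.append(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    wl = parse_whitelist(SAMPLE_WHITELIST)
    for ip, port, token in [("192.0.2.10", 9200, None), ("198.51.100.7", 9200, None),
                            ("198.51.100.7", 9200, "token-analyst")]:
        print(ip, port, token, "->", decide_access(ip, port, token, wl, fake_validate))
    print(rewrite_port(SAMPLE_WHITELIST, 9200, 9250), end="")
```

Note the two failure modes the model makes visible: an entry whose port does not match the port Elasticsearch actually listens on grants nothing (hence Step 4 of the install procedure), and a whitelisted client that presents a stale or forged token is still denied rather than falling back to unfiltered access.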

  3. Repeat the above steps in each node of the Elasticsearch cluster.

7.3.3 Updating the Elasticsearch Plug-In Configuration

If you change the IP address, hostname, or port number of the scalable storage components, or the Elasticsearch version or port number, you must update the Elasticsearch plug-in configuration files accordingly.

Perform the following steps on each node of the Elasticsearch cluster:

  1. Log in to the Elasticsearch node as the user that Elasticsearch runs as.

  2. (Conditional) If you modified YARN NodeManager IP addresses, SSDM IP address, or the Elasticsearch port number, update the whitelist accordingly to ensure that the Elasticsearch security plug-in grants access to the Elasticsearch clients.

    If SSDM is in HA mode, add entries for the physical IP address of each active node and passive node of the HA cluster.

    For more information, see Providing Access to Elasticsearch Clients by Using Whitelist.

  3. (Conditional) If you modified the SSDM IP address or web server port number, update the authServer.host and authServer.port properties in the <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/plugin-configuration.properties file accordingly and restart Elasticsearch.

    If SSDM is in HA mode, set the authServer.host property to the virtual IP address of the HA cluster.

  4. (Conditional) If you upgraded Elasticsearch to a newer version, update the elasticsearch.version property in the <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/plugin-descriptor.properties file accordingly and restart Elasticsearch.