12.3 Securing Data in Elasticsearch

Elasticsearch cluster nodes can be accessed by various clients such as the following:

  • Sentinel: to fetch and present event data in the Event Visualization dashboard.

  • Spark jobs running on the YARN NodeManager nodes (SSDM only): to perform bulk indexing of the events received from Kafka.

  • Collector Manager: to perform bulk indexing of events in Sentinel with traditional storage.

  • Other external clients: to perform custom operations such as custom analytics.

Sentinel provides a security plug-in for Elasticsearch named elasticsearch-security-plugin that authenticates and authorizes access to Elasticsearch.

The plug-in uses either a SAML token or a whitelist for validation depending on how the clients connect:

  • When a client sends a SAML token along with the request, the plug-in authenticates the token against the Sentinel authentication server. Upon successful authentication, the plug-in allows access only to the filtered events that the client is authorized for.

    For example, the Event Visualization dashboard (client) displays only those events from Elasticsearch that a user's role is authorized to view.

    For information about roles and permissions, see Creating a Role in the Sentinel Administration Guide.

  • When a client cannot send a SAML token, the plug-in checks its whitelist of legitimate clients. Upon successful validation, the plug-in allows access to all events without filtering. Because this check is based only on the client's source IP address and bypasses role-based event filtering, every whitelist entry is effectively a grant of unrestricted read access to all events.

  • When a client does not send a valid SAML token or is not allowed by the whitelist, the plug-in considers it as an illegitimate client and denies access to the client.

This section provides information about installing and configuring the Elasticsearch Security plug-in:

12.3.1 Installing the Elasticsearch Security Plug-In

You must install the Elasticsearch security plug-in on each node of the external Elasticsearch cluster and also on the Elasticsearch node included in Sentinel.

To install the elasticsearch-security-plug-in on the Elasticsearch node included in Sentinel:

  1. Log in to the Sentinel main or SSDM server.

  2. Set the path for the JAVA_HOME environment variable as follows:

    export JAVA_HOME=/<Sentinel_installation_path>/opt/novell/sentinel/jdk/
  3. Install the plug-in:

    For Linux, log in as the user that Elasticsearch is running as and run the following command:

    <sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/bin/elasticsearch-plugin install file://localhost/<Sentinel_installation_path>/etc/opt/novell/sentinel/scalablestore/elasticsearch-security-plugin*.zip --verbose

    When prompted to continue with installation, enter y.

  4. (Conditional) If Elasticsearch is not listening on the default HTTP port (9200), you must update the Elasticsearch port number in each entry of the <Sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt file.

    For more information, see Providing Access to Elasticsearch Clients by Using Whitelist.

  5. Restart the indexing services in Sentinel using the following commands:

    rcsentinel stopSIdb
    rcsentinel startSIdb

To install the elasticsearch-security-plug-in on external Elasticsearch nodes:

Perform the following steps on each node in the Elasticsearch cluster:

  1. Log in to the Sentinel main or SSDM server.

  2. Copy the <Sentinel_installation_path>/etc/opt/novell/sentinel/scalablestore/elasticsearch-security-plugin*.zip file to a temporary location on each node in the Elasticsearch cluster.

  3. Install the plug-in:

    For Linux, log in as the user that Elasticsearch is running as and run the following command:

    <elasticsearch_install_directory>/bin/elasticsearch-plugin install file://localhost/<full path of elasticsearch-security-plugin*.zip file> --verbose

    When prompted to continue with installation, enter y.

  4. (Conditional) If Elasticsearch is not listening on the default HTTP port (9200), you must update the Elasticsearch port number in each entry of the <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt file.

    For more information, see Providing Access to Elasticsearch Clients by Using Whitelist.

  5. Restart Elasticsearch.

12.3.2 Providing Secure Access to Additional Elasticsearch Clients

By default, the trusted clients have access to Elasticsearch: the SSDM server and the YARN NodeManagers (for SSDM), or the Sentinel server and the RCM (for traditional storage), with the SSDM or Sentinel server being the client for the Event Visualization dashboard. If you want to use additional Elasticsearch clients, you must provide secure access to those clients either by using a SAML token or by using the whitelist.

Providing Access to Elasticsearch REST Clients by Using SAML Token

If you are using a REST client to access Elasticsearch, you can include a SAML token in the request header as follows:

  1. Obtain a SAML token from the Sentinel authentication server. For more information, see the REST API documentation available in Sentinel.

    Click Help > APIs > Tutorial > API Security > Obtaining a SAML Token (Logon).

  2. Use the SAML token in the subsequent REST requests: include the SAML token in the Authorization header of each request made by the REST client. Specify the header name as Authorization and the header value as the <SAML token> obtained in Step 1.

Providing Access to Elasticsearch Clients by Using Whitelist

By default, Sentinel auto-populates a whitelist with the IP addresses of the trusted Elasticsearch clients: the SSDM server and the YARN NodeManagers (for SSDM), or the Sentinel server and the RCM (for traditional storage), with the SSDM or Sentinel server being the client for the Event Visualization dashboard. The Elasticsearch security plug-in grants access to Elasticsearch for all the clients listed in its whitelist.

To provide access to additional clients that do not send a valid SAML token, you must add the IP address of the client and the HTTP port number of the Elasticsearch server to the whitelist, in the <client IP address>:<Elasticsearch HTTP port> format. Because whitelisted clients receive all events without filtering, you must ensure that the external clients you add to the whitelist are legitimate and trustworthy to prevent unauthorized access.

To update the whitelist:

  1. Log in to the Sentinel server or Elasticsearch node as the user that Elasticsearch runs as.

  2. Add the entry <Elasticsearch_Client_IP>:<Target_Elasticsearch_HTTP_Port> in the file:

    • <Sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt for the Elasticsearch node included in Sentinel.

    • <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt for external Elasticsearch nodes.

    If there are multiple entries, add each entry on a new line and save the file.

  3. Repeat the above steps on each node of the Elasticsearch cluster.
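The following script is an added example for the two access methods above (SAML token and whitelist); it is not part of the Sentinel product or its documentation. It maintains an elasticsearch-ip-whitelist.txt file safely (rejecting malformed entries and duplicates), flags entries whose port no longer matches the Elasticsearch HTTP port (the failure mode of Step 4 in the installation procedures), and probes Elasticsearch the way the plug-in sees a client, with or without a SAML token. All IP addresses, the port numbers and the token value are constructed placeholders; the HTTP status codes the plug-in returns on denial are an assumption, since the page does not state them.

```shell
#!/bin/sh
# Added example (not Sentinel's own code): manage and verify the
# elasticsearch-security-plugin whitelist, one <client_ip>:<es_http_port>
# entry per line, and probe Elasticsearch as a client.

# Validate one whitelist entry: dotted-quad IPv4, a colon, and a port 1-65535.
valid_entry() {
    entry="$1"
    case "$entry" in
        *:*:*|"") return 1 ;;            # IPv6 or empty: not the plug-in's format
    esac
    ip="${entry%:*}"
    port="${entry##*:}"
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$ip" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    echo "$port" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Append an entry only if it is well-formed and not already present (idempotent,
# so the same command can be run on every node of the cluster).
add_whitelist_entry() {
    file="$1"; entry="$2"
    valid_entry "$entry" || { echo "rejecting malformed entry: $entry" >&2; return 1; }
    grep -qxF "$entry" "$file" 2>/dev/null && return 0   # already whitelisted
    printf '%s\n' "$entry" >> "$file"
}

# Report entries whose port is not the current Elasticsearch HTTP port. A stale
# port silently stops the plug-in from recognising that client, so this should
# be run after any Elasticsearch port change. Returns non-zero if any are stale.
check_whitelist_ports() {
    file="$1"; es_port="$2"
    stale=$(grep -v '^[[:space:]]*$' "$file" | grep -v ":${es_port}\$" || true)
    [ -z "$stale" ] && return 0
    echo "stale whitelist entries (expected port ${es_port}):" >&2
    echo "$stale" >&2
    return 1
}

# Probe Elasticsearch as a client would and print the HTTP status. With a SAML
# token the plug-in authenticates it against the Sentinel authentication server
# and filters the results by role; without one, only a whitelisted source IP gets
# through. Assumption: denied requests come back as 401 or 403 (not documented).
es_probe() {
    url="$1"; token="${2:-}"
    if [ -n "$token" ]; then
        curl -s -o /dev/null -w '%{http_code}' -H "Authorization: ${token}" "$url"
    else
        curl -s -o /dev/null -w '%{http_code}' "$url"
    fi
}

# Demonstration on a constructed whitelist file (not a real node's file).
demo_file=$(mktemp)
printf '10.0.0.21:9200\n10.0.0.22:9300\n' > "$demo_file"   # constructed entries
add_whitelist_entry "$demo_file" "10.0.0.50:9200"
add_whitelist_entry "$demo_file" "10.0.0.50:9200"           # duplicate, ignored
check_whitelist_ports "$demo_file" 9200 \
    || echo "fix the stale entries above before restarting Elasticsearch"
rm -f "$demo_file"
# Network usage, run from the client host being tested (placeholders):
#   es_probe "http://<elasticsearch_node>:9200/_cat/indices"            # whitelist path
#   es_probe "http://<elasticsearch_node>:9200/_cat/indices" "$SAML_TOKEN"  # SAML path
```

Run add_whitelist_entry with the same entry on every node so the cluster stays consistent, and remember that for an HA deployment the entries are the physical IP addresses of every active and passive node, not the virtual IP. A 200 from es_probe without a token means the source IP is whitelisted and therefore has unfiltered access to all events; if that is not intended, remove the entry and restart Elasticsearch.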

12.3.3 Updating the Elasticsearch Plug-In Configuration

If you change the IP address, hostname, or port number of any scalable storage component, or if you upgrade Elasticsearch or change its port number, you must update the Elasticsearch plug-in configuration files accordingly.

Perform the following steps on each node of the Elasticsearch cluster:

  1. Log in to the Elasticsearch node as the user that Elasticsearch runs as.

  2. (Conditional) If you modified YARN NodeManager IP addresses, SSDM or Sentinel server IP address, RCM IP addresses, or the Elasticsearch port number, update the whitelist accordingly to ensure that the Elasticsearch security plug-in grants access to the Elasticsearch clients.

    If you are configuring SSDM or Sentinel in HA mode, add entries for the physical IP address of each active node and passive node of the HA cluster.

    If you modify the physical IP address of any node of the HA cluster or add a new node to the HA cluster, update the whitelist with the physical IP addresses of the modified or the newly added nodes.

    For more information, see Providing Access to Elasticsearch Clients by Using Whitelist.

  3. (Conditional) If you modified the SSDM IP address, Sentinel server IP address or web server port number, update the authServer.host and authServer.port properties in the following files and restart Elasticsearch:

    • <Sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/plugins/elasticsearch-security-plugin/plugin-configuration.properties for Elasticsearch node included in Sentinel.

    • <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/plugin-configuration.properties for external Elasticsearch nodes.

    If you are configuring SSDM or Sentinel in HA mode, set the authServer.host property to the virtual IP address of the HA cluster.

    If you modify the virtual IP address of the HA cluster, update the authServer.host property to the modified virtual IP address.

  4. (Conditional) If you upgraded Elasticsearch to a newer version, update the elasticsearch.version property in the following files and restart Elasticsearch:

    • /opt/novell/sentinel/3rdparty/elasticsearch/plugins/elasticsearch-security-plugin/plugin-descriptor.properties for Elasticsearch node included in Sentinel.

    • <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/plugin-descriptor.properties for external Elasticsearch nodes.
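The following script is an added example for Steps 3 and 4 above; it is not part of the Sentinel product or its documentation. It updates a key in a Java-style properties file idempotently (replacing the existing line rather than appending a second one, which would leave the file ambiguous) and then verifies that plugin-configuration.properties points at the expected authentication server and that plugin-descriptor.properties carries the expected Elasticsearch version. The file contents, IP addresses, port and version number in the demonstration are constructed; the only property names used are the ones named on this page.

```shell
#!/bin/sh
# Added example (not Sentinel's own code): update and verify the
# elasticsearch-security-plugin properties files after an IP, port or
# Elasticsearch version change.

# Escape the dots in a property name so it can be used in a sed/grep pattern.
key_pattern() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print the value of a property (last occurrence wins, as in Java's loader).
get_property() {
    file="$1"; key_re=$(key_pattern "$2")
    sed -n "s|^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*||p" "$file" | tail -n 1
}

# Set a property in place: replace the existing line if the key is present,
# otherwise append it. Running it twice leaves exactly one line for the key.
set_property() {
    file="$1"; key="$2"; value="$3"; key_re=$(key_pattern "$key")
    if grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=" "$file" 2>/dev/null; then
        sed -i "s|^[[:space:]]*${key_re}[[:space:]]*=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Verify both plug-in files against the values the cluster should have now.
# Returns non-zero and names every mismatch, so it can gate the restart.
check_plugin_config() {
    conf="$1"; desc="$2"; want_host="$3"; want_port="$4"; want_ver="$5"; rc=0
    [ "$(get_property "$conf" authServer.host)" = "$want_host" ] \
        || { echo "authServer.host is not ${want_host}" >&2; rc=1; }
    [ "$(get_property "$conf" authServer.port)" = "$want_port" ] \
        || { echo "authServer.port is not ${want_port}" >&2; rc=1; }
    [ "$(get_property "$desc" elasticsearch.version)" = "$want_ver" ] \
        || { echo "elasticsearch.version is not ${want_ver}" >&2; rc=1; }
    return $rc
}

# Demonstration on constructed copies of the two files (not a real node's files).
demo_conf=$(mktemp); demo_desc=$(mktemp)
printf 'authServer.host=10.0.0.10\nauthServer.port=8443\n' > "$demo_conf"   # constructed
printf 'elasticsearch.version=7.10.2\n' > "$demo_desc"                      # constructed
set_property "$demo_conf" authServer.host 10.0.0.100   # e.g. the HA cluster's virtual IP
set_property "$demo_desc" elasticsearch.version 7.10.2
check_plugin_config "$demo_conf" "$demo_desc" 10.0.0.100 8443 7.10.2 \
    && echo "plug-in configuration consistent; restart Elasticsearch"
rm -f "$demo_conf" "$demo_desc"
```

For an HA deployment, the value written to authServer.host is the virtual IP address of the SSDM or Sentinel HA cluster, whereas the whitelist holds the physical IP addresses of the individual nodes. The version to pass as the last argument of check_plugin_config is the one reported by the running Elasticsearch node (the version.number field of the cluster root endpoint); a mismatch there is a plug-in load failure after restart, not a silent access problem.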