hospital.json<\/code>with the following content:<\/p>\n\n{ "index" : { "_index" : "cases", "_type" : "case", "_id" : "101" } }\n{ "admission" : "2015-01-03", "discharge" : "2015-01-04", "injury" : "broken arm" }\n{ "index" : { "_index" : "cases", "_type" : "case", "_id" : "102" } }\n{ "admission" : "2015-01-03", "discharge" : "2015-01-06", "injury" : "broken leg" }\n{ "index" : { "_index" : "cases", "_type" : "case", "_id" : "103" } }\n{ "admission" : "2015-01-06", "discharge" : "2015-01-07", "injury" : "broken nose" }\n{ "index" : { "_index" : "cases", "_type" : "case", "_id" : "104" } }\n{ "admission" : "2015-01-07", "discharge" : "2015-01-07", "injury" : "bruised arm" }\n{ "index" : { "_index" : "cases", "_type" : "case", "_id" : "105" } }\n{ "admission" : "2015-01-08", "discharge" : "2015-01-10", "injury" : "broken arm" }\n{ "index" : { "_index" : "patients", "_type" : "patient", "_id" : "101" } }\n{ "name" : "Adam", "age" : 28 }\n{ "index" : { "_index" : "patients", "_type" : "patient", "_id" : "102" } }\n{ "name" : "Bob", "age" : 45 }\n{ "index" : { "_index" : "patients", "_type" : "patient", "_id" : "103" } }\n{ "name" : "Carol", "age" : 34 }\n{ "index" : { "_index" : "patients", "_type" : "patient", "_id" : "104" } }\n{ "name" : "David", "age" : 14 }\n{ "index" : { "_index" : "patients", "_type" : "patient", "_id" : "105" } }\n{ "name" : "Eddie", "age" : 72 }\n<\/pre>\nThen bulk index these documents in the cluster:<\/p>\n
\n$ curl -X POST 'http:\/\/localhost:9200\/_bulk' --data-binary @.\/hospital.json\n<\/pre>\nWithout security, every user can access all documents. Let’s install Shield to add security.<\/p>\n
Directions on how to install Shield can be found at the\u00a0Elasticsearch website<\/a>. We will do this step by step.<\/p>\nShield is a commercial product, so first we need to install the license manager:<\/p>\n
\n$ elasticsearch\/bin\/plugin -i elasticsearch\/license\/latest\n-> Installing elasticsearch\/license\/latest...\nTrying http:\/\/download.elasticsearch.org\/elasticsearch\/license\/license-latest.zip...\nDownloading .....................................DONE\nInstalled elasticsearch\/license\/latest into \/home\/patrick\/blog\/elasticsearch\/plugins\/license\n<\/pre>\nNow install Shield itself in the same manner:<\/p>\n
\n$ elasticsearch\/bin\/plugin -i elasticsearch\/shield\/latest\n-> Installing elasticsearch\/shield\/latest...\nTrying http:\/\/download.elasticsearch.org\/elasticsearch\/shield\/shield-latest.zip...\nDownloading .....................................DONE\nInstalled elasticsearch\/shield\/latest into \/home\/patrick\/blog\/elasticsearch\/plugins\/shield\n<\/pre>\nYou will need to restart the nodes of your cluster to activate the plugins.<\/p>\n
In the logs of Elasticsearch you’ll see some messages from the new plugins:<\/p>\n
\n[2015-02-12 08:18:01,347][INFO ][shield.license ] [node0] enabling license for [shield]\n[2015-02-12 08:18:01,347][INFO ][license.plugin.core ] [node0] license for [shield] - valid\n[2015-02-12 08:18:01,355][ERROR][shield.license ] [node0]\n#\n# Shield license will expire on [Saturday, March 14, 2015]. Cluster health, cluster stats and indices stats operations are\n# blocked on Shield license expiration. All data operations (read and write) continue to work. If you\n# have a new license, please update it. Otherwise, please reach out to your support contact.\n#\n<\/pre>\nNotice that you will get a 30-day trial period to experiment with Shield.
\nNow all our data is protected. See what happens when we try to get a document:<\/p>\n
\n$ curl localhost:9200\/cases\/case\/101?pretty=true\n{\n "error" : "AuthenticationException[missing authentication token for REST request [\/cases\/case\/1]]",\n "status" : 401\n}\n<\/pre>\nWe need to add some roles and users to configure the role-based access control of Shield. First we define the roles and their privileges. The definition of these are found in the elasticsearch\/config\/shield\/roles.yml<\/code> file. Some roles, like admin and user are predefined:<\/p>\n\n# All cluster rights\n# All operations on all indices\nadmin:\n cluster: all\n indices:\n '*': all\n\n# Read-only operations on indices\nuser:\n indices:\n '*': read\n<\/pre>\nLet’s edit this roles.yml<\/code> file to describe our needs. We do not want for every user to access all indices, so we’ll change user.indices<\/code>. We’ll add the two roles needed for our organization: doctor and nurse. A doctor has more privileges than a nurse. Doctors can access all indices. Nurses can only access the cases index:<\/p>\n\n# Read-only operations on indices\n#user:\n# indices:\n# '*': read\n\n# Doctors can access all indices\ndoctor:\n indices:\n '*': read\n\n# Nurses can only access the cases index\nnurse:\n indices:\n 'cases': read\n<\/pre>\nNow that the roles are defined, we can create users that have these roles. Shield provides three realms to store the users: an internal realm, LDAP or Active Directory. For now, we use the internal realm. The realm is configured in elasticsearch\/config\/elasticsearch.yml<\/code>. If nothing is explicitly configured, the internal realm is used.
\nTo add users the esusers command line tool can be used. Let’s create two users (both with abc123 as password), one for each role:<\/p>\n\n$ elasticsearch\/bin\/shield\/esusers useradd alice -r nurse\n$ elasticsearch\/bin\/shield\/esusers useradd bob -r doctor\n<\/pre>\nJust to check if the security works:<\/p>\n
\n$ curl --user alice:abc123 localhost:9200\/_count?pretty=true\n{\n "count" : 5,\n "_shards" : {\n "total" : 1,\n "successful" : 1,\n "failed" : 0\n }\n}\n$ curl --user bob:abc123 localhost:9200\/_count?pretty=true\n{\n "count" : 10,\n "_shards" : {\n "total" : 2,\n "successful" : 2,\n "failed" : 0\n }\n}\n<\/pre>\nAlice can see the 5 cases in our cases index. Bob can see those 5 cases plus the 5 patients in the patients index.<\/p>\n
Now it’s time to add Kibana in the mix. Instructions to download and install Kibana 4 can be found on the Elasticsearch website<\/a>.<\/p>\nWhen we start the Kibana server we notice that Kibana is not allowed access to the Elasticsearch cluster:<\/p>\n
\n$ kibana\/bin\/kibana\n{"@timestamp":"2015-02-26T08:24:48.958Z","level":"fatal","message":"AuthenticationException[missing authentication token for REST request [\/.kibana\/config\/_search]]","node_env":"production","error":{"message":"AuthenticationException[missing authentication token for REST request [\/.kibana\/config\/_search]]","name":"Error","stack":"Error: AuthenticationException[missing authentication token for REST request [\/.kibana\/config\/_search]]\\n at respond (\/home\/patrick\/kibana\/src\/node_modules\/elasticsearch\/src\/lib\/transport.js:235:15)\\n at checkRespForFailure (\/home\/patrick\/kibana\/src\/node_modules\/elasticsearch\/src\/lib\/transport.js:203:7)\\n at HttpConnector. (\/home\/patrick\/kibana\/src\/node_modules\/elasticsearch\/src\/lib\/connectors\/http.js:156:7)\\n at IncomingMessage.bound (\/home\/patrick\/kibana\/src\/node_modules\/elasticsearch\/node_modules\/lodash-node\/modern\/internals\/baseBind.js:56:17)\\n at IncomingMessage.emit (events.js:117:20)\\n at _stream_readable.js:944:16\\n at process._tickCallback (node.js:442:13)\\n"}}\n<\/pre>\nWe need to tell Shield that Kibana is allowed to access our cluster. Extra information of how to let Kibana work with Shield can be found in the Elasticsearch guide<\/a>.<\/p>\nShield is shipped with a default configuration for Kibana 4. We find the following role definition in elasticsearch\/config\/shield\/roles.yml<\/code>.<\/p>\n\n# The required role for kibana 4 users\nkibana4:\n cluster: cluster:monitor\/nodes\/info\n indices:\n '*':\n - indices:admin\/mappings\/fields\/get\n - indices:admin\/validate\/query\n - indices:data\/read\/search\n - indices:data\/read\/msearch\n - indices:admin\/get\n '.kibana':\n - indices:admin\/exists\n - indices:admin\/mapping\/put\n - indices:admin\/mappings\/fields\/get\n - indices:admin\/refresh\n - indices:admin\/validate\/query\n - indices:data\/read\/get\n - indices:data\/read\/mget\n - indices:data\/read\/search\n - indices:data\/write\/delete\n - indices:data\/write\/index\n - indices:data\/write\/update\n<\/pre>\nWhen the Kibana Server starts it needs to access the .kibana index. So we need to create a user in Shield for Kibana to connect with:<\/p>\n
\n$ elasticsearch\/bin\/shield\/esusers useradd kibana -r kibana4\n<\/pre>\nThis account must be configured in Kibana. Modify kibana\/conf\/kibana.yml<\/code>:<\/p>\n\n# If your Elasticsearch is protected with basic auth, this is the user credentials\n# used by the Kibana server to perform maintence on the kibana_index at statup. Your Kibana\n# users will still need to authenticate with Elasticsearch (which is proxied thorugh\n# the Kibana server)\nkibana_elasticsearch_username: kibana\nkibana_elasticsearch_password: abc123\n<\/pre>\nThe Kibana users must have the kibana4 role to be able to work with Kibana. They must be able to store their visualizations and dashboards in the .kibana index:<\/p>\n
\n$ elasticsearch\/bin\/shield\/esusers roles alice -a kibana4\n$ elasticsearch\/bin\/shield\/esusers roles bob -a kibana4\n<\/pre>\nSince the default kibana4 role has read access on all indices, alice and bob will be granted all access on all indices. Therefore the role permissions must be modified:<\/p>\n
\n# Doctors can access all indices\ndoctor:\n indices:\n 'cases,patients':\n - indices:admin\/mappings\/fields\/get\n - indices:admin\/validate\/query\n - indices:data\/read\/search\n - indices:data\/read\/msearch\n - indices:admin\/get\n\n# Nurses can only access the cases index\nnurse:\n indices:\n 'cases':\n - indices:admin\/mappings\/fields\/get\n - indices:admin\/validate\/query\n - indices:data\/read\/search\n - indices:data\/read\/msearch\n - indices:admin\/get\n\n# The required role for kibana 4 users\nkibana4:\n cluster:\n - cluster:monitor\/nodes\/info\n - cluster:monitor\/health\n indices:\n '.kibana':\n - indices:admin\/exists\n - indices:admin\/mapping\/put\n - indices:admin\/mappings\/fields\/get\n - indices:admin\/refresh\n - indices:admin\/validate\/query\n - indices:data\/read\/get\n - indices:data\/read\/mget\n - indices:data\/read\/search\n - indices:data\/write\/delete\n - indices:data\/write\/index\n - indices:data\/write\/update\n - indices:admin\/create\n<\/pre>\nWith this configuration any user with the kibana4 role is able to use Kibana but only sees data that he or she has the proper clearance for.<\/p>\n
We can now start the Kibana Server and see that it runs as it should:<\/p>\n
\n$ kibana\/bin\/kibana\n{"@timestamp":"2015-02-26T08:53:18.961Z","level":"info","message":"Listening on 0.0.0.0:5601","node_env":"production"}\n<\/pre>\nWe can open a browser and head to localhost:5601 to open the Kibana web interface. Log in as Alice:<\/p>\n
![\"kibana-dialog-alice\"](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/02\/kibana-dialog-alice-300x152.png\")
<\/a><\/p>\nAfter logging in, Kibana will ask for the index pattern. We’ll keep it simple:<\/p>\n
![\"kibana-configure-index-pattern\"](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/02\/kibana-configure-index-pattern-300x115.png\")
<\/a><\/p>\nThen in the discover tab you can add fields to your view. Notice that Alice only sees cases:<\/p>\n
![\"\"](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/03\/kibana-discover-alice-300x104.png\")
<\/a><\/p>\nWhen we log in as Bob our discover tab shows both cases and patients:<\/p>\n
![\"\"](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/03\/kibana-discover-bob-300x125.png\")
<\/a><\/p>\n