[[enable-basic-auth]] === Control Access with Basic Authentication Shield makes it simple to password-protect your Elasticsearch cluster. Once Shield is installed, a username and password is required to communicate with the cluster. If you submit a request without a username and password, the request is rejected: [source,shell] ---------------------------------------------------------- curl -XGET 'http://localhost:9200/' ---------------------------------------------------------- All you need to do to use basic authentication is set up users and assign them to one of the basic predefined roles: `admin` :: Can perform any cluster or index action. `power_user` :: Can monitor the cluster and perform any index action. `user` :: Can perform read actions on any index. To create a user and try out basic authentication: . Add a user called `es_admin` and assign the `admin` role. + [source,shell] ---------------------------------------------------------- bin/shield/esusers useradd es_admin -r admin ---------------------------------------------------------- . When prompted, enter a password for the new user. Passwords must be at least 6 characters long. . Submit a request using the newly-created user. + [source,shell] ---------------------------------------------------------- curl -u es_admin -XGET 'http://localhost:9200/' ---------------------------------------------------------- That's it! That's all it takes to set up the first layer of security for your Elasticsearch cluster. However, Shield offers much more that simple password protection. For example, you can: * <> to verify that messages have not not been tampered with or corrupted in transit. * <> to keep track of attempted and successful interactions with your Elasticsearch cluster. And that's just the start. You can also: * <> for fine-grained access control. * Integrate with <> or <>, or <> for authentication. * Use <> to secure communications to and from nodes. * Use <> to allow or deny requests from particular IP addresses or address ranges.