[[getting-started]]
== Getting Started with Shield

This getting started guide walks you through installing Shield, setting up basic authentication, and getting started with role-based
access control. You can install Shield on nodes running Elasticsearch {version}.

IMPORTANT: The Shield plugin must be installed on every node in the cluster. If you are installing 
to a live cluster, you must stop all of the nodes, install Shield, and restart the nodes. You cannot
perform a rolling restart to install Shield.

To install and run Shield:

. Run `bin/plugin install` from `ES_HOME` to install the license plugin.
+
[source,shell]
----------------------------------------------------------
bin/plugin install license
----------------------------------------------------------

. Run `bin/plugin install` to install the Shield plugin.
+
[source,shell]
----------------------------------------------------------
bin/plugin install shield
----------------------------------------------------------
+
NOTE: If you are using a <<deb-rpm-install, DEB/RPM distribution>> of Elasticsearch, you need to run the installation with superuser permissions. To perform an offline installation, <<offline-install,download the Shield binaries>>.

. Start Elasticsearch.
+
[source,shell]
----------------------------------------------------------
bin/elasticsearch
----------------------------------------------------------

. To verify that Shield is up and running, check the startup log entries. When Shield is operating 
normally, the log indicates that the network transports are using Shield: 
+
[source,shell]
----------------
[2014-10-09 13:47:38,841][INFO ][transport ] [Ezekiel Stane] Using [org.elasticsearch.shield.transport.ShieldServerTransportService] as transport service, overridden by [shield]
[2014-10-09 13:47:38,841][INFO ][transport ] [Ezekiel Stane] Using [org.elasticsearch.shield.transport.netty.ShieldNettyTransport] as transport, overridden by [shield]
[2014-10-09 13:47:38,842][INFO ][http      ] [Ezekiel Stane] Using [org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport] as http transport, overridden by [shield]
----------------

Now you're ready to secure your cluster! Here are a few things
you might want to do to start with:

* <<enable-basic-auth, Control Access with Basic Authentication>>
* <<enable-message-authentication, Enable Message Authentication>>
* <<enable-auditing, Enable Auditing>>

include::getting-started/enable-basic-auth.asciidoc[]
include::getting-started/enable-message-authentication.asciidoc[]
include::getting-started/enable-auditing.asciidoc[]
include::getting-started/moving-on.asciidoc[]