[[enable-basic-auth]]
=== Control Access with Basic Authentication
Shield makes it simple to password-protect your Elasticsearch cluster. Once Shield is installed, a username and password are required to communicate with the cluster.

If you submit a request without a username and password, the request is rejected:

[source,shell]
----------------------------------------------------------
curl -XGET 'http://localhost:9200/'
----------------------------------------------------------

All you need to do to use basic authentication is set up users and assign them to one of the basic predefined roles:

`admin` :: Can perform any cluster or index action.
`power_user` :: Can monitor the cluster and perform any index action.
`user` :: Can perform read actions on any index.

To create a user and try out basic authentication:

. Add a user called `es_admin` and assign the `admin` role.
+
[source,shell]
----------------------------------------------------------
bin/shield/esusers useradd es_admin -r admin
----------------------------------------------------------
. When prompted, enter a password for the new user. Passwords must be at least 6 characters long.
. Submit a request using the newly created user.
+
[source,shell]
----------------------------------------------------------
curl -u es_admin -XGET 'http://localhost:9200/'
----------------------------------------------------------
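
The steps above as a repeatable check, added here as an example and not part of the Shield documentation: it confirms that an anonymous request is rejected and that the new user is accepted, handing the password to curl on stdin so it never shows up in the process list. The function names are hypothetical, and the check assumes a rejected request returns HTTP 401 and an accepted one HTTP 200.

```shell
# Added example: verify that basic authentication is actually enforced.
# Usage (interactive):
#   read -rs -p 'Password: ' PW
#   check_basic_auth 'http://localhost:9200/' es_admin "$PW"

# Print only the HTTP status code of a GET request ("000" = no connection).
# usage: http_status URL [USER PASSWORD]
http_status() {
  local url=$1 user=${2-} pass=${3-}
  if [ -n "$user" ]; then
    # Credentials go through a curl config read from stdin (-K -), not argv.
    # Assumption: the password contains no double quote or backslash.
    printf 'user = "%s:%s"\n' "$user" "$pass" |
      curl -s -o /dev/null -w '%{http_code}' -K - "$url" || true
  else
    curl -s -o /dev/null -w '%{http_code}' "$url" || true
  fi
}

# Return 0 only if anonymous access is rejected (401, assumed) and the
# given user is accepted (200, assumed). Diagnostics go to stderr.
# usage: check_basic_auth URL USER PASSWORD
check_basic_auth() {
  local url=$1 anon auth
  anon=$(http_status "$url")
  auth=$(http_status "$url" "$2" "$3")

  # Basic auth only base64-encodes the credentials, so flag plain HTTP
  # to anything other than the local machine.
  case "$url" in
    https://*|http://localhost[:/]*|http://127.0.0.1[:/]*) ;;
    *) echo "WARN: basic auth over plain HTTP exposes the password in transit" >&2 ;;
  esac

  if [ "$anon" != 401 ]; then
    echo "FAIL: anonymous request returned $anon, expected 401" >&2
    return 1
  fi
  if [ "$auth" != 200 ]; then
    echo "FAIL: request as $2 returned $auth, expected 200" >&2
    return 1
  fi
  echo "OK: anonymous=401, $2=200" >&2
}
```
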
That's it! That's all it takes to set up the first layer of
security for your Elasticsearch cluster. However, Shield
offers much more than simple password protection. For example,
you can:

* <<enable-message-authentication, Enable Message Authentication>> to verify that messages have not been tampered with or corrupted in transit.
* <<enable-auditing, Enable Auditing>> to keep track of attempted and successful interactions with
your Elasticsearch cluster.

And that's just the start. You can also:

* <<defining-roles, Define and Use Custom Roles>> for fine-grained access control.
* Integrate with <<ldap, LDAP>> or <<active-directory, Active Directory>>, or <<pki, require certificates>> for authentication.
* Use <<ssl-tls, SSL/TLS encryption>> to secure communications to and from nodes.
* Use <<ip-filtering, IP Filtering>> to allow or deny requests from particular IP addresses or address ranges.