From 6b82c49adeeeab6fdd2426f40323e151b8d6ef31 Mon Sep 17 00:00:00 2001
From: aetter
Date: Fri, 15 Mar 2019 14:48:54 -0700
Subject: [PATCH 1/5] Demonstrates certificate overrides

Also covers password changes.
---
 docs/install/docker-security.md | 198 +++++++++++++++++++++++++++++
 docs/install/docker.md | 13 +-
 docs/install/encryption-at-rest.md | 4 +-
 docs/security/index.md | 2 +-
 4 files changed, 202 insertions(+), 15 deletions(-)
 create mode 100644 docs/install/docker-security.md

diff --git a/docs/install/docker-security.md b/docs/install/docker-security.md
new file mode 100644
index 00000000..1baf6897
--- /dev/null
+++ b/docs/install/docker-security.md
@@ -0,0 +1,198 @@
+---
+layout: default
+title: Docker Security Configuration
+parent: Install and Configure
+nav_order: 3
+---
+
+# Docker security configuration
+
+Before deploying to a production environment, you should replace the demo security certificates with your own. With the RPM-based installation, you have direct access to the file system, but the Docker image requires modifying the Docker Compose file to include the replacement files.
+
+
+#### Sample Docker Compose file
+
+```yml
+version: '3'
+services:
+ odfe-node1:
+ image: amazon/opendistro-for-elasticsearch:0.7.0
+ container_name: odfe-node1
+ environment:
+ - cluster.name=odfe-cluster
+ - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
+ - "ES_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
+ - network.host=0.0.0.0 # required if not using the demo Security configuration
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ volumes:
+ - odfe-data1:/usr/share/elasticsearch/data
+ - ./root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
+ - ./esnode.pem:/usr/share/elasticsearch/config/esnode.pem
+ - ./esnode-key.pem:/usr/share/elasticsearch/config/esnode-key.pem
+ - ./kirk.pem:/usr/share/elasticsearch/config/kirk.pem
+ - ./kirk-key.pem:/usr/share/elasticsearch/config/kirk-key.pem
+ - ./custom-elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
+ - ./internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
+ ports:
+ - 9200:9200
+ - 9600:9600 # required for Performance Analyzer
+ networks:
+ - odfe-net
+ odfe-node2:
+ image: amazon/opendistro-for-elasticsearch:0.7.0
+ container_name: odfe-node2
+ environment:
+ - cluster.name=odfe-cluster
+ - bootstrap.memory_lock=true
+ - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+ - discovery.zen.ping.unicast.hosts=odfe-node1
+ - network.host=0.0.0.0
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ volumes:
+ - odfe-data2:/usr/share/elasticsearch/data
+ - ./root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
+ - ./esnode.pem:/usr/share/elasticsearch/config/esnode.pem
+ - ./esnode-key.pem:/usr/share/elasticsearch/config/esnode-key.pem
+ - ./kirk.pem:/usr/share/elasticsearch/config/kirk.pem
+ - ./kirk-key.pem:/usr/share/elasticsearch/config/kirk-key.pem
+ - ./custom-elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
+ - ./internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
+ networks:
+ - odfe-net
+ kibana:
+ image: amazon/opendistro-for-elasticsearch-kibana:0.7.0
+ container_name: odfe-kibana
+ ports:
+ - 5601:5601
+ expose:
+ - "5601"
+ environment:
+ ELASTICSEARCH_URL: https://odfe-node1:9200
+ volumes:
+ - ./custom-kibana.yml:/usr/share/kibana/config/kibana.yml
+ networks:
+ - odfe-net
+
+volumes:
+ odfe-data1:
+ odfe-data2:
+
+networks:
+ odfe-net:
+```
+
+Then make your changes to `elasticsearch.yml`. For a full list of settings, see [Security](../../security). This example adds (extremely) verbose audit logging:
+
+```yml
+opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
+opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: esnode.pem
+opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_unsafe_democertificates: true
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.authcz.admin_dn:
+ - CN=kirk,OU=client,O=client,L=test, C=de
+
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+opendistro_security.audit.config.disabled_rest_categories: NONE
+opendistro_security.audit.config.disabled_transport_categories: NONE
+```
+
+To start the cluster, run `docker-compose up`.
+
+If you encounter any `File /usr/share/elasticsearch/config/elasticsearch.yml has insecure file permissions (should be 0600)` messages, you can use `chmod` on your local machine to set file permissions before running `docker-compose up`. Docker Compose passes files to the container as-is.
+{: .note }
+
+
+## Change passwords for read-only users
+
+After the cluster starts, change the passwords for the read-only user accounts (`admin` and `kibanaserver`). Run `docker ps` to find the `odfe-node1` container ID. Then run:
+
+```
+$ docker exec /bin/sh /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p newpassword
+```
+
+The hash script returns a hashed password (e.g. `$2y$12$SFNvhLHf7MPCpRCq00o/BuU8GMdcD.7BymhT80YHNISBHsfJwhTou`), which you can then copy and paste into `internal_users.yml`. Repeat the process as necessary for all read-only users. Don't worry about the other user accounts; you can change (or delete) them in Kibana.
+
+When you're satisfied, restart the cluster using `docker-compose down -v` and `docker-compose up`.
+
+`internal_users.yml` looks like this:
+
+```yml
+# New password applied
+admin:
+ readonly: true
+ hash: $2y$12$SFNvhLHf7MPCpRCq00o/BuU8GMdcD.7BymhT80YHNISBHsfJwhTou
+ roles:
+ - admin
+ attributes:
+ #no dots allowed in attribute names
+ attribute1: value1
+ attribute2: value2
+ attribute3: value3
+
+# Still using default password: logstash
+logstash:
+ hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2
+ roles:
+ - logstash
+
+# New password applied
+kibanaserver:
+ readonly: true
+ hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.
+
+# Still using default password: kibanaro
+kibanaro:
+ hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC
+ roles:
+ - kibanauser
+ - readall
+
+# Still using default password: readall
+readall:
+ hash: $2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2
+ #password is: readall
+ roles:
+ - readall
+
+# Still using default password: snapshotrestore
+snapshotrestore:
+ hash: $2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W
+ roles:
+ - snapshotrestore
+```
+
+
+## Next steps
+
+After the cluster starts, verify the new password:
+
+```bash
+curl -XGET https://localhost:9200 -u admin:admin -k
+Unauthorized
+
+curl -XGET https://localhost:9200 -u admin:newpassword -k
+{
+ ...
+ "tagline" : "You Know, for Search"
+}
+```
+
+Then you can open Kibana at [http://localhost:5601](http://localhost:5601), sign in, and perform additional user management in the **Security** panel.
+
+You can use this same override process to specify new [authentication settings](../../security/configuration) in `/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml`.
diff --git a/docs/install/docker.md b/docs/install/docker.md
index 4edaddbc..bf16a67a 100644
--- a/docs/install/docker.md
+++ b/docs/install/docker.md
@@ -169,18 +169,7 @@ services:
 - ./custom-kibana.yml:/usr/share/kibana/config/kibana.yml
 ```
 
-You can use this same method to pass your own certificates for use with the [Security](../../security/) plugin:
-
-```yml
-services:
- odfe-node1:
- volumes:
- - odfe-data1:/usr/share/elasticsearch/data
- - ./custom-elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- - ./my-key-file.pem:/usr/share/elasticsearch/config/my-key-file.pem
- - ./my-certificate-chain.pem:/usr/share/elasticsearch/config/my-certificate-chain.pem
- - ./my-root-cas.pem:/usr/share/elasticsearch/config/my-root-cas.pem
-```
+You can use this same method to [pass your own certificates](../override-security) for use with the [Security](../../security/) plugin.
 
 ## Bash access to containers
diff --git a/docs/install/encryption-at-rest.md b/docs/install/encryption-at-rest.md
index f201efd0..0f293e94 100644
--- a/docs/install/encryption-at-rest.md
+++ b/docs/install/encryption-at-rest.md
@@ -1,8 +1,8 @@
 ---
 layout: default
-title: Encryption at rest
+title: Encryption at Rest
 parent: Install and Configure
-nav_order: 3
+nav_order: 99
 ---
 
 # Encryption at rest
diff --git a/docs/security/index.md b/docs/security/index.md
index 13af2749..83503e3c 100644
--- a/docs/security/index.md
+++ b/docs/security/index.md
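Review bot: The `docker exec` command under "Change passwords for read-only users" has no container argument, so `/bin/sh` is taken as the container name and the command fails even though the preceding sentence tells the reader to look the ID up; it should read `docker exec <odfe-node1-container-id> /bin/sh /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p newpassword`, and because `-p` leaves the cleartext password in shell history and `ps` output the page should prefer running `hash.sh` without `-p` if the script prompts interactively (confirm against the script). The sample `elasticsearch.yml` keeps `opendistro_security.allow_unsafe_democertificates: true` and `opendistro_security.ssl.transport.enforce_hostname_verification: false`, which contradicts the page's stated goal of replacing the demo certificates before production; once real certificates are mounted the example should set `opendistro_security.allow_unsafe_democertificates: false` and `opendistro_security.ssl.transport.enforce_hostname_verification: true`, or at least label those two lines as demo-only. The restart step `docker-compose down -v` removes the named volumes `odfe-data1`/`odfe-data2` declared in the same compose file, i.e. all index data, and the text should say so explicitly rather than leaving it implicit. The `kibanaserver` entry labelled `# New password applied` carries a `$2a$` hash unlike the `$2y$` hash `hash.sh` produced for `admin`, so it looks like it may still be the demo value — verify before publishing. Finally, the verification `curl` uses `-k`, which disables certificate checking; with a custom CA mounted as `root-ca.pem` the doc should show `--cacert root-ca.pem` instead.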
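Review bot: The replacement link in `docs/install/docker.md` points at `../override-security`, but the page this series creates is `docs/install/docker-security.md`, which `docs/security/index.md` in the same patch links as `../install/docker-security`, so this link will be broken. The added line should presumably read `You can use this same method to [pass your own certificates](../docker-security) for use with the [Security](../../security/) plugin.`, matching the `../../security/` relative form already used on that line.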
@@ -20,6 +20,6 @@ Open Distro for Elasticsearch includes the Security plugin for authentication an
 - Cross-cluster search
 - Kibana multi-tenancy
 
-The plugin includes demo certificates so that you can get up and running quickly, but you should [replace the demo certificates](../install/docker/#configure-elasticsearch) and [reconfigure `elasticsearch.yml`](tls-configuration) before using Open Distro for Elasticsearch in a production environment.
+The plugin includes demo certificates so that you can get up and running quickly, but you should [replace the demo certificates](../install/docker-security) and [reconfigure `elasticsearch.yml`](tls-configuration) before using Open Distro for Elasticsearch in a production environment.
 
 If you don't want to use the plugin, see [Disable security](disable).

From 6af29195cb8a39e887fbd9e1173a39c46a005190 Mon Sep 17 00:00:00 2001
From: aetter
Date: Fri, 15 Mar 2019 15:04:44 -0700
Subject: [PATCH 2/5] Small tweak courtesy of Jon

---
 docs/install/docker-security.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/install/docker-security.md b/docs/install/docker-security.md
index 1baf6897..28f5d089 100644
--- a/docs/install/docker-security.md
+++ b/docs/install/docker-security.md
@@ -128,7 +128,7 @@ $ docker exec /bin/sh /usr/share/elasticsearch/plugins/opendistro
 The hash script returns a hashed password (e.g. `$2y$12$SFNvhLHf7MPCpRCq00o/BuU8GMdcD.7BymhT80YHNISBHsfJwhTou`), which you can then copy and paste into `internal_users.yml`. Repeat the process as necessary for all read-only users. Don't worry about the other user accounts; you can change (or delete) them in Kibana.
 
-When you're satisfied, restart the cluster using `docker-compose down -v` and `docker-compose up`.
+When you're satisfied, modify `custom-kibana.yml` to include the new `kibanaserver` password. Then restart the cluster using `docker-compose down -v` and `docker-compose up`.
 
 `internal_users.yml` looks like this:
From 9229bd1463e027b4868c870bef3ebaa307a094db Mon Sep 17 00:00:00 2001
From: aetter
Date: Fri, 15 Mar 2019 15:53:47 -0700
Subject: [PATCH 3/5] Another Jon suggestion

---
 docs/install/docker-security.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/install/docker-security.md b/docs/install/docker-security.md
index 28f5d089..21fe2306 100644
--- a/docs/install/docker-security.md
+++ b/docs/install/docker-security.md
@@ -128,7 +128,7 @@ $ docker exec /bin/sh /usr/share/elasticsearch/plugins/opendistro
 The hash script returns a hashed password (e.g. `$2y$12$SFNvhLHf7MPCpRCq00o/BuU8GMdcD.7BymhT80YHNISBHsfJwhTou`), which you can then copy and paste into `internal_users.yml`. Repeat the process as necessary for all read-only users. Don't worry about the other user accounts; you can change (or delete) them in Kibana.
 
-When you're satisfied, modify `custom-kibana.yml` to include the new `kibanaserver` password. Then restart the cluster using `docker-compose down -v` and `docker-compose up`.
+When you're satisfied, modify `custom-kibana.yml` to include the new `kibanaserver` password. Then restart the cluster using `docker-compose down -v` and `docker-compose up`. The `-v` is critical in this case.
 
 `internal_users.yml` looks like this:

From 803bce79df74441a4d703f083b43acdc8337bd74 Mon Sep 17 00:00:00 2001
From: aetter
Date: Fri, 15 Mar 2019 16:38:10 -0700
Subject: [PATCH 4/5] Feedback from Eli and Shivang

---
 docs/install/docker-security.md | 2 +-
 docs/security/api.md | 4 ++--
 docs/security/index.md | 2 +-
 docs/security/saml.md | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/docs/install/docker-security.md b/docs/install/docker-security.md
index 21fe2306..6f9368af 100644
--- a/docs/install/docker-security.md
+++ b/docs/install/docker-security.md
@@ -120,7 +120,7 @@ If you encounter any `File /usr/share/elasticsearch/config/elasticsearch.yml has
 ## Change passwords for read-only users
 
-After the cluster starts, change the passwords for the read-only user accounts (`admin` and `kibanaserver`). Run `docker ps` to find the `odfe-node1` container ID. Then run:
+After the cluster starts, change the passwords for the [read-only user accounts](../../security/api/#read-only-and-hidden-resources) (`admin` and `kibanaserver`). Run `docker ps` to find the `odfe-node1` container ID. Then run:
 
 ```
 $ docker exec /bin/sh /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p newpassword
diff --git a/docs/security/api.md b/docs/security/api.md
index b0551fca..16113894 100644
--- a/docs/security/api.md
+++ b/docs/security/api.md
@@ -238,7 +238,7 @@ GET _opendistro/_security/api/internalusers/
 ```json
 {
 "kirk": {
- "hash": "$2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO",
+ "hash": "",
 "roles": [ "captains", "starfleet" ],
 "attributes": {
 "attribute1": "value1",
@@ -262,7 +262,7 @@ GET _opendistro/_security/api/internalusers/
 ```json
 {
 "kirk": {
- "hash": "$2a$12$xZOcnwYPYQ3zIadnlQIJ0eNhX1ngwMkTN.oMwkKxoGvDVPn4/6XtO",
+ "hash": "",
 "roles": [ "captains", "starfleet" ],
 "attributes": {
 "attribute1": "value1",
diff --git a/docs/security/index.md b/docs/security/index.md
index 83503e3c..72fb001c 100644
--- a/docs/security/index.md
+++ b/docs/security/index.md
@@ -20,6 +20,6 @@ Open Distro for Elasticsearch includes the Security plugin for authentication an
 - Cross-cluster search
 - Kibana multi-tenancy
 
-The plugin includes demo certificates so that you can get up and running quickly, but you should [replace the demo certificates](../install/docker-security) and [reconfigure `elasticsearch.yml`](tls-configuration) before using Open Distro for Elasticsearch in a production environment.
+The plugin includes demo certificates so that you can get up and running quickly, but you should [replace the demo certificates](../install/docker-security), [reconfigure `elasticsearch.yml`](tls-configuration), and change passwords before using Open Distro for Elasticsearch in a production environment.
 
 If you don't want to use the plugin, see [Disable security](disable).
diff --git a/docs/security/saml.md b/docs/security/saml.md
index a2e23c28..0cbb07b9 100644
--- a/docs/security/saml.md
+++ b/docs/security/saml.md
@@ -283,11 +283,11 @@ opendistro_security.auth.type: "saml"
 In addition, the Kibana endpoint for validating the SAML assertions must be whitelisted:
 
 ```
-server.xsrf.whitelist: ["/opendistro_security/saml/acs"]
+server.xsrf.whitelist: ["/_opendistro/_security/saml/acs"]
 ```
 
 If you use the logout POST binding, you also need to whitelist the logout endpoint:
 
 ```
-server.xsrf.whitelist: ["/opendistro_security/saml/acs", "/opendistro_security/saml/logout"]
+server.xsrf.whitelist: ["/_opendistro/_security/saml/acs", "/opendistro_security/saml/logout"]
 ```

From cc3721fc34209ebbfbfae030d971bd778d016b44 Mon Sep 17 00:00:00 2001
From: aetter
Date: Mon, 18 Mar 2019 08:28:45 -0700
Subject: [PATCH 5/5] Update docker-security.md

---
 docs/install/docker-security.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/install/docker-security.md b/docs/install/docker-security.md
index 6f9368af..4aa98976 100644
--- a/docs/install/docker-security.md
+++ b/docs/install/docker-security.md
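Review bot: The second whitelist line in the `saml.md` hunk updates only the ACS entry: `/_opendistro/_security/saml/acs` is the new path, but the logout entry on the same line is left as `/opendistro_security/saml/logout`, the old prefix that this very hunk abandons for the ACS endpoint. A deployment using the logout POST binding would then whitelist a path Kibana no longer serves while the real logout endpoint stays subject to XSRF rejection, so the line should read `server.xsrf.whitelist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]`, assuming the logout route moved together with the ACS route — confirm against the plugin's Kibana routes before changing it.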
@@ -114,7 +114,7 @@ opendistro_security.audit.config.disabled_transport_categories: NONE
 To start the cluster, run `docker-compose up`.
 
-If you encounter any `File /usr/share/elasticsearch/config/elasticsearch.yml has insecure file permissions (should be 0600)` messages, you can use `chmod` on your local machine to set file permissions before running `docker-compose up`. Docker Compose passes files to the container as-is.
+If you encounter any `File /usr/share/elasticsearch/config/elasticsearch.yml has insecure file permissions (should be 0600)` messages, you can use `chmod` to set file permissions before running `docker-compose up`. Docker Compose passes files to the container as-is.
 {: .note }