Using Roles and Users for Data Access in Elasticsearch

Elasticsearch controls access to data through a security model built on roles and users: only authenticated users can log in, and each user can perform only the actions its roles permit. Implementing role-based access control (RBAC) is essential for data security and operational integrity in an Elasticsearch environment.
This guide explains how to configure roles and users for secure data access.

Enable Security in Elasticsearch

Why It Matters
Security features, including user authentication and role-based access, must be enabled to use roles and users.
Steps:
  1. Open your elasticsearch.yml file.
  2. Add the following configurations to enable security features:

     xpack.security.enabled: true
     xpack.security.transport.ssl.enabled: true
     xpack.security.http.ssl.enabled: true

  3. Restart Elasticsearch to apply the changes:

     sudo systemctl restart elasticsearch

Note that enabling SSL on the transport and HTTP layers also requires a certificate and key to be configured for each layer; a node with transport SSL enabled and no certificate configured will not start.

Create Roles

Roles define the permissions for a user or group of users. Each role specifies:
  • The indices a user can access.
  • The operations a user can perform on those indices.
  • Cluster-wide privileges.
Example: Create a Role for Read-Only Access
POST /_security/role/data_reader
{
  "cluster": [],
  "indices": [
    {
      "names": ["logs-*"],
      "privileges": ["read"]
    }
  ]
}
Explanation
  • The role data_reader grants the read privilege on every index matching the pattern logs-*.
  • No cluster-level privileges are assigned ("cluster": []).

Create Users

Users are mapped to one or more roles, determining their permissions.
Example: Create a User with the data_reader Role

POST /_security/user/john_doe
{
  "password": "securepassword123",
  "roles": ["data_reader"],
  "full_name": "Your Name",
  "email": "[email protected]"
}

Default Roles

Elasticsearch comes with predefined roles that cover common use cases:
  • superuser: Full access to all cluster and index operations.
  • kibana_dashboard_only_user: Read-only access to Kibana dashboards.
  • monitoring_user: Access to cluster monitoring data.
These roles can be assigned directly or used as templates for custom roles.

Role and User Management in Kibana

If Kibana is installed, you can manage roles and users via the Management > Security section in the Kibana UI.
Steps
  1. Log in to Kibana with a user that has superuser privileges.
  2. Navigate to Management > Security > Roles or Management > Security > Users.
  3. Create or modify roles and users through the UI.

Role-Based Access for Index Operations

Example 1: Write-Only Access
A role that allows write operations but prevents users from reading data:

POST /_security/role/data_writer
{
  "cluster": [],
  "indices": [
    {
      "names": ["logs-*"],
      "privileges": ["write"]
    }
  ]
}

Example 2: Restricted Data Access
A role that uses field-level security, so users can read only the granted fields of documents in the matching indices:

POST /_security/role/restricted_access
{
  "cluster": [],
  "indices": [
    {
      "names": ["sensitive-data-*"],
      "privileges": ["read"],
      "field_security": {
        "grant": ["public_field", "metadata_field"]
      }
    }
  ]
}

Monitor User Activity

Elasticsearch provides audit logging to monitor user actions.
Steps to Enable Audit Logging:
  1. Add the following to your elasticsearch.yml:

     xpack.security.audit.enabled: true

Logs are stored in the logs/security_audit.log file by default.

Best Practices for Role and User Management

  • Follow the Principle of Least Privilege: Assign only the minimum required permissions to each role.
  • Use Patterns for Index Names: Define roles with wildcard patterns for flexible data access.
  • Regularly Review Roles and Users: Audit permissions periodically to ensure compliance.
  • Enable TLS/SSL: Secure communication to protect user credentials and sensitive data.
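Reviewing roles against the least-privilege rule can be scripted. The following is an added example, not code from SOC Prime or Elastic: it walks role definitions in the same JSON shape as the POST /_security/role bodies above and flags broad cluster or index privileges, catch-all index patterns, and sensitive indices that lack field_security. The sample roles (including the over-privileged ops_helper) and the "broad privilege" thresholds are constructed for illustration.

```python
# Constructed sample roles in the body shape of POST /_security/role/<name>: the
# first two mirror this page; ops_helper is deliberately over-privileged to be flagged.
SAMPLE_ROLES = {
    "data_reader": {
        "cluster": [],
        "indices": [{"names": ["logs-*"], "privileges": ["read"]}],
    },
    "restricted_access": {
        "cluster": [],
        "indices": [{
            "names": ["sensitive-data-*"],
            "privileges": ["read"],
            "field_security": {"grant": ["public_field", "metadata_field"]},
        }],
    },
    "ops_helper": {
        "cluster": ["all"],
        "indices": [
            {"names": ["*"], "privileges": ["all"]},
            {"names": ["sensitive-data-*"], "privileges": ["read"]},
        ],
    },
}

# Privileges that grant far more than plain read/write; assumed review thresholds.
BROAD_CLUSTER = {"all", "manage", "manage_security"}
BROAD_INDEX = {"all", "manage", "delete_index"}

def review_role(name, role):
    """Return least-privilege findings (strings) for one role definition."""
    findings = []
    broad_cluster = BROAD_CLUSTER & set(role.get("cluster", []))
    if broad_cluster:
        findings.append(f"{name}: broad cluster privilege {sorted(broad_cluster)}")
    for entry in role.get("indices", []):
        names = entry.get("names", [])
        broad_index = BROAD_INDEX & set(entry.get("privileges", []))
        if "*" in names:
            findings.append(f"{name}: index pattern '*' matches every index")
        if broad_index:
            findings.append(f"{name}: broad index privilege {sorted(broad_index)} on {names}")
        # Indices holding sensitive data should restrict the visible fields.
        if any(n.startswith("sensitive-") for n in names) and "field_security" not in entry:
            findings.append(f"{name}: no field_security on {names}")
    return findings

def review_roles(roles):
    """Review every role; return {name: findings} for roles that have findings."""
    report = {n: review_role(n, r) for n, r in roles.items()}
    return {n: f for n, f in report.items() if f}
```

In a live cluster the role definitions to feed in can be fetched with GET /_security/role, which returns the same JSON shape.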

Test User Permissions

After configuring roles and users, test their permissions to ensure they meet the requirements.
Example Test Query
Log in with the user credentials and attempt an action:

curl -u your_name:securepassword123 -X GET "https://your-cluster:9200/logs-2024/_search"
  • A successful query confirms the correct role configuration.
  • A permission denied error (403 Forbidden) indicates missing privileges.

Conclusion

The main tools for data protection and access control in Elasticsearch are roles and users. Using RBAC, administrators can control the level of permissions, ensuring that users have access to only the data and actions they need. For more details, visit the official Elasticsearch documentation.

The post Using Roles and Users for Data Access in Elasticsearch appeared first on SOC Prime.