Using curator with Search Guard
Search Guard is compatible with curator. Since curator is written in Python, depending on the Python version you are using you may experience some challenges with the SSL setup.
Please read the Elasticsearch documentation on curator, Python and security
First set up a curator role and allow access to all indices that you want to manage via curator. For example, if you use logstash and want to manage your daily rolling logstash index a matching role might look like:
sg_curator: cluster_permissions: - SGS_CLUSTER_MONITOR - SGS_CLUSTER_COMPOSITE_OPS_RO index_permissions: - index_patterns: - 'logstash-*' allowed_actions: - SGS_UNLIMITED
If you use the Search Guard internal user database, set up a curator user.
curator: hash: $2y$12$Y7znAYZWqJBTJSrT8.iHreCyCVhRE5RQ4dKbbLKXtnutdTE2IP2n.
Last, map the
curator user to the
sg_curator Search Guard role:
sg_curator: users: - curator
Setting up TLS/SSL
If you use
HTTPS instead of
HTTP, configure curator to use
client: hosts: - 127.0.0.1 port: 9200 use_ssl: True certificate: /path/to/root_CA ssl_no_validate: True ...
|use_ssl||If set to True, curator will connect with HTTPS instead of HTTP|
|certificate||Absolute path to the root CA|
|ssl_no_validate||If set to True curator will not validate the certificate it receives from Elasticsearch. Enable this if you are using self-signed certificates.|
Setting ssl_no_validate to True will likely result in a warning message that your SSL certificates are not trusted. This is expected behavior.
HTTP Basic Authentication
In case you are using HTTP Basic Authentication, add the username and password like:
client: hosts: - 127.0.0.1 port: 9200 ... http_auth: "curator:curator" ...
You can also set the credentials via the command line:
curator_cli --http_auth 'user:pass' ...
client: hosts: - 127.0.0.1 port: 9200 url_prefix: use_ssl: True certificate: /etc/elasticsearch/config/root-ca.pem ssl_no_validate: True http_auth: curator:curator timeout: 30 master_only: False
Client Certificate Authentication
You can also use client certificates for authentication:
client: hosts: - 127.0.0.1 port: 9200 ... client_cert: /path/to/client_certificate client_key: /path/to/private_key ...
|client_cert||Absolute path to the client TLS certificate that is sent with each request.|
|client_key||Absolute path to the private key of the client certificate.|
Curator only supports unencrypted private keys.
If you use client certificates, you also need to set up a client certificate authentication domain.
client: hosts: - 127.0.0.1 port: 9200 url_prefix: use_ssl: True certificate: /etc/elasticsearch/config/root-ca.pem client_cert: /etc/elasticsearch/config/spock.pem client_key: /etc/elasticsearch/config/spock-key.pem ssl_no_validate: True timeout: 30 master_only: False
clientcert_auth_domain: enabled: true order: 1 http_authenticator: type: clientcert config: username_attribute: cn challenge: false authentication_backend: type: noop