Search Guard - Enterprise Security for Elasticsearch
Version: SG FLX
Enterprise

REST management API

Content

This module adds the capability of managing users, roles, roles mapping and action groups via a REST Api. It is required if you plan to use the Kibana config GUI.

Access control

Since the REST management API makes it possible to change users, roles and permissions, access to this functionality is restricted by Search Guard. Access is granted either by a user’s role or by providing an admin certificate.

Role-based access control

All roles that should have access to the API must be configured in elasticsearch.yml with the following key:

copy 
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS", ...]

This will grant full access permission to the REST API for all users that have the Search Guard role SGS_ALL_ACCESS.

You can further limit access to certain API endpoints and methods on a per role basis. For example, you can give a user permission to retrieve role information, but not to change or delete it.

The structure of the respective configuration is:

copy 
searchguard.restapi.endpoints_disabled..: ["",...]

For example:

copy 
searchguard.restapi.endpoints_disabled.SGS_ALL_ACCESS.ROLES: ["PUT", "POST", "DELETE"]

Possible values for endpoint are:

copy 
ACTIONGROUPS
ROLES
ROLESMAPPING
INTERNALUSERS
TENANTS
SGCONFIG
CACHE
LICENSE
SYSTEMINFO

Possible values for then method are:

copy 
GET
PUT
POST
DELETE

You can also disable endpoints and methods for all users by using global as role name:

copy 
searchguard.restapi.endpoints_disabled.global.: ["",...]

Admin certificate access control

Access can also be granted by using an admin certificate. This is the same certificate that you use when executing sgctl.

In order for Search Guard to pick up this certificate on the REST layer, you need to set the clientauth_mode in elasticsearch.yml to either OPTIONAL or REQUIRE:

copy 
searchguard.ssl.http.clientauth_mode: OPTIONAL

For curl, you need to specify the admin certificate with its complete certificate chain, and also the key:

copy 
curl --insecure --cert chain.pem --key kirk.key.pem ""

If you use the example PKI scripts provided by Search Guard SSL, the kirk.key.pem is already generated for you. You can generate the chain file by cating the certificate and the ca chain file:

copy 
cd search-guard-sll
cat example-pki-scripts/kirk.crt.pem example-pki-scripts/ca/chain-ca.pem > chain.pem

Fixing curl issues

If you experience problems with curl commands see Fixing curl first before reporting any issues.

Questions? Drop us a note!

Not what you were looking for? Try the search.