Control Access with Basic Authentication
Shield makes it simple to password-protect your Elasticsearch cluster. Once Shield is installed, a username and password are required to communicate with the cluster.
If you submit a request without a username and password, the request is rejected:
curl -XGET 'http://localhost:9200/'
All you need to do to use basic authentication is set up users and assign them to one of the basic predefined roles:
- admin: Can perform any cluster or index action.
- power_user: Can monitor the cluster and perform any index action.
- user: Can perform read actions on any index.
To create a user and try out basic authentication:
- Add a user called es_admin and assign the admin role.
    bin/shield/esusers useradd es_admin -r admin
- When prompted, enter a password for the new user. Passwords must be at least 6 characters long.
- Submit a request using the newly-created user.
    curl -u es_admin -XGET 'http://localhost:9200/'
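One way to confirm from a script that the steps above took effect, as an added example that is not part of the Shield documentation. It assumes a rejected request comes back as HTTP 401; `auth_enforced`, `StubNode`, `demo` and the password are hypothetical names and constructed values, and the stub stands in for the node so the check runs offline.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Direct connections only: ignore any proxy set in the environment.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def basic_header(username, password):
    """Authorization value that `curl -u username:password` sends."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def status_of(url, auth=None):
    """HTTP status of a GET sent with or without credentials."""
    req = urllib.request.Request(url)
    if auth:
        req.add_header("Authorization", auth)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def auth_enforced(url, username, password):
    """True only if anonymous and wrong-password GETs get 401 and the real pair gets 200."""
    wrong = basic_header(username, password + "-wrong")
    return (status_of(url) == 401 and status_of(url, wrong) == 401
            and status_of(url, basic_header(username, password)) == 200)

class StubNode(BaseHTTPRequestHandler):
    """Constructed stand-in for a node, so the check runs offline."""
    protect = True  # False simulates a node that answers without credentials
    expected = basic_header("es_admin", "constructed-pw")  # constructed password

    def do_GET(self):
        ok = not self.protect or self.headers.get("Authorization") == self.expected
        self.send_response(200 if ok else 401)
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo(protect=True):
    StubNode.protect = protect
    server = HTTPServer(("127.0.0.1", 0), StubNode)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return auth_enforced(f"http://127.0.0.1:{server.server_port}/", "es_admin", "constructed-pw")
    finally:
        server.shutdown()
```

Against a real node, pass `http://localhost:9200/` and the password chosen for es_admin to `auth_enforced`. The Basic header is Base64-encoded, not encrypted, so over plain HTTP the credentials are readable on the wire.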
That’s it! That’s all it takes to set up the first layer of security for your Elasticsearch cluster. However, Shield offers much more than simple password protection. For example, you can:
- Enable Message Authentication to verify that messages have not been tampered with or corrupted in transit.
- Enable Auditing to keep track of attempted and successful interactions with your Elasticsearch cluster.
And that’s just the start. You can also:
- Define and Use Custom Roles for fine-grained access control.
- Integrate with LDAP or Active Directory, or require certificates for authentication.
- Use SSL/TLS encryption to secure communications to and from nodes.
- Use IP Filtering to allow or deny requests from particular IP addresses or address ranges.