From version 5.0 onward, Shield is part of X-Pack. For more information, see Securing the Elastic Stack.
« Controlling the User Cache Role-based Access Control »
Elastic Docs Shield [2.4] User Authentication

Migration tool for users and roles

edit

Migration tool for users and roles

edit

The easiest way to migrate from file based users and roles to the native realm is to use the migrate tool included with the shield plugin. The migrate tool reads the file realm files to load the defined users and realms and executes HTTP requests to add the specified user(s) and role(s) to the store.

To run the migrate tool after installing the shield plugin, run the migrate tool as follows:

$ bin/shield/migrate native -U http://localhost:9200 -u test_user -p changeme -n lee,foo -r role1,role2,role3,role4,foo
starting migration of users and roles...
importing users from [/home/es/config/shield/users]...
found existing users: [test_user, joe3, joe2]
migrating user [lee]
{"user":{"created":true}}
no user [foo] found, skipping
importing roles from [/home/es/config/shield/roles.yml]...
found existing roles: [marvel_user, role_query_fields, admin_role, role3, admin, remote_marvel_agent, power_user, role_new_format_name_array, role_run_as, logstash, role_fields, role_run_as1, role_new_format, kibana4_server, user, transport_client, role1.ab, role_query]
migrating role [role1]
{"role":{"created":true}}
migrating role [role2]
{"role":{"created":true}}
role [role3] already exists, skipping
no role [foo] found, skipping
users and roles imported.

Existing users or roles will not be replaced or overridden, and users or roles will be skipped if they do not occur in the file based configuration.

The "native" subcommand supports the following options:

Table 7. Migration Tool Settings

Parameter Required Description

-U, --url

yes

The URL endpoint of the Elasticsearch cluster to which the users and roles will be added

-u, --username

no

Username to use for authentication

-p, --password

no

Password to use for authentication

-c, --config

no

Configuration directory to use instead of the default for SSL configuration, user, and role files

-n, --users

no

Comma-separated list of usernames to migrate, if empty, all users found will be migrated

-r, --roles

no

Comma-separated list of role names to migrate, if empty, all roles found will be migrated
« Controlling the User Cache Role-based Access Control »