Cluster security

Smartsite 7.9 - ...

Purpose

When using an Elastic Search cluster for multiple tenants (customers, applications) it is required to shield each tenant from other tenants. Tenants should be able to access their indices, and must not be able to access indices of other tenants.

Multitenant measures

The following measures are taken at installation time.

  • Communication between nodes of the cluster is secured.
  • Communication between clients and the cluster is secured. Clients include the Smartsite Manager, search applications, Kibana and curl.
  • The cluster requires credentials for access. Internal passwords for various system users are replaced by strong passwords.

Multitenant model

Enterprise Search applies the following multitenant model:

  • Tenant configuration specifies the tenant, for example test. This tenant has access to al indices test-*, for example test-123test-abc and test-abc-1. however not test123, testabc or test. This configuration is tenant specific, for example there is one Web.config for the Smartsite Manager for a particular tenant. The Smartsite Manager adds the prefix test- to index names entered by the tenant.
  • Role Based Access Control (RBAC) of Elastic Search / xpack is used to configure a tenant specific role, for example test-manager, and a tenant specific user, for example test-user. The role is configured for full control of indices test-*, and the user is configured to have that role.
  • Elastic Search / xpack requires credentials and checks whether the user is authorized to perform a particular operation or operation against an index. Elastic Search native user authentication is used as opposed to, for example, active directory. Tenant configuration specifies the user credentials and the Smartsite Manager in the above example passes credentials to Elastic Search.
  • A customer in a Software as a Service (SAAS) environment controls the Smartsite Manager without having control of the tenant configuration. The Smartsite Manager supports to configure parts of the Web.config; the parts involving the Elastic Search cluster can however not be accessed in a multitenant environment.

Configuration of a tenant, using Kibana

These are the steps to configure a tenant in the multitenant environment. Use of Kibana is assumed.  Alternatively curl can be used, see below.

  1. Select a unique tenant prefix for the customer, for example test. Make sure no indices named test-* are in use. Consider performing GET /_cat/indices in Kibana. Kibana, Dev Tools.
  2. Use Kibana to create a role, for example test-manager. Kibana, Home menu, Management (not: Security), Stack Management, under Security: Roles.
    1. Role name: test-manager.
    2. Add cluster privilege: monitor.
    3. Add indices: test-*, privileges: all.
  3. Create a user. Under Security: Users.
    1. User name: test-user.
    2. Roles: test-manager.
    3. Password: create and enter a strong password.

Configuration of a tenant, using curl

Alternatively use curl to configure. If necessary install curl first, on a local machine, on a node of the cluster, on a server used for management of the Elastic Search cluster, or on another system that has access to the cluster. On that machine open a command box. Elevation is not required.

Which indices are present?

curl --user elastic:StRoNgPaSsWoRd --cacert ../../Kibana/7.17.3/config/elasticsearch-ca.pem https://host-123.example.com:9200/_cat/indices
  • Use the strong password of system user elastic.
  • Ensure the path to the certificate authority (CA) certificate is correct.
  • Specify a node of the cluster.

Select a tenant prefix.

test

Which roles are present?

curl --user elastic:StRoNgPaSsWoRd --cacert ../../Kibana/7.17.3/config/elasticsearch-ca.pem https://host-123.example.com:9200/_security/role?pretty=true

Create role test-manager. Obtain and adjust file Create-role.json:

{
"cluster": ["monitor"],
"indices": [
{
"names": ["test-*"],
"privileges": ["all"]
}
]
}

Create or replace the role:

curl --user elastic:StRoNgPaSsWoRd --cacert ../../Kibana/7.17.3/config/elasticsearch-ca.pem -H Content-Type:application/json -X PUT https://host-123.example.com:9200/_security/role/test-manager -d @Create-role.json

Request the details of the role:

curl --user elastic:StRoNgPaSsWoRd --cacert ../../Kibana/7.17.3/config/elasticsearch-ca.pem https://host-123.example.com:9200/_security/role/test-manager?pretty=true

Resuls in:

{
"test-manager" : {
"cluster" : [
"monitor"
],
"indices" : [
{
"names" : [
"test-*"
],
"privileges" : [
"all"
],
"allow_restricted_indices" : false
}
],
"applications" : [ ],
"run_as" : [ ],
"metadata" : { },
"transient_metadata" : {
"enabled" : true
}
}
}

 If a role needs deleting:

curl --user elastic:StRoNgPaSsWoRd --cacert ../../Kibana/7.17.3/config/elasticsearch-ca.pem -X DELETE https://host-123.example.com:9200/_security/role/delete-me

Create user test-user. Obtain and adjust file Create-user.json:

{
"password": "AnOtHeRpAsSwOrD",
"roles": ["test-manager"],
"full_name": "Test user"
}

 Create or replace the user:

curl --user elastic:StRoNgPaSsWoRd --cacert ../../Kibana/7.17.3/config/elasticsearch-ca.pem -H Content-Type:application/json -X PUT https://host-123.example.com:9200/_security/user/test-user -d @Create-user.json

Request the details of the user:

 curl --user elastic:StRoNgPaSsWoRd --cacert ../../Kibana/7.17.3/config/elasticsearch-ca.pem https://host-123.example.com:9200/_security/user/test-user?pretty=true

Results in: 

{
"test-user" : {
"username" : "test-user",
"roles" : [
"test-manager"
],
"full_name" : "Test user",
"email" : null,
"metadata" : { },
"enabled" : true
}
}

Smartsite manager Web.config

For the Smartsite Manager edit the Web.config. Other client applications such as search applications have their own Web.Config or App.config.

  1. Set enterprisesearch.elastic.tenant: test.
  2. Set enterprisesearch.elastic.username: test-user.
  3. Set enterprisesearch.elastic.password: the above strong password.
  4. Restart the manager and assert that at several settings cannot be managed. System, Configuration Editor, Enterprise Search. Expect other settings; do not expect settings for the username and password. For information: older versions of Smartsite may expose these settings. Smartsite 7.11 b4 and later should not expose these settings if a tenant is configured.