Add users to AWS elasticsearch kibana dashboard through API - elasticsearch

I'm trying to map users to kibana roles, however, when I do a GET request on _plugins/_security
I get a 401 error. I'm trying to do this from Kibana dashboard where I have all_access
role as well as from an Ec2 instance where the machine role is mapped to all_access
role. Need help in understanding how can I fix the same.
{"Message":"Your request: '/_plugins/_security' is not allowed."}

you will need to ask aws about this, as they run a fork of Elasticsearch that doesn't contain this particular functionality

On our version of AWS ES, I have to do this prefix in order to access the security API:
GET _opendistro/_security/api/roles
What you have to understand is the AWS ES does not use the "normal" ElasticSearch, it uses the OpenDistro version, therefor some commands are different.
Here is the link to the API doc for security :
https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/api/#access-control-for-the-api

Related

SCP: How to get role collection (CF) and roles (NEO) through the api

I'm working with the SAP cloud platform with Neo and Cloud Foundry Applications/Organizations on it. Currently I have the task to get all role collections from the cloud foundry applications and all the roles (or better called groups) from Neo.
Currently I can access the CF SCP API through the v3 cloud controller and get for example all roles from the cloud foundry applications.
The two problems I'm facing are that:
I dont know how to get the role collections, because I couldn t find anything in the documentation (I can get the roles but they do not link with the role collection because I think role collections are a SAP thing and not a CF thing).
I dont know how to access the NEO-API (I never worked with NEO) and I dont know how to get roles/groups from it
Does anybody know how I can do these things and has documentation for me so I can read a little further?

Get ARN of vendored layers

Looks like AWS layers like AWSLambda-Python37-SciPy1x have a different account and head version in the ARN in different regions. Eg
us-east-1: arn:aws:lambda:us-east-1:668099181075:layer:AWSLambda-Python37-SciPy1x:22
us-east-2: arn:aws:lambda:us-east-2:259788987135:layer:AWSLambda-Python37-SciPy1x:20
From a script I need to add the layer that pertains to the lambda's region, but I'm not finding an AWS CLI or boto3 command that will give me the ARN of a "published" layer (ie one that was given access to by an AWS admin to all accounts), I can only find my own layers (eg aws lambda list-layers).
The AWS console for lambda in web browser shows the vendored layers, so I loaded the page and looked through js console and saw the following request is made:
https://console.aws.amazon.com/lambda/services/ajax?operation=listAwsVendedLayers&locale=en
So it looks like the REST API has this operation to get that, but I cannot find the equivalent anywhere in AWS CLI or boto3.
Any ideas (short of using curl with the proper request head and auth info, pain), perhaps a way to run a "raw" request in boto3 so I could give it this listAwsVendedLayers operation? I looked in the docs could not find anything.

Role based access control in elastic search

What are the elastic search versions will support security features like role based access control ??
I am using elastic search only as a document store (no kibana or logstash), can we achieve role based access ?
If yes, how to create users and provide read/write role for it ?
I would suggest you read the X-pack docs for the same.
This is not the exact answer but I am new to the elastic as well.
I would recommend using ELK stack for getting the access control.

Implementing security on ELK using x-pack

I want to secure all the communications in ELK. For that i have installed x-pack plugin. Please let me know if its right plugin to do so. I want to introduce username & password and also SSL enabled communication.
I have installed x-pack plugin in elasticsearch.
elasticsearch-plugin.bat install x-pack
i have also learnt that there are 3 default users in x-pack. elastic, kibana and logstash-system.
Even though i have installed x-pack only on elasticsearch, kibana also asks for credentials.
My Doubts:
I want to know why kibana is asking for credentials.
If i give credentials as kibana/changeme, i dont get any logs in kibana. But if i login as elastic/changeme, i can see logs in kibana.Why it is so? Is it like, the credentials used should be same across elasticsearch and kibana?
How should i manage using elastic, kibana and logstash-system users provided by x-pack?
You can check out the users (assuming you are accessing Kibana on localhost and authenticate with elastic and changeme) at http://localhost:5601/app/kibana#/management/security/users?_g=().
In that list you'll also see the user kibana with the role kibana_system. If you check out the details of that role, you'll see that it only has the monitor privilege and can only access the indices .kibana* and .reporting-*. That explains why your kibana user cannot see any data.
If you want to make this production ready:
Only enable the users that you need.
Change passwords.
Maybe disable the default users and just create your own.
PS: I've only checked this on the 6.0.0-alpha2, but I think this should be the same on version 5 as well.

Create a new role dynamically using Elasticsearch Java Client

I have an elasticsearch(2.4.4) server and I'm using elasticsearch java client to manage indicies. I've added authentication with elasticsearch shield plugin(2.2.0) and it works properly. Now, i want to create new roles dynamically but it seems that not possible to do this using client.
Is it the only way making API requests to manage roles dynamically or am i missing something?

Resources