Kerberos for Elasticsearch - elasticsearch

We are using the combination of hadoop and elasticsearch on production. We'd like to use Kerberos to centralise the authentication.
Does Elasticsearch support Kerberos? Or is there a plugin around for this?

Check out the Search Guard 2 plugin: https://github.com/floragunncom/search-guard
Advanced functionalities like LDAP and **Kerberos** authentication/authorization as well as DLS/FLS will be available soon as separate and commercial licensed add-ons (but still Open Source).

Elasticsearch 6.4+ supports Kerberos as part of the Elastic stack security features.
Currently, the Kerberos realm requires a platinum license to use.

Related

Advanced Searching Using Externally-Hosted Elasticsearch Instance

I am trying to enable search with Elasticsearch enabled for my self-hosted Gitlab instance.
My question is this:
I have an Elasticsearch instance that is external to my Gitlab instance i.e. my Gitlab instance is hosted on one server and my Elasticsearch instance is hosted on another server.
Am I able to use the external Elasticsearch instance to provide the Elasticsearch functionality that Gitlab requires in order to enable Advanced Search functionality?
Thanks,
Sean
As long as you have network connectivity between your gitlab instance and your Elasticsearch instance, you can use the Elasticsearch functionality.
Elasticsearch provides all its features and APIs in the form of REST requests and is designed for distributed systems where several components of an application are hosted separately.
Note: you can just use the curl command curl :9200 from your GitLab instance to see if you have network connectivity; if not, you can enable it using the security settings, e.g. in AWS the port settings can be changed using the security group.
Note: GitLab 15.0 (May 2022) offers new options.
Advanced Search is compatible with Elasticsearch 8
Elasticsearch 8 is the current version of Elasticsearch by Elastic. Previously, you could not use Elasticsearch 8 for Advanced Search. You had to use older versions instead. Starting in 15.0, you can use Elasticsearch 8 for Advanced Search.
If you use Elasticsearch 7.x, you must upgrade to GitLab 15.0 before upgrading to Elasticsearch 8.
If you use Elasticsearch 6.8, upgrade to any Elasticsearch 7.x version before upgrading to GitLab 15.0.
See Documentation and Epic.
And even, still with GitLab 15.0 (May 2022)
Advanced Search is compatible with OpenSearch
OpenSearch is an open source Elasticsearch fork. Prior to GitLab 15.0, Advanced Search was not compatible with OpenSearch. If you used AWS-managed services, you had to use older versions of Elasticsearch.
You can now take full advantage of OpenSearch for Advanced Search.
See Documentation and Epic.

Elasticsearch 5.6 authentication

I am using Elasticsearch version 5.6.
Is there a way to add a password to Elasticsearch without the X-Pack plugin and a Gold license?
I saw that x-pack supports security with basic license, but only from 6.8 version.
Currently, I can't upgrade Elasticsearch and am looking for another way to add authentication (RBAC) to Elasticsearch 5.6.
AFAIK, unfortunately, before 6.8, as you already mentioned, basic X-Pack security is not available, and if you need RBAC at the field and document level, it's not even available in the Gold license; for that, you need to buy a Platinum or Enterprise license.
I would suggest you go through the Elastic stack security section under Elastic subscription to see what is included and what is not included.
Apart from the other answer, you can look at [this shield](https://www.elastic.co/guide/en/shield/current/index.html)
You can refer to this post
This is the way with 5.6 ES and kibana.

Can I use the Kibana UI for clients? Is it open source?

I am new to Kibana. The requirement is to build an analytical dashboard, so we are thinking of uploading the data into Elasticsearch and giving access only to the visualization part of Kibana to build reports and use the different dashboards. I have googled and found some links for building custom dashboards using a Kibana plugin, but we don't need any customization, so we wanted to use the same Kibana UI. Please share your thoughts.
Elasticsearch and Kibana are both open-source.
If you want to prevent your users from reading/writing to the cluster but allow them to create visualisations and dashboards, then you can do so by using a basic license and setting up role-based access control. You'll need to give them full access to the .kibana index. Have a look at Elastic subscriptions to understand the different types of licenses (subscriptions).
If they only want to view and not create visualisations/dashboards, then create an RO (read-only) user with limited privileges, i.e. read-all but no-write permissions.
Can I use the Kibana UI for clients? Is it open source?
Yes, Kibana is open source. You need a server to host Kibana for free, or you can buy some special option like a 10-node ES server and Kibana with SAML (Platinum plan).
Check: https://www.elastic.co/subscriptions
The name you are looking for is the Elastic Stack, not Kibana on its own.
For example, Kibana always needs Elasticsearch.
Some features are in paid versions only, or in some free additional plugins.

Is it possible to secure Kibana UI using Ranger

I created a Kibana dashboard using HDFS data. (Note: I connect Elasticsearch with Hortonworks using Elasticsearch-Hadoop.) I want to secure the Kibana dashboard. Is it possible to do that with Ranger?
I don't think it is possible. You can check the documentation, which shows which projects Apache Ranger supports.
In your case you can use:
X-Pack - great security plugin for Elasticsearch and Kibana, but it is paid.
Search Guard - free Elasticsearch and Kibana security plugin. I think it is very good tool.
But if you don't want to deploy a real security plugin (which contains SSL etc.) or something like that and you only need dashboard security, you can use the Kibana Own Home plugin. It is a multitenancy plugin for Kibana which creates a separate .kibana index for every user. It works with Apache httpd or nginx. Read more here.

What's the best Kibana multi tenancy free open source project?

I'm trying to add a role based access control over Kibana to have different privileges and dashboards for different types of users and I found those projects:
Elastic Shield Plugin
Search Guard Kibana Multitenancy Module
Elasticsearch Read Only Rest Plugin
Kibana plugin Own Home
What I found is that:
Elastic Shield (now called X-Pack) is the best, but unfortunately it's only 30 days free trial.
The Search Guard module is a little complicated and it does the job, but it's not free for commercial use, which isn't suitable for my case.
ReadonlyREST plugin allows you to define which user reads which data, and their Enterprise Kibana plugin (non-free) also allows you to assign kibana indices to groups or users.
Kibana plugin Own Home is a workaround solution, as it defines a different Kibana index for each user, which isn't practical.
If you know any other projects or any workaround for the mentioned projects above that satisfies my requirements, I'd be so grateful.
Disclaimer: I work for floragunn, makers of Search Guard.
The only real way to separate dashboards and visualizations based on users/tenants is to place them in separate Kibana indices. This is what both Search Guard and Own Home do.
The reason for this is how Kibana works internally: Out of the box, Kibana will place all of these objects in one global Kibana index, shared by all users. Since Kibana itself has no notion of users, roles or tenants, the only way to do it is to intercept the calls to the Kibana index, and rewrite the index name based on the provided user/role information.
Search Guard does this directly on Elasticsearch level, so the tenant dashboards are separated even if you access Elasticsearch directly.
Own Home does that on Kibana level, but the effect/outcome is basically the same.
X-Pack does not have multi-tenancy for Kibana, so there's no separation of dashboards, only access control on Elasticsearch. Same is true for ReadOnly Rest.
One other option you have is to use the Red Hat OpenShift platform. They have an Elasticsearch plugin that is integrated with the Community Edition of Search Guard, and their own Kibana multi-tenancy module. As far as I know, this plugin is completely free.
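The index-name rewriting described in the answer above, sketched as an added example; it is not code from Search Guard, Own Home or the original post. The `.kibana_<tenant>` naming scheme, the tenant-name policy and the function names are assumptions, and the sketch goes one step beyond the text by refusing index expressions that could reach another tenant's Kibana index.

```python
import re
from fnmatch import fnmatchcase

GLOBAL_KIBANA_INDEX = ".kibana"  # the shared index named in the answer above
TENANT_NAME = re.compile(r"[a-z0-9][a-z0-9_-]{0,62}")  # assumed naming policy


def tenant_index(tenant: str) -> str:
    """Per-tenant Kibana index name (hypothetical '.kibana_<tenant>' scheme)."""
    name = tenant.lower()
    if not TENANT_NAME.fullmatch(name):
        # Commas, wildcards or slashes in a tenant name would change the target.
        raise ValueError(f"invalid tenant name: {tenant!r}")
    return f"{GLOBAL_KIBANA_INDEX}_{name}"


def rewrite_path(path: str, tenant: str) -> str:
    """Rewrite the index segment of a request path for an authenticated tenant.

    The first path segment may be a comma-separated index list. The global
    Kibana index becomes the tenant's own index; anything that could reach
    another tenant's Kibana index is refused instead of passed through.
    """
    own = tenant_index(tenant)
    segments = path.lstrip("/").split("/")
    rewritten = []
    for index in segments[0].split(","):
        if index == GLOBAL_KIBANA_INDEX:
            rewritten.append(own)
        elif index == own:
            rewritten.append(index)
        elif (index.startswith(GLOBAL_KIBANA_INDEX)      # another tenant's index
              or index.startswith("_")                   # _all, or no index given
              or fnmatchcase(GLOBAL_KIBANA_INDEX + "_x", index)):  # wildcard overlap
            raise PermissionError(f"{tenant!r} may not address {index!r}")
        else:
            rewritten.append(index)
    segments[0] = ",".join(rewritten)
    return "/" + "/".join(segments)


if __name__ == "__main__":
    # Constructed sample requests, all from the tenant "sales".
    for p in ["/.kibana/_search", "/.kibana,logs-2024/_search", "/.kib*/_search"]:
        try:
            print(p, "->", rewrite_path(p, "sales"))
        except PermissionError as exc:
            print(p, "-> refused:", exc)
```

Where this logic runs decides what it protects: applied only in front of Kibana, a client that talks to Elasticsearch directly bypasses it, which is the difference between the Elasticsearch-level and Kibana-level approaches the answer describes.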
This use case is now completely supported by ReadonlyREST via the Enterprise Kibana plugin.
And it comes with a lot more multitenancy/multiuser related features:
Remove certain Kibana apps for certain users
RBAC for indices, tenancies
Read only users won't see "save", "delete", "add" buttons in the Kibana UI
I made a video months ago that shows what this looks like.
Disclaimer: I work at ReadonlyREST, happy to take questions! :-)
Open Distro for Elasticsearch is a very good open source project for multitenancy configuration in Kibana. But the problem is that proper documentation is not easily available for the older versions.
Set up Multi-Tenant Kibana Access in Open Distro for Elasticsearch
Kibana multi-tenancy