Lab 3 : Security Plugin

Change admin password

OD4FE ships with an advanced security plugin. The Security plugin stores its configuration—including users, roles, and permissions—in an index on the Elasticsearch cluster (.opendistro_security). Storing these settings in an index lets you change settings without restarting the cluster and eliminates the need to edit configuration files on every single node.

The plugin comes pre-configured with a number of different users and default passwords for them. Passwords for some of the preconfigured users—kibanaro, logstash, readall, and snapshotrestore—are available to change in the Security UI in Kibana. The admin and kibanaserver users are reserved users, and they must be changed in the security configuration files. Default location : /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

First run the hash tool to generate a new password hash.

$ sudo bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh
[Password:] <type a new secure password>
$2y$12$7f9DHLNLV1QkfhM9K5vhVeLpRxM2.7SMfZnAxUhLDJ5AYC/cs9y1S

Now open /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml in your favorite editor, and change the password string for the just the admin user with the hash created in the previous step.

After changing any of the configuration files in plugins/opendistro_security/securityconfig, however, you must run plugins/opendistro_security/tools/securityadmin.sh to load these new settings into the index.

Each node also includes the tool at plugins/opendistro_security/tools/securityadmin.sh. Make the script executable before running it:

sudo chmod +x /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh

To load configuration changes to Security plugin, you must provide your admin certificate to the tool:

cd /usr/share/elasticsearch/plugins/opendistro_security/tools/
sudo ./securityadmin.sh -cd ../securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert  /etc/elasticsearch/kirk.pem -key  /etc/elasticsearch/kirk-key.pem

Open Distro Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Elasticsearch Version: 7.2.1
Open Distro Security Version: 1.2.1.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: od4es
Clusterstate: GREEN
Number of nodes: 7
Number of data nodes: 3
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
Will update '_doc/config' with ../securityconfig/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with ../securityconfig/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with ../securityconfig/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with ../securityconfig/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with ../securityconfig/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with ../securityconfig/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Done with success
  • The -cd option specifies where the Security plugin configuration files to upload to the cluster can be found.
  • The -icl (--ignore-clustername) option tells the Security plugin to upload the configuration regardless of the cluster name. As an alternative, you can also specify the cluster name with the -cn (--clustername) option.
  • Because the demo certificates are self-signed, we also disable hostname verification with the -nhnv (--disable-host-name-verification) option.
  • The -cacert, -cert and -key options define the location of your root CA certificate, the admin certificate, and the private key for the admin certificate.

For further details on securityadmin.sh, please refer to the documentation.

Users

We will create local users in the internal user database. We'll create 2 users – devops & itsupport

Login to kibana ( http://<client-node-ip>:5601/ ) with the new admin password.

For each user :

  1. Choose Security , Internal User Database , and Add a new internal user ( blue + button ).

  1. Provide the username and choose a password. The Security plugin automatically hashes the password and stores it in the .opendistro_security index.