Setting up X-Pack Security

August 11, 2018

X-Pack is a group of plugins for Elasticsearch and Kibana which enhances the functionality of the Elastic Stack. We will focus in this blog post on the Security plugin but there are other plugins for Monitoring, Graph and Machine Learning.

Install Elasticsearch

Let’s install Elasticsearch first. With homebrew is super easy on Mac:

brew install elasticsearch

Install X-Pack into Elasticsearch

Next we install the X-Pack plugin using the following command:

elasticsearch-plugin install x-pack

We can verify that the plugin was installed using the command:

elasticsearch-plugin list
x-pack
	x-pack-core
	x-pack-deprecation
	x-pack-graph
	x-pack-logstash
	x-pack-ml
	x-pack-monitoring
	x-pack-security
	x-pack-upgrade
	x-pack-watcher

Starting from Elasticsearch 6.0 the elastic user uses a default bootstrap password instead of changeme. This password is set in the keystore.seed keystore in the bootstrap.password entry and was created when the X-Pack was installed.

In order to set a new password for the elastic user we can use the following command:

/usr/local/Cellar/elasticsearch/6.2.4/libexec/bin/x-pack/setup-passwords interactive

With this command we set the passwords for all the reserved users elastic,kibana,logstash_system.

Next we can start elasticsearch:

elasticsearch

In the logs we will see that a 30 day trial license for X-Pack is used.

[2018-08-10T20:29:39,236][INFO ][o.e.l.LicenseService     ] [x3swaP_] license [167cd147-1515-4ac3-9016-118877aa1c44] mode [trial] - valid

Next we can verify that we need to provide username and password otherwise we get 401 Unauthorized response.

http :9200

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="security" charset="UTF-8"
content-encoding: gzip
content-length: 191
content-type: application/json; charset=UTF-8

{
    "error": {
        "header": {
            "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
        },
        "reason": "missing authentication token for REST request [/]",
        "root_cause": [
            {
                "header": {
                    "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
                },
                "reason": "missing authentication token for REST request [/]",
                "type": "security_exception"
            }
        ],
        "type": "security_exception"
    },
    "status": 401
}
http :9200 -a elastic:s3cr3t
{
    "cluster_name": "elasticsearch_zoal",
    "cluster_uuid": "wTAn5CR4Q8-AvXzyGrLzVA",
    "name": "x3swaP_",
    "tagline": "You Know, for Search",
    "version": {
        "build_date": "2018-04-12T20:37:28.497551Z",
        "build_hash": "ccec39f",
        "build_snapshot": false,
        "lucene_version": "7.2.1",
        "minimum_index_compatibility_version": "5.0.0",
        "minimum_wire_compatibility_version": "5.6.0",
        "number": "6.2.4"
    }
}

Information about the used license we can get via

http :9200/_xpack/license -a elastic:s3cr3t
HTTP/1.1 200 OK
content-encoding: gzip
content-length: 245
content-type: application/json; charset=UTF-8

{
    "license": {
        "expiry_date": "2018-09-09T15:34:15.304Z",
        "expiry_date_in_millis": 1536507255304,
        "issue_date": "2018-08-10T15:34:15.304Z",
        "issue_date_in_millis": 1533915255304,
        "issued_to": "elasticsearch_zoal",
        "issuer": "elasticsearch",
        "max_nodes": 1000,
        "start_date_in_millis": -1,
        "status": "active",
        "type": "trial",
        "uid": "167cd147-1515-4ac3-9016-118877aa1c44"
    }
}

We can update the license via PUT _xpack/license endpoint. More information can be found here

Install Kibana

Installing Kibana with homebrew is very easy:

brew install kibana

Install X-Pack Plugin into Kibana

Installing the X-Pack plugin into Kibana took significantly more time:

kibana-plugin install x-pack
Attempting to transfer from x-pack
Attempting to transfer from https://artifacts.elastic.co/downloads/kibana-plugins/x-pack/x-pack-6.2.4.zip
Transferring 264988487 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Optimizing and caching browser bundles...
Plugin installation complete

Before starting Kibana we need to set the password of the built-in kibana user in the kibana.yml file found in /usr/local/Cellar/kibana/6.2.4/config directory. The kibana user is used for the internal requests (like the cluster monitoring APIs and accessing the .kibana index) between the Kibana server and the Elasticsearch cluster.
We need to uncomment the following two lines and set the same password which was configured during the previous setup-passwords interactive command for the built-in kibana user.

elasticsearch.username: "kibana"
elasticsearch.password: "s3cr3t"

After starting Kibana in the logs we should see that the trial license is being used.

...
log   [16:30:52.492] [info][license][xpack] Imported license information from Elasticsearch for the [monitoring] cluster: mode: trial | status: active | expiry date: 2018-09-09T17:34:15+02:00...
...

Use the Kibana Keystore the elasticsearch.password

Storing the password in plain text is not a good idea. We can use the Keystore in Kibana to store the password. First we need to create a Keystore via

kibana-keystore create
Created Kibana keystore in /usr/local/Cellar/kibana/6.2.4/data/kibana.keystore

Then we need to add elasticsearch.password entry into the Keystore and remove the elasticsearch.password from the kibana.yml configuration file.

kibana-keystore add elasticsearch.password

After restarting Kibana we should be able to login via elastic user

Kibana

and

Kibana with X-Pack

Conclusion

We have configured passwords for both the elastic user and the kibana user, and we modified kibana.yml so that Kibana can connect to your Elasticsearch using the password, and we used the Keystore to secure the password of the kibana user.