Info |
---|
Valid from Datafari 5.0: the documentation below is valid starting from v5.0 onwards |
Starting with Datafari 5.0, the Elastic ELK stack has been replaced by the Opendistro one. This has brought some changes, especially concerning the security aspect: Opendistro provides an open source security plugin equivalent to the proprietary Elastic security suite.
As a consequence, access to the Kibana UI is not handled anymore by an Apache proxy in front, but is instead managed by the Opendistro plugin.
Info |
---|
When performing modifications in any file mentioned in this documentation, you will need to run the following command in order to apply them (the OpenDistro stack needs to be up and running): |
sudo su datafari -c "[DATAFARI_HOME]/elk/elasticsearch/securityadmin_datafari.sh" |
1. Tenant system
The security principle is based on what is called a “tenant”. Simply put, a tenant is a “space” that contains Kibana dashboards, visualizations and objects. We can then attribute read/write rights to users on those tenants, or allow them to do some admin operations on them. This gives them access to the dashboards, visualizations etc. contained in the tenants on which they have read access. They can obviously modify or create new ones, assuming they have the correct rights.
In Datafari we have created two tenants:
admin_tenant: tenant where we store all the dashboards and visualizations reserved to the searchadmin user
searchexpert_tenant: tenant where we store all the dashboards and visualizations reserved to the searchexpert user
The tenants are declared and stored in the file [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml
To modify or create a tenant you can either:
use the REST API: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/multi-tenancy/
modify the tenants.yml file, then apply the changes by running the script [DATAFARI_HOME]/elk/elasticsearch/securityadmin_datafari.sh with the ‘datafari’ user
In the Kibana UI, in case you have access rights to several tenants, you will need to switch between them in order to view all the dashboards and visualizations. Please remember this, because only one tenant can be active at a time. This means that although globally you are entitled to visualise dashboards from separate tenants, if you do not manually switch from one tenant to the other, you will only have access to the dashboards and visualizations linked to the currently active tenant.
To switch between tenants click on the “Tenant” tab located in the left menu:
Then click on the “Select” button of the tenant you want to activate/switch to.
2. Users and roles
With OpenDistro, users and roles are managed independently from Datafari.
a. The users
There are 3 users defined by default:
admin: this user has full access to the tenants and can perform any operation on them; this is its purpose
searchadmin: this user has full access to the two tenants, so it can read all the dashboards and visualizations, but it can also modify them and create new ones
searchexpert: this user has full read access to the searchexpert_tenant, so it can visualize any dashboard and visualization from this tenant, but cannot modify them or add new ones. It does not have access to the admin_tenant.
These users are defined in the file [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
They are also created with the “admin” default password. To change their password you can use the admin UI (see further below) or you can do it manually:
Hash the wanted password using the tool provided by OpenDistro:
```bash
[DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/tools/hash.sh -p newpassword
```
Set the hashed password for the desired user in [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
```yaml
admin:
  hash: "newpasswordhashvalue"
```
Apply your modification with the securityadmin_datafari.sh script:
```bash
sudo su datafari -c "[DATAFARI_HOME]/elk/elasticsearch/securityadmin_datafari.sh"
```
Datafari provides an admin UI to easily modify the password of the searchadmin and searchexpert users, but not of the admin user (for the latter, use the manual procedure above). This UI is located under User Management → Manage Datafari Services Users.
You can add new users either by using the Kibana UI or the REST API, or through the file [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml. Here is the official OpenDistro documentation concerning how to do it with Kibana and the REST API: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#kibana
If you add new users through the file, you will need to apply the changes by running the script [DATAFARI_HOME]/elk/elasticsearch/securityadmin_datafari.sh with the ‘datafari’ user.
b. The roles
OpenDistro roles allow users to have read and/or write access to either index patterns, or tenants, or both.
Index patterns are linked to Elasticsearch indexes and tell Kibana what Elasticsearch indexes to query to retrieve data and how to interpret the data/fields. So having read rights to an index pattern means that one can perform queries on the Elasticsearch indexes linked to the index pattern and retrieve the fields defined by the index pattern. Having write rights on an index pattern means that one can modify the index pattern to add or remove fields for example.
There are 4 index patterns defined by default by Datafari.
The roles are defined in the file [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml, along with some “standard” roles defined by default by OpenDistro.
You can add or modify roles either through the Kibana UI, the REST API or directly in the file. Here is the official OpenDistro documentation concerning how to do it with Kibana and the REST API: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#create-roles
As usual, if you made changes in the file you will then need to run the script [DATAFARI_HOME]/elk/elasticsearch/securityadmin_datafari.sh with the ‘datafari’ user in order to apply them.
To attribute roles to users, you need to define role mappings. For the default roles described above, this is done in the file [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml. You can modify or define new role mappings in that file, or you can use the Kibana UI or the REST API. You can find a more detailed explanation about role mapping in the official OpenDistro documentation: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#map-users-to-roles
As usual, if you made changes in the file you will then need to run the script [DATAFARI_HOME]/elk/elasticsearch/securityadmin_datafari.sh with the ‘datafari’ user in order to apply them.
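To make the tenant, role and role-mapping model above concrete, here is a constructed example of the three files (format of the OpenDistro 1.x security plugin) giving a searchexpert-style user read-only access to searchexpert_tenant and an searchadmin-style user read/write access to both tenants. This is an illustration added here, not Datafari's shipped configuration: the role names, the descriptions and the "datafari-*" index pattern are assumptions.

```yaml
# file: tenants.yml  (constructed example; descriptions are assumptions)
_meta:
  type: "tenants"
  config_version: 2
admin_tenant:
  description: "Dashboards reserved to searchadmin"
searchexpert_tenant:
  description: "Dashboards reserved to searchexpert"
---
# file: roles.yml  (role names and the datafari-* pattern are assumptions)
_meta:
  type: "roles"
  config_version: 2
searchexpert_role:
  index_permissions:
    - index_patterns:
        - "datafari-*"
      allowed_actions:
        - "read"               # query the indexes behind the index pattern
  tenant_permissions:
    - tenant_patterns:
        - "searchexpert_tenant"
      allowed_actions:
        - "kibana_all_read"    # view dashboards, cannot save or create them
searchadmin_role:
  index_permissions:
    - index_patterns:
        - "datafari-*"
      allowed_actions:
        - "read"
  tenant_permissions:
    - tenant_patterns:
        - "admin_tenant"
        - "searchexpert_tenant"
      allowed_actions:
        - "kibana_all_write"   # read, modify and create objects in both tenants
---
# file: roles_mapping.yml  (attach the users to the roles)
_meta:
  type: "rolesmapping"
  config_version: 2
searchexpert_role:
  users:
    - "searchexpert"
searchadmin_role:
  users:
    - "searchadmin"
```

After editing any of these files, the changes only take effect once securityadmin_datafari.sh has been run with the ‘datafari’ user, as described above.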