Since Datafari 5.0 the ELK stack has been replaced by the Opendistro one. This has brought some changes, especially concerning security: Opendistro provides a security plugin equivalent to the Elastic security suite.
As a consequence, access to the Kibana UI is no longer handled by an Apache proxy placed in front of it, but is instead managed by the Opendistro security plugin.
1. Tenant system
The security principle is based on what is called a “tenant”. In short, a tenant is a “space” in which Kibana dashboards, visualizations and objects are created. Rights can then be granted to users to read, write or perform admin operations on those tenants: users have access to the dashboards, visualizations etc. linked to the tenants on which they have read access, and can modify them or create new ones if they have the corresponding rights.
In Datafari we have created two tenants:
admin_tenant: tenant where all the dashboards and visualizations reserved to the searchadmin user are stored
searchexpert_tenant: tenant where all the dashboards and visualizations reserved to the searchexpert user are stored
The tenants are declared and stored in the file [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml
To modify or create a tenant you can either:
use the REST API: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/multi-tenancy/
modify the tenants.yml file, then apply the changes by running the script [DATAFARI_HOME]/elk/elasticsearch/securityadmin_datafari.sh as the ‘datafari’ user
2. Users and roles
With OpenDistro users and roles are managed independently from Datafari.
a. The users
There are 3 users defined by default:
admin: this user has full access to the tenants and can perform any operation on them; this is its purpose
searchadmin: this user has full access to the two tenants, so it can read all the dashboards and visualizations, but can also modify them and create new ones
searchexpert: this user has full read access to the searchexpert_tenant, so it can view any dashboard and visualization but cannot modify them or add new ones
These users are defined in the file [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
They are also created with the default password “admin”. To change their password you need to:
Hash the wanted password using the tool provided by OpenDistro:
bash [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/tools/hash.sh -p newpassword
Set the hashed password for the desired user in [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml:
admin:
  hash: "newpasswordhashvalue"
Apply your modification with the securityadmin_datafari.sh script:
sudo su datafari -c "[DATAFARI_HOME]/elk/elasticsearch/securityadmin_datafari.sh"
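The three steps above (hash with hash.sh, edit internal_users.yml, apply with securityadmin_datafari.sh), with the file edit worked through as an added example that is not Datafari's own code: a small Python helper that writes the bcrypt hash produced by hash.sh into the right user's block of internal_users.yml and refuses anything that is not a bcrypt hash. The YAML content is a constructed sample, and the format check assumes the $2y$ bcrypt strings that hash.sh outputs.

```python
import re

# Constructed stand-in for internal_users.yml (only the fields this example needs; the real
# file under [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/
# ships more users and settings).
SAMPLE_INTERNAL_USERS = """\
_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: "$2y$12$OLDHASH_PLACEHOLDER_ADMIN"
  reserved: true
  backend_roles:
  - "admin"
searchadmin:
  hash: "$2y$12$OLDHASH_PLACEHOLDER_SEARCHADMIN"
"""

# hash.sh emits bcrypt strings: $2y$ (or $2a$/$2b$), a two-digit cost, then 53 salt+digest chars.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z0-9_.-]+):\s*$")  # start of a user (or _meta) block

def is_bcrypt_hash(value):
    return bool(BCRYPT_RE.match(value))

def get_user_hash(yaml_text, user):
    """Return the hash currently stored for `user`, or None if the user has none."""
    current = None
    for line in yaml_text.splitlines():
        if m := TOP_LEVEL_KEY.match(line):
            current = m.group(1)
        elif current == user and line.lstrip().startswith("hash:"):
            return line.split(":", 1)[1].strip().strip('"')
    return None

def set_user_hash(yaml_text, user, new_hash):
    """Return yaml_text with the hash of `user` replaced by new_hash (a bcrypt string)."""
    if not is_bcrypt_hash(new_hash):  # never let a plaintext password land in this file
        raise ValueError("not a bcrypt hash: run hash.sh -p <password> first")
    if get_user_hash(yaml_text, user) is None:  # a typo must not silently keep the old password
        raise KeyError(f"user {user!r} has no hash entry in internal_users.yml")
    out, current = [], None
    for line in yaml_text.splitlines():
        if m := TOP_LEVEL_KEY.match(line):
            current = m.group(1)
        elif current == user and line.lstrip().startswith("hash:"):
            line = line[: len(line) - len(line.lstrip())] + f'hash: "{new_hash}"'
        out.append(line)
    return "\n".join(out) + "\n"
```

Write the returned text back to internal_users.yml, then run securityadmin_datafari.sh as the datafari user as shown above; the change is not live until that script has pushed it to Elasticsearch.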
Datafari provides an admin UI to change the password of the searchadmin and searchexpert users, but not of the admin user. This UI is located under User Management → Manage Datafari Services Users.
You can add new users either through the Kibana UI, through the REST API or through the file. Here is the official OpenDistro documentation on how to do so with Kibana and the REST API: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#kibana
b. The roles
OpenDistro roles allow users to have read and/or write access to either index patterns, or tenants, or both.
Index patterns are linked to Elasticsearch indexes and tell Kibana which Elasticsearch indexes to query to retrieve data and how to interpret the data/fields. Having read rights on an index pattern therefore means that one can query the Elasticsearch indexes linked to that index pattern and retrieve the fields it defines. Having write rights on an index pattern means that one can modify the index pattern, for example to add or remove fields.
There are 4 index patterns defined by default by Datafari:
statistics: linked to the “statistics” Elasticsearch index, containing all the search statistics of Datafari
monitoring: linked to the “monitoring” Elasticsearch index, containing all the monitoring logs of Datafari
crawl: linked to the “crawl” Elasticsearch index, containing all the crawl logs of Datafari
logs-*: linked to all the logs Elasticsearch indexes (there is one logs-xxxx-xx-xx index for each day on which there are crawl data, e.g. logs-2020-02-19), containing all the monitoring logs of Datafari
Concerning roles, two specific roles are provided with Datafari:
search_expert:
search_admin: