Role-Based Access Control (RBAC) is essential for managing permissions and securing data in Elasticsearch and Kibana. It allows administrators to define roles with specific permissions and assign these roles to users, ensuring that only authorized individuals can access or modify certain data.

This article provides a comprehensive guide on setting up RBAC in Elasticsearch using Kibana, complete with examples and outputs. The guide is designed to be easy-to-understand and beginner-friendly.

Introduction to RBAC

RBAC helps organizations manage user permissions efficiently. By creating roles and assigning them to users, administrators can control access to indices, documents, and even specific fields within documents. This method enhances security, ensures data integrity, and complies with various regulatory requirements.

Prerequisites

Before setting up RBAC, ensure you have the following:

• Elasticsearch is installed and running.
• Kibana is installed and running.
• Basic knowledge of Elasticsearch and its REST API.

Enabling Security Features

By default, security features in Elasticsearch are disabled. To enable them, you need to modify the Elasticsearch configuration and restart the service.

Step 1: Update the Configuration

Open the elasticsearch.yml configuration file and add the following settings:

xpack.security.enabled: true

Step 2: Restart Elasticsearch

Restart Elasticsearch to apply the changes:

bin/elasticsearch

Setting Up Role-Based Access Control (RBAC)

Step 1: Define Roles

Roles define specific permissions for users. You can create and manage roles using Kibana or the Elasticsearch REST API.

Using Kibana

• Open Kibana and navigate to Management > Security > Roles.
• Click Create role.
• Define the role name and permissions, including index-level and field-level security.

For example, to create a role data_analyst with read access to specific fields in an index:

• Role name: data_analyst
• Index permissions: sales_data
  • Privileges: read
  • Granted fields: customer_name, purchase_date, amount

Using the REST API

Alternatively, you can create a role using the REST API:

curl -u elastic:password -X POST "localhost:9200/_security/role/data_analyst" -H 'Content-Type: application/json' -d'
{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": ["sales_data"],
      "privileges": ["read"],
      "field_security": {
        "grant": ["customer_name", "purchase_date", "amount"]
      }
    }
  ]
}'

In this example, the role data_analyst has read access to the sales_data index, but only to the fields customer_name, purchase_date, and amount.

Step 2: Create Users and Assign Roles

Users can be created using Kibana or the Elasticsearch REST API, and roles can be assigned to these users.

Using Kibana

• Open Kibana and go to Management > Security > Users.
• Click Create user.
• Fill in the username, and password, and assign roles (e.g., data_analyst).

Using the REST API

Create a user and assign the role using the REST API:

curl -u elastic:password -X POST "localhost:9200/_security/user/jane_doe" -H 'Content-Type: application/json' -d'
{
  "password" : "password123",
  "roles" : [ "data_analyst" ],
  "full_name" : "Jane Doe",
  "email" : "[email protected]"
}'

Step 3: Field-Level Security

Field-level security controls access to individual fields within a document. You can specify which fields a role can read or write.

Example: Restricting Access to Sensitive Fields

Update the data_analyst role to restrict access to sensitive fields:

curl -u elastic:password -X PUT "localhost:9200/_security/role/data_analyst" -H 'Content-Type: application/json' -d'
{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": ["sales_data"],
      "privileges": ["read"],
      "field_security": {
        "grant": ["customer_name", "purchase_date", "amount"],
        "except": ["credit_card_number"]
      }
    }
  ]
}'

In this example, the data_analyst role has access to all fields in the sales_data index except credit_card_number.

Testing Field-Level Security

To test our setup, let’s index some documents and query them as the data_analyst user.

Step 1: Index Documents

Index a document with sensitive fields:

curl -u elastic:password -X POST "localhost:9200/sales_data/_doc/1" -H 'Content-Type: application/json' -d'
{
  "customer_name": "John Doe",
  "purchase_date": "2023-05-01",
  "amount": 100,
  "credit_card_number": "4111111111111111"
}'

Step 2: Query Documents as data_analyst

Query the document as the data_analyst user:

curl -u jane_doe:password123 -X GET "localhost:9200/sales_data/_search" -H 'Content-Type: application/json' -d'
{
  "query": {
    "match_all": {}
  }
}'

Output

The response should exclude the credit_card_number field:

{
  "took": 15,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1,
      "relation": "eq"
    },
    "max_score": 1.0,
    "hits": [
      {
        "_index": "sales_data",
        "_id": "1",
        "_score": 1.0,
        "_source": {
          "customer_name": "John Doe",
          "purchase_date": "2023-05-01",
          "amount": 100
        }
      }
    ]
  }
}

Notice that the credit_card_number field is not present in the output, demonstrating field-level security in action.

Managing Field-Level Security in Kibana

Kibana provides a user-friendly interface for managing security settings, including field-level security.

Step 1: Define Roles in Kibana

• Open Kibana and go to Management > Security > Roles.
• Click Create role.
• Define the role name, index patterns, and field-level security.

For example, create a role data_viewer with access to specific fields:

• Role name: data_viewer
• Indices: sales_data
• Privileges: read
• Field-level security: Grant access to customer_name, purchase_date, and amount.

Step 2: Assign Roles to Users in Kibana

• Open Kibana and go to Management > Security > Users.
• Edit the user and assign the data_viewer role.

Step 3: Query Data in Kibana

Log in to Kibana as the data_viewer user and navigate to Discover. You should see data from the sales_data index without the sensitive fields.

Additional Security Features

Password Policies

Enforcing password policies ensures that users use strong passwords. This can be configured in the elasticsearch.yml file:

xpack.security.authc.password_hashing.algorithm: bcrypt
xpack.security.authc.password_min_length: 8
xpack.security.authc.password_complexity: high

IP Filtering

Restrict access to your Elasticsearch cluster based on IP addresses. This can be configured using the xpack.security.http.filter settings in the elasticsearch.yml file:

xpack.security.http.filter.allow: ["192.168.1.0/24"]
xpack.security.http.filter.deny: ["0.0.0.0/0"]

Auditing

Enabling auditing allows you to track security-related events. Configure auditing in the elasticsearch.yml file:

xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.emit_request_body: true

Audit logs can help in monitoring and troubleshooting security-related incidents.

Conclusion

Setting up Role-Based Access Control (RBAC) in Elasticsearch with Kibana is a crucial step in securing your data and ensuring that only authorized users can access or modify specific information. By following the steps outlined in this article, you can create roles, assign users, and configure field-level security to protect sensitive data.

This guide provided a comprehensive overview of enabling security features, defining roles, creating and assigning users, and testing the configuration. Additionally, it demonstrated managing RBAC using both the Elasticsearch REST API and the Kibana UI.

Implementing RBAC with field-level security enhances data protection, ensures compliance with security policies, and helps maintain data integrity, making your Elasticsearch and Kibana deployment more robust and secure.