Migrating the security settings from version 10.1.x to version 10.2.x
Search Guard and X-Pack roles have been renamed to reflect new action names. As a sirenadmin, you must update these roles.
Note: Siren Platform version 10.2.3 supports Elasticsearch 6.8.0 and also Elasticsearch 6.5.4. The following procedure assumes that Elasticsearch 6.8.0 is being used.
To upgrade from Siren Platform version 10.1.x with Elasticsearch 6.3.2 to Siren Platform version 10.2.3 with Elasticsearch 6.8.0, complete the following steps:
Back up the Search Guard configuration from Elasticsearch 6.3.2 by running the following command from the Elasticsearch 6.3.2 home directory:

```bash
./plugins/search-guard-6/tools/sgadmin.sh \
  --retrieve \
  -cn siren-distribution \
  -ts config/truststore.jks \
  -tspass password \
  -ks ../siren-investigate/pki/searchguard/CN\=sgadmin-keystore.jks \
  -kspass password \
  -h localhost \
  -p 9330 \
  -nhnv
```
Modify the sg_action_groups.yml and sg_roles.yml files so that all of the action groups, and all of the actions inside them, listed below are present. Existing action groups and actions can be kept alongside them.

```yaml
UNLIMITED:
  - "*"
INDICES_ALL:
  - "indices:*"
ALL:
  - "INDICES_ALL"
MANAGE:
  - "indices:monitor/*"
  - "indices:admin/*"
MONITOR:
  - MANAGE
CREATE_INDEX:
  - "indices:admin/create"
  - "indices:admin/mapping/put"
MANAGE_ALIASES:
  - "indices:admin/aliases*"
INDICES_MONITOR:
  - "indices:monitor/*"
DATA_ACCESS:
  - "indices:data/*"
  - "CRUD"
WRITE:
  - "indices:data/write*"
  - "indices:admin/mapping/put"
READ:
  - "indices:data/read*"
VIEW_INDEX_METADATA:
  - "indices:admin/aliases/get"
  - "indices:admin/aliases/exists"
  - "indices:admin/get"
  - "indices:admin/exists"
  - "indices:admin/mappings/fields/get*"
  - "indices:admin/mappings/get*"
  - "indices:admin/mappings/federate/connector/get*"
  - "indices:admin/mappings/federate/connector/fields/get*"
  - "indices:admin/types/exists"
  - "indices:admin/validate/query"
  - "indices:monitor/settings/get"
DELETE:
  - "indices:data/write/delete*"
CRUD:
  - "READ"
  - "WRITE"
SEARCH:
  - "indices:data/read/search*"
  - "indices:data/read/msearch*"
  - "indices:siren/plan*"
  - "indices:siren/mplan*"
  - "SUGGEST"
SUGGEST:
  - "indices:data/read/suggest*"
INDEX:
  - "indices:data/write/index*"
  - "indices:data/write/update*"
  - "indices:admin/mapping/put"
  - "indices:data/write/bulk*"
GET:
  - "indices:data/read/get*"
  - "indices:data/read/mget*"
CLUSTER_ALL:
  - "cluster:*"
CLUSTER_MONITOR:
  - "cluster:monitor/*"
CLUSTER_COMPOSITE_OPS_RO:
  - "indices:data/read/mget"
  - "indices:data/read/msearch"
  - "indices:data/read/mtv"
  - "indices:data/read/scroll*"
  - "indices:admin/template/get"
CLUSTER_COMPOSITE_OPS:
  - "CLUSTER_COMPOSITE_OPS_RO"
  - "indices:data/write/bulk"
  - "indices:admin/template/put"
CLUSTER_MANAGE:
  - CLUSTER_INTERNAL_FEDERATE
  - "cluster:admin/federate/*"
  - "indices:admin/aliases*"
  - "cluster:admin/ingest/*"
CLUSTER_INTERNAL_FEDERATE:
  - "cluster:internal/federate/*"
```
Modify the sg_roles.yml file to replace the roles federateserver, sirenserver, sirenadmin, sirenuser, logstash, and sg_all_access as shown below. 'INDEX_NAME' must be replaced with the correct index pattern name:

```yaml
federateserver:
  cluster:
    - "indices:admin/aliases"
  indices:
    '?siren-federate*':
      '*':
        - INDICES_ALL
sirenserver:
  cluster:
    - "CLUSTER_COMPOSITE_OPS"
    - "CLUSTER_MANAGE"
    - "CLUSTER_MONITOR"
  indices:
    '?siren*':
      '*':
        - "INDICES_ALL"
    '?kibi*':
      '*':
        - "INDICES_ALL"
    'watcher*':
      '*':
        - READ
        - VIEW_INDEX_METADATA
        - MANAGE
        - WRITE
    INDEX_NAME:
      '*':
        - READ
        - VIEW_INDEX_METADATA
        - "indices:monitor/stats"
    '*':
      '*':
        - 'indices:admin/aliases/get'
sirenuser:
  cluster:
    - "CLUSTER_COMPOSITE_OPS_RO"
    - "CLUSTER_INTERNAL_FEDERATE"
  indices:
    'INDEX_NAME':
      '*':
        - READ
        - VIEW_INDEX_METADATA
sirenadmin:
  cluster:
    - CLUSTER_COMPOSITE_OPS
    - CLUSTER_MANAGE
    - CLUSTER_MONITOR
  indices:
    '?siren*':
      '*':
        - READ
        - MANAGE
        - WRITE
        - VIEW_INDEX_METADATA
    watcher_alarms*:
      '*':
        - READ
        - MANAGE
        - WRITE
        - VIEW_INDEX_METADATA
    watcher:
      '*':
        - READ
        - MANAGE
        - WRITE
        - VIEW_INDEX_METADATA
    'INDEX_NAME':   # Replace INDEX_NAME with the actual index pattern name
      '*':
        - READ
        - VIEW_INDEX_METADATA
    'VIRTUAL_INDEX_NAME':   # Replace VIRTUAL_INDEX_NAME with the actual virtual index pattern name for the JDBC connector
      '*':
        - READ
        - VIEW_INDEX_METADATA
        - MANAGE
        - WRITE
sg_all_access:
  cluster:
    - "*"
  indices:
    '*':
      '*':
        - "*"
logstash:
  cluster:
    - "indices:data/write/bulk*"
    - "indices:admin/template/*"
    - "CLUSTER_MONITOR"
    - "SIREN_CLUSTER"
  indices:
    '*beat*':
      '*':
        - "CRUD"
        - "CREATE_INDEX"
    logstash-*:
      '*':
        - "CRUD"
        - "CREATE_INDEX"
```
Add the following actions to the sirenalert role. The old actions can be kept:

```yaml
sirenalert:
  cluster:
    - CLUSTER_INTERNAL_FEDERATE
    - CLUSTER_COMPOSITE_OPS
    - CLUSTER_MONITOR
  indices:
    watcher_alarms*:
      '*':
        - INDICES_ALL
    watcher:
      '*':
        - INDICES_ALL
    '?siren':
      '*':
        - INDICES_ALL
    'INDEX_NAME':
      '*':
        - READ
        - VIEW_INDEX_METADATA
        - 'indices:monitor/stats'
```
Add a new role for reflection as shown below. It is not used until a user is mapped to it:

```yaml
# Role for any user that should be able to use reflection
reflection_user:
  cluster:
    - 'cluster:admin/federate/connector/ingestion/search'  # To fetch the list of ingestion configs
    - 'cluster:admin/federate/connector/ingestion/run'     # To manually trigger an ingestion
    - 'cluster:admin/federate/connector/jobs/abort'        # To abort a job
    - 'cluster:admin/federate/connector/ingestion/get'     # To fetch an ingestion config
    - 'cluster:admin/federate/connector/ingestion/put'     # To create an ingestion config
    - 'cluster:admin/federate/connector/ingestion/delete'  # To delete an ingestion config
    - 'cluster:admin/federate/connector/datasource/sample' # To sample a SQL query
    - 'cluster:admin/ingest/pipeline/simulate'             # To test a transform pipeline
    - 'cluster:admin/ingest/pipeline/put'                  # To put a transform pipeline (Excel)
    - 'cluster:admin/ingest/pipeline/delete'               # To delete a transform pipeline (Excel); temporary pipelines are cleared after import
  indices:
    'csv-*':  # This can be limited to specific indices; Excel Import respects such permissions
      '*':
        - 'indices:admin/get'           # To check whether an index already exists; a 403 means the user cannot use Excel import on that index
        - 'indices:admin/create'        # Create an index (omit it if users should only append data to an existing index)
        - 'indices:admin/delete'        # Delete an index (omit it if users should not be able to delete indices)
        - 'indices:admin/mapping/put'   # Define a mapping (omit it if users should only append to an existing index without modifying mappings)
        - 'indices:data/write/index'    # To write docs
        - 'indices:data/write/bulk[s]'  # To write docs
        - READ                          # To see field capabilities on the data model page
        - VIEW_INDEX_METADATA           # Needed to create index patterns
    '?siren-excel-configs':
      '*':
        - 'indices:data/read/search'    # List saved configs
        - 'indices:data/write/index'    # Create a saved config
        - 'indices:data/write/bulk[s]'  # Create a saved config
        - 'indices:data/read/get'       # Use a saved config
        - 'indices:data/write/delete'   # Delete a saved config
```
For the other roles defined, replace SIREN_READONLY with:

```yaml
- READ
- VIEW_INDEX_METADATA
```

and replace SIREN_READWRITE with:

```yaml
- READ
- WRITE
- VIEW_INDEX_METADATA
- MANAGE
```
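As an added check for the action group step and the SIREN_READONLY/SIREN_READWRITE replacement step above, the following Python script is example code written for this page, not part of Siren or Search Guard: it scans the text of an sg_action_groups.yml and an sg_roles.yml and reports action groups that a role references but that are not defined, leftover SIREN_READONLY/SIREN_READWRITE references, and INDEX_NAME/VIRTUAL_INDEX_NAME placeholders that were never replaced. Both YAML fragments are constructed samples, and the line-based scan assumes the indentation style used in this guide rather than a full YAML parser.

```python
import re
# Constructed sample fragments, not the full files from the migration guide.
ACTION_GROUPS_YML = """\
INDICES_ALL:
  - "indices:*"
READ:
  - "indices:data/read*"
VIEW_INDEX_METADATA:
  - "indices:admin/get"
CLUSTER_MONITOR:
  - "cluster:monitor/*"
"""
ROLES_YML = """\
analyst:
  indices:
    'INDEX_NAME':
      '*':
        - SIREN_READONLY   # 10.1.x group name, no longer defined
logstash:
  cluster:
    - "CLUSTER_MONITOR"
    - "SIREN_CLUSTER"
"""

TOP_KEY = re.compile(r"^([A-Z][A-Z0-9_]*):")  # top-level action group definition
GROUP_REF = re.compile(r"^\s*-\s*['\"]?([A-Z][A-Z0-9_]*)['\"]?\s*$")  # list item naming a group
PLACEHOLDER = re.compile(r"\b(VIRTUAL_INDEX_NAME|INDEX_NAME)\b")
RENAMED = {"SIREN_READONLY": "READ + VIEW_INDEX_METADATA",
           "SIREN_READWRITE": "READ + WRITE + VIEW_INDEX_METADATA + MANAGE"}

def defined_groups(action_groups_yml):
    """Names defined at the top level of sg_action_groups.yml."""
    return {m.group(1) for line in action_groups_yml.splitlines() if (m := TOP_KEY.match(line))}

def lint_roles(roles_yml, groups):
    """Return (line_no, message) findings for the text of sg_roles.yml."""
    findings = []
    for no, line in enumerate(roles_yml.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop trailing YAML comments
        if ph := PLACEHOLDER.search(code):
            findings.append((no, f"placeholder {ph.group(1)} not replaced"))
        if ref := GROUP_REF.match(code):
            name = ref.group(1)
            if name in RENAMED:
                findings.append((no, f"{name} must be replaced with {RENAMED[name]}"))
            elif name not in groups:
                findings.append((no, f"{name} is not defined in sg_action_groups.yml"))
    return findings
```

Run it against the real files before uploading them with sgadmin; an undefined group or an unreplaced placeholder in a role means that role grants nothing useful, or not what was intended, once it is loaded.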
Edit sg_roles_mapping.yml and add the username of the Siren administrator to the reflection role. Any user who needs to use ingestion can be added to this role:

```yaml
reflection_user:
  users:
    - "sirenadmin"
```
Edit the sg_roles_mapping.yml file and add the username "sirenserver" to the sirenalert role. Any user who needs to use ingestion can be added to this role:

```yaml
sirenalert:
  users:
    - "sirenalert"
    - "sirenserver"
```
Rename the retrieved files (sgadmin --retrieve writes them with a timestamp suffix) to sg_internal_users.yml, sg_config.yml, sg_action_groups.yml, sg_roles.yml, and sg_roles_mapping.yml, and copy them into the /ES6.8.0/config/sgconfig folder.

Stop Elasticsearch version 6.3.2.

Start Elasticsearch version 6.8.0.
Restore the Search Guard configuration on Elasticsearch version 6.8.0 by running the sgadmin command from the Elasticsearch 6.8.0 home directory:

```bash
bash plugins/search-guard-6/tools/sgadmin.sh \
  -cd config/sgconfig \
  -cn siren-distribution \
  -ts config/truststore.jks \
  -tspass password \
  -ks ../siren-investigate/pki/searchguard/CN\=sgadmin-keystore.jks \
  -kspass password \
  -h localhost \
  -p 9330 \
  -nhnv
```
Modify the investigate.yml file by adding the following parameters under the investigate_access_control section:

```yaml
investigate_access_control:
  acl:
    enabled: true
    index: .sirenaccess
    admin_role: sirenadmin
```
Modify the investigate.yml file by adding the following parameters under the sentinl section, setting user_role to sirenalert:

```yaml
sentinl:
  app_name: 'Siren Alert'
  user_role: sirenalert
```
Finally, in the sentinl section of the investigate.yml file, add the following settings:

```yaml
sentinl:
  es:
    ignore_unavailable: true
    allow_no_indices: true
```
If further ingestion setup is required, please refer to the following document: Security setup.