Example of configuring Search Guard

This example implements the generic concepts presented in Configuring security for Siren Federate using Search Guard.

Before you begin, ensure that Search Guard is installed in your cluster, and that you know how to configure users, roles, and permissions.

For more information, see the Search Guard documentation and the introduction in Configuring security for Siren Federate.

Enabling custom headers

Search Guard requires plugins to declare the thread-context headers they use. For the Federate plugin to work properly, the following node-level setting must be present in the Elasticsearch configuration:

searchguard.allow_custom_headers: "_siren_.*"

Configuring action groups

The sg_action_groups.yml file contains named groups of permissions that can be referred to in the definition of roles. The following are the action groups that are suitable for Siren Federate.

sg_action_groups.yml
###### INDEX LEVEL ######

INDICES_ALL:
  allowed_actions:
  - "indices:*"

MANAGE:
  allowed_actions:
  - "indices:monitor/*"
  - "indices:admin/*"

WRITE:
  allowed_actions:
  - "indices:data/write*"
  - "indices:admin/mapping/put"

READ:
  allowed_actions:
  - "indices:data/read*"

VIEW_INDEX_METADATA:
  allowed_actions:
  - "indices:admin/aliases/get"
  - "indices:admin/aliases/exists"
  - "indices:admin/get"
  - "indices:admin/exists"
  - "indices:admin/mappings/fields/get*"
  - "indices:admin/mappings/get*"
  - "indices:admin/mappings/federate/connector/get*"
  - "indices:admin/mappings/federate/connector/fields/get*"
  - "indices:admin/types/exists"
  - "indices:admin/validate/query"
  - "indices:monitor/settings/get"

###### CLUSTER LEVEL ######

CLUSTER_ALL:
  allowed_actions:
  - "cluster:*"

CLUSTER_MONITOR:
  allowed_actions:
  - "cluster:monitor/*"

CLUSTER_COMPOSITE_OPS:
  allowed_actions:
  - CLUSTER_COMPOSITE_OPS_RO
  - "indices:data/write/bulk"

CLUSTER_COMPOSITE_OPS_RO:
  allowed_actions:
  - "indices:data/read/mget"
  - "indices:data/read/msearch"
  - "indices:data/read/mtv"
  - "indices:data/read/open_point_in_time"
  - "indices:data/read/close_point_in_time"

CLUSTER_MANAGE:
  allowed_actions:
  - CLUSTER_INTERNAL_FEDERATE
  - "cluster:admin/federate/*"
  - "indices:admin/aliases*"

CLUSTER_INTERNAL_FEDERATE:
  allowed_actions:
  - "cluster:internal/federate/*"

Configuring role-based access control

The sg_roles.yml file contains a list of user roles. Each role contains a set of permissions at the cluster level and for individual indices.

For example, to define the Admin role and the User role for the companies index, open the sg_roles.yml file and specify the following:

sg_roles.yml
federate_admin:
  cluster_permissions:
    - CLUSTER_MANAGE
    - CLUSTER_MONITOR
  index_permissions:
    - index_patterns:
      - 'companies'
      allowed_actions:
        - MANAGE
        - READ
        - VIEW_INDEX_METADATA

federate_user:
  cluster_permissions:
    - CLUSTER_INTERNAL_FEDERATE
  index_permissions:
    - index_patterns:
      - 'companies'
      allowed_actions:
        - READ
        - VIEW_INDEX_METADATA

The System role

The following is an example of a System role that can manage internal Siren Federate indices.

sg_roles.yml
federate_system:
  index_permissions:
    - index_patterns:
      - '?siren-federate-*'
      allowed_actions:
        - INDICES_ALL

The Admin role

The following is an example of an Admin role called connector_admin that can manage the index db_mysql.

sg_roles.yml
connector_admin:
  cluster_permissions:
    - CLUSTER_MANAGE
    - CLUSTER_MONITOR
  index_permissions:
    - index_patterns:
      - 'db_mysql'
      allowed_actions:
        - READ
        - VIEW_INDEX_METADATA
        - MANAGE

The User role

The following is an example of a User role called connector_user with read-only access to the index called db_mysql.

sg_roles.yml
connector_user:
  cluster_permissions:
    - CLUSTER_INTERNAL_FEDERATE
  index_permissions:
    - index_patterns:
      - 'db_mysql'
      allowed_actions:
        - READ
        - VIEW_INDEX_METADATA

The following is an example of a User role called logs_viewer with read-only access to all indices whose names start with logstash-.

sg_roles.yml
logs_viewer:
  index_permissions:
    - index_patterns:
      - 'logstash-*'
      allowed_actions:
        - READ
        - VIEW_INDEX_METADATA
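Because role permissions are expressed through action groups that can reference other groups (CLUSTER_MANAGE pulls in CLUSTER_INTERNAL_FEDERATE), it is worth checking what a role actually grants once everything is expanded, for instance that connector_user can search db_mysql but not write to it. The following added Python example is not part of Siren's or Search Guard's own code: it embeds a constructed subset of the action groups and roles defined above and approximates Search Guard's wildcard matching with fnmatch, which is an assumption.

```python
import fnmatch

# Constructed subset of the action groups from sg_action_groups.yml above.
# An entry containing ':' is an action pattern; any other entry names another group.
ACTION_GROUPS = {
    "INDICES_ALL": ["indices:*"],
    "MANAGE": ["indices:monitor/*", "indices:admin/*"],
    "READ": ["indices:data/read*"],
    "VIEW_INDEX_METADATA": ["indices:admin/aliases/get", "indices:admin/get",
                            "indices:admin/mappings/get*", "indices:monitor/settings/get"],
    "CLUSTER_MONITOR": ["cluster:monitor/*"],
    "CLUSTER_INTERNAL_FEDERATE": ["cluster:internal/federate/*"],
    "CLUSTER_MANAGE": ["CLUSTER_INTERNAL_FEDERATE", "cluster:admin/federate/*",
                       "indices:admin/aliases*"],
}

# Roles from sg_roles.yml above (federate_system, connector_admin, connector_user) as dicts.
ROLES = {
    "federate_system": {"index_permissions": [
        {"index_patterns": ["?siren-federate-*"], "allowed_actions": ["INDICES_ALL"]}]},
    "connector_admin": {"cluster_permissions": ["CLUSTER_MANAGE", "CLUSTER_MONITOR"],
        "index_permissions": [{"index_patterns": ["db_mysql"],
            "allowed_actions": ["READ", "VIEW_INDEX_METADATA", "MANAGE"]}]},
    "connector_user": {"cluster_permissions": ["CLUSTER_INTERNAL_FEDERATE"],
        "index_permissions": [{"index_patterns": ["db_mysql"],
            "allowed_actions": ["READ", "VIEW_INDEX_METADATA"]}]},
}

def expand(group, _stack=()):
    """Flatten an action group (and every group it references) into action patterns."""
    if group in _stack:
        raise ValueError(f"action group cycle: {' -> '.join(_stack + (group,))}")
    if group not in ACTION_GROUPS:
        raise KeyError(f"undefined action group {group!r}")  # typo in sg_roles.yml
    patterns = []
    for entry in ACTION_GROUPS[group]:
        patterns += [entry] if ":" in entry else expand(entry, _stack + (group,))
    return patterns

def _matches(value, patterns):
    # Assumption: Search Guard wildcards behave like fnmatch's '*' and '?'.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(role_name, action, index=None):
    """Does the role grant `action`? Cluster-level when index is None, else on `index`."""
    role = ROLES[role_name]
    if index is None:
        return _matches(action, [p for g in role.get("cluster_permissions", []) for p in expand(g)])
    for perm in role.get("index_permissions", []):
        if _matches(index, perm["index_patterns"]):
            if _matches(action, [p for g in perm["allowed_actions"] for p in expand(g)]):
                return True
    return False
```

The `?` in the system role's pattern is what lets it match hidden indices such as `.siren-federate-1` while leaving an index named `siren-federate-1` unmatched.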