summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorosgn422w <gervais-martial.ngueko@intl.att.com>2020-02-03 17:08:11 +0100
committerosgn422w <gervais-martial.ngueko@intl.att.com>2020-02-03 17:08:11 +0100
commitb15dad0600c4888da658448b89e41d7f18262716 (patch)
treecd2492abe5b81f8977339aa02f2e7186d91aff9c
parent4abf1c966abcecfd42bcaaceeae6d2c197c69df3 (diff)
correct security settings
correct and adjust the security settings Issue-ID: CLAMP-483 Change-Id: Id94672580ade132a7ff16241f44d8a4403b49383 Signed-off-by: osgn422w <gervais-martial.ngueko@intl.att.com>
-rw-r--r--.gitreview14
-rw-r--r--extra/docker/elk/docker-compose.yml3
-rw-r--r--src/main/docker/elasticsearch/Dockerfile20
-rw-r--r--src/main/docker/elasticsearch/bin/init_sg.sh7
-rw-r--r--src/main/docker/elasticsearch/securityconfig/internal_users.yml67
-rw-r--r--src/main/docker/elasticsearch/securityconfig/roles.yml50
-rw-r--r--src/main/docker/kibana/conf/kibana.yml2
-rwxr-xr-xsrc/main/docker/kibana/startup.sh4
-rw-r--r--src/main/docker/logstash/Dockerfile5
-rw-r--r--src/main/docker/logstash/clamp-cert/ca-certs.pem32
-rw-r--r--src/main/docker/logstash/pipeline/logstash.conf9
11 files changed, 191 insertions, 22 deletions
diff --git a/.gitreview b/.gitreview
index 8c010a3..65ee4af 100644
--- a/.gitreview
+++ b/.gitreview
@@ -1,8 +1,6 @@
-
- [gerrit]
- host=gerrit.onap.org
- port=29418
- project=clamp/dashboard
- defaultbranch=master
- asd=asdf
- \ No newline at end of file
+[gerrit]
+host=gerrit.onap.org
+port=29418
+project=clamp/dashboard.git
+defaultbranch=master
+asd=asdf
diff --git a/extra/docker/elk/docker-compose.yml b/extra/docker/elk/docker-compose.yml
index fe7fa06..3800569 100644
--- a/extra/docker/elk/docker-compose.yml
+++ b/extra/docker/elk/docker-compose.yml
@@ -10,6 +10,8 @@ services:
- ../../../src/main/docker/elasticsearch/config/clamp.pem:/usr/share/elasticsearch/config/kirk.pem
- ../../../src/main/docker/elasticsearch/config/clamp-key.pem:/usr/share/elasticsearch/config/kirk-key.pem
- ../../../src/main/docker/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
+ - ../../../src/main/docker/elasticsearch/securityconfig/roles.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml
+ - ../../../src/main/docker/elasticsearch/securityconfig/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
ports:
- 9200:9200
networks:
@@ -29,6 +31,7 @@ services:
volumes:
- ../../../src/main/docker/logstash/pipeline:/usr/share/logstash/pipeline
- ./logstash-input:/log-input
+ - ../../../src/main/docker/logstash/clamp-cert:/clamp-cert
depends_on:
- elasticsearch
networks:
diff --git a/src/main/docker/elasticsearch/Dockerfile b/src/main/docker/elasticsearch/Dockerfile
index bc2dd74..5e25e56 100644
--- a/src/main/docker/elasticsearch/Dockerfile
+++ b/src/main/docker/elasticsearch/Dockerfile
@@ -1,4 +1,3 @@
-<!--
###
# ============LICENSE_START=======================================================
# ONAP CLAMP
@@ -19,8 +18,23 @@
# limitations under the License.
# ============LICENSE_END============================================
# ===================================================================
-#
+#
###
--->
FROM amazon/opendistro-for-elasticsearch:1.3.0
+
+# Default clamp certificates for ES communication
+COPY config/ca-certs.pem /usr/share/elasticsearch/config/root-ca.pem
+COPY config/clamp.pem /usr/share/elasticsearch/config/esnode.pem
+COPY config/clamp-key.pem /usr/share/elasticsearch/config/esnode-key.pem
+COPY config/clamp.pem /usr/share/elasticsearch/config/kirk.pem
+COPY config/clamp-key.pem /usr/share/elasticsearch/config/kirk-key.pem
+
+# replace default elasticsearch.yml conf file
+COPY config/elasticsearch.yml /usr/share/elasticsearch/config/elasticsearch.yml
+
+# replace default security roles and initial users
+COPY securityconfig/roles.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml
+COPY securityconfig/internal_users.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
+
+
diff --git a/src/main/docker/elasticsearch/bin/init_sg.sh b/src/main/docker/elasticsearch/bin/init_sg.sh
deleted file mode 100644
index 1c4e607..0000000
--- a/src/main/docker/elasticsearch/bin/init_sg.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-plugins/search-guard-6/tools/sgadmin.sh \
- -cd config/sg/ \
- -ts config/sg/truststore.jks \
- -ks config/sg/kirk-keystore.jks \
- -nhnv \
- -icl \ No newline at end of file
diff --git a/src/main/docker/elasticsearch/securityconfig/internal_users.yml b/src/main/docker/elasticsearch/securityconfig/internal_users.yml
new file mode 100644
index 0000000..8808dd9
--- /dev/null
+++ b/src/main/docker/elasticsearch/securityconfig/internal_users.yml
@@ -0,0 +1,67 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+ type: "internalusers"
+ config_version: 2
+
+# Define your internal users here
+# clampadmin has same deafult pwd as kibanaro
+clampadmin:
+ hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+ reserved: false
+ opendistro_security_roles:
+ - "clamp_admin_role"
+ backend_roles:
+ - "kibanauser"
+ - "readall"
+
+## Demo users
+
+admin:
+ hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
+ reserved: true
+ backend_roles:
+ - "admin"
+ description: "Demo admin user"
+
+kibanaserver:
+ hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+ reserved: true
+ description: "Demo kibanaserver user"
+
+kibanaro:
+ hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+ reserved: false
+ backend_roles:
+ - "kibanauser"
+ - "readall"
+ attributes:
+ attribute1: "value1"
+ attribute2: "value2"
+ attribute3: "value3"
+ description: "Demo kibanaro user"
+
+logstash:
+ hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+ reserved: false
+ opendistro_security_roles:
+ - "clamp_admin_role"
+ backend_roles:
+ - "logstash"
+ description: "Demo logstash user"
+
+readall:
+ hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+ reserved: false
+ backend_roles:
+ - "readall"
+ description: "Demo readall user"
+
+snapshotrestore:
+ hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+ reserved: false
+ backend_roles:
+ - "snapshotrestore"
+ description: "Demo snapshotrestore user" \ No newline at end of file
diff --git a/src/main/docker/elasticsearch/securityconfig/roles.yml b/src/main/docker/elasticsearch/securityconfig/roles.yml
new file mode 100644
index 0000000..327464b
--- /dev/null
+++ b/src/main/docker/elasticsearch/securityconfig/roles.yml
@@ -0,0 +1,50 @@
+_meta:
+ type: "roles"
+ config_version: 2
+
+# Restrict users so they can only view visualization and dashboard on kibana
+kibana_read_only:
+ reserved: true
+
+# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
+security_rest_api_access:
+ reserved: true
+
+# Allows users to view alerts
+alerting_view_alerts:
+ reserved: true
+ index_permissions:
+ - index_patterns:
+ - ".opendistro-alerting-alert*"
+ allowed_actions:
+ - read
+
+# Allows users to view and acknowledge alerts
+alerting_crud_alerts:
+ reserved: true
+ index_permissions:
+ - index_patterns:
+ - ".opendistro-alerting-alert*"
+ allowed_actions:
+ - crud
+
+# Allows users to use all alerting functionality
+alerting_full_access:
+ reserved: true
+ index_permissions:
+ - index_patterns:
+ - ".opendistro-alerting-config"
+ - ".opendistro-alerting-alert*"
+ allowed_actions:
+ - crud
+
+clamp_admin_role:
+ reserved: false
+ index_permissions:
+ - index_patterns:
+ - "events*"
+ - "errors*"
+ - "dmaap*"
+ allowed_actions:
+ - crud
+ - create_index \ No newline at end of file
diff --git a/src/main/docker/kibana/conf/kibana.yml b/src/main/docker/kibana/conf/kibana.yml
index 6726a74..eff84fa 100644
--- a/src/main/docker/kibana/conf/kibana.yml
+++ b/src/main/docker/kibana/conf/kibana.yml
@@ -3,7 +3,7 @@
server.name: kibana
server.host: "0"
-elasticsearch.hosts: http://elasticsearch:9200
+elasticsearch.hosts: https://elasticsearch:9200
server.ssl.enabled: true
server.ssl.key: /usr/share/kibana/config/keystore/org.onap.clamp.key.pem
server.ssl.certificate: /usr/share/kibana/config/keystore/org.onap.clamp.crt.pem
diff --git a/src/main/docker/kibana/startup.sh b/src/main/docker/kibana/startup.sh
index a232706..da289ae 100755
--- a/src/main/docker/kibana/startup.sh
+++ b/src/main/docker/kibana/startup.sh
@@ -23,7 +23,7 @@
###
KIBANA_CONF_FILE="/usr/share/kibana/config/kibana.yml"
SAVED_OBJECTS_ROOT="/saved-objects/"
-RESTORE_CMD="/usr/local/bin/restore.py -H http://127.0.0.1:5601/ -f"
+RESTORE_CMD="/usr/local/bin/restore.py -H https://127.0.0.1:5601/ -f"
BACKUP_BIN="/usr/local/bin/backup.py"
KIBANA_START_CMD="/usr/local/bin/kibana-docker"
LOG_FILE="/tmp/load.kibana.log"
@@ -40,7 +40,7 @@ then
echo "---- Waiting for elasticsearch to be up..."
RES=-1
PING_TIMEOUT=60
- elastic_url=$(grep elasticsearch.url /usr/share/kibana/config/kibana.yml | cut -d\ -f2)
+ elastic_url=$(grep elasticsearch.host /usr/share/kibana/config/kibana.yml | cut -d\ -f2)
while [ ! "$RES" -eq "0" ] && [ "$PING_TIMEOUT" -gt "0" ];
do
curl $elastic_url
diff --git a/src/main/docker/logstash/Dockerfile b/src/main/docker/logstash/Dockerfile
index 762479c..8d26473 100644
--- a/src/main/docker/logstash/Dockerfile
+++ b/src/main/docker/logstash/Dockerfile
@@ -28,7 +28,10 @@ LABEL Description="Logstash image with some plugins needed for the clamp dashboa
# Default aaf certificates
COPY certs /certs.d/
-# remove default pipeline first
+# Default clamp certificates for ES communication
+COPY clamp-cert /clamp-cert/
+
+# remove/replace default pipeline first
COPY pipeline/logstash.conf /usr/share/logstash/pipeline/logstash.conf
# add plugins needed by aggregation part of the pipeline
diff --git a/src/main/docker/logstash/clamp-cert/ca-certs.pem b/src/main/docker/logstash/clamp-cert/ca-certs.pem
new file mode 100644
index 0000000..70bb844
--- /dev/null
+++ b/src/main/docker/logstash/clamp-cert/ca-certs.pem
@@ -0,0 +1,32 @@
+Bag Attributes
+ friendlyName: CN=intermediateCA_9,OU=OSAAF,O=ONAP,C=US
+subject=C = US, O = ONAP, OU = OSAAF, CN = intermediateCA_9
+
+issuer=OU = OSAAF, O = ONAP, C = US
+
+-----BEGIN CERTIFICATE-----
+MIIEdTCCAl2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB
+RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwODE3MTg1MTM3WhcN
+MjMwODE3MTg1MTM3WjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG
+A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv0HHUkba3uNtNI3jPKimUcd6RNwmhSCJL
+neMWpnjqp5/A+HCKyNsEaT4y177hNLmCm/aMm1u2JIfikc+8wEqLCSBBPz+P0h+d
+o+sZ7U+4oeQizdYYpEdzHJ2SieHHa8vtu80rU3nO2NEIkuYC20HcKSEtl8fFKsk3
+nqlhY+tGfYJPTXcDOQAO40BTcgat3C3uIJHkWJJ4RivunE4LEuRv9QyKgAw7rkJV
+v+f7guqpZlXy6dzAkuU7XULWcgo55MkZlssoiErMvEZJad5aWKvRY3g7qUjaQ6wO
+15wOAUoRBW96eeZZbytgn8kybcBy++Ue49gPtgm1MF/KlAsp0MD5AgMBAAGjgYYw
+gYMwHQYDVR0OBBYEFIH3mVsQuciM3vNSXupOaaBDPqzdMB8GA1UdIwQYMBaAFFNV
+M/JL69BRscF4msEoMXvv6u1JMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/
+BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
+AQsFAAOCAgEADxNymiCNr2e37iLReoaxKmZvwox0cTiNAaj7iafRzmwIoY3VXO8Q
+ix5IYcp4FaQ7fV1jyp/AmaSnyHf6Osl0sx8PxsQkO7ALttxKUrjfbvNSVUA2C/vl
+u5m7UVJLIUtFDZBWanzUSmkTsYLHpiANFQKd2c/cU1qXcyzgJVFEFVyyHNkF7Is+
++pjG9M1hwQHOoTnEuU013P7X1mHek+RXEfhJWwe7UsZnBKZaZKbQZu7hEtqKWYp/
+QsHgnjoLYXsh0WD5rz/mBxdTdDLGpFqWDzDqb8rsYnqBzoowvsasV8X8OSkov0Ht
+8Yka0ckFH9yf8j1Cwmbl6ttuonOhky3N/gwLEozuhy7TPcZGVyzevF70kXy7g1CX
+kpFGJyEHXoprlNi8FR4I+NFzbDe6a2cFow1JN19AJ9Z5Rk5m7M0mQPaQ4RcikjB3
+aoLsASCJTm1OpOFHfxEKiBW4Lsp3Uc5/Rb9ZNbfLrwqWZRM7buW1e3ekLqntgbky
+uKKISHqVJuw/vXHl1jNibEo9+JuQ88VNuAcm7WpGUogeCa2iAlPTckPZei+MwZ8w
+tpvxTyYlZEC8DWzY1VC29+W2N5cvh01e2E3Ql08W1zL63dqrgdEZ3VWjzooYi4ep
+BmMXTvouW+Flyvcw/0oTcfN0biDIt0mCkZ5CQVjfGL9DTOYteR5hw+k=
+-----END CERTIFICATE-----
diff --git a/src/main/docker/logstash/pipeline/logstash.conf b/src/main/docker/logstash/pipeline/logstash.conf
index 5c1d47d..24c8c9f 100644
--- a/src/main/docker/logstash/pipeline/logstash.conf
+++ b/src/main/docker/logstash/pipeline/logstash.conf
@@ -237,6 +237,9 @@ output {
if "error" in [tags] {
elasticsearch {
codec => "json"
+ ssl => true
+ cacert => "/clamp-cert/ca-certs.pem"
+ ssl_certificate_verification => false
hosts => ["${elasticsearch_base_url}"]
user => "${LOGSTASH_USR}"
password => "${LOGSTASH_PWD}"
@@ -247,6 +250,9 @@ output {
} else if "event-cl-aggs" in [tags] {
elasticsearch {
codec => "json"
+ ssl => true
+ cacert => "/clamp-cert/ca-certs.pem"
+ ssl_certificate_verification => false
hosts => ["${elasticsearch_base_url}"]
user => "${LOGSTASH_USR}"
password => "${LOGSTASH_PWD}"
@@ -259,6 +265,9 @@ output {
} else {
elasticsearch {
codec => "json"
+ ssl => true
+ cacert => "/clamp-cert/ca-certs.pem"
+ ssl_certificate_verification => false
hosts => ["${elasticsearch_base_url}"]
user => "${LOGSTASH_USR}"
password => "${LOGSTASH_PWD}"