authorosgn422w <gervais-martial.ngueko@intl.att.com>2020-02-03 17:08:11 +0100
committerosgn422w <gervais-martial.ngueko@intl.att.com>2020-02-03 17:08:11 +0100
commitb15dad0600c4888da658448b89e41d7f18262716 (patch)
treecd2492abe5b81f8977339aa02f2e7186d91aff9c /src/main/docker/elasticsearch
parent4abf1c966abcecfd42bcaaceeae6d2c197c69df3 (diff)
correct security settings
correct and adjust the security settings Issue-ID: CLAMP-483 Change-Id: Id94672580ade132a7ff16241f44d8a4403b49383 Signed-off-by: osgn422w <gervais-martial.ngueko@intl.att.com>
Diffstat (limited to 'src/main/docker/elasticsearch')
-rw-r--r--src/main/docker/elasticsearch/Dockerfile20
-rw-r--r--src/main/docker/elasticsearch/bin/init_sg.sh7
-rw-r--r--src/main/docker/elasticsearch/securityconfig/internal_users.yml67
-rw-r--r--src/main/docker/elasticsearch/securityconfig/roles.yml50
4 files changed, 134 insertions, 10 deletions
diff --git a/src/main/docker/elasticsearch/Dockerfile b/src/main/docker/elasticsearch/Dockerfile
index bc2dd74..5e25e56 100644
--- a/src/main/docker/elasticsearch/Dockerfile
+++ b/src/main/docker/elasticsearch/Dockerfile
@@ -1,4 +1,3 @@
-<!--
###
# ============LICENSE_START=======================================================
# ONAP CLAMP
@@ -19,8 +18,23 @@
# limitations under the License.
# ============LICENSE_END============================================
# ===================================================================
-#
+#
###
--->
FROM amazon/opendistro-for-elasticsearch:1.3.0
+
+# Default clamp certificates for ES communication
+COPY config/ca-certs.pem /usr/share/elasticsearch/config/root-ca.pem
+COPY config/clamp.pem /usr/share/elasticsearch/config/esnode.pem
+COPY config/clamp-key.pem /usr/share/elasticsearch/config/esnode-key.pem
+COPY config/clamp.pem /usr/share/elasticsearch/config/kirk.pem
+COPY config/clamp-key.pem /usr/share/elasticsearch/config/kirk-key.pem
+
+# replace default elasticsearch.yml conf file
+COPY config/elasticsearch.yml /usr/share/elasticsearch/config/elasticsearch.yml
+
+# replace default security roles and initial users
+COPY securityconfig/roles.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml
+COPY securityconfig/internal_users.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
+
+
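Review bot: The private key `config/clamp-key.pem` is copied into the image twice (L42 and L44), so it lives in an image layer and travels with every registry push; certificates and especially keys are better mounted at container start (volume or orchestrator secret) than baked in with COPY. The same `clamp.pem`/`clamp-key.pem` pair is installed as both the node certificate (`esnode*.pem`) and the admin client certificate (`kirk*.pem`), so if the replacement `elasticsearch.yml` copied on L47 (contents not in this diff) lists that DN under the security plugin's `admin_dn`, the transport node identity and the security-admin identity share one key — presumably unintended, and worth a separate key pair for kirk. If the files must stay in the image, at least restrict the key files, e.g. `COPY --chmod=0600 config/clamp-key.pem /usr/share/elasticsearch/config/esnode-key.pem`, and say in the comment on L39 that these are development defaults to be overridden at deployment. The two trailing blank `+` lines at the end of the file can be dropped.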
diff --git a/src/main/docker/elasticsearch/bin/init_sg.sh b/src/main/docker/elasticsearch/bin/init_sg.sh
deleted file mode 100644
index 1c4e607..0000000
--- a/src/main/docker/elasticsearch/bin/init_sg.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-plugins/search-guard-6/tools/sgadmin.sh \
- -cd config/sg/ \
- -ts config/sg/truststore.jks \
- -ks config/sg/kirk-keystore.jks \
- -nhnv \
- -icl \ No newline at end of file
diff --git a/src/main/docker/elasticsearch/securityconfig/internal_users.yml b/src/main/docker/elasticsearch/securityconfig/internal_users.yml
new file mode 100644
index 0000000..8808dd9
--- /dev/null
+++ b/src/main/docker/elasticsearch/securityconfig/internal_users.yml
@@ -0,0 +1,67 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+ type: "internalusers"
+ config_version: 2
+
+# Define your internal users here
+# clampadmin has same deafult pwd as kibanaro
+clampadmin:
+ hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+ reserved: false
+ opendistro_security_roles:
+ - "clamp_admin_role"
+ backend_roles:
+ - "kibanauser"
+ - "readall"
+
+## Demo users
+
+admin:
+ hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
+ reserved: true
+ backend_roles:
+ - "admin"
+ description: "Demo admin user"
+
+kibanaserver:
+ hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+ reserved: true
+ description: "Demo kibanaserver user"
+
+kibanaro:
+ hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+ reserved: false
+ backend_roles:
+ - "kibanauser"
+ - "readall"
+ attributes:
+ attribute1: "value1"
+ attribute2: "value2"
+ attribute3: "value3"
+ description: "Demo kibanaro user"
+
+logstash:
+ hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+ reserved: false
+ opendistro_security_roles:
+ - "clamp_admin_role"
+ backend_roles:
+ - "logstash"
+ description: "Demo logstash user"
+
+readall:
+ hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+ reserved: false
+ backend_roles:
+ - "readall"
+ description: "Demo readall user"
+
+snapshotrestore:
+ hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+ reserved: false
+ backend_roles:
+ - "snapshotrestore"
+ description: "Demo snapshotrestore user" \ No newline at end of file
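Review bot: `clampadmin` (L83-L90), the account that carries `clamp_admin_role`, is created with the same bcrypt hash as the demo `kibanaro` user (L84 and L107 are identical, and the comment on L82 says so), i.e. a publicly documented demo password protects the administrative account; the hash should be generated per deployment (a placeholder replaced before securityadmin runs, or the entrypoint rotating it) rather than committed. The demo accounts below `## Demo users` — `admin` with the `admin` backend role and `reserved: true`, `logstash`, `readall`, `snapshotrestore` — are copied with their upstream demo hashes too; any of them not actually used by CLAMP should be removed from the file instead of shipped enabled (which ones are used is not visible in this diff). Since `init_sg.sh` is deleted in this commit and nothing in the diff invokes securityadmin, whether these files are applied at all depends on the base image's own demo-config initialisation — worth confirming and documenting at the top of the file. Minor: `deafult` → `default` on L82, and the file lacks a trailing newline.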
diff --git a/src/main/docker/elasticsearch/securityconfig/roles.yml b/src/main/docker/elasticsearch/securityconfig/roles.yml
new file mode 100644
index 0000000..327464b
--- /dev/null
+++ b/src/main/docker/elasticsearch/securityconfig/roles.yml
@@ -0,0 +1,50 @@
+_meta:
+ type: "roles"
+ config_version: 2
+
+# Restrict users so they can only view visualization and dashboard on kibana
+kibana_read_only:
+ reserved: true
+
+# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
+security_rest_api_access:
+ reserved: true
+
+# Allows users to view alerts
+alerting_view_alerts:
+ reserved: true
+ index_permissions:
+ - index_patterns:
+ - ".opendistro-alerting-alert*"
+ allowed_actions:
+ - read
+
+# Allows users to view and acknowledge alerts
+alerting_crud_alerts:
+ reserved: true
+ index_permissions:
+ - index_patterns:
+ - ".opendistro-alerting-alert*"
+ allowed_actions:
+ - crud
+
+# Allows users to use all alerting functionality
+alerting_full_access:
+ reserved: true
+ index_permissions:
+ - index_patterns:
+ - ".opendistro-alerting-config"
+ - ".opendistro-alerting-alert*"
+ allowed_actions:
+ - crud
+
+clamp_admin_role:
+ reserved: false
+ index_permissions:
+ - index_patterns:
+ - "events*"
+ - "errors*"
+ - "dmaap*"
+ allowed_actions:
+ - crud
+ - create_index \ No newline at end of file
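Review bot: `clamp_admin_role` (L186-L195) is the only role in the file without an explanatory comment; suggested: `# Read/write access to the CLAMP event, error and DMaaP indices (used by clampadmin and logstash)`. The `crud` action group includes delete, and `internal_users.yml` in this commit maps the `logstash` ingest user to this same role, so an ingest credential can also delete `events*`, `errors*` and `dmaap*` documents; if logstash only needs to index, a second role with `write` and `create_index` would be the least-privilege split (assuming logstash's usage is write-only — not visible here). The file also lacks a trailing newline.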