author | osgn422w <gervais-martial.ngueko@intl.att.com> | 2020-02-03 17:08:11 +0100 |
---|---|---|
committer | osgn422w <gervais-martial.ngueko@intl.att.com> | 2020-02-03 17:08:11 +0100 |
commit | b15dad0600c4888da658448b89e41d7f18262716 (patch) | |
tree | cd2492abe5b81f8977339aa02f2e7186d91aff9c /src/main/docker/elasticsearch | |
parent | 4abf1c966abcecfd42bcaaceeae6d2c197c69df3 (diff) |
correct security settings
correct and adjust the security settings
Issue-ID: CLAMP-483
Change-Id: Id94672580ade132a7ff16241f44d8a4403b49383
Signed-off-by: osgn422w <gervais-martial.ngueko@intl.att.com>
Diffstat (limited to 'src/main/docker/elasticsearch')
4 files changed, 134 insertions, 10 deletions
diff --git a/src/main/docker/elasticsearch/Dockerfile b/src/main/docker/elasticsearch/Dockerfile index bc2dd74..5e25e56 100644 --- a/src/main/docker/elasticsearch/Dockerfile +++ b/src/main/docker/elasticsearch/Dockerfile @@ -1,4 +1,3 @@ -<!-- ### # ============LICENSE_START======================================================= # ONAP CLAMP @@ -19,8 +18,23 @@ # limitations under the License. # ============LICENSE_END============================================ # =================================================================== -# +# ### ---> FROM amazon/opendistro-for-elasticsearch:1.3.0 + +# Default clamp certificates for ES communication +COPY config/ca-certs.pem /usr/share/elasticsearch/config/root-ca.pem +COPY config/clamp.pem /usr/share/elasticsearch/config/esnode.pem +COPY config/clamp-key.pem /usr/share/elasticsearch/config/esnode-key.pem +COPY config/clamp.pem /usr/share/elasticsearch/config/kirk.pem +COPY config/clamp-key.pem /usr/share/elasticsearch/config/kirk-key.pem + +# replace default elasticsearch.yml conf file +COPY config/elasticsearch.yml /usr/share/elasticsearch/config/elasticsearch.yml + +# replace default security roles and initial users +COPY securityconfig/roles.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml +COPY securityconfig/internal_users.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml + + diff --git a/src/main/docker/elasticsearch/bin/init_sg.sh b/src/main/docker/elasticsearch/bin/init_sg.sh deleted file mode 100644 index 1c4e607..0000000 --- a/src/main/docker/elasticsearch/bin/init_sg.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh -plugins/search-guard-6/tools/sgadmin.sh \ - -cd config/sg/ \ - -ts config/sg/truststore.jks \ - -ks config/sg/kirk-keystore.jks \ - -nhnv \ - -icl
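Review bot: The added `COPY config/clamp-key.pem` lines in the Dockerfile bake one private key into the image under both `esnode-key.pem` and `kirk-key.pem`, so anyone who can pull the image holds the key. The node identity and the `kirk` client identity also become the same key pair. The removed `init_sg.sh` passed `kirk-keystore.jks` to sgadmin, so `kirk` appears to be the security-admin identity; if so, compromising the node certificate also grants the right to rewrite the security configuration. I would keep these files as build-time defaults only and say so where they are copied, for example `# Development defaults only: mount deployment-specific certificates and keys over these paths at runtime`, and use a separate key pair for the admin client. The COPY lines set no ownership or mode either, so it is worth confirming that the key files are not world-readable inside the image.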
\ No newline at end of file diff --git a/src/main/docker/elasticsearch/securityconfig/internal_users.yml b/src/main/docker/elasticsearch/securityconfig/internal_users.yml new file mode 100644 index 0000000..8808dd9 --- /dev/null +++ b/src/main/docker/elasticsearch/securityconfig/internal_users.yml @@ -0,0 +1,67 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here +# clampadmin has same deafult pwd as kibanaro +clampadmin: + hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" + reserved: false + opendistro_security_roles: + - "clamp_admin_role" + backend_roles: + - "kibanauser" + - "readall" + +## Demo users + +admin: + hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" + reserved: true + backend_roles: + - "admin" + description: "Demo admin user" + +kibanaserver: + hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H." + reserved: true + description: "Demo kibanaserver user" + +kibanaro: + hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" + reserved: false + backend_roles: + - "kibanauser" + - "readall" + attributes: + attribute1: "value1" + attribute2: "value2" + attribute3: "value3" + description: "Demo kibanaro user" + +logstash: + hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2" + reserved: false + opendistro_security_roles: + - "clamp_admin_role" + backend_roles: + - "logstash" + description: "Demo logstash user" + +readall: + hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2" + reserved: false + backend_roles: + - "readall" + description: "Demo readall user" + +snapshotrestore: + hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W" + reserved: false + backend_roles: + - "snapshotrestore" + description: "Demo snapshotrestore user"
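Review bot: The new `internal_users.yml` ships the accounts labelled "Demo" (`admin`, `kibanaserver`, `kibanaro`, `logstash`, `readall`, `snapshotrestore`) with fixed hashes committed to the repository. `clampadmin` reuses the exact hash of `kibanaro`, so every image built from this file starts with the same credentials, and `admin` carries the `admin` backend role. The only warning is the comment `# clampadmin has same deafult pwd as kibanaro` (typo: "default"), and nothing tells the deployer that these hashes must be replaced. I would drop the demo users the CLAMP stack does not use and put a comment at the top of the user list such as `# Default credentials for local testing only: regenerate every hash with the hash tool before deployment`. `logstash` is labelled a demo user but is also bound to `clamp_admin_role`, so it should be treated as a real service account with its own credential.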
\ No newline at end of file diff --git a/src/main/docker/elasticsearch/securityconfig/roles.yml b/src/main/docker/elasticsearch/securityconfig/roles.yml new file mode 100644 index 0000000..327464b --- /dev/null +++ b/src/main/docker/elasticsearch/securityconfig/roles.yml @@ -0,0 +1,50 @@ +_meta: + type: "roles" + config_version: 2 + +# Restrict users so they can only view visualization and dashboard on kibana +kibana_read_only: + reserved: true + +# The security REST API access role is used to assign specific users access to change the security settings through the REST API. +security_rest_api_access: + reserved: true + +# Allows users to view alerts +alerting_view_alerts: + reserved: true + index_permissions: + - index_patterns: + - ".opendistro-alerting-alert*" + allowed_actions: + - read + +# Allows users to view and acknowledge alerts +alerting_crud_alerts: + reserved: true + index_permissions: + - index_patterns: + - ".opendistro-alerting-alert*" + allowed_actions: + - crud + +# Allows users to use all alerting functionality +alerting_full_access: + reserved: true + index_permissions: + - index_patterns: + - ".opendistro-alerting-config" + - ".opendistro-alerting-alert*" + allowed_actions: + - crud + +clamp_admin_role: + reserved: false + index_permissions: + - index_patterns: + - "events*" + - "errors*" + - "dmaap*" + allowed_actions: + - crud + - create_index
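Review bot: `clamp_admin_role` at the end of `roles.yml` is the only role without a describing comment, and it grants `crud` plus `create_index` on the prefix patterns `events*`, `errors*` and `dmaap*`. `internal_users.yml` in the same commit binds it to both `clampadmin` and `logstash`, so the ingest account and the dashboard account share write and delete rights on every index whose name starts with those prefixes. If `logstash` only writes and `clampadmin` only reads (an assumption to confirm against how CLAMP uses them), splitting this into a write role and a read role would follow least privilege. At minimum, add a comment such as `# Read/write access for CLAMP components to the events*, errors* and dmaap* indices`. The file also lacks the `---` document start that `internal_users.yml` has.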
\ No newline at end of file |