From b15dad0600c4888da658448b89e41d7f18262716 Mon Sep 17 00:00:00 2001 From: osgn422w Date: Mon, 3 Feb 2020 17:08:11 +0100 Subject: correct security settings correct and adjust the security settings Issue-ID: CLAMP-483 Change-Id: Id94672580ade132a7ff16241f44d8a4403b49383 Signed-off-by: osgn422w --- src/main/docker/elasticsearch/Dockerfile | 20 ++++++- src/main/docker/elasticsearch/bin/init_sg.sh | 7 --- .../securityconfig/internal_users.yml | 67 ++++++++++++++++++++++ .../docker/elasticsearch/securityconfig/roles.yml | 50 ++++++++++++++++ src/main/docker/kibana/conf/kibana.yml | 2 +- src/main/docker/kibana/startup.sh | 4 +- src/main/docker/logstash/Dockerfile | 5 +- src/main/docker/logstash/clamp-cert/ca-certs.pem | 32 +++++++++++ src/main/docker/logstash/pipeline/logstash.conf | 9 +++ 9 files changed, 182 insertions(+), 14 deletions(-) delete mode 100644 src/main/docker/elasticsearch/bin/init_sg.sh create mode 100644 src/main/docker/elasticsearch/securityconfig/internal_users.yml create mode 100644 src/main/docker/elasticsearch/securityconfig/roles.yml create mode 100644 src/main/docker/logstash/clamp-cert/ca-certs.pem (limited to 'src/main') diff --git a/src/main/docker/elasticsearch/Dockerfile b/src/main/docker/elasticsearch/Dockerfile index bc2dd74..5e25e56 100644 --- a/src/main/docker/elasticsearch/Dockerfile +++ b/src/main/docker/elasticsearch/Dockerfile @@ -1,4 +1,3 @@ - FROM amazon/opendistro-for-elasticsearch:1.3.0 + +# Default clamp certificates for ES communication +COPY config/ca-certs.pem /usr/share/elasticsearch/config/root-ca.pem +COPY config/clamp.pem /usr/share/elasticsearch/config/esnode.pem +COPY config/clamp-key.pem /usr/share/elasticsearch/config/esnode-key.pem +COPY config/clamp.pem /usr/share/elasticsearch/config/kirk.pem +COPY config/clamp-key.pem /usr/share/elasticsearch/config/kirk-key.pem + +# replace default elasticsearch.yml conf file +COPY config/elasticsearch.yml /usr/share/elasticsearch/config/elasticsearch.yml + +# replace default security roles and initial users +COPY securityconfig/roles.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml +COPY securityconfig/internal_users.yml /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml + + diff --git a/src/main/docker/elasticsearch/bin/init_sg.sh b/src/main/docker/elasticsearch/bin/init_sg.sh deleted file mode 100644 index 1c4e607..0000000 --- a/src/main/docker/elasticsearch/bin/init_sg.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh -plugins/search-guard-6/tools/sgadmin.sh \ - -cd config/sg/ \ - -ts config/sg/truststore.jks \ - -ks config/sg/kirk-keystore.jks \ - -nhnv \ - -icl \ No newline at end of file diff --git a/src/main/docker/elasticsearch/securityconfig/internal_users.yml b/src/main/docker/elasticsearch/securityconfig/internal_users.yml new file mode 100644 index 0000000..8808dd9 --- /dev/null +++ b/src/main/docker/elasticsearch/securityconfig/internal_users.yml @@ -0,0 +1,67 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here +# clampadmin has same deafult pwd as kibanaro +clampadmin: + hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" + reserved: false + opendistro_security_roles: + - "clamp_admin_role" + backend_roles: + - "kibanauser" + - "readall" + +## Demo users + +admin: + hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" + reserved: true + backend_roles: + - "admin" + description: "Demo admin user" + +kibanaserver: + hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H." + reserved: true + description: "Demo kibanaserver user" + +kibanaro: + hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" + reserved: false + backend_roles: + - "kibanauser" + - "readall" + attributes: + attribute1: "value1" + attribute2: "value2" + attribute3: "value3" + description: "Demo kibanaro user" + +logstash: + hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2" + reserved: false + opendistro_security_roles: + - "clamp_admin_role" + backend_roles: + - "logstash" + description: "Demo logstash user" + +readall: + hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2" + reserved: false + backend_roles: + - "readall" + description: "Demo readall user" + +snapshotrestore: + hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W" + reserved: false + backend_roles: + - "snapshotrestore" + description: "Demo snapshotrestore user" \ No newline at end of file diff --git a/src/main/docker/elasticsearch/securityconfig/roles.yml b/src/main/docker/elasticsearch/securityconfig/roles.yml new file mode 100644 index 0000000..327464b --- /dev/null +++ b/src/main/docker/elasticsearch/securityconfig/roles.yml @@ -0,0 +1,50 @@ +_meta: + type: "roles" + config_version: 2 + +# Restrict users so they can only view visualization and dashboard on kibana +kibana_read_only: + reserved: true + +# The security REST API access role is used to assign specific users access to change the security settings through the REST API. +security_rest_api_access: + reserved: true + +# Allows users to view alerts +alerting_view_alerts: + reserved: true + index_permissions: + - index_patterns: + - ".opendistro-alerting-alert*" + allowed_actions: + - read + +# Allows users to view and acknowledge alerts +alerting_crud_alerts: + reserved: true + index_permissions: + - index_patterns: + - ".opendistro-alerting-alert*" + allowed_actions: + - crud + +# Allows users to use all alerting functionality +alerting_full_access: + reserved: true + index_permissions: + - index_patterns: + - ".opendistro-alerting-config" + - ".opendistro-alerting-alert*" + allowed_actions: + - crud + +clamp_admin_role: + reserved: false + index_permissions: + - index_patterns: + - "events*" + - "errors*" + - "dmaap*" + allowed_actions: + - crud + - create_index \ No newline at end of file diff --git a/src/main/docker/kibana/conf/kibana.yml b/src/main/docker/kibana/conf/kibana.yml index 6726a74..eff84fa 100644 --- a/src/main/docker/kibana/conf/kibana.yml +++ b/src/main/docker/kibana/conf/kibana.yml @@ -3,7 +3,7 @@ server.name: kibana server.host: "0" -elasticsearch.hosts: http://elasticsearch:9200 +elasticsearch.hosts: https://elasticsearch:9200 server.ssl.enabled: true server.ssl.key: /usr/share/kibana/config/keystore/org.onap.clamp.key.pem server.ssl.certificate: /usr/share/kibana/config/keystore/org.onap.clamp.crt.pem diff --git a/src/main/docker/kibana/startup.sh b/src/main/docker/kibana/startup.sh index a232706..da289ae 100755 --- a/src/main/docker/kibana/startup.sh +++ b/src/main/docker/kibana/startup.sh @@ -23,7 +23,7 @@ ### KIBANA_CONF_FILE="/usr/share/kibana/config/kibana.yml" SAVED_OBJECTS_ROOT="/saved-objects/" -RESTORE_CMD="/usr/local/bin/restore.py -H http://127.0.0.1:5601/ -f" +RESTORE_CMD="/usr/local/bin/restore.py -H https://127.0.0.1:5601/ -f" BACKUP_BIN="/usr/local/bin/backup.py" KIBANA_START_CMD="/usr/local/bin/kibana-docker" LOG_FILE="/tmp/load.kibana.log" @@ -40,7 +40,7 @@ then echo "---- Waiting for elasticsearch to be up..." RES=-1 PING_TIMEOUT=60 - elastic_url=$(grep elasticsearch.url /usr/share/kibana/config/kibana.yml | cut -d\ -f2) + elastic_url=$(grep elasticsearch.host /usr/share/kibana/config/kibana.yml | cut -d\ -f2) while [ ! "$RES" -eq "0" ] && [ "$PING_TIMEOUT" -gt "0" ]; do curl $elastic_url diff --git a/src/main/docker/logstash/Dockerfile b/src/main/docker/logstash/Dockerfile index 762479c..8d26473 100644 --- a/src/main/docker/logstash/Dockerfile +++ b/src/main/docker/logstash/Dockerfile @@ -28,7 +28,10 @@ LABEL Description="Logstash image with some plugins needed for the clamp dashboa # Default aaf certificates COPY certs /certs.d/ -# remove default pipeline first +# Default clamp certificates for ES communication +COPY clamp-cert /clamp-cert/ + +# remove/replace default pipeline first COPY pipeline/logstash.conf /usr/share/logstash/pipeline/logstash.conf # add plugins needed by aggregation part of the pipeline diff --git a/src/main/docker/logstash/clamp-cert/ca-certs.pem b/src/main/docker/logstash/clamp-cert/ca-certs.pem new file mode 100644 index 0000000..70bb844 --- /dev/null +++ b/src/main/docker/logstash/clamp-cert/ca-certs.pem @@ -0,0 +1,32 @@ +Bag Attributes + friendlyName: CN=intermediateCA_9,OU=OSAAF,O=ONAP,C=US +subject=C = US, O = ONAP, OU = OSAAF, CN = intermediateCA_9 + +issuer=OU = OSAAF, O = ONAP, C = US + +-----BEGIN CERTIFICATE----- +MIIEdTCCAl2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB +RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwODE3MTg1MTM3WhcN +MjMwODE3MTg1MTM3WjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG +A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv0HHUkba3uNtNI3jPKimUcd6RNwmhSCJL +neMWpnjqp5/A+HCKyNsEaT4y177hNLmCm/aMm1u2JIfikc+8wEqLCSBBPz+P0h+d +o+sZ7U+4oeQizdYYpEdzHJ2SieHHa8vtu80rU3nO2NEIkuYC20HcKSEtl8fFKsk3 +nqlhY+tGfYJPTXcDOQAO40BTcgat3C3uIJHkWJJ4RivunE4LEuRv9QyKgAw7rkJV +v+f7guqpZlXy6dzAkuU7XULWcgo55MkZlssoiErMvEZJad5aWKvRY3g7qUjaQ6wO +15wOAUoRBW96eeZZbytgn8kybcBy++Ue49gPtgm1MF/KlAsp0MD5AgMBAAGjgYYw +gYMwHQYDVR0OBBYEFIH3mVsQuciM3vNSXupOaaBDPqzdMB8GA1UdIwQYMBaAFFNV +M/JL69BRscF4msEoMXvv6u1JMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/ +BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B +AQsFAAOCAgEADxNymiCNr2e37iLReoaxKmZvwox0cTiNAaj7iafRzmwIoY3VXO8Q +ix5IYcp4FaQ7fV1jyp/AmaSnyHf6Osl0sx8PxsQkO7ALttxKUrjfbvNSVUA2C/vl +u5m7UVJLIUtFDZBWanzUSmkTsYLHpiANFQKd2c/cU1qXcyzgJVFEFVyyHNkF7Is+ ++pjG9M1hwQHOoTnEuU013P7X1mHek+RXEfhJWwe7UsZnBKZaZKbQZu7hEtqKWYp/ +QsHgnjoLYXsh0WD5rz/mBxdTdDLGpFqWDzDqb8rsYnqBzoowvsasV8X8OSkov0Ht +8Yka0ckFH9yf8j1Cwmbl6ttuonOhky3N/gwLEozuhy7TPcZGVyzevF70kXy7g1CX +kpFGJyEHXoprlNi8FR4I+NFzbDe6a2cFow1JN19AJ9Z5Rk5m7M0mQPaQ4RcikjB3 +aoLsASCJTm1OpOFHfxEKiBW4Lsp3Uc5/Rb9ZNbfLrwqWZRM7buW1e3ekLqntgbky +uKKISHqVJuw/vXHl1jNibEo9+JuQ88VNuAcm7WpGUogeCa2iAlPTckPZei+MwZ8w +tpvxTyYlZEC8DWzY1VC29+W2N5cvh01e2E3Ql08W1zL63dqrgdEZ3VWjzooYi4ep +BmMXTvouW+Flyvcw/0oTcfN0biDIt0mCkZ5CQVjfGL9DTOYteR5hw+k= +-----END CERTIFICATE----- diff --git a/src/main/docker/logstash/pipeline/logstash.conf b/src/main/docker/logstash/pipeline/logstash.conf index 5c1d47d..24c8c9f 100644 --- a/src/main/docker/logstash/pipeline/logstash.conf +++ b/src/main/docker/logstash/pipeline/logstash.conf @@ -237,6 +237,9 @@ output { if "error" in [tags] { elasticsearch { codec => "json" + ssl => true + cacert => "/clamp-cert/ca-certs.pem" + ssl_certificate_verification => false hosts => ["${elasticsearch_base_url}"] user => "${LOGSTASH_USR}" password => "${LOGSTASH_PWD}" @@ -247,6 +250,9 @@ output { } else if "event-cl-aggs" in [tags] { elasticsearch { codec => "json" + ssl => true + cacert => "/clamp-cert/ca-certs.pem" + ssl_certificate_verification => false hosts => ["${elasticsearch_base_url}"] user => "${LOGSTASH_USR}" password => "${LOGSTASH_PWD}" @@ -259,6 +265,9 @@ output { } else { elasticsearch { codec => "json" + ssl => true + cacert => "/clamp-cert/ca-certs.pem" + ssl_certificate_verification => false hosts => ["${elasticsearch_base_url}"] user => "${LOGSTASH_USR}" password => "${LOGSTASH_PWD}" -- cgit 1.2.3-korg