diff options
Diffstat (limited to 'src/main/docker/elasticsearch/config')
-rw-r--r-- | src/main/docker/elasticsearch/config/elasticsearch.yml | 33 | ||||
-rw-r--r-- | src/main/docker/elasticsearch/config/sg/kirk-keystore.jks | bin | 4525 -> 0 bytes | |||
-rw-r--r-- | src/main/docker/elasticsearch/config/sg/node-0-keystore.jks | bin | 4593 -> 0 bytes | |||
-rw-r--r-- | src/main/docker/elasticsearch/config/sg/sg_action_groups.yml | 153 | ||||
-rw-r--r-- | src/main/docker/elasticsearch/config/sg/sg_config.yml | 148 | ||||
-rw-r--r-- | src/main/docker/elasticsearch/config/sg/sg_internal_users.yml | 45 | ||||
-rw-r--r-- | src/main/docker/elasticsearch/config/sg/sg_roles.yml | 300 | ||||
-rw-r--r-- | src/main/docker/elasticsearch/config/sg/sg_roles_mapping.yml | 34 | ||||
-rw-r--r-- | src/main/docker/elasticsearch/config/sg/truststore.jks | bin | 1096 -> 0 bytes |
9 files changed, 0 insertions, 713 deletions
diff --git a/src/main/docker/elasticsearch/config/elasticsearch.yml b/src/main/docker/elasticsearch/config/elasticsearch.yml deleted file mode 100644 index 4d46ca01e..000000000 --- a/src/main/docker/elasticsearch/config/elasticsearch.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- -## Default Elasticsearch configuration from elasticsearch-docker. -## from https://github.com/elastic/elasticsearch-docker/blob/master/.tedi/template/elasticsearch.yml -# -cluster.name: "docker-cluster" -network.host: 0.0.0.0 - -# minimum_master_nodes need to be explicitly set when bound on a public IP -# set to 1 to allow single node clusters -# Details: https://github.com/elastic/elasticsearch/pull/17288 -discovery.zen.minimum_master_nodes: 1 - -## Use single node discovery in order to disable production mode and avoid bootstrap checks -## see https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html -# -discovery.type: single-node - -## X-Pack settings -## see https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-xpack.html -# -#xpack.license.self_generated.type: basic -#xpack.security.enabled: false - -## Search Guard -# -searchguard.enterprise_modules_enabled: false - -searchguard.ssl.transport.keystore_filepath: sg/node-0-keystore.jks -searchguard.ssl.transport.truststore_filepath: sg/truststore.jks -searchguard.ssl.transport.enforce_hostname_verification: false - -searchguard.authcz.admin_dn: - - "CN=kirk,OU=client,O=client,l=tEst,C=De" diff --git a/src/main/docker/elasticsearch/config/sg/kirk-keystore.jks b/src/main/docker/elasticsearch/config/sg/kirk-keystore.jks Binary files differdeleted file mode 100644 index dd7562ef8..000000000 --- a/src/main/docker/elasticsearch/config/sg/kirk-keystore.jks +++ /dev/null diff --git a/src/main/docker/elasticsearch/config/sg/node-0-keystore.jks b/src/main/docker/elasticsearch/config/sg/node-0-keystore.jks Binary files differdeleted file mode 100644 index 5693b7bf8..000000000 --- a/src/main/docker/elasticsearch/config/sg/node-0-keystore.jks +++ /dev/null diff --git a/src/main/docker/elasticsearch/config/sg/sg_action_groups.yml b/src/main/docker/elasticsearch/config/sg/sg_action_groups.yml deleted file mode 100644 index 38ffef024..000000000 --- a/src/main/docker/elasticsearch/config/sg/sg_action_groups.yml +++ /dev/null @@ -1,153 +0,0 @@ -UNLIMITED: - readonly: true - permissions: - - "*" - -###### INDEX LEVEL ###### - -INDICES_ALL: - readonly: true - permissions: - - "indices:*" - -# for backward compatibility -ALL: - readonly: true - permissions: - - INDICES_ALL - -MANAGE: - readonly: true - permissions: - - "indices:monitor/*" - - "indices:admin/*" - -CREATE_INDEX: - readonly: true - permissions: - - "indices:admin/create" - - "indices:admin/mapping/put" - -MANAGE_ALIASES: - readonly: true - permissions: - - "indices:admin/aliases*" - -INDEX_OWNER: - - CREATE_INDEX - - CRUD - -# for backward compatibility -MONITOR: - readonly: true - permissions: - - INDICES_MONITOR - -INDICES_MONITOR: - readonly: true - permissions: - - "indices:monitor/*" - -DATA_ACCESS: - readonly: true - permissions: - - "indices:data/*" - - CRUD - -WRITE: - readonly: true - permissions: - - "indices:data/write*" - - "indices:admin/mapping/put" - -READ: - readonly: true - permissions: - - "indices:data/read*" - - "indices:admin/mappings/fields/get*" - -DELETE: - readonly: true - permissions: - - "indices:data/write/delete*" - -CRUD: - readonly: true - permissions: - - READ - - WRITE - -SEARCH: - readonly: true - permissions: - - "indices:data/read/search*" - - "indices:data/read/msearch*" - - SUGGEST - -SUGGEST: - readonly: true - permissions: - - "indices:data/read/suggest*" - -INDEX: - readonly: true - permissions: - - "indices:data/write/index*" - - "indices:data/write/update*" - - "indices:admin/mapping/put" - - "indices:data/write/bulk*" - -GET: - readonly: true - permissions: - - "indices:data/read/get*" - - "indices:data/read/mget*" - -###### CLUSTER LEVEL ###### - -CLUSTER_ALL: - readonly: true - permissions: - - "cluster:*" - -CLUSTER_MONITOR: - readonly: true - permissions: - - "cluster:monitor/*" - -CLUSTER_COMPOSITE_OPS_RO: - readonly: true - permissions: - - "indices:data/read/mget" - - "indices:data/read/msearch" - - "indices:data/read/mtv" - - "indices:admin/aliases/exists*" - - "indices:admin/aliases/get*" - - "indices:data/read/scroll" - -CLUSTER_COMPOSITE_OPS: - readonly: true - permissions: - - "indices:data/write/bulk" - - "indices:admin/aliases*" - - "indices:data/write/reindex" - - CLUSTER_COMPOSITE_OPS_RO - -MANAGE_SNAPSHOTS: - readonly: true - permissions: - - "cluster:admin/snapshot/*" - - "cluster:admin/repository/*" - -# CLAMPDASHBOARD ELASTICSEARCH ENTRYPOINT -GET_TEMPLATE: - - "indices:admin/template/get" -PUT_TEMPLATE: - - "indices:admin/template/put" -TEMPLATE_OWNER: - - GET_TEMPLATE - - PUT_TEMPLATE -ES_INPUT: - - TEMPLATE_OWNER - - WRITE - - MONITOR diff --git a/src/main/docker/elasticsearch/config/sg/sg_config.yml b/src/main/docker/elasticsearch/config/sg/sg_config.yml deleted file mode 100644 index 9a16a8239..000000000 --- a/src/main/docker/elasticsearch/config/sg/sg_config.yml +++ /dev/null @@ -1,148 +0,0 @@ -# This is the main Search Guard configuration file where authentication -# and authorization is defined. -# -# You need to configure at least one authentication domain in the authc of this file. -# An authentication domain is responsible for extracting the user credentials from -# the request and for validating them against an authentication backend like Active Directory for example. -# -# If more than one authentication domain is configured the first one which succeeds wins. -# If all authentication domains fail then the request is unauthenticated. -# In this case an exception is thrown and/or the HTTP status is set to 401. -# -# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect -# the roles from a given backend for the authenticated user. -# -# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both. -# http_enabled: true -# transport_enabled: true -# -# 5.x Migration: "enabled: true/false" will also be respected currently but only to provide backward compatibility. -# -# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to -# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated. -# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "sg_anonymous" -# and one role named "sg_anonymous_backendrole". -# If you enable anonymous authentication all HTTP authenticators will not challenge. -# -# -# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert" -# first and the challenging one last. -# Because it's not possible to challenge a client with two different authentication methods (for example -# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation -# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request. -# -# Default value of the challenge flag is true. -# -# -# HTTP -# basic (challenging) -# proxy (not challenging, needs xff) -# clientcert (not challenging, needs https) -# host (not challenging) #DEPRECATED, will be removed in a future version. -# host based authentication is configurable in sg_roles_mapping - -# Authc -# internal -# noop - -# Authz -# noop -# -# Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free; -# see https://github.com/floragunncom/search-guard. The functionality enabled in this configuration -# file only include those that are licensed under Apache-2.0. Please use care and review SearchGuard's -# license details before enabling any additional features here. - - -searchguard: - dynamic: - # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index - # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default) - # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently - #filtered_alias_mode: warn - #kibana: - # see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md - # To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki - #multitenancy_enabled: true - #server_username: kibanaserver - #index: '.kibana' - #do_not_fail_on_forbidden: false - http: - anonymous_auth_enabled: false - xff: - enabled: false - internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern - #internalProxies: '.*' # trust all internal proxies, regex pattern - remoteIpHeader: 'x-forwarded-for' - proxiesHeader: 'x-forwarded-by' - #trustedProxies: '.*' # trust all external proxies, regex pattern - ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help - ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For - ###### and here https://tools.ietf.org/html/rfc7239 - ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve - authc: - basic_internal_auth_domain: - http_enabled: true - transport_enabled: true - order: 4 - http_authenticator: - type: basic - challenge: true - authentication_backend: - type: intern - proxy_auth_domain: - http_enabled: false - transport_enabled: false - order: 3 - http_authenticator: - type: proxy - challenge: false - config: - user_header: "x-proxy-user" - roles_header: "x-proxy-roles" - authentication_backend: - type: noop - jwt_auth_domain: - http_enabled: false - transport_enabled: false - order: 0 - http_authenticator: - type: jwt - challenge: false - config: - signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key" - jwt_header: "Authorization" - jwt_url_parameter: null - roles_key: null - subject_key: null - authentication_backend: - type: noop - clientcert_auth_domain: - http_enabled: false - transport_enabled: false - order: 2 - http_authenticator: - type: clientcert - config: - username_attribute: cn #optional, if omitted DN becomes username - challenge: false - authentication_backend: - type: noop - authz: -# auth_failure_listeners: -# ip_rate_limiting: -# type: ip -# allowed_tries: 10 -# time_window_seconds: 3600 -# block_expiry_seconds: 600 -# max_blocked_clients: 100000 -# max_tracked_clients: 100000 -# internal_authentication_backend_limiting: -# type: username -# authentication_backend: intern -# allowed_tries: 10 -# time_window_seconds: 3600 -# block_expiry_seconds: 600 -# max_blocked_clients: 100000 -# max_tracked_clients: 100000 -
\ No newline at end of file diff --git a/src/main/docker/elasticsearch/config/sg/sg_internal_users.yml b/src/main/docker/elasticsearch/config/sg/sg_internal_users.yml deleted file mode 100644 index 1712d3792..000000000 --- a/src/main/docker/elasticsearch/config/sg/sg_internal_users.yml +++ /dev/null @@ -1,45 +0,0 @@ -# This is the internal user database -# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh - -#password is: admin -admin: - readonly: true - hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG - roles: - - admin - attributes: - #no dots allowed in attribute names - attribute1: value1 - attribute2: value2 - attribute3: value3 - -#password is: logstash -logstash: - hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2 - roles: - - logstash - -#password is: kibanaserver -kibanaserver: - readonly: true - hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H. - -#password is: kibanaro -kibanaro: - hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC - roles: - - kibanauser - - readall - -#password is: readall -readall: - hash: $2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2 - #password is: readall - roles: - - readall - -#password is: snapshotrestore -snapshotrestore: - hash: $2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W - roles: - - snapshotrestore
\ No newline at end of file diff --git a/src/main/docker/elasticsearch/config/sg/sg_roles.yml b/src/main/docker/elasticsearch/config/sg/sg_roles.yml deleted file mode 100644 index 1a3a80ce5..000000000 --- a/src/main/docker/elasticsearch/config/sg/sg_roles.yml +++ /dev/null @@ -1,300 +0,0 @@ -#<sg_role_name>: -# cluster: -# - '<permission>' -# indices: -# '<indexname or alias>': -# '<type>': -# - '<permission>' -# _dls_: '<dls query>' -# _fls_: -# - '<field>' -# - '<field>' - -# When a user make a request to Elasticsearch then the following roles will be evaluated to see if the user has -# permissions for the request. A request is always associated with an action and is executed against and index (or alias) -# and a type. If a request is executed against all indices (or all types) then the asterix ('*') is needed. -# Every role a user has will be examined if it allows the action against an index (or type). At least one role must match -# for the request to be successful. If no role match then the request will be denied. Currently a match must happen within -# one single role - that means that permissions can not span multiple roles. - -# For <permission>, <indexname or alias> and <type> simple wildcards and regular expressions are possible. -# A asterix (*) will match any character sequence (or an empty sequence) -# A question mark (?) will match any single character (but NOT empty character) -# Example: '*my*index' will match 'my_first_index' as well as 'myindex' but not 'myindex1' -# Example: '?kibana' will match '.kibana' but not 'kibana' - -# To use a full blown regex you have to pre- and apend a '/' to use regex instead of simple wildcards -# '/<java regex>/' -# Example: '/\S*/' will match any non whitespace characters - -# Important: -# Index, alias or type names can not contain dots (.) in the <indexname or alias> or <type> expression. -# Reason is that we currently parse the config file into a elasticsearch settings object which cannot cope with dots in keys. -# Workaround: Just configure something like '?kibana' instead of '.kibana' or 'my?index' instead of 'my.index' -# This limitation will likely removed with Search Guard 6 -# -# Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free; -# see https://github.com/floragunncom/search-guard. The functionality enabled in this configuration -# file only include those that are licensed under Apache-2.0. Please use care and review SearchGuard's -# license details before enabling any additional features here. - -# Allows everything, but no changes to searchguard configuration index -sg_all_access: - readonly: true - cluster: - - UNLIMITED - indices: - '*': - '*': - - UNLIMITED - tenants: - admin_tenant: RW - -# Read all, but no write permissions -sg_readall: - readonly: true - cluster: - - CLUSTER_COMPOSITE_OPS_RO - indices: - '*': - '*': - - READ - -# Read all and monitor, but no write permissions -sg_readall_and_monitor: - cluster: - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS_RO - indices: - '*': - '*': - - READ - -# For users which use kibana, access to indices must be granted separately -sg_kibana_user: - readonly: true - cluster: - - INDICES_MONITOR - - CLUSTER_COMPOSITE_OPS - indices: - '?kibana': - '*': - - MANAGE - - INDEX - - READ - - DELETE - '?kibana-6': - '*': - - MANAGE - - INDEX - - READ - - DELETE - '?kibana_*': - '*': - - MANAGE - - INDEX - - READ - - DELETE - '?tasks': - '*': - - INDICES_ALL - '?management-beats': - '*': - - INDICES_ALL - '*': - '*': - - indices:data/read/field_caps* - - indices:data/read/xpack/rollup* - - indices:admin/mappings/get* - - indices:admin/get - -# For the kibana server -sg_kibana_server: - readonly: true - cluster: - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS - - cluster:admin/xpack/monitoring* - - indices:admin/template* - - indices:data/read/scroll* - indices: - '?kibana': - '*': - - INDICES_ALL - '?kibana-6': - '*': - - INDICES_ALL - '?kibana_*': - '*': - - INDICES_ALL - '?reporting*': - '*': - - INDICES_ALL - '?monitoring*': - '*': - - INDICES_ALL - '?tasks': - '*': - - INDICES_ALL - '?management-beats*': - '*': - - INDICES_ALL - '*': - '*': - - "indices:admin/aliases*" - -# For logstash and beats -sg_logstash: - cluster: - - ES_INPUT - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS - - indices:admin/template/get - - indices:admin/template/put - indices: - 'logstash-*': - '*': - - INDEX_OWNER - '*beat*': - '*': - - INDEX_OWNER - 'dmaap*': - '*': - - INDEX_OWNER - 'events*': - '*': - - INDEX_OWNER - 'errors*': - '*': - - INDEX_OWNER - -# Allows adding and modifying repositories and creating and restoring snapshots -sg_manage_snapshots: - cluster: - - MANAGE_SNAPSHOTS - indices: - '*': - '*': - - "indices:data/write/index" - - "indices:admin/create" - -# Allows each user to access own named index -sg_own_index: - cluster: - - CLUSTER_COMPOSITE_OPS - indices: - '${user_name}': - '*': - - INDICES_ALL - -### X-Pack COMPATIBILITY -sg_xp_monitoring: - readonly: true - cluster: - - cluster:monitor/xpack/info - - cluster:monitor/main - - cluster:admin/xpack/monitoring/bulk - indices: - '?monitor*': - '*': - - INDICES_ALL - -sg_xp_alerting: - readonly: true - cluster: - - indices:data/read/scroll - - cluster:admin/xpack/watcher* - - cluster:monitor/xpack/watcher* - indices: - '?watches*': - '*': - - INDICES_ALL - '?watcher-history-*': - '*': - - INDICES_ALL - '?triggered_watches': - '*': - - INDICES_ALL - '*': - '*': - - READ - - indices:admin/aliases/get - -sg_xp_machine_learning: - readonly: true - cluster: - - cluster:admin/persistent* - - cluster:internal/xpack/ml* - - indices:data/read/scroll* - - cluster:admin/xpack/ml* - - cluster:monitor/xpack/ml* - indices: - '*': - '*': - - READ - - indices:admin/get* - '?ml-*': - '*': - - "*" - - -### LEGACY ROLES, FOR COMPATIBILITY ONLY -### WILL BE REMOVED IN SG7, DO NOT USE ANYMORE - -sg_readonly_and_monitor: - cluster: - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS_RO - indices: - '*': - '*': - - READ - -# Make xpack monitoring work -sg_monitor: - cluster: - - cluster:admin/xpack/monitoring/* - - cluster:admin/ingest/pipeline/put - - cluster:admin/ingest/pipeline/get - - indices:admin/template/get - - indices:admin/template/put - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS - indices: - '?monitor*': - '*': - - INDICES_ALL - '?marvel*': - '*': - - INDICES_ALL - '?kibana*': - '*': - - READ - '*': - '*': - - indices:data/read/field_caps - -# Make xpack alerting work -sg_alerting: - cluster: - - indices:data/read/scroll - - cluster:admin/xpack/watcher/watch/put - - cluster:admin/xpack/watcher* - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS - indices: - '?kibana*': - '*': - - READ - '?watches*': - '*': - - INDICES_ALL - '?watcher-history-*': - '*': - - INDICES_ALL - '?triggered_watches': - '*': - - INDICES_ALL - '*': - '*': - - READ diff --git a/src/main/docker/elasticsearch/config/sg/sg_roles_mapping.yml b/src/main/docker/elasticsearch/config/sg/sg_roles_mapping.yml deleted file mode 100644 index 45bb77556..000000000 --- a/src/main/docker/elasticsearch/config/sg/sg_roles_mapping.yml +++ /dev/null @@ -1,34 +0,0 @@ -# In this file users, backendroles and hosts can be mapped to Search Guard roles. -# Permissions for Search Guard roles are configured in sg_roles.yml - -sg_all_access: - readonly: true - backendroles: - - admin - -sg_logstash: - backendroles: - - logstash - -sg_kibana_server: - readonly: true - users: - - kibanaserver - -sg_kibana_user: - backendroles: - - kibanauser - -sg_readall: - readonly: true - backendroles: - - readall - -sg_manage_snapshots: - readonly: true - backendroles: - - snapshotrestore - -sg_own_index: - users: - - '*'
\ No newline at end of file diff --git a/src/main/docker/elasticsearch/config/sg/truststore.jks b/src/main/docker/elasticsearch/config/sg/truststore.jks Binary files differdeleted file mode 100644 index 7a1b59a8d..000000000 --- a/src/main/docker/elasticsearch/config/sg/truststore.jks +++ /dev/null |