Elastic Security
- Mayank from YOUnite is working on Elastic + Security technology discovery.
- Kevin and Richard to team up with Mayank to create a Custom Realm to enable auto-login
- We want to limit the scope of what a zone user can see in Logstash to their zone and the zones they have permission to.
- Mayank has ELK running locally.
- He has Elastic Stack + X-Pack (latest versions) running locally and will update our docker containers accordingly
- He has added a Shield plugin (now X-Pack Security) for security – the pricing is unclear (Mark TODO).
- Configuration
- config/elasticsearch.yml
- He is able to add rules to Shield (now Security)
- Security - User/role mapping.
- Elastic user
- config/elasticsearch/shield/users
- Create a user for each zone
- config/elasticsearch/shield/roles.yaml
- Define a role for a zone
- config/elasticsearch/shield/users_roles
- Map users to roles
- config/elasticsearch/shield/role_mapping.yaml
- Create groups of users
- config/elasticsearch/shield/users
- Security user
- POST API call for creating users for Kibana and Logstash
- We can store the creds for the zone and any zone user with log zone settings == true can access the logs tied to the user/role
- Mayank: He can create a Shield user via the API so it is feasible to add that to our POST /zone
- Can we create an access token for the zone so the UI user can select a button?
- Logstash profile – will capture entries based on zone-uuid – zone-uuid is stored in configuration
- Elastic user
- Do we create one log or one log for each user?
- One log with zone-uuid
- HTTPS only
- logstash.conf – set filters here
- ELK security between services (Elasticsearch, Logstash, Kibana and Shield) is Basic Auth/SSL - Shield adds an encryption key
- BIG ISSUE: Can Shield user login to Kibana w/o knowing username/password (stored in zone table)
- Put creds in HTTP header
- BIG ISSUE: Enforce filters so shield user can only see log entries tied to their zone
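- Example of how the per-zone filter could be enforced in Shield's file-based roles.yml using document-level security (a role query on the zone-uuid field), so the filter is applied by Elasticsearch for every request rather than relying on a Logstash or Kibana filter. This is an added illustration, not Mayank's configuration; the index pattern, role name, user name and zone-uuid value are assumed placeholders.

```yaml
# config/elasticsearch/shield/roles.yml (added example, not from the meeting)
# One role per zone. The "query" clause is Shield document-level security:
# Elasticsearch appends it to every search this role runs, so a zone user
# can only ever see documents whose zone-uuid matches their zone, even if
# they query the raw index directly and bypass Kibana/Logstash filters.
zone_ZONE_UUID_PLACEHOLDER_reader:
  indices:
    - names: [ 'logstash-*' ]          # assumed index pattern for zone logs
      privileges: [ 'read' ]           # read-only: no write/delete on logs
      query:
        term:
          zone-uuid: 'ZONE_UUID_PLACEHOLDER'   # value stored in zone config
  # No "cluster" privileges: zone users must not manage the cluster.

# Kibana still needs its own index for saved objects; give the same role
# read/write on it or users cannot load dashboards.
kibana_zone_user:
  indices:
    - names: [ '.kibana' ]
      privileges: [ 'read', 'index' ]

# config/elasticsearch/shield/users_roles (added example) maps a zone's
# user to both roles, one line per role, "role:user1,user2":
#   zone_ZONE_UUID_PLACEHOLDER_reader:zone_ZONE_UUID_PLACEHOLDER
#   kibana_zone_user:zone_ZONE_UUID_PLACEHOLDER
```

A quick check after reload: authenticate as the zone user and run a match_all search against logstash-*; every hit should carry the expected zone-uuid, and a search for another zone's uuid should return zero hits.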