What is Open Distro for Elasticsearch?
Open Distro for Elasticsearch is the community-driven, 100% open source distribution of Elasticsearch and Kibana. The distribution also provides several plugins to support different features. It does not include Logstash or any of the Beats components.
Open Distro for Elasticsearch combines the OSS distributions of Elasticsearch and Kibana with a large number of open-source plugins. You can use these plugins individually as well. Open Distro for Elasticsearch is supported by Amazon Web Services.
Why is it in the news?
Elastic has recently made significant changes to its licensing. From version 7.11 onwards, Elasticsearch and Kibana moved from open source licensing to a dual licensing model of the Elastic License and SSPL 1.0. Customers who were using the open source version of the ELK stack may therefore need to assess what they can and cannot use.
What is the Open Distro for Elasticsearch Security plugin?
Open Distro Security is an Elasticsearch plugin that offers encryption, authentication, and authorization. The plugin repository is licensed under Apache 2.0. The main features provided by this plugin are:
- Audit Logging
- Multi-tenancy in Kibana
This plugin stores its configuration in a dedicated Elasticsearch index. Changes to the configuration are pushed to this index via a command-line tool, which automatically triggers a reload of the configuration on all nodes.
What are we going to do in this post?
We will deploy a standard Elasticsearch OSS deployment and top it up with the Open Distro Security plugin. By default, the Elasticsearch OSS distribution does not come with any security features, so the plugin will help us achieve the required security setup.
Please note: when installing the Elastic Stack, you must use the same version across the entire stack. We are using 7.10.2 here. Refer to this post for quick details on setting up a cluster:
Deploying ELK Stack for Apache Logs Analysis
Let’s have a peek at the standard configuration file.
$ cat elasticsearch.yml
discovery.seed_hosts: ["127.0.0.1", "[::1]"]
Our Elasticsearch is ready to use now. Let’s move on to deploying the Open Distro Security plugin.
$ sudo bin/elasticsearch-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-security/opendistro-security-126.96.36.199.zip
You can list the deployed plugins as well.
$ ./elasticsearch-plugin list -v
Plugins directory: /home/arun/elasticsearch/elasticsearch-7.10.2/plugins
- Plugin information:
Description: Provide access control related features for Elasticsearch 7
Elasticsearch Version: 7.10.2
Java Version: 1.8
Native Controller: false
Extended Plugins: 
* Classname: com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin
After installing the security plugin, you can run sudo sh plugins/opendistro_security/tools/install_demo_configuration.sh to quickly get started with a demo configuration and certificates. Otherwise, you must configure it manually and run securityadmin.sh. In this post, we will use the demo configuration.
Move to the plugin's tools directory:
arun@controller:~/elasticsearch-oss/elasticsearch-7.10.2/plugins/opendistro_security/tools$ ls
audit_config_migrater.bat  hash.bat  install_demo_configuration.sh  securityadmin.sh
audit_config_migrater.sh   hash.sh   securityadmin.bat
arun@controller:~/elasticsearch-oss/elasticsearch-7.10.2/plugins/opendistro_security/tools$ sudo chmod 775 install_demo_configuration.sh
arun@controller:~/elasticsearch-oss/elasticsearch-7.10.2/plugins/opendistro_security/tools$ sudo ./install_demo_configuration.sh
When you run install_demo_configuration.sh, it deploys the demo configuration and certificates. The demo configuration includes certificates, configuration, users, roles, role mappings, etc. The utility loads this configuration from the plugins/opendistro_security/securityconfig folder, which contains a few YAML files with the demo configuration. You can update these files as per your requirements. Please note that it creates a few users as well, which can be used to connect to the cluster, e.g. the admin user with the password admin.
Once this utility has finished, you will find that a number of Open Distro settings have been added to your elasticsearch.yml:
######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
  - CN=kirk,OU=client,O=client,L=test, C=de
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
opendistro_security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]
node.max_local_storage_nodes: 3
######## End OpenDistro for Elasticsearch Security Demo Configuration ########
If you look closely, you will find two sets of SSL settings. Each Elasticsearch node has two different network interfaces: clients send requests to Elasticsearch’s REST API over the HTTP interface, while nodes communicate with each other over the transport interface. These settings provide the SSL configuration for the REST and transport interfaces respectively.
Please note that we have disabled SSL for this demo using the following setting:
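The demo block above is meant to be revised before production. As an added example (not code from the post or the Open Distro project), the script below scans an elasticsearch.yml for the demo leftovers discussed here: the demo marker block, the REST interface with SSL switched off, and the demo client certificate DN (CN=kirk) trusted as an admin. The keys opendistro_security.ssl.http.enabled and opendistro_security.authcz.admin_dn are not shown on this page and come from the plugin's documented settings; both YAML samples are constructed for the example.

```python
import re
from typing import List

# Constructed sample modelled on the block install_demo_configuration.sh appends
# to elasticsearch.yml; not copied from any real cluster.
DEMO_YML = """\
cluster.name: es-demo
######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
opendistro_security.ssl.http.enabled: false
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
node.max_local_storage_nodes: 3
######## End OpenDistro for Elasticsearch Security Demo Configuration ########
"""

# Constructed hardened counterpart: demo block removed, REST TLS on, own admin DN.
HARDENED_YML = """\
cluster.name: es-prod
opendistro_security.ssl.http.enabled: true
opendistro_security.authcz.admin_dn:
  - CN=security-admin,OU=ops,O=example,C=XX
opendistro_security.audit.type: internal_elasticsearch
"""

CHECKS = [
    # (finding, regex applied to each whitespace-stripped line)
    ("demo configuration block present; revise before production",
     r"^#+ Start OpenDistro for Elasticsearch Security Demo Configuration"),
    ("REST (HTTP) TLS disabled: credentials cross the wire in clear text",
     r"^opendistro_security\.ssl\.http\.enabled:\s*false\b"),
    ("demo client certificate DN (CN=kirk) trusted as admin_dn",
     r"^-\s*CN=kirk,"),
]


def audit_demo_settings(yml_text: str) -> List[str]:
    """Return one finding per demo leftover detected in the elasticsearch.yml text."""
    lines = [line.strip() for line in yml_text.splitlines()]
    findings = []
    for finding, pattern in CHECKS:
        if any(re.search(pattern, line) for line in lines):
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for name, text in (("demo", DEMO_YML), ("hardened", HARDENED_YML)):
        print(name, audit_demo_settings(text) or ["no demo leftovers found"])
```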
That’s all for the Elasticsearch part. Now we will deploy this plugin for Kibana. The mechanism is almost the same.
arun@controller:~/elasticsearch-oss/kibana-7.10.2-linux-x86_64$ bin/kibana-plugin list
In Kibana there is no demo configuration. You have to update the configuration in kibana.yml as mentioned below.
Update the config file as required:
$ cat kibana.yml
That’s it. Restart your Kibana service and access the cluster using the default URL on port 5601; you will see the login page provided by the plugin. The important point is that the same security is enforced at the Elasticsearch level too. This plugin provides most of the X-Pack features missing from the OSS distribution of Elasticsearch.
What if I don't want to use the default demo configuration?
Then you must go into the securityconfig folder of the plugin directory and update the files as per your requirement. After changing any of the configuration files in plugins/opendistro_security/securityconfig, however, you must run plugins/opendistro_security/tools/securityadmin.sh to load the new settings into the index. You must also run this script at least once to initialize the .opendistro_security index and configure your authentication and authorization methods.
How can I update the default admin password?
If you want to update the password of a default demo user, you first need to generate a hash of the new password and update this value in
chmod 775 hash.sh
./hash.sh -p NewPassword
Once done, run securityadmin.sh to update the configuration on the cluster, as explained above.
That’s it for this post. I will be publishing a few more posts on the Open Distro Security plugin in the coming weeks. Till then, stay safe and keep learning!