Security Access Control
For Legacy Support Purposes Only
Selecting the security plugin when creating an Elasticsearch cluster gives you richer access control as well as TLS on both the transport and REST ports. As a result, when you use a client such as cURL, Java, Python or C# to call the Elasticsearch REST API, you need to specify the CA files (cluster-ca-certificate.pem, truststore.jks). The following are a few example API calls.
Create User:
The following cURL command shows you how to create a user with username my_user and password ChangeMe. Replace cluster-ca-certificate.pem with the path to the CA file you downloaded from the connection info page.

```
curl -X PUT -u icelasticsearch:<Password> \
  --cacert cluster-ca-certificate.pem \
  https://3.221.251.98:9200/_opendistro/_security/api/internalusers/my_user \
  -H 'Content-Type: application/json' \
  -d '
{
  "password": "ChangeMe",
  "backend_roles": [],
  "attributes": {}
}'
```
Changing Password
The following cURL command shows you how to change a user's password. cluster-ca-certificate.pem is the same file as in the example above.

```
curl -X PUT -u icelasticsearch:<Password> \
  --cacert cluster-ca-certificate.pem \
  https://35.170.174.172:9200/_opendistro/_security/api/internalusers/my_user \
  -H 'Content-Type: application/json' \
  -d '
{
  "password": "my_new_password"
}'
```
Create Role
The following cURL command shows you how to add a new role named my_role. You specify which indices the role can access with index_permissions.index_patterns and which actions are allowed with index_permissions.allowed_actions.

```
curl -X PUT -u icelasticsearch:<Password> \
  --cacert cluster-ca-certificate.pem \
  https://35.170.174.172:9200/_opendistro/_security/api/roles/my_role \
  -H 'Content-Type: application/json' \
  -d '
{
  "cluster_permissions": [
    "cluster_composite_ops",
    "indices_monitor"
  ],
  "index_permissions": [{
    "index_patterns": [
      "*"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "read"
    ]
  }]
}'
```
Create role mapping
The following cURL command shows you how to map the role my_role we created above to the user we created in the previous example.
```
curl -X PUT -u icelasticsearch:<Password> \
  --cacert cluster-ca-certificate.pem \
  https://35.170.174.172:9200/_opendistro/_security/api/rolesmapping/my_role \
  -H 'Content-Type: application/json' \
  -d '
{
  "users" : [ "my_user" ]
}'
```
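The user, role and role-mapping calls above can also be issued from Python, one of the clients mentioned at the top of the page. The following is an added example, not code from the original page: the helper names and the `cluster.example` endpoint are assumptions, and `ssl.create_default_context(cafile=...)` takes the place of cURL's `--cacert`.

```python
import base64
import json
import ssl
import urllib.request

API = "/_opendistro/_security/api"  # path prefix used by the cURL calls on this page

def security_put(base_url, path, body, user, password):
    """Build (not send) an authenticated PUT request for the security REST API."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        url=f"{base_url}{API}/{path}",
        data=json.dumps(body).encode(),  # serialising a dict always yields valid JSON
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )

def provisioning_requests(base_url, admin_user, admin_password, new_user, new_password, role):
    """User, role and role mapping, in the order the page creates them."""
    role_body = {
        "cluster_permissions": ["cluster_composite_ops", "indices_monitor"],
        "index_permissions": [{
            "index_patterns": ["*"], "dls": "", "fls": [],
            "masked_fields": [], "allowed_actions": ["read"],
        }],
    }
    steps = [
        (f"internalusers/{new_user}",
         {"password": new_password, "backend_roles": [], "attributes": {}}),
        (f"roles/{role}", role_body),
        (f"rolesmapping/{role}", {"users": [new_user]}),
    ]
    return [security_put(base_url, p, b, admin_user, admin_password) for p, b in steps]

def send(request, cafile):
    """Send one request, trusting only the cluster CA (like curl --cacert)."""
    ctx = ssl.create_default_context(cafile=cafile)  # certificate and hostname checks stay on
    with urllib.request.urlopen(request, context=ctx) as resp:
        return resp.status, json.loads(resp.read())

if __name__ == "__main__":
    # Constructed placeholders: substitute your own endpoint, password and CA path.
    for req in provisioning_requests("https://cluster.example:9200", "icelasticsearch",
                                     "<Password>", "my_user", "ChangeMe", "my_role"):
        print(send(req, "cluster-ca-certificate.pem"))
```

Because the context is built from the downloaded CA file alone, a certificate issued by any other authority is rejected, and verification is never switched off to make the call succeed.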