
Security

As an API extension plugin for Elasticsearch, zentity inherits the security settings from the cluster on which it is installed.

X-Pack Security

X-Pack is a commercial plugin from Elastic, the creators of Elasticsearch and the Elastic Stack. X-Pack Security is a subset of the plugin that secures an Elasticsearch cluster by encrypting communications with TLS and enforcing authentication and role-based access control for clients communicating with the cluster. Likewise, communications between the cluster and the node client used by zentity will be encrypted and any interactions with zentity must be authenticated and authorized.

Here is an example of a response from the cluster when an unauthorized user requests GET _zentity/models/{entity_model} to retrieve an entity model:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [indices:data/read/get] is unauthorized for user [USERNAME]"
      }
    ],
    "type": "security_exception",
    "reason": "action [indices:data/read/get] is unauthorized for user [USERNAME]"
  },
  "status": 403
}

All unauthorized interactions with zentity will produce an error response similar to the one above.

X-Pack Security Role Configuration

Below are the permission settings that can be configured for a "zentity" role with X-Pack Security. Roles can be managed in Kibana at https://KIBANA_HOST:KIBANA_PORT/app/kibana#/management/security/roles or through the Role Management APIs.

Setup API Permissions

These permission settings apply to the Setup API.

Index Privileges

Actions Granted

Models API Permissions

These permission settings apply to the Models API. A single role can be granted any or all of these permissions.

Create and update entity models

Index Privileges

Actions Granted

Read entity models

Index Privileges

Actions Granted

Delete entity models

Index Privileges

Actions Granted

Notes

Without security enabled, any user that interacts with the Models API will create the .zentity-models index automatically if it does not already exist. With security enabled, the user must have the create_index permission for the .zentity-models index to be created automatically. Otherwise the user will receive the following error message:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [indices:admin/create] is unauthorized for user [USERNAME]"
      }
    ],
    "type": "security_exception",
    "reason": "action [indices:admin/create] is unauthorized for user [USERNAME]"
  },
  "status": 403
}

An administrative user should request POST _zentity/_setup to create the index.

Resolution API Permissions

There are no permissions to be configured directly for the Resolution API endpoints GET _zentity/resolution or GET _zentity/resolution/{entity_type}. These endpoints construct and submit search queries using the Elasticsearch Search APIs. Therefore, permissions must be configured for each index that the user searches with zentity. Users can only perform entity resolution if they have the read privilege for every index included in the scope of the request.
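The following pre-flight check is an added example, not part of zentity or its documentation: it reads a role body in the shape used by the Role Management APIs and lists the indices in a resolution request's scope that the role cannot read. The function names, the sample role and the sample scope are constructed for illustration, and the check assumes role index names use only the * and ? wildcards and that the privileges read and all are the ones that grant read access.

```python
import re

# Index privileges treated as granting read access (assumption stated above).
READ_GRANTING = {"read", "all"}


def _pattern_to_regex(pattern):
    """Translate a role index-name pattern (* and ? wildcards) to a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")


def unreadable_indices(role, scope_indices):
    """Return the indices in scope that the role cannot read, sorted."""
    readable = []
    for entry in role.get("indices", []):
        # Only entries that carry a read-granting privilege count.
        if READ_GRANTING & set(entry.get("privileges", [])):
            readable.extend(_pattern_to_regex(p) for p in entry.get("names", []))
    return sorted(
        name for name in set(scope_indices)
        if not any(rx.match(name) for rx in readable)
    )


# Constructed role body: read on one pattern, metadata-only on another index.
SAMPLE_ROLE = {
    "indices": [
        {"names": ["customers-*"], "privileges": ["read"]},
        {"names": ["orders"], "privileges": ["view_index_metadata"]},
    ]
}

# Constructed scope of a single resolution request.
SAMPLE_SCOPE = ["customers-2018", "orders", "vendors"]

if __name__ == "__main__":
    missing = unreadable_indices(SAMPLE_ROLE, SAMPLE_SCOPE)
    if missing:
        print("role lacks read on:", ", ".join(missing))
    else:
        print("role can read every index in scope")
```

An empty result means every index in the scope is covered by a read-granting entry; any name returned is an index on which the resolution request would be refused for that role.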

Open Source Elasticsearch

Open source Elasticsearch clusters without an X-Pack Security license do not have any security mechanisms. Communications are unencrypted and any user can perform any action on the cluster. Likewise, any user can perform any action with zentity in an open source cluster that has not been configured with X-Pack Security.

 


© 2018 Dave Moore.
Licensed under the Apache License, Version 2.0.
Elasticsearch is a trademark of Elasticsearch BV.