Enabling elasticsearch-readonlyrest-plugin

1. Install the plugin

export ES_VERSION=2.3.0
bin/plugin install https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin/releases/download/v1.10.0_es-v$ES_VERSION/elasticsearch-readonlyrest-v1.10.0_es-v$ES_VERSION.zip

2. Configuration

Append either of these snippets to conf/elasticsearch.yml

# remember to set the right CORS origin (or disable it, if you're brave). See https://github.com/elastic/kibana/issues/6719
http.cors.enabled: true
http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/

readonlyrest:
    enable: true

    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

    access_control_rules:

    - name: "Logstash can write and create its own indices"
      # auth_key is good for testing, but replace it with `auth_key_sha1`!
      auth_key: logstash:logstash
      type: allow
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*", "<no-index>"]

    - name: Kibana Server (we trust this server side component, full access granted via HTTP authentication)
      # auth_key is good for testing, but replace it with `auth_key_sha1`!
      auth_key: admin:passwd3
      type: allow

    - name: Developer (reads only logstash indices, but can create new charts/dashboards)
      # auth_key is good for testing, but replace it with `auth_key_sha1`!
      auth_key: dev:dev
      type: allow
      kibana_access: ro+
      indices: ["<no-index>", ".kibana*", "logstash*", "default"]

Now activate authentication in Kibana server: let the Kibana daemon connect to ElasticSearch in privileged mode.

edit the kibana configuration file: kibana.yml and add the following:


elasticsearch.username: "admin"
elasticsearch.password: "passwd3"


This is secure because the users connecting from their browsers will be asked to login separately anyways

4. restart elastic search