Wataru Takase, Tomoaki Nakamura, Yoshiyuki Watase, Takashi Sasaki

Slides:



Advertisements
Similar presentations
Implementing Tableau Server in an Enterprise Environment
Advertisements

Kentico CMS 5.5 R2 What’s New. Highlights Intranet Solution Document management package – WebDAV support – Project & task management – Document libraries.
Lesson 17: Configuring Security Policies
Passage Three Introduction to Microsoft SQL Server 2000.
SQL Server Management Studio Introduction
Capacity Planning in SharePoint Capacity Planning Process of evaluating a technology … Deciding … Hardware … Variety of Ways Different Services.
SAP on windows server 2012 hyper-v documentation
August 25, SSO with Microsoft Active Directory Presented by: Craig Larrabee.
© 2010 VMware Inc. All rights reserved Access Control Module 8.
Access Control Module 8. Module You Are Here VMware vSphere 4.1: Install, Configure, Manage – Revision A vSphere Environment Introduction to VMware.
OM. Brad Gall Senior Consultant
Module 12: Designing an AD LDS Implementation. AD LDS Usage AD LDS is most commonly used as a solution to the following requirements: Providing an LDAP-based.
Kuali Rice at Indiana University Rice Setup Options July 29-30, 2008 Eric Westfall.
Business Solutions Using Microsoft ® Office SharePoint ® Server ROADSHOW.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Pakiti.
Module 7: Fundamentals of Administering Windows Server 2008.
20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Presentation: 60 minutes Lab: 60 minutes After completing this module,
Module 10: Monitoring ISA Server Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.
Brent Mosher Senior Sales Consultant Applications Technology Oracle Corporation.
ArcGIS Server for Administrators
CensorNet Ltd An introduction to CensorNet Professional On-premise web filtering & management An introduction to CensorNet Professional On-premise web.
Module 4: Managing Recipients. Overview Introduction to Exchange Recipients Creating, Deleting, and Modifying Users and Contacts Managing Mailboxes Managing.
Copyright © 2006 Pilothouse Consulting Inc. All rights reserved. Search Overview Search Features: WSS and Office Search Architecture Content Sources and.
HP PPM Center release 8 Helping IT answer the tough questions
CERN IT Department CH-1211 Geneva 23 Switzerland t CF Computing Facilities Agile Infrastructure Monitoring CERN IT/CF.
Intro to Datazen.
Module 9 User Profiles and Social Networking. Module Overview Configuring User Profiles Implementing SharePoint 2010 Social Networking Features.
INFSO-RI Enabling Grids for E-sciencE ARDA Experiment Dashboard Ricardo Rocha (ARDA – CERN) on behalf of the Dashboard Team.
ESG-CET Meeting, Boulder, CO, April 2008 Gateway Implementation 4/30/2008.
11 Why tune relevance Because we want to find the one single best item, among a large group of possible candidates….
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Wataru Takase Computing Research Center, KEK 10th February, 2016
Software collaboration tools as a stack of services Borja Aparicio Cotarelo IT-PES-IS 2HEPiX Fall 2015 Workshop.
Unlocking the Secrets of Alfresco Authentication Mehdi BELMEKKI, Consultancy Team Alfresco.
Fermilab supports several authentication mechanisms for user and computer authentication. This talk will cover our authentication systems, design considerations,
Interstage BPM v11.2 1Copyright © 2010 FUJITSU LIMITED ADMINISTRATION.
GHRC Dashboard *** work in progress *** Ajinkya Kulkarni Rahul Ramachandran Helen Conover.
19 Copyright © 2008, Oracle. All rights reserved. Security.
October 2014 HYBRIS ARCHITECTURE & TECHNOLOGY 01 OVERVIEW.
A presentation on ElasticSearch
datalibweb – Stata module to access micro data
Nithyamoorthy S Core Mind Technologies
Backdooring enemies with a Proxy …..
Scalable Web Apps Target this solution to brand leaders responsible for customer engagement and roll-out of global marketing campaigns. Implement scenarios.
WinCC-OA Log Analysis SCADA Application Service - Reporting
Module Overview Installing and Configuring a Network Policy Server
Outline Benchmarking in ATLAS Performance scaling
Using a Gateway to Leverage On-Premises data in Power BI
New features and customization options
Open Source distributed document DB for an enterprise
StratusLab Final Periodic Review
StratusLab Final Periodic Review
BBMRI Competence Centre Status Report
Logo here Module 3 Microsoft Azure Web App. Logo here Module Overview Introduction to App Service Overview of Web Apps Hosting Web Applications in Azure.
Deploying and Configuring SSIS Packages
Scalable Web Apps Target this solution to brand leaders responsible for customer engagement and roll-out of global marketing campaigns. Implement scenarios.
SERVICENOW ADMIN & ADVANCED ONLINE TRAINING
IBM Certified WAS 8.5 Administrator
Oracle Architecture Overview
Elasticsearch and SQL Server Integration
Ashutosh Rana Rahul Nori 7/17/2018
Cloud Web Filtering Platform
Proactive Management of Federation using ELK
敦群數位科技有限公司(vanGene Digital Inc.) 游家德(Jade Yu.)
Combining ArcGIS for Server & ArcGIS Online
Designing IIS Security (IIS – Internet Information Service)
Features Overview.
Indexing with ElasticSearch
Building Windows Store Apps with Windows Azure Mobile Services
ZORAN BARAC DATA ARCHITECT at CIN7
Presentation transcript:

A solution for secure use of Kibana and ElasticSearch in multi-user environment Wataru Takase, Tomoaki Nakamura, Yoshiyuki Watase, Takashi Sasaki Computing Research Center, KEK, Japan ISGC 2017

Kibana and ElasticSearch Open-sourced monitoring tools developed by Elastic ElasticSearch is a lucene based scalable search engine. Kibana is a visualization tool for ElasticSearch and provides a web interface with variety ways of visualization. Users: KEK, CERN, Facebook, GitHub, Stack Exchange, … Search Engine Visualization tool Dashboard Logs Elastic Search Kibana Metrics dashboards

Motivation Kibana + ElasticSearch lack access control feature Multiple users/groups use single Kibana + ElasticSearch Any user can access to all ElasticSearch data Need access control Kibana ElasticSearch User01 User01 dashboard User02 dashboard ・・・ Problem User01 SECRET data ・・・ User02

Example: Solution of CERN Cloud team Provided cloud utilization dashboard to each cloud user Developed an ES plugin which provides user specific filter User only gets own cloud tenants utilization Appends tenant_id=“1234567890” condition dashboards query query CERN SSO Httpd Kibana ES plugin ES Cloud utilizations user01 username user-tenant mapping file #userid admin_flag tenant_id user01 0 1234567890 ...

We Provide Alternative Solution Based on the CERN’s solution Enables access restriction on ElasticSearch and Kibana dashboard separation. CERN’s solution Our solution SSO integration Shibboleth Kerberos ElasticSearch plugin Homemade SearchGuard ElasticSearch Access restriction User based; Document level User/group based; Index, type, operation, document level Kibana Dashboard separation Per user Per user/group (Created Kibana plugin)

What we did Kerberos 5 authentication integration. Development of a Kibana plugin which makes it possible to separate Kibana dashboards based on user/group. User/group based access control on ElasticSearch by SearchGuard. Measurement on performance deterioration from using SearchGuard.

1. Kerberos 5 Authentication Integration Apache mod_auth_kerb module + reverse proxy Only authenticated users can access to ES and Kibana

2. Development of a Kibana plugin: Motivation Problem 1 Kibana instance uses only 1 Kibana index (1 database) All user’s dashboards are stored in the same index Separate the index for access control User02 dashboard User04 User01 User03 .kibana User02 dashboard .kibana_user02 User01 dashboard .kibana_user01

Development of a Kibana plugin: Motivation Group based Kibana index separation is useful Users can share a Kibana index among a group share group dashboards group01 dashboard02 group01 dashboard01 .kibana_group01 group01

Development of a Kibana plugin User01 dashboard .kibana_user01 Adds multi-tenancy User can switch Kibana index for personal or group shared use. group01 dashboard02 dashboard01 .kibana_group01 Developed

Kibana plugin: Own Home https://github.com/wtakase/kibana-own-home

3. User/group based Access control on ElasticSearch Need ElasticSearch index level access control. The Kibana plugin separates Kibana index, but still all users can access other’s index. User01 data02 data01 User01_secret_index User02 dashboard .kibana_user02 user01 User01 dashboard .kibana_user01 user02

Investigation of SearchGuard ElasticSearch plugin Flexible REST/transport layer access control based on user/group Index, type, operation, document level restrictions Node-to-node encryption Supported by Floragunn http://floragunn.com/searchguard https://github.com/floragunncom/search-guard

SearchGuard + LDAP Authorization SearchGuard supports multiple auth back-ends YAML files based configuration We use proxy based authentication and LDAP authorization features for user/group based access control. Proxy based authentication LDAP authorization

Development related to SearchGuard: Motivation Each user has a own Kibana index and each index allows access only from the owner. Admin has to define permissions for every user. Whenever new user is registered, admin has to add permission. sg_roles.yml sg_roles_mapping.yml kibana_user01_index: indices: ‘.kibana_user01’: ‘*’: - ALL kibana_user02_index: ‘.kibana_user02’: . . . kibana_user01_index: users: user01 kibana_user02_index: user02 . . . Permission for user01 Permission for user02

Development of a SearchGuard Patch Enables to set username variable in configuration file and releases the admin from the troublesome task Has been merged to upstream sg_roles.yml sg_roles_mapping.yml kibana_own_index: indices: ‘.kibana_${user_name}’: ‘*’: - ALL kibana_own_index: users: ‘*’

Contributions to SearchGuard for more flexible configurations Support configurable OID https://github.com/floragunncom/search-guard/pull/168 Use username variable at indices sections in sg_roles.yml https://github.com/floragunncom/search-guard/pull/169 Support and_backendroles https://github.com/floragunncom/search-guard/pull/247 Add skip_users option https://github.com/floragunncom/search-guard-authbackend-ldap/pull/1

Overview of Our Solution patch patch patch patch patch Developed

4. Measurement of SearchGuard-ed ElasticSearch Performance by Rally What is Rally? Benchmarking tool for ElasticSearch https://www.elastic.co/blog/announcing-rally-benchmarking-for-elasticsearch https://github.com/elastic/rally Measures indexing throughput, query latencies Provides a few default scenarios and user can define customized one

Test Scenario vs Used Rally default scenario named “geonames” Uses geographical dataset Data source: http://www.geonames.org/ Indexes 8.6M documents (total 2.8GB) and 5000 docs per bulk request against ElasticSearch Compared performance between normal ElasticSearch and SearchGuard-ed ElasticSearch Rally vs Rally

SearchGuard-ed ElasticSearch Test Environment ElasticSearch Rally 0.3.1 Normal ElasticSearch SearchGuard-ed ElasticSearch server01 and server02 OS CentOS 7 CPU AMD Opteron 6212 2.6GHz 8 cores RAM 8 GB ElasticSearch 2.3.4 SearchGuard

Results Document indexing throughput Query latencies Term matching query Phrase matching query “Group by” query 13% degradation 82ms 87ms 116ms 99%tile: 99% queries completed in under a given latency Overhead of each query can be estimated as 80〜120ms by 90% and 99% of queries completion lines. Kerberos authentication, Reverse proxy, LDAP lookup, Search Guard access control

Summary In multi-user environment, user/group based access restriction and dashboard separation are necessary for secure use of Kibana and ElasticSearch. We provided alternative solution based on the CERN cloud team’s one. Kerberos 5 authentication integration Kibana plugin separates Kibana dashboards based on user/group SearchGuard enables access control on ElasticSearch and patches for SearchGuard enabling flexible access control have been merged to the upstream We measured performance of SearchGuard-ed ElasticSearch and compared to the normal one: Overhead of indexing throughput: 13% Estimated overhead of each query: 80〜120ms