fabric8io / Openshift Elasticsearch Plugin

Licence: apache-2.0

OpenShift ElasticSearch plugin

This is an OpenShift plugin to ElasticSearch to:

  • Dynamically update the SearchGuard ACL based on a user's name
  • Transform Kibana index requests to support multitenant deployments for non-operations users when so configured.

Note: Previous versions of this plugin created a Kibana profile for each user regardless of their role, which is still the default mode of operation. It is now possible to configure the Kibana index mode to allow operations users to share the Kibana index to store dashboards and visualizations. It is highly recommended that operations teams establish agreements and naming conventions so users do not overwrite each other's work.

Configuring the Authorization Backend

searchguard:
  dynamic:
  ...
    authc:
      openshift_domain:
        enabled: true
        order: 0
        http_authenticator:
          challenge: false
          type: io.fabric8.elasticsearch.plugin.auth.OpenShiftTokenAuthentication
        authentication_backend:
          type: io.fabric8.elasticsearch.plugin.auth.OpenShiftTokenAuthentication
          config:
            note: The following is optional and adds the group 'prometheus' to the user if SAR is satisfied
            subjectAccessReviews:
              prometheus:
                namespace: openshift-logging
                verb: view
                resource: prometheus
                resourceAPIGroup: metrics.openshift.io

Configuring your initial ACLs

The OpenShift-Elasticsearch-Plugin assumes the initial ACLs are seeded when the cluster is started.

Action Groups

This plugin will produce roles and role mappings that assume certain action groups are defined with the base SearchGuard ACL documents. Samples of the generated roles and role mappings are found in the unit tests. Additional sample ACL document configurations are here. The generated roles and role mappings are periodically expired to reduce the possibility of a mismatch between the allowed permissions and a user's OpenShift projects. See the 'Additional Configuration Parameters' to modify the period.

As with sgadmin, the plugin needs to use the certificate with a DN that matches the searchguard.authcz.admin_dn as defined in the ES config to be able to update the Searchguard index. You can specify the certificate and truststore information for the esClient with the following properties:

| Property | Description |
|---|---|
| openshift.searchguard.keystore.path | The certificate that contains the cert and key for the admin_dn. Default: /usr/share/elasticsearch/config/admin.jks |
| openshift.searchguard.truststore.path | The truststore that contains the certificate for Elasticsearch. Default: /usr/share/elasticsearch/config/logging-es.truststore.jks |
| openshift.searchguard.keystore.password | The password to open the keystore. Default: kspass |
| openshift.searchguard.truststore.password | The password to open the truststore. Default: tspass |
| openshift.searchguard.keystore.type | The file type for the keystore. JKS or PKCS12 are accepted. Default: JKS |
| openshift.searchguard.truststore.type | The file type for the truststore. JKS or PKCS12 are accepted. Default: JKS |

Configure the projects for '.operations'

You can configure which projects are deemed part of the .operations index for ACL configuration.

In your config file:

openshift.operations.project.names: ["default", "openshift", "openshift-infra"]

The defaults must all be in lower-case to be properly matched.

Additional Configuration Parameters

The following additional parameters can be set in elasticsearch.yml:

| Property | Description |
|---|---|
| io.fabric8.elasticsearch.acl.user_profile_prefix | The prefix to use to store Kibana user visualizations (default: .kibana.USERUUID) |
| io.fabric8.elasticsearch.kibana.mapping.app | Absolute file path to a JSON document that defines the index mapping for applications |
| io.fabric8.elasticsearch.kibana.mapping.ops | Absolute file path to a JSON document that defines the index mapping for operations |
| io.fabric8.elasticsearch.kibana.mapping.empty | Absolute file path to a JSON document that defines the index mapping for blank indexes |
| openshift.acl.expire_in_millis | The delay in milliseconds before generated ACLs are removed from |
| openshift.config.project_index_prefix | The string value that project/namespace indices use as their prefix (default: ``). For example, with the common data model, if the namespace is test, the index name will be `project.test.$uuid.YYYY.MM.DD`. In this case, use `"project"` as the prefix - do not include the trailing `.`. |
| openshift.kibana.index.mode | The setting that determines how the Kibana index is used by users. Valid values are one of the following: unique (Default) - Each user gets a unique index for Kibana visualizations (e.g. .kibana.USER_UUID); ops_shared - Users who are in an ops role will share an index (e.g. kibana) while non-ops users will have a unique index (e.g. .kibana.USER_UUID) |

Note: The io.fabric8.elasticsearch.kibana.mapping.* properties are required and must be defined for the plugin to function. A sample file may be found in the samples folder.

Removed Configuration Parameters

The following config parameters were removed:

| Property | Version |
|---|---|
| io.fabric8.elasticsearch.acl.user_profile_prefix | |
| openshift.acl.dynamic.enabled | 5.6.10.4 |
| openshift.kibana.rewrite.enabled | 5.6.10.4 |
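
A configuration check built from the tables above, added here as an example and not part of the plugin or its repository: it flags the documented default keystore and truststore passwords, missing or relative kibana.mapping.* paths, the two parameters with a stated removal version, an unknown Kibana index mode and operations project names that are not lower-case. It assumes the settings are written as flat key: value lines in elasticsearch.yml; parse_flat, audit, the sample values and the TRUSTSTORE_PASSWORD variable name are hypothetical.

```python
import json

# Property names, defaults and allowed values are the ones in the README tables.
DEFAULT_PASSWORDS = {
    "openshift.searchguard.keystore.password": "kspass",
    "openshift.searchguard.truststore.password": "tspass",
}
REQUIRED = ["io.fabric8.elasticsearch.kibana.mapping." + k for k in ("app", "ops", "empty")]
REMOVED = ["openshift.acl.dynamic.enabled", "openshift.kibana.rewrite.enabled"]

def parse_flat(text):
    """Parse flat 'dotted.key: value' lines (assumed layout, lists inline as JSON)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip().strip('"')
    return out

def audit(text):
    s, findings = parse_flat(text), []
    for key, default in DEFAULT_PASSWORDS.items():
        if s.get(key, default) == default:  # an unset key falls back to the default
            findings.append(key + ": documented default password in use")
    for key in REQUIRED:
        if not s.get(key, "").startswith("/"):
            findings.append(key + ": required, must be an absolute file path")
    for key in REMOVED:
        if key in s:
            findings.append(key + ": removed in 5.6.10.4")
    if s.get("openshift.kibana.index.mode", "unique") not in ("unique", "ops_shared"):
        findings.append("openshift.kibana.index.mode: not 'unique' or 'ops_shared'")
    for name in json.loads(s.get("openshift.operations.project.names", "[]")):
        if name != name.lower():
            findings.append("openshift.operations.project.names: %r is not lower-case" % name)
    return findings

SAMPLE = """\
# constructed sample, not a real deployment
openshift.searchguard.keystore.password: kspass
openshift.searchguard.truststore.password: ${TRUSTSTORE_PASSWORD}
io.fabric8.elasticsearch.kibana.mapping.app: /usr/share/elasticsearch/config/app.json
io.fabric8.elasticsearch.kibana.mapping.ops: mappings/ops.json
openshift.kibana.rewrite.enabled: true
openshift.kibana.index.mode: shared
openshift.operations.project.names: ["default", "OpenShift-Infra"]
"""
print("\n".join(audit(SAMPLE)))
```

An empty file still yields findings, because unset passwords fall back to the documented defaults and the three mapping properties are required.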

Development

Manually install custom version of SearchGuard

  • $ mvn install:install-file -Dfile=lib/search-guard-5-5.6.10-19.2-rh.jar -Dpackaging=jar

Following are the dependencies

Remote Debugging deployed to OpenShift

  • Edit the Elasticsearch deployment config:
$ oc edit dc/$ES_DCNAME

  • Add environment variable:
...
    spec:
      containers:
      - env:
        - name: ES_JAVA_OPTS
          value: -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=4021
...
  • Forward the debug port
$ oc port-forward $ES_PODNAME 4000:4021
  • Attach Eclipse debugger to forwarded port

Debugging and running from Eclipse

Note: Mileage may vary here as this has not been verified since the plugin was compatible with ES1.7x

  • Install ES

  • Create a run configuration

  • Main Class

  • VM args:

-Des.path.home=${env_var:ES_HOME} -Delasticsearch -Des.foreground=yes -Dfile.encoding=UTF-8 -Delasticsearch -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC

  • Environment Variables:
