OpenShift ElasticSearch plugin

This is an OpenShift plugin to ElasticSearch to:

Note: Previous versions of this plugin created a Kibana profile for each user regardless of their role, which is still the default mode of operation. It is now possible to configure the Kibana index mode to allow operations users to share the Kibana index to store dashboards and visualizations. It is highly recommended that operations teams establish agreements and naming conventions so users do not overwrite each others work.

Configuring the Authorization Backend

searchguard:
  dynamic:
  ...
    authc:
      openshift_domain:
        enabled: true
        order: 0
        http_authenticator:
          challenge: false
          type: io.fabric8.elasticsearch.plugin.auth.OpenShiftTokenAuthentication
        authentication_backend:
          type: io.fabric8.elasticsearch.plugin.auth.OpenShiftTokenAuthentication
          config:
            note: The following is optional and adds the group 'prometheus' to the user if SAR is satisfied
            subjectAccessReviews:
              prometheus:
                namespace: openshift-logging
                verb: view
                resource: prometheus
                resourceAPIGroup: metrics.openshift.io

Configuring your initial ACLs

The OpenShift-Elasticsearch-Plugin assumes the initial ACLs are seeded when the cluster is started.

Action Groups

This plugin will produce role and role mappings that assume certain action groups are defined with the base SearchGuard ACL documents. Samples of the generated roles and role mappings are found in the unit tests. Additional sample ACL document configurations are here. The generated roles and role mappings are periodically expired to reduce the possibility of a mismatch between the allowed permissions and a user's Openshift projects. See the 'Additional Configuration Parameters' to modify the period.

As with sgadmin, the plugin needs to use the certificate with a DN that matches the searchguard.authcz.admin_dn as defined in the ES config to be able to update the Searchguard index. You can specify the certificate and truststore information for the esClient with the following properties:

Property Description
openshift.searchguard.keystore.path The certificate that contains the cert and key for the admindn. Default: */usr/share/elasticsearch/config/admin.jks_*
openshift.searchguard.truststore.path The truststore that contains the certificate for Elasticsearch. Default: /usr/share/elasticsearch/config/logging-es.truststore.jks
openshift.searchguard.keystore.password The password to open the keystore. Default: kspass
openshift.searchguard.truststore.password The password to open the truststore. Default: tspass
openshift.searchguard.keystore.type The file type for the keystore. JKS or PKCS12 are accepted. Default: JKS
openshift.searchguard.truststore.type The file type for the truststore. JKS or PKCS12 are accepted. Default: JKS

Configure the projects for '.operations'

You can configure which projects are deemed part of the .operations index for ACL configuration.

In your config file:

openshift.operations.project.names: ["default", "openshift", "openshift-infra"]

The defaults must all be in lower-case to be properly matched.

Additional Configuration Parameters

The following additional parameters can be set in set in elasticsearch.yml:

Property Description
_io.fabric8.elasticsearch.acl.user_profileprefix The prefix to use to store Kibana user visualizations (default: .kibana.USERUUID)
io.fabric8.elasticsearch.kibana.mapping.app Absolute file path to a JSON document that defines the index mapping for applications
io.fabric8.elasticsearch.kibana.mapping.ops Absolute file path to a JSON document that defines the index mapping for operations
io.fabric8.elasticsearch.kibana.mapping.empty Absolute file path to a JSON document that defines the index mapping for blank indexes
_openshift.acl.expire_inmillis The delay in milliseconds before generated ACLs are removed from
_openshift.config.project_indexprefix The string value that project/namespace indices use as their prefix (default: `) for example, with the common data model, if the namespace istest, the index name will beproject.test.$uuid.YYYY.MM.DD. In this case, use"project"as the prefix - do not include the trailing.`.
openshift.kibana.index.mode The setting that determines the kibana index is used by users. Valid values are one of the following:
  • unique (Default) - Each user gets a unique index for kibana visualizations (e.g. .kibana.USER_UUID)
  • ops_shared - Users who are in an ops role will share an index (e.g. kibana) while non ops users will have a unique index (e.g. .kibana.USER_UUID)

Note: The io.fabric8.elasticsearch.kibana.mapping.* properties are required and must be defined for the plugin to function. A sample file may be found in the samples folder.

Removed Configuration Parameters

The following config parameters were removed:

Property Version
_io.fabric8.elasticsearch.acl.user_profileprefix
openshift.acl.dynamic.enabled 5.6.10.4
openshift.kibana.rewrite.enabled 5.6.10.4

Development

Manually install custom version of SearchGuard

Following are the dependencies

Remote Debugging deployed to Openshift

* Add environment variable:

... spec: containers:

Debugging and running from Eclipse

Note: Mileage may vary here as this has not been verified since the plugin was compatible with ES1.7x

VM Args

Environment Variables