searchguard_config_template.yml

#############################################################################################
#                                       SEARCH GUARD                                        #
#                                       Configuration                                       #
#############################################################################################
Note: All waffle related options are only valid if your ES node is running on windows OS


# Enable or disable the complete Searchguard plugin functionality
#searchguard.enabled: true

# Path where to write/read the searchguard master key file
#searchguard.key_path: .

# When using DLS or FLS and a get or mget is performed then rewrite it as search request
searchguard.rewrite_get_as_search: true

# The index name where Searchguard will store its configuration and various other informations related to Searchguard itself
# This index can only be access from localhost
#searchguard.config_index_name: searchguard

# Enable or disable HTTP session which caches the authentication and authorization informations in a cookie
#searchguard.http.enable_sessions: false

# Enable or disable audit logging
#searchguard.auditlog.enabled: true

# If this is true (default is false) then Searchguard will check if elasticsearch is running as root/windows admin and if so then abort.
#searchguard.check_for_root: false

# If this is true (default is false) then allow all HTTP REST requests from nodes loopback (e.g. localhost)
#searchguard.allow_all_from_loopback: false

# If this is true (default: false) then enable authenticated transports requests (e.g. TransportClient authentication)
# This can be done in that way (for example): 
# TransportClient.get(new GetRequest("marketing", "customer", "tp_3").putHeader("searchguard_transport_creds", "c2FseWg6c2VjcmV0"))
# Add a header "searchguard_transport_creds"
# base64(username":"password) is the credentials string
# base64(spock:secret) -> c3BvY2s6c2VjcmV0
#searchguard.transport_auth.enabled: false

#############################################################################################
# Transport layer SSL                                                                       #
#                                                                                           #
#############################################################################################
# Enable or disable node-to-node ssl encryption
#searchguard.ssl.transport.node.enabled: false
# JKS or PKCS12
#searchguard.ssl.transport.node.keystore_type: JKS
# Absolute path to the keystore file (this stores the server certificates)
#searchguard.ssl.transport.node.keystore_filepath: null
# Keystore password
#searchguard.ssl.transport.node.keystore_password: changeit
# Do other nodes have to authenticate themself to the cluster, default is true
#searchguard.ssl.transport.node.enforce_clientauth: true
# JKS or PKCS12
#searchguard.ssl.transport.node.truststore_type: JKS
# Absolute path to the truststore file (this stores the client certificates)
#searchguard.ssl.transport.node.truststore_filepath: null
# Truststore password
#searchguard.ssl.transport.node.truststore_password: changeit
# Enforce hostname verification
#searchguard.ssl.transport.node.encforce_hostname_verification: true
# If hostname verification specify if hostname should be resolved
#searchguard.ssl.transport.node.encforce_hostname_verification.resolve_host_name: true

#############################################################################################
# REST layer SSL                                                                            #
#                                                                                           #
#############################################################################################
# Enable or disable rest layer security (https)
#searchguard.ssl.transport.http.enabled: false
# JKS or PKCS12
#searchguard.ssl.transport.http.keystore_type: JKS
# Absolute path to the keystore file (this stores the server certificates)
#searchguard.ssl.transport.http.keystore_filepath: null
# Keystore password
#searchguard.ssl.transport.http.keystore_password: changeit
# Do the clients (typically the browser or the proxy) have to authenticate themself to the http server, default is false
#searchguard.ssl.transport.http.enforce_clientauth: false
# JKS or PKCS12
#searchguard.ssl.transport.http.truststore_type: JKS
# Absolute path to the truststore file (this stores the client certificates)
#searchguard.ssl.transport.http.truststore_filepath: null
# Truststore password
#searchguard.ssl.transport.http.truststore_password: changeit


#############################################################################################
# X-Forwarded-For (XFF) header                                                              #
#                                                                                           #
#############################################################################################
# X-Forwarded-For (XFF) header
# If you have a http proxy in front of elasticsearch you have to configure this options to handle XFF properly
#searchguard.http.xforwardedfor.header: X-Forwarded-For
#searchguard.http.xforwardedfor.trustedproxies: null
#searchguard.http.xforwardedfor.enforce: false

#############################################################################################
# Authentication backend                                                                    #
#                                                                                           #
#############################################################################################
# Validates the username and credentials
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
#searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.ldap.LDAPAuthenticationBackend
#searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend
#searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.waffle.WaffleAuthenticationBackend
# If caching is enabled then the authentication succeed for 24 h since the first successful login without hitting the backend again and again
#searchguard.authentication.authentication_backend.cache.enable: true

#############################################################################################
# Authorization backend (authorizer)                                                        #
#                                                                                           #
#############################################################################################
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
#searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.ldap.LDAPAuthorizator
#searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.waffle.WaffleAuthorizator
# If caching is enabled then the role informations will be cached for 24 h without hitting the backend again and again
#searchguard.authentication.authorizer.cache.enable: true

#############################################################################################
# HTTP authentication method                                                                #
#                                                                                           #
#############################################################################################
# Define HTTP authentication method. In future we will here have more like NTLM, SPNEGO/Kerberos and Digest.
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator
# HTTPProxyAuthenticator assume there is kind of proxy in front of elasticsearch which handles the authentication and stores the
# username of the authenticated user in a http header 
#searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.proxy.HTTPProxyAuthenticator
# SSL mutual authentication (works only if searchguard.ssl.transport.http.enabled is 'true' with client auth enabled)
#searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.clientcert.HTTPSClientCertAuthenticator
# SPNEGO
#searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator
# Absolute file path to jaas login config file
#searchguard.authentication.spnego.login_config_filepath: null
# Absolute file path to krb5 config file
#searchguard.authentication.spnego.krb5_config_filepath: null
# Name of the login entry in jaas login config file which represents the acceptor (server)
#searchguard.authentication.spnego.login_config_name: com.sun.security.jgss.krb5.accept
# Strip the realmname from username (hnelson@EXAMPLE.COM -> hnelson)
#searchguard.authentication.spnego.strip_realm: true
# Authenticates always a user with username 'searchguard_unauthenticated_user'
#searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.HTTPUnauthenticatedAuthenticator

# Waffle (Windows only, must be used with WaffleAuthorizator)
#searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.waffle.HTTPWaffleAuthenticator
# Strip domain name from user (COMPANY\spock -> spock)
#searchguard.authentication.waffle.strip_domain: true

#####################################################
# Settings based authentication (define users and password directly here in the settings. Note: this is per node)
#searchguard.authentication.settingsdb.user.<username>: password
searchguard.authentication.settingsdb.user.user1: password
searchguard.authentication.settingsdb.user.michaeljackson: neverland
# If plain text password should be hashed use this. Supported digests are: SHA1 SHA256 SHA384 SHA512 MD5
#searchguard.authentication.settingsdb.digest: SHA1
#searchguard.authentication.settingsdb.user.michaeljackson: 824d55e7a62b7ca8751dff346ffab845a8f26d08
#####################################################

#####################################################
# Settings based authorization (define users and their roles directly here in the settings. Note: this is per node)
#searchguard.authentication.authorization.settingsdb.roles.<username>: <array of roles>
searchguard.authentication.authorization.settingsdb.roles.user1: ["role1","role2","role3"]
searchguard.authentication.authorization.settingsdb.roles.michaeljackson: ["kingofpop","superstar"]
#####################################################

#####################################################
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
# The defaults are sufficient for Active Directory
#searchguard.authentication.ldap.host: ["localhost:389"]
#searchguard.authentication.ldap.ldaps.ssl.enabled: false
#searchguard.authentication.ldap.ldaps.starttls.enabled: false
# JKS or PKCS12
#searchguard.authentication.ldap.ldaps.truststore_type: JKS
#searchguard.authentication.ldap.ldaps.truststore_filepath: null
#searchguard.authentication.ldap.ldaps.truststore_password: null
#searchguard.authentication.ldap.bind_dn: null
#searchguard.authentication.ldap.password: null
# Default is root dse ("")
#searchguard.authentication.ldap.userbase: ""
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username 
#searchguard.authentication.ldap.usersearch: (sAMAccountName={0})
# Use this attribute from the user as username (if not set then DN is used)
#searchguard.authentication.ldap.username_attribute: null
#####################################################

#####################################################
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
# The defaults are sufficient for Active Directory
# Default is root dse ("")
#searchguard.authentication.authorization.ldap.rolebase: ""
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username 
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute 
#searchguard.authentication.authorization.ldap.rolesearch: (member={0})
# Specify the name of the attribute which value should be substituted with {2} above
#searchguard.authentication.authorization.ldap.userroleattribute: null
# Roles as an attribute of the user entry
#searchguard.authentication.authorization.ldap.userrolename: memberOf
# The attribute in a role entry containing the name of that role
#searchguard.authentication.authorization.ldap.rolename: name
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
#searchguard.authentication.authorization.ldap.resolve_nested_roles: false
#####################################################

#####################################################
# HTTP proxy authenticator configuration
# Header name which contains the username
#searchguard.authentication.proxy.header:X-Authenticated-User
# Array of trusted IP addresses (this are typically your proxy server(s))
#searchguard.authentication.proxy.trusted_ips: null
#####################################################

#####################################################
# HTTP SSL mutual authentication configuration
# Attribute of that attribute in the certificate dn which holds the username
#searchguard.authentication.https.clientcert.attributename: cn
#####################################################

##############################################################################################
# Below here you configure what authenticated and authorized users are allowed to do (or not)#
# This maps to the acl defined in the searchguard configuration index                        #
#############################################################################################

# Configure the restactionfilter to allow or forbid action 
#searchguard.restactionfilter.names: ["readonly"]
#searchguard.restactionfilter.readonly.allowed_actions: ["*SearchAction", "RestSearchScrollAction", "RestClearScrollAction", "RestGetAction", "RestGetSourceAction", "*MainAction", "RestValidateQueryAction", "RestMoreLikeThisAction", "RestPercolateAction"]
#searchguard.restactionfilter.readonly.forbidden_actions: [...]

# Configure the actionrequestfilter to allow or forbid action 
searchguard.actionrequestfilter.names: ["readonly"]
searchguard.actionrequestfilter.readonly.allowed_actions: ["indices:data/read/*", "*monitor*"]
searchguard.actionrequestfilter.readonly.forbidden_actions: ["cluster:admin*", "indices:admin*", "indices:data/write*"]

# Configure document level security (dls) filter
# Warning: All this (with the exception of "exists") only works with not_analyzed fields because a term filter is used internally
# http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl-term-filter.html
#searchguard.dlsfilter.names: ["a", "b", "c", "d", "e", "f", "g"]
#searchguard.dlsfilter.a: ["exists","field", "false"] # if field exists (or not) match -> false means field must exist
#searchguard.dlsfilter.b: ["term", "field","value", "false"] # if field==value (or not) match
#searchguard.dlsfilter.d: ["user_name","field", "false"] # if field==username (or not) match
#searchguard.dlsfilter.e: ["user_roles","field", "false"] # if field contaions a user role (or not) match
#searchguard.dlsfilter.f: ["ldap_user_attribute","field", "attribute", "false"] # if field==userldapattribute(attribute) (or not) match
#searchguard.dlsfilter.g: ["ldap_user_roles","field", "attribute", "false"] # if field contains ldaprole(attribute) (or not) match

# Configure the field level security (fls) filter to filter _source 
#searchguard.flsfilter.names: ["stripsensitive"]
#searchguard.flsfilter.stripsensitive.source_includes: []
#searchguard.flsfilter.stripsensitive.source_excludes: ["sensitive*", "public.sensitive*.sub"]

###### NO CHANGES BELOW THIS LINE ! ######

#############################################################################################
# Below there is list of all actionsrequests in elasticsearch 1.4 (for reference) .         #
# Do not uncomment them here, they are configured above: searchguard.actionrequestfilter    #
#############################################################################################
#cluster:monitor/health
#cluster:admin/nodes/restart
#cluster:admin/nodes/shutdown
#cluster:admin/repository/delete
#cluster:admin/repository/get
#cluster:admin/repository/put
#cluster:admin/repository/verify
#cluster:admin/reroute
#cluster:admin/settings/update
#cluster:admin/snapshot/create
#cluster:admin/snapshot/delete
#cluster:admin/snapshot/get
#cluster:admin/snapshot/restore
#cluster:admin/snapshot/status
#cluster:monitor/nodes/hot_threads
#cluster:monitor/nodes/info
#cluster:monitor/nodes/liveness
#cluster:monitor/nodes/stats
#cluster:monitor/state
#cluster:monitor/stats
#cluster:monitor/task
#indices:admin/aliases
#indices:admin/aliases/exists
#indices:admin/aliases/get
#indices:admin/analyze
#indices:admin/cache/clear
#indices:admin/close
#indices:admin/create
#indices:admin/delete
#indices:admin/exists
#indices:admin/flush
#indices:admin/get
#indices:admin/mapping/delete
#indices:admin/mapping/put
#indices:admin/mappings/fields/get
#indices:admin/mappings/get
#indices:admin/open
#indices:admin/optimize
#indices:admin/refresh
#indices:admin/settings/update
#indices:admin/shards/search_shards
#indices:admin/template/delete
#indices:admin/template/get
#indices:admin/template/put
#indices:admin/types/exists
#indices:admin/validate/query
#indices:admin/warmers/delete
#indices:admin/warmers/get
#indices:admin/warmers/put
#indices:data/benchmark/abort
#indices:data/benchmark/start
#indices:data/benchmark/status
#indices:data/read/count
#indices:data/read/exists
#indices:data/read/explain
#indices:data/read/get
#indices:data/read/mget
#indices:data/read/mlt
#indices:data/read/mpercolate
#indices:data/read/msearch
#indices:data/read/mtv
#indices:data/read/percolate
#indices:data/read/script/get
#indices:data/read/scroll
#indices:data/read/scroll/clear
#indices:data/read/search
#indices:data/read/suggest
#indices:data/read/tv
#indices:data/write/bulk
#indices:data/write/delete
#indices:data/write/delete/by_query
#indices:data/write/index
#indices:data/write/script/delete
#indices:data/write/script/put
#indices:data/write/update
#indices:monitor/recovery
#indices:monitor/segments
#indices:monitor/settings/get
#indices:monitor/stats

#############################################################################################
# Below there is list of all restactions in elasticsearch 1.4 (for reference) .             #
# Do not uncomment them here, they are configured above: searchguard.restactionfilter       #
#############################################################################################
#RestMainAction
#RestNodesInfoAction
#RestNodesStatsAction
#RestNodesHotThreadsAction
#RestNodesShutdownAction
#RestNodesRestartAction
#RestClusterStatsAction
#RestClusterStateAction
#RestClusterHealthAction
#RestClusterUpdateSettingsAction
#RestClusterGetSettingsAction
#RestClusterRerouteAction
#RestClusterSearchShardsAction
#RestPendingClusterTasksAction
#RestPutRepositoryAction
#RestGetRepositoriesAction
#RestDeleteRepositoryAction
#RestVerifyRepositoryAction
#RestGetSnapshotsAction
#RestCreateSnapshotAction
#RestRestoreSnapshotAction
#RestDeleteSnapshotAction
#RestSnapshotsStatusAction

#RestIndicesExistsAction
#RestTypesExistsAction
#RestGetIndicesAction
#RestIndicesStatsAction
#RestIndicesStatusAction
#RestIndicesSegmentsAction
#RestGetAliasesAction
#RestAliasesExistAction
#RestIndexDeleteAliasesAction
#RestIndexPutAliasAction
#RestIndicesAliasesAction
#RestGetIndicesAliasesAction
#RestCreateIndexAction
#RestDeleteIndexAction
#RestCloseIndexAction
#RestOpenIndexAction

#RestUpdateSettingsAction
#RestGetSettingsAction

#RestAnalyzeAction
#RestGetIndexTemplateAction
#RestPutIndexTemplateAction
#RestDeleteIndexTemplateAction
#RestHeadIndexTemplateAction

#RestPutWarmerAction
#RestDeleteWarmerAction
#RestGetWarmerAction

#RestPutMappingAction
#RestDeleteMappingAction
#RestGetMappingAction
#RestGetFieldMappingAction

#RestRefreshAction
#RestFlushAction
#RestOptimizeAction
#RestUpgradeAction
#RestClearIndicesCacheAction

#RestIndexAction
#RestGetAction
#RestGetSourceAction
#RestHeadAction
#RestMultiGetAction
#RestDeleteAction
#RestDeleteByQueryAction
#org.elasticsearch.rest.action.count.RestCountAction
#RestSuggestAction
#RestTermVectorAction
#RestMultiTermVectorsAction
#RestBulkAction
#RestUpdateAction
#RestPercolateAction
#RestMultiPercolateAction

#RestSearchAction
#RestSearchScrollAction
#RestClearScrollAction
#RestMultiSearchAction

#RestValidateQueryAction

#RestMoreLikeThisAction

#RestExplainAction

#RestRecoveryAction

### Templates API
#RestGetSearchTemplateAction
#RestPutSearchTemplateAction
#RestDeleteSearchTemplateAction

### Scripts API
#RestGetIndexedScriptAction
#RestPutIndexedScriptAction
#RestDeleteIndexedScriptAction


### Cat API
#RestAllocationAction
#RestShardsAction
#RestMasterAction
#RestNodesAction
#RestIndicesAction
#RestSegmentsAction
### Fully qualified to prevent interference with rest.action.count.RestCountAction
#org.elasticsearch.rest.action.cat.RestCountAction
### Fully qualified to prevent interference with rest.action.indices.RestRecoveryAction
#org.elasticsearch.rest.action.cat.RestRecoveryAction
#RestHealthAction
#org.elasticsearch.rest.action.cat.RestPendingClusterTasksAction
#RestAliasAction
#RestThreadPoolAction
#RestPluginsAction
#RestFielddataAction
#RestCatAction