Siren Platform User Guide

X-Pack security integration

Create an investigate_system role with the following definition and map it to a sirenserver user:

{
  "investigate_system": {
    "cluster": [
      "cluster:internal/federate/*",
      "cluster:admin/federate/*",
      "cluster:monitor/*"
    ],
    "indices": [
      {
        "names": [
          "/\\.siren.*/"
        ],
        "privileges": [
          "all"
        ]
      },
      {
        "names": [
          "*"
        ],
        "privileges": [
          "indices:data/read*",
          "indices:admin/aliases/get",
          "indices:admin/aliases/exists",
          "indices:admin/get",
          "indices:admin/exists",
          "indices:admin/mappings/fields/get*",
          "indices:admin/mappings/get*",
          "indices:admin/mappings/federate/connector/get*",
          "indices:admin/mappings/federate/connector/fields/get*",
          "indices:admin/types/exists",
          "indices:admin/validate/query",
          "indices:monitor/settings/get"
        ]
      }
    ]
  }
}

If using a custom configuration, replace the configuration index name (.siren by default) and access control index name (.sirenaccess by default) with the correct names.

Set elasticsearch.username and elasticsearch.password to the credentials of the sirenserver user, for example:

elasticsearch.username: sirenserver
elasticsearch.password: password

If HTTPS is enabled for the Elasticsearch REST API, ensure that the elasticsearch.url setting contains a URL starting with https, for example:

elasticsearch.url: 'https://localhost:9220'

If the certificate is not signed by a public authority, you will also need to set the elasticsearch.ssl.certificateAuthorities to the path of the CA chain bundle in PEM format, for example:

elasticsearch.ssl.certificateAuthorities: 'pki/searchguard/ca.pem'

To enable certificate verification, set elasticsearch.ssl.verificationMode to full, for example:

elasticsearch.ssl.verificationMode: full

Set the investigate_core.elasticsearch.auth_plugin option to xpack:

investigate_core:
  elasticsearch:
    auth_plugin: xpack

Then, set the backend parameter of the investigate_access_control section of the investigate.yml to xpack:

investigate_access_control:
  enabled: true
  backend: xpack
  acl:
    enabled: true
  cookie:
    secure: true
    password: '12345678123456781234567812345678'

For a complete description of the options, see .

All users with access to Siren Investigate should have the following role definition:

Example standard user role with access to all indices starting with data- and to all virtual indices starting with db-:

{
  "investigate_user": {
    "cluster": [
      "cluster:internal/federate/*"
    ],
    "indices": [
      {
        "names": [
          "data-*", "db-*"
        ],
        "privileges": [
          "indices:data/read*",
          "indices:admin/aliases/get",
          "indices:admin/aliases/exists",
          "indices:admin/get",
          "indices:admin/exists",
          "indices:admin/mappings/fields/get*",
          "indices:admin/mappings/get*",
          "indices:admin/mappings/federate/connector/get*",
          "indices:admin/mappings/federate/connector/fields/get*",
          "indices:admin/types/exists",
          "indices:admin/validate/query",
          "indices:monitor/settings/get",
          "indices:admin/template/get"
        ]
      }
    ]
  }
}

For administrative users, ensure that admin_role is configured in the investigate_access_control section of investigate.yml, for example:

investigate_access_control:
  admin_role: investigate_admin

Example administrative user role with access to all indices starting with data- and to all virtual indices starting with db-, plus license management and permission to manage external datasources and virtual indices starting with db-:

{
  "investigate_admin": {
    "cluster": [
      "cluster:internal/federate/*",
      "cluster:admin/federate/*",
      "cluster:monitor/*",
      "cluster:admin/xpack/security/*"
    ],
    "indices": [
      {
        "names": [
          "data-*", "db-*"
        ],
        "privileges": [
          "indices:monitor/*",
          "indices:admin/*",
          "indices:data/read*"
        ]
      }
    ]
  }
}
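The role definitions above grant raw Elasticsearch action names and index-name patterns, so it is worth checking what they actually cover before mapping users to them. The following is an added example (not part of the guide or of Siren's code) that audits abridged copies of the investigate_system and investigate_user roles with the same matching rules X-Pack applies to these patterns: a name wrapped in slashes is a regular expression, anything else is a glob, and "all" covers every action. It handles only the raw action names and the "all" privilege used on this page, not X-Pack's other named privileges such as read or manage; the audit expectations and index names are constructed for the example.

```python
import fnmatch
import re

# Abridged copies of the role definitions shown above (constructed for this example).
SYSTEM_ROLE = {
    "cluster": ["cluster:internal/federate/*", "cluster:admin/federate/*", "cluster:monitor/*"],
    "indices": [
        {"names": ["/\\.siren.*/"], "privileges": ["all"]},
        {"names": ["*"], "privileges": ["indices:data/read*", "indices:admin/get",
                                        "indices:admin/mappings/get*", "indices:admin/validate/query"]},
    ],
}
USER_ROLE = {
    "cluster": ["cluster:internal/federate/*"],
    "indices": [
        {"names": ["data-*", "db-*"], "privileges": ["indices:data/read*", "indices:admin/get",
                                                     "indices:admin/mappings/get*"]},
    ],
}


def name_matches(pattern: str, index: str) -> bool:
    """An index-name pattern wrapped in slashes ('/.../') is a regex; otherwise it is a glob."""
    if len(pattern) > 1 and pattern[0] == "/" and pattern[-1] == "/":
        return re.fullmatch(pattern[1:-1], index) is not None
    return fnmatch.fnmatchcase(index, pattern)


def grants(role: dict, index: str, action: str) -> bool:
    """True if an indices entry covers `index` and lists 'all' or a wildcard matching `action`."""
    for entry in role["indices"]:
        if not any(name_matches(p, index) for p in entry["names"]):
            continue
        if any(priv == "all" or fnmatch.fnmatchcase(action, priv) for priv in entry["privileges"]):
            return True
    return False


def cluster_grants(role: dict, action: str) -> bool:
    """True if any cluster privilege pattern of the role matches the cluster action."""
    return any(fnmatch.fnmatchcase(action, p) for p in role["cluster"])


def audit(role: dict, expectations: list) -> list:
    """Each expectation is (index, action, should_be_granted); returns the ones that fail."""
    return [(i, a, want) for i, a, want in expectations if grants(role, i, a) != want]


if __name__ == "__main__":
    # Constructed checks: users may search their data but not write it or read the
    # Siren system indices; the system role must manage .siren* but not delete user data.
    print(audit(USER_ROLE, [("data-logs", "indices:data/read/search", True),
                            ("data-logs", "indices:data/write/index", False),
                            (".sirenaccess", "indices:data/read/search", False)]))
    print(audit(SYSTEM_ROLE, [(".siren", "indices:admin/delete", True),
                              ("data-logs", "indices:admin/delete", False)]))
```

Both audit calls print an empty list for the roles as defined on this page; a non-empty list names the index/action pairs whose grant differs from what the deployment intends.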

For additional information on datasources configuration, check the section.
