Credential management is imperative to tracking who and what has access to your cluster. At Bonsai, regardless of plan level, every request made to your cluster requires a username and password. Security is a default, not an upgrade.
With the Credential Management section of the cluster dashboard, you can add and remove access credentials. There are three types of credentials you can generate:
With custom auth controls you can specify things like:
- Which indices (or index patterns) are accessible.
- What Elasticsearch actions may be performed.
- Where requests are allowed to originate.
Read-only and custom credential management are in beta. If you have a Business or Enterprise cluster and would like to enable this feature, please reach out to support.
Read on to learn more about how to generate credentials, how to use those credentials to access your cluster, and auth management best practices.
How to Generate Credentials For Your Cluster
You can see your current credentials and generate new ones by logging into your cluster dashboard and navigating to the “Credentials” section. Every cluster has a Master credential that is created when the cluster is provisioned. The Master credential can never be revoked, only rotated.
Regenerating Your Master Credentials
You would want to regenerate your default credentials if your fully-qualified URL has been linked (say, if somehow was copy-pasted into an email, GitHub issue, or, perish the thought, StackOverflow). To do that, simply click the “Regenerate Credentials” button. This will instantly regenerate a new, randomized authentication pair.
The old credentials will remain active for two minutes or so. After that time the old keys are revoked. The purpose of the two minute warning is to give administrators the opportunity to update their application with the new credentials before the old ones expire.
Creating New Credentials
To create a new credential, click on the “Create Credential” button.
Choose one of the three types (full-access, read-only, or custom), give it a name, and then click “Generate"
We advise giving your credential a human-friendly name, like ACME_frontend, python_indexer, or docs_search_component. It’s an easy way to help you and your teammates remember how each credential is used. When you generate a new credential, Bonsai shows your credential details.
You can view who created your credential (in this example, Jane Li), the access key and secret (username and password), the allowed settings, and some quick links.
This displays what indices are accessible, which Elasticsearch actions are allowed, and if there are whitelisted IP’s or CIDR blocks. If your cluster is on the Business tier and above, these fields are customizable.
URL Quick Links
The Elasticsearch access url is excellent for pasting into a terminal and executing curl commands. Use Kibana access to launch your Bonsai-hosted instance Kibana, included with every Bonsai cluster. Read more about Bonsai hosted Kibana here.
Which Credential Type You Should Use
Full-access tokens are best used for back-end applications that handle indexing or act as a proxy for user’s input for querying.
When choosing this type, the form will pre-populate with the allowed action (or ‘privilege’) `indices:data/read/*`. This allowed read-only specific actions: count, explain, get, exists, mget, get indexed scripts, more like this, multi percolate/search/termvector), percolate, scroll, clear_scroll, search, suggest, tv.
If you have specific security needs, generate a custom credential. Increase your team’s security tolerance by using custom credentials for things like limiting index actions to only certain IP addresses, or making certain indices search-only. There are three fields for custom credentials: Indices, Actions, and IP/CIDRs.
This sections allowed you to list a set of indices that are permitted, or create a pattern such as `logs_2019-12-*`:
Leaving this blank will allow all indices present on the cluster accessible.
Specify access privileges from the searchable dropdown:
If you ever need help figuring out exactly which actions map to your needs, please email support and we’ll point you in the right direction. Leaving this blank will allow all access privileges.
IP Address or CIDR block
Use this section to control where you allow requests to be made from. Whitelist individual IP addresses for monitoring privileges, or write a CIDR block that only allows your company to access an internal-only index or cluster. Leaving this blank will allow any IP address by default.
What type of credential am I allowed to create?
If you receive a notice to upgrade for access to read-only or custom credential management, you’ll need to navigate to Manage tab and upgrade your cluster to Standard, Business, or Enterprise: