Elasticsearch security
Nuix Workstation v8.x and above support X-Pack Security, an Elastic Stack extension that bundles security, alerting, monitoring, reporting, and graph capabilities into one install package.
Cluster security
Note: If you create a case on an unsecured cluster and enable X-Pack on the cluster, you can no longer access the case. The security credentials are part of the case metadata in the fbi2 file. Avoid this by creating a new case with the appropriate X-Pack credentials and by copying the elasticSearchSettings entry from the new case.fbi2 file to the old one in the case folder.
Security-related settings in Nuix Workstation
When creating an Elasticsearch case, the Advanced Settings window in Nuix Workstation displays settings for X-Pack by default. However, these are only a subset of the possible settings; you can add or remove settings as needed.
About configuring X-Pack settings
Enter the xpack.security.user and xpack.security.password in Nuix Workstation Advanced Settings as previously detailed in Create and configure an Elasticsearch case.
X-Pack has tools that generate all the required keys and certificates that are necessary for nodes.
The Nuix Workstation client requires a client certificate and key, generated using the same tool. These must be signed by the cluster's trusted key.
Nuix Workstation requires a Certificate Authority (CA) in PEM format. To learn more about X-Pack's certutil tool, refer to https://www.elastic.co/guide/en/elasticsearch/reference/6.8/certutil.html.
The SSL settings in the Advanced Settings window use PEM files for keys and certificates. Settings that use JKS files (which can optionally be password protected) are also available; add them to this window manually.
Configure REST settings
Configure settings for REST as follows in the Advanced Settings window.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate_authorities: pem>
X-Pack user configuration
The user account used to access Nuix Workstation needs to be able to monitor cluster health, and must be able to read and write to its indices at a minimum. Use the following requests to define typical minimum permissions for this user, or configure them through the Kibana UI. See Use Kibana with Elasticsearch for details.
POST /_xpack/security/role/nuix_all
{
  "run_as": [ ],
  "cluster": [ "monitor" ],
  "indices": [
    {
      "names": [ "nuix-*" ],
      "privileges": [ "all" ]
    }
  ]
}
POST /_xpack/security/user/nuix_all
{
  "password" : "changeme",
  "roles" : ["nuix_all"],
  "full_name" : "Nuix User - all permissions to nuix stuff",
  "email" : "dev@nuix.com",
  "enabled": true
}
Debug testing
To check if a user has the correct permissions, perform the following:
Update the user account to include the role kibana_user in addition to their existing roles.
Log into Kibana as the user, and run the following commands to verify if there are any errors:
GET _cluster/health
PUT nuix-my-new-case;item
GET nuix-my-new-case;item=
Index-level access control
Where a Nuix Workstation user only has access to certain case indices, it is important to understand Nuix case-to-index mapping. Nuix cases have four (4) indices, each named according to a convention. You must grant or restrict access to all four indices as a unit. A failure to do so will break Nuix Workstation.
Each index begins with nuix- and then has the GUID of the case (as found in the .fbi case file). Following that are four suffixes for the four indices:
;item;schema-version=2
;annotation;schema-version=2
;history;schema-version=2
;named-entity;schema-version=2
Some aliases omit ;schema-version=2.
Finally, there is an alias for each of these indices that replaces the case GUID in the last set of aliases with case-<safe case name>. The safe name is the case name but with certain characters replaced with URI-encoded versions. For example, the item index has three forms:
nuix-1cebb984f8ec414681be486a82ad44d0;item;schema-version=2 (actual index name)
nuix-1cebb984f8ec414681be486a82ad44d0;item (first alias)
nuix-case-Case%201;item (second alias for a case called Case 1)
Nuix Workstation uses the first alias to access the case.
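The naming scheme above, as an added example (not Nuix code): it builds every index and alias name for one case, puts them in a role body shaped like the nuix_all role, and checks whether a role covers all four indices as a unit. The function names and the use of plain percent-encoding for the safe case name are assumptions; the page does not list which characters are encoded.

```python
import fnmatch
import json
from urllib.parse import quote

SUFFIXES = ("item", "annotation", "history", "named-entity")  # the four indices per case
SCHEMA = "schema-version=2"


def case_index_names(guid, case_name):
    """Return the index name and both alias forms for each of a case's four indices."""
    safe = quote(case_name, safe="")  # assumption: standard URI percent-encoding
    names = []
    for suffix in SUFFIXES:
        names.append(f"nuix-{guid};{suffix};{SCHEMA}")  # actual index name
        names.append(f"nuix-{guid};{suffix}")           # first alias (used by Nuix Workstation)
        names.append(f"nuix-case-{safe};{suffix}")      # second alias
    return names


def case_role_body(guid, case_name):
    """Role body limited to one case, with the same privileges as the nuix_all role."""
    return {
        "run_as": [],
        "cluster": ["monitor"],
        "indices": [{"names": case_index_names(guid, case_name), "privileges": ["all"]}],
    }


def uncovered_suffixes(role_body, guid):
    """Return the case indices whose first alias matches no name pattern in the role."""
    patterns = [p for entry in role_body["indices"] for p in entry["names"]]
    return [
        suffix for suffix in SUFFIXES
        if not any(fnmatch.fnmatchcase(f"nuix-{guid};{suffix}", p) for p in patterns)
    ]


if __name__ == "__main__":
    guid = "1cebb984f8ec414681be486a82ad44d0"  # GUID from the example on this page
    print(json.dumps(case_role_body(guid, "Case 1"), indent=2))
    # Constructed partial role: grants only the item index, so three indices are missing.
    partial = {"indices": [{"names": [f"nuix-{guid};item*"], "privileges": ["all"]}]}
    print(uncovered_suffixes(partial, guid))
```

An empty list from uncovered_suffixes means the role reaches all four indices of the case through the first alias.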
Field and document-level access control
X-Pack supports field-level and document-level security. Nuix Workstation is neutral toward this feature, but not incompatible with it. However, you must ensure the role allows access to all the fields that Nuix Workstation requires to operate correctly.
Only index-level restrictions are applicable for Nuix cases. Adding restrictions to Nuix-defined fields or documents could cause Nuix Workstation to fail in unexpected ways.