Enterprise-Ready Observability Data Management

Era Software elevates security with SOC 2 Type 1 certification and RBAC.


At Era Software, we serve enterprise customers from a wide range of industries. As an observability data management company, it’s crucial that our customers trust us with their data. We take that responsibility seriously and address security in many ways. 

SOC 2 Type 1 Certified

We’re thrilled to announce that Era Software is now SOC 2 Type 1 certified. We can assure our customers that our software is designed and built to keep their data secure, confidential, and available.

A SOC 2 assessment report provides detailed information and assurance about a service organization’s security, confidentiality, availability, processing integrity, and/or privacy controls, based on their assurance of compliance with the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria. This report will often be the primary document that security departments rely on to assess Era Software’s ability to maintain adequate security.

Achieving SOC 2 certification is part of our journey to improve information security practices. 

Role-based Access Control

Today, we’re also excited to release role-based access control (RBAC) to ensure that every user in your organization and every tool you use has the correct level of permissions for accessing EraSearch resources and for performing actions within those resources.

RBAC is a new security feature that provides granular access controls for our customers. RBAC maximizes productivity by letting IT teams:

  • Centrally manage authentication and authorization across EraSearch resources.

  • Manage authorization at scale. EraSearch administrators can centrally manage access and permissions, and can delegate that responsibility to different departments.

  • Consistently verify the identity of every user and what they are allowed to do.

How RBAC works

EraSearch’s RBAC feature supports authentication and authorization for both users and agents at the database and/or index level. An RBAC user is someone whose identity has been authenticated by a third-party OAuth identity provider, making it quicker and easier to configure authentication and authorization for EraSearch resources.

For tools and agents such as Fluentd and Logstash, we also support API key-based authentication.

Creating a role

Here’s how you can create an admin role in EraSearch. First, write the following content to era_admin_role.json:

{
  "name": "admin",
  "database": [
      "manage_security", "monitor"
  ],
  "indexes": [
    {
      "names": [
        "*"
      ],
      "permissions": [
        "read",
        "write",
        "delete"
      ]
    }
  ]
}

After this file is created, create the admin role definition in EraSearch with the following command:

curl -H "Content-Type: application/json" -H "Authorization: Bearer ${ADMIN_API_KEY}" --data-binary @era_admin_role.json "${ERA_URL}/v1/roles"

The new admin role is now created with full permissions (read, write, delete) on all indexes, plus the ability to administer the database as a whole (create/remove indexes, etc.).

Creating an API key

With the admin role created, we can now create a key for that role by writing the following to era_admin_key.json, where:

  • name is a name to use for this key

  • role is the EraSearch role name that this key is applied to

{
  "name": "an example admin key",
  "role": "admin"
}

After the file is created, generate a new key with the following command:

curl -H "Content-Type: application/json" -H "Authorization: Bearer ${ADMIN_API_KEY}" --data-binary @era_admin_key.json "${ERA_URL}/v1/api_keys" > key.json

This command generates the API key value which will be needed to communicate with the RBAC endpoints going forward.

Mapping the role to an identity provider

With the EraSearch admin role and key created, we can now map the EraSearch role to a role in an external identity provider, such as Azure Active Directory (Azure AD), using OAuth. To create a role mapping, first write the following to era_admin_role_map.json, where:

  • name is the name of the role mapping as it will be referenced by the external identity provider (Azure AD, in this case)

  • roles is a list of EraSearch role names to apply to this role mapping (created in the sample above)

{  
  "name": "erasearch_admin",
  "roles": [
    "admin"
  ]
}

After creating the file, create the role mapping with the following command:

curl -H "Content-Type: application/json" -H "Authorization: Bearer ${ADMIN_API_KEY}" --data-binary @era_admin_role_map.json "${ERA_URL}/v1/role_mappings"

With the role mapping created, any Azure AD user assigned the “erasearch_admin” application role in Azure is automatically granted the “admin” EraSearch role, giving them administrative access to the database.

Lastly, you can list the RBAC roles in EraSearch with the following command. It will return all the roles currently registered in the system. 

curl -H "Content-Type: application/json" -H "Authorization: Bearer ${ADMIN_API_KEY}" "${ERA_URL}/v1/roles" | jq .
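As an added example (not EraSearch code), the Python check below can be run over the role and role-mapping files from the steps above before they are posted, to flag grants that a reviewer should sign off on. The log_shipper role, the app_logs index name, and the choice of which permissions count as privileged are assumptions made for this example.

```python
import json

# Permission names are the ones used in the post's admin role; treating these
# particular ones as "privileged" is this example's policy, not EraSearch's.
PRIVILEGED_DB = {"manage_security"}
DESTRUCTIVE_INDEX = {"write", "delete"}

def audit_role(role):
    """Return findings for one role definition (era_admin_role.json shape)."""
    findings = []
    for perm in sorted(PRIVILEGED_DB & set(role.get("database", []))):
        findings.append(f"{role['name']}: database permission '{perm}'")
    for grant in role.get("indexes", []):
        risky = sorted(DESTRUCTIVE_INDEX & set(grant.get("permissions", [])))
        if "*" in grant.get("names", []) and risky:
            findings.append(f"{role['name']}: {'/'.join(risky)} on all indexes ('*')")
    return findings

def audit_mapping(mapping, roles_by_name):
    """Flag identity-provider mappings that grant undefined or flagged roles."""
    findings = []
    for name in mapping.get("roles", []):
        role = roles_by_name.get(name)
        if role is None:
            findings.append(f"{mapping['name']}: maps to undefined role '{name}'")
        elif audit_role(role):
            findings.append(f"{mapping['name']}: IdP role grants privileged role '{name}'")
    return findings

# The admin role and role mapping from the post.
ADMIN_ROLE = json.loads("""{"name": "admin", "database": ["manage_security", "monitor"],
  "indexes": [{"names": ["*"], "permissions": ["read", "write", "delete"]}]}""")
ADMIN_MAP = {"name": "erasearch_admin", "roles": ["admin"]}
# Constructed narrow role for a log-shipping agent (hypothetical names).
AGENT_ROLE = json.loads("""{"name": "log_shipper", "database": [],
  "indexes": [{"names": ["app_logs"], "permissions": ["write"]}]}""")
ROLES = {r["name"]: r for r in (ADMIN_ROLE, AGENT_ROLE)}

if __name__ == "__main__":
    report = audit_role(ADMIN_ROLE) + audit_role(AGENT_ROLE)
    report += audit_mapping(ADMIN_MAP, ROLES)
    for line in report:
        print(line)
```

The mapping finding is the one to watch: membership of the “erasearch_admin” application role is managed in the identity provider, so that assignment decides who holds the admin role in EraSearch.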

What’s next

This release of RBAC is just the beginning. We are working on releasing the following improvements in the near future:

  • RBAC UI in EraCloud

  • Setting query limit ranges

  • Support for different authentication mechanisms

Get started with RBAC in your EraSearch deployment today. 
