Execute qualquer Skill no Manus
com um clique

Execute qualquer Skill no Manus com um clique

$pwd:

elasticsearch-authn

Name: Elasticsearch Authn
Author: aspectrr

// Authenticate to Elasticsearch using native, file-based, LDAP/AD, SAML, OIDC, Kerberos, JWT, or certificate realms. Use when connecting with credentials, choosing a realm, or managing API keys.

Executar no Manus

$ git log --oneline --stat

stars:405

forks:11

updated:19 de abril de 2026 às 16:18

SKILL.md

readonly

name	elasticsearch-authn
description	Authenticate to Elasticsearch using native, file-based, LDAP/AD, SAML, OIDC, Kerberos, JWT, or certificate realms. Use when connecting with credentials, choosing a realm, or managing API keys.
metadata	{"author":"elastic","version":"0.1.0","source":"elastic/agent-skills//skills/elasticsearch/elasticsearch-authn"}

Elasticsearch Authentication

Authenticate to an Elasticsearch cluster using any supported authentication realm that is already configured. Covers all built-in realms, credential verification, and the full API key lifecycle.

For roles, users, role assignment, and role mappings, see the elasticsearch-authz skill.

Critical principles

Never ask for credentials in chat. Secrets must not appear in conversation history.
Always use environment variables. Instruct the user to set them in a .env file in the project root.

Authentication Realms

Elasticsearch evaluates realms in a configured order (the realm chain). The first realm that can authenticate the request wins.

Internal realms

Native (username and password)

curl -u "${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" "${ELASTICSEARCH_URL}/_security/_authenticate"

File

Users defined in flat files on each cluster node. Always active regardless of license state. Self-managed only.

curl -u "${FILE_USER}:${FILE_PASSWORD}" "${ELASTICSEARCH_URL}/_security/_authenticate"

External realms

LDAP / Active Directory

Self-managed only. Combined with role mappings to translate LDAP/AD groups to Elasticsearch roles.

curl -u "${LDAP_USER}:${LDAP_PASSWORD}" "${ELASTICSEARCH_URL}/_security/_authenticate"

PKI (TLS client certificates)

Requires PKI realm and TLS on HTTP layer.

curl --cert "${CLIENT_CERT}" --key "${CLIENT_KEY}" --cacert "${CA_CERT}" \
  "${ELASTICSEARCH_URL}/_security/_authenticate"

SAML / OIDC

Primarily for Kibana SSO. Browser-based redirect flow, not for REST clients. Configure another realm alongside for programmatic API access.

JWT

Accepts JWTs as bearer tokens.

curl -H "Authorization: Bearer ${JWT_TOKEN}" "${ELASTICSEARCH_URL}/_security/_authenticate"

Kerberos

Self-managed only. Requires KDC infrastructure, DNS, and time synchronization.

kinit "${KERBEROS_PRINCIPAL}"
curl --negotiate -u : "${ELASTICSEARCH_URL}/_security/_authenticate"

API keys

Preferred for programmatic and automated access.

curl -H "Authorization: ApiKey ${ELASTICSEARCH_API_KEY}" "${ELASTICSEARCH_URL}/_security/_authenticate"

Manage API Keys

Create an API key

curl -X POST "${ELASTICSEARCH_URL}/_security/api_key" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "name": "'"${KEY_NAME}"'",
    "expiration": "30d",
    "role_descriptors": {
      "'"${ROLE_NAME}"'": {
        "cluster": [],
        "indices": [
          {
            "names": ["'"${INDEX_PATTERN}"'"],
            "privileges": ["read"]
          }
        ]
      }
    }
  }'

The response contains id, api_key, and encoded. Store encoded securely — it cannot be retrieved again.

Limitation: An API key cannot create another API key with privileges. Use POST /_security/api_key/grant with user credentials instead.

Get and invalidate API keys

curl "${ELASTICSEARCH_URL}/_security/api_key?name=${KEY_NAME}" <auth_flags>
curl -X DELETE "${ELASTICSEARCH_URL}/_security/api_key" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{"name": "'"${KEY_NAME}"'"}'

Deployment Compatibility

Realm	Self-managed	ECH	Serverless
Native	Yes	Yes	Not available
File	Yes	Not available	Not available
LDAP / AD	Yes	Not available	Not available
PKI	Yes	Limited	Not available
SAML	Yes	Yes (deployment config)	Organization-level
OIDC	Yes	Yes (deployment config)	Not available
JWT	Yes	Yes (deployment config)	Not available
Kerberos	Yes	Not available	Not available
API keys	Yes	Yes	Yes

Guidelines

Prefer API keys for automated workflows — they support fine-grained scoping and independent expiration.
Never use the elastic superuser for day-to-day operations.
Always set expiration on API keys. Avoid indefinite keys in production.
Never receive, echo, or log passwords, API keys, or any credentials in chat.

related-skills.json

mesmo repositório

elasticsearch-audit.md

from "aspectrr/deer"

Enable, configure, and query Elasticsearch security audit logs. Use when the task involves audit logging setup, event filtering, or investigating security incidents like failed logins.

2026-04-19405

elasticsearch-authz.md

from "aspectrr/deer"

Manage Elasticsearch RBAC: native users, roles, role mappings, document- and field-level security. Use when creating users or roles, assigning privileges, or mapping external realms like LDAP/SAML.

2026-04-19405

elasticsearch-esql.md

from "aspectrr/deer"

Execute ES|QL (Elasticsearch Query Language) queries, use when the user wants to query Elasticsearch data, analyze logs, aggregate metrics, explore data, or create charts and dashboards from ES|QL results.

2026-04-19405

elasticsearch-file-ingest.md

from "aspectrr/deer"

Ingest and transform data files (CSV/JSON/Parquet/Arrow IPC) into Elasticsearch with stream processing and custom transforms. Use when loading files or batch importing data.

2026-04-19405

elasticsearch-security-troubleshooting.md

from "aspectrr/deer"

Diagnose and resolve Elasticsearch security errors: 401/403 failures, TLS problems, expired API keys, role mapping mismatches, and Kibana login issues. Use when the user reports a security error.

2026-04-19405

find-skills.md

from "aspectrr/deer"

Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", or express interest in extending capabilities.

2026-04-19405

package.json

"author": "aspectrr"

"repository": "aspectrr/deer"

Abrir repositório GitHub Ver repositórios do creator

$ install --global

$ download --local

Executar no Manus

$ useful --forSOC

Analistas de segurança da informaçãoInformática e Matemática15-1212L4

name	elasticsearch-authn
description	Authenticate to Elasticsearch using native, file-based, LDAP/AD, SAML, OIDC, Kerberos, JWT, or certificate realms. Use when connecting with credentials, choosing a realm, or managing API keys.
metadata	{"author":"elastic","version":"0.1.0","source":"elastic/agent-skills//skills/elasticsearch/elasticsearch-authn"}

Elasticsearch Authentication

Authenticate to an Elasticsearch cluster using any supported authentication realm that is already configured. Covers all built-in realms, credential verification, and the full API key lifecycle.

For roles, users, role assignment, and role mappings, see the elasticsearch-authz skill.

Critical principles

Never ask for credentials in chat. Secrets must not appear in conversation history.
Always use environment variables. Instruct the user to set them in a .env file in the project root.

Authentication Realms

Elasticsearch evaluates realms in a configured order (the realm chain). The first realm that can authenticate the request wins.

Internal realms

Native (username and password)

curl -u "${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" "${ELASTICSEARCH_URL}/_security/_authenticate"

File

Users defined in flat files on each cluster node. Always active regardless of license state. Self-managed only.

curl -u "${FILE_USER}:${FILE_PASSWORD}" "${ELASTICSEARCH_URL}/_security/_authenticate"

External realms

LDAP / Active Directory

Self-managed only. Combined with role mappings to translate LDAP/AD groups to Elasticsearch roles.

curl -u "${LDAP_USER}:${LDAP_PASSWORD}" "${ELASTICSEARCH_URL}/_security/_authenticate"

PKI (TLS client certificates)

Requires PKI realm and TLS on HTTP layer.

curl --cert "${CLIENT_CERT}" --key "${CLIENT_KEY}" --cacert "${CA_CERT}" \
  "${ELASTICSEARCH_URL}/_security/_authenticate"

SAML / OIDC

Primarily for Kibana SSO. Browser-based redirect flow, not for REST clients. Configure another realm alongside for programmatic API access.

JWT

Accepts JWTs as bearer tokens.

curl -H "Authorization: Bearer ${JWT_TOKEN}" "${ELASTICSEARCH_URL}/_security/_authenticate"

Kerberos

Self-managed only. Requires KDC infrastructure, DNS, and time synchronization.

kinit "${KERBEROS_PRINCIPAL}"
curl --negotiate -u : "${ELASTICSEARCH_URL}/_security/_authenticate"

API keys

Preferred for programmatic and automated access.

curl -H "Authorization: ApiKey ${ELASTICSEARCH_API_KEY}" "${ELASTICSEARCH_URL}/_security/_authenticate"

Manage API Keys

Create an API key

curl -X POST "${ELASTICSEARCH_URL}/_security/api_key" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "name": "'"${KEY_NAME}"'",
    "expiration": "30d",
    "role_descriptors": {
      "'"${ROLE_NAME}"'": {
        "cluster": [],
        "indices": [
          {
            "names": ["'"${INDEX_PATTERN}"'"],
            "privileges": ["read"]
          }
        ]
      }
    }
  }'

The response contains id, api_key, and encoded. Store encoded securely — it cannot be retrieved again.

Limitation: An API key cannot create another API key with privileges. Use POST /_security/api_key/grant with user credentials instead.

Get and invalidate API keys

curl "${ELASTICSEARCH_URL}/_security/api_key?name=${KEY_NAME}" <auth_flags>
curl -X DELETE "${ELASTICSEARCH_URL}/_security/api_key" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{"name": "'"${KEY_NAME}"'"}'

Deployment Compatibility

Realm	Self-managed	ECH	Serverless
Native	Yes	Yes	Not available
File	Yes	Not available	Not available
LDAP / AD	Yes	Not available	Not available
PKI	Yes	Limited	Not available
SAML	Yes	Yes (deployment config)	Organization-level
OIDC	Yes	Yes (deployment config)	Not available
JWT	Yes	Yes (deployment config)	Not available
Kerberos	Yes	Not available	Not available
API keys	Yes	Yes	Yes

Guidelines

Prefer API keys for automated workflows — they support fine-grained scoping and independent expiration.
Never use the elastic superuser for day-to-day operations.
Always set expiration on API keys. Avoid indefinite keys in production.
Never receive, echo, or log passwords, API keys, or any credentials in chat.

elasticsearch-authn

Elasticsearch Authentication

Critical principles

Authentication Realms

Internal realms

Native (username and password)

File

External realms

LDAP / Active Directory

PKI (TLS client certificates)

SAML / OIDC

JWT

Kerberos

API keys

Manage API Keys

Create an API key

Get and invalidate API keys

Deployment Compatibility

Guidelines

Mais deste repositório

Mais deste repositório

Elasticsearch Authentication

Critical principles

Authentication Realms

Internal realms

Native (username and password)

File

External realms

LDAP / Active Directory

PKI (TLS client certificates)

SAML / OIDC

JWT

Kerberos

API keys

Manage API Keys

Create an API key

Get and invalidate API keys

Deployment Compatibility

Guidelines