Authentication & Authorization #1379

Closed
karussell opened this issue Oct 7, 2011 · 9 comments

Comments

@karussell

There are several points regarding security:

  1. make sure that one can authenticate into ElasticSearch
  2. make sure that sensitive data is encrypted when sending over the network and also between nodes
  3. make sure that an authenticated user can see and change only his own 'things' (indices, data, node info)

Point 1 and 2 are already requested in issue #664. What I'm after is point 3. I wanted to ask you how you would implement point 1 and 3 (point 2 can be handled by someone else ;))

I've thought one could simply store user and password (as updateable settings) while creating an index. And when searching or indexing one needs to provide the user and pw. To keep it simple there is only one admin user which has access to the node and cluster health information etc. All other users are normal users and can only perform "CRUD" actions for indices and their data.

Now my problem is that when I intercept every request to authenticate & authorize I would have to touch over 10 Request classes implementing ActionRequest.validate() for the transport client. Also there are no settings stored for those Requests.

Or how would you implement this?

And then for the rest client it looks a bit simpler because the settings are already in the request and I could then change the BaseRestHandler only to implement a validation within handleRequest. Is this correct?

Or are there simpler or more powerful scenarios to implement my feature requests?
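Added example, not part of the original issue and not Elasticsearch code: a self-contained Java model of the scheme proposed above (credentials stored per index at creation, one admin for cluster information, every other user limited to their own index), enforced at a single choke point. All class and method names are hypothetical; hashing the password with PBKDF2 and restricting the admin to cluster-level actions are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical model of the per-index check; none of these names are Elasticsearch APIs.
public class IndexAccessGate {
    enum Action { INDEX_CRUD, CLUSTER_INFO }
    // Kept in place of the plaintext password (assumption: PBKDF2 with a 16-byte salt).
    record Owner(String user, byte[] salt, byte[] hash) {}
    private final Map<String, Owner> owners = new ConcurrentHashMap<>();
    private final Owner admin;

    IndexAccessGate(String adminUser, char[] adminPw) throws Exception { admin = newOwner(adminUser, adminPw); }

    // Called once at index creation: "store user and password while creating an index".
    void registerIndex(String index, String user, char[] pw) throws Exception {
        if (owners.putIfAbsent(index, newOwner(user, pw)) != null)
            throw new IllegalStateException("index already has an owner");
    }
    // Single choke point that both REST and transport requests would pass through.
    boolean authorize(String user, char[] pw, Action action, String index) throws Exception {
        Owner expected = action == Action.CLUSTER_INFO ? admin : (index == null ? null : owners.get(index));
        if (expected == null) return false; // unknown index: deny by default
        boolean userOk = MessageDigest.isEqual(expected.user().getBytes(StandardCharsets.UTF_8),
                user.getBytes(StandardCharsets.UTF_8));
        boolean pwOk = MessageDigest.isEqual(expected.hash(), pbkdf2(pw, expected.salt()));
        return userOk & pwOk; // non-short-circuit and constant-time comparisons
    }
    private static Owner newOwner(String user, char[] pw) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new Owner(user, salt, pbkdf2(pw, salt));
    }
    private static byte[] pbkdf2(char[] pw, byte[] salt) throws Exception {
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(pw, salt, 210_000, 256)).getEncoded();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample users and index, for illustration only.
        IndexAccessGate gate = new IndexAccessGate("admin", "admin-pw".toCharArray());
        gate.registerIndex("tweets", "alice", "alice-pw".toCharArray());
        System.out.println(gate.authorize("alice", "alice-pw".toCharArray(), Action.INDEX_CRUD, "tweets")); // owner
        System.out.println(gate.authorize("bob", "bob-pw".toCharArray(), Action.INDEX_CRUD, "tweets")); // other user
        System.out.println(gate.authorize("alice", "alice-pw".toCharArray(), Action.CLUSTER_INFO, null)); // non-admin
        System.out.println(gate.authorize("admin", "admin-pw".toCharArray(), Action.CLUSTER_INFO, null)); // admin
    }
}
```

Routing every request type through one such gate avoids repeating the check in each request class; the credentials themselves still cross the network in the clear unless point 2 (transport encryption) is also addressed.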

@starfishmod

+1 for this. Would be great to be able to configure the access to various APIs on a per index level

@bryangreen

+1

@asafdav2

+1

@tarunjangra

Absolutely +1. Really waiting for these features. Do we have any progress on any of the above?

@karussell
Author

@tarunjangra

@karussell: Cool feature. Thank you for that.

@pulkitsinghal

For those using the jetty plugin:
https://github.com/sonian/elasticsearch-jetty

You can also utilize the Chef cookbook to speed up your AWS deployments:
https://github.com/pulkitsinghal/cookbook-elasticsearch

@pannous

pannous commented Sep 25, 2012

+1

@thejohnfreeman

OP's needs may be addressed, but the general issue remains. The Java API communicates through the transport module which I'm guessing implements some custom protocol, unencrypted, over TCP.

Is there a setting to disallow Java API clients? That is, can a node disallow TCP connections from outside the cluster?

Is there a setting to encrypt network traffic among the cluster?
