A question on node configuration

I am thinking of putting Nginx in front of the Elasticsearch cluster to implement a basic authentication mechanism as well as load balancing. The core idea is to have a user who can create indices and put data in them (not read or delete). Then there will be an admin user who will have all the privileges.

While the idea is in its infancy, there is one immediate issue. Although I can deny certain requests sent to the cluster via the Nginx instance, there is no way I can prevent someone doing something wrong if he/she knows the names of the Elasticsearch nodes.

My understanding is that I can just send a curl request to the actual node, bypassing the proxy, and maybe clean the indices. Or is there a way to make cluster nodes reject requests made directly to them and serve only requests coming from the proxy (load balancer)?

Hi pk,

Looks like you want to implement security on your cluster. Have you looked at X-Pack?

Regards

@rulanitee Yeah but the quote we got from Elasticsearch on xpack has made it a hard sell to management. Maybe once we start getting benefits they will be willing. But till then Elasticsearch remains a hard sell.

The buck stops with me on this project. And I want to at least have user authentication and access rights on indices configured on this cluster.

Elasticsearch can maybe throw in at least user authentication in the free version. It is very difficult to introduce ELK into companies as things stand.

I'd just say that buying xpack is not just buying a security feature. It comes with other features and, more than that, it comes with a fantastic support team which will help you design your project correctly (well, like a remote member of your team) and help you keep it operational.

You have one month of trial.
You can ask your sales contact to extend it a bit I think.
You can also completely remove the whole data dir and restart from scratch.

Or you can try to secure it yourself using 3rd party software like Nginx.
If you do that, just be careful with operations like bulk and msearch, because headers can define whatever index they want to use.

Or leave it open and trust your team mates :)
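The bulk caveat from the reply above, as an added example that is not part of the original thread: in a `_bulk` request each action line can name its own `_index`, overriding the index in the URL, so a proxy rule that only matches the request path does not enforce per-index write rights. The function name `check_bulk`, the index names and the "index/create only" policy are assumptions made for illustration.

```python
import json

# Assumption: the write-only user may add documents but never update or delete.
ALLOWED_ACTIONS = {"index", "create"}
# Bulk actions that are followed by a document/source line.
HAS_SOURCE_LINE = {"index", "create", "update"}


def check_bulk(body, url_index, allowed_indices):
    """Return the policy violations found in a _bulk NDJSON body.

    url_index is the index from the path (/<index>/_bulk) or None.
    Line numbers count non-blank lines. Malformed input fails closed.
    """
    violations = []
    lines = [ln for ln in body.split("\n") if ln.strip()]
    i = 0
    while i < len(lines):
        try:
            entry = json.loads(lines[i])
        except ValueError:
            return [f"line {i + 1}: not valid JSON"]
        if not (isinstance(entry, dict) and len(entry) == 1):
            return [f"line {i + 1}: expected a single-key action object"]
        action, meta = next(iter(entry.items()))
        if not isinstance(meta, dict):
            return [f"line {i + 1}: action metadata must be an object"]
        # The per-action _index overrides the index named in the URL.
        index = meta.get("_index", url_index)
        if action not in ALLOWED_ACTIONS:
            violations.append(f"line {i + 1}: action '{action}' not permitted")
        if index not in allowed_indices:
            violations.append(f"line {i + 1}: index '{index}' not permitted")
        # Skip the document line that follows index/create/update.
        i += 2 if action in HAS_SOURCE_LINE else 1
    return violations


# Constructed sample: sent to /logs-app/_bulk, yet two of the three actions
# would slip past a filter that only looks at the URL.
SAMPLE = "\n".join([
    '{"index": {"_id": "1"}}',
    '{"msg": "ok"}',
    '{"delete": {"_index": "logs-app", "_id": "7"}}',
    '{"index": {"_index": "payroll", "_id": "2"}}',
    '{"msg": "written outside the URL index"}',
]) + "\n"

if __name__ == "__main__":
    for v in check_bulk(SAMPLE, "logs-app", {"logs-app"}):
        print(v)
```

A check of this kind has to run wherever the request body is visible (a filtering service behind the proxy, or a scripting module in it), since plain `location` matching only sees the path.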
