A question on node configuration

pk.241011 · March 13, 2017, 6:48am

I am thinking of putting Nginx in front of the Elasticsearch cluster to implement a basic Authentication mechanism as well as load balancing. The core idea is to have a user who can create indices and put data in them (not read or delete). Then there will be an admin user who will have all the privileges.

While the idea is in infancy there is one immediate issue. Although I can deny certain requests sent to cluster via Nginx instance, there is no way I can prevent someone doing something wrong if he/she knows the names of the Elasticsearch nodes.

My understanding is that I can just send a curl request to actual node bypassing the proxy and maybe clean the indices. Or is there a way to make cluster nodes reject requests made directly to them and serve only requests coming from the proxy (loadbalancer)?

rulanitee · March 13, 2017, 9:20am

Hi pk,

Looks like you want to implement security on your cluster. Have you looked at X-Pack?

Regards

pk.241011 · March 13, 2017, 11:07am

@rulanitee Yeah but the quote we got from Elasticsearch on xpack has made it a hard sell to management. Maybe once we start getting benefits they will be willing. But till then Elasticsearch remains a hard sell.

Buck stops with me on this project. And I want to atleast have user authentication and access rights on indices configured on this cluster.

Elasticsearch can maybe throw in at least user authentication in the free version. It is very difficult to introduce ELK into companies as things stand.

dadoonet · March 13, 2017, 2:55pm

I'd just say that buying xpack is not just buying a security feature. It comes with other features and more than that it comes with a fantastic support team which will help you to design correctly your project (well like a remote member of your team) and help you to maintain it operational.

You have one month of trial.
You can ask your sales contact to extend it a bit I think.
You can also remove completely all the data dir and restart from scratch.

Or you can try to secure it yourself using 3rd party software like ngnix.
If you do that, just be careful with operations like bulk, msearch because headers can define whatever index they want to use.

Or leave it open and trust your team mates

system · April 10, 2017, 2:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.