Caching in Elastic shield

security

#1

Elastic Shield documentation mentions that it can cache users for authentication. However, there's no clear explanation or example of how to achieve this.

I have a native realm user and a file realm user (for the file realm user I configured the following):

    shield:
      authc:
        realms:
          native_name:
            type: native
            order: 0
          file_name:
            type: file
            order: 1
            cache.ttl: 20m
            cache.max_users: 100000

For instance, when I make a REST call using a REST client or curl, I would need to pass username/password with each request:

    curl -u filerealmusername:password -XGET 'http://localhost:9600/_shield/user/username?pretty'

1. How do I avoid passing username:password in subsequent requests?

2. I'm trying to achieve this in the Elasticsearch Python client; essentially, I need to avoid passing the username and password in each request explicitly. For instance, the following:

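    from elasticsearch import Elasticsearch

    # Client configured with HTTP basic auth credentials for the file realm user
    es = Elasticsearch(
        ['localhost'],
        http_auth=('filerealmuser', 'secret'),
        port=9200,
    )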


(Jay Modi) #2

Currently, Shield and X-Pack only support basic authentication. The caching is an internal mechanism to improve performance but your requests still need to provide the username and password every time.

Tokens and/or sessions are something we are currently looking at but these will only be available in X-Pack.
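An added illustration of the distinction drawn in reply #2, not part of the thread and not Shield's own code: a simplified model of a realm credential cache. The class name, hashing choices and `slow_checks` counter are assumptions; `ttl_seconds` and `max_users` stand in for the `cache.ttl` and `cache.max_users` settings from post #1. Every call still has to present the password, and the cache only replaces the expensive verification.

```python
import hashlib
import hmac
import os
import time
from collections import OrderedDict

class CachingRealm:
    """Simplified model of a realm user cache (hypothetical, not Shield's code)."""

    def __init__(self, ttl_seconds, max_users, clock=time.monotonic):
        self.ttl, self.max_users, self.clock = ttl_seconds, max_users, clock
        self.store = {}                  # username -> (salt, slow PBKDF2 hash)
        self.cache = OrderedDict()       # username -> (fast keyed hash, expiry)
        self.cache_key = os.urandom(32)  # per-process key for cached hashes
        self.slow_checks = 0             # how often the expensive path ran

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.store[username] = (salt, self._slow_hash(password, salt))

    def _slow_hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _fast_hash(self, password):
        return hmac.new(self.cache_key, password.encode(), hashlib.sha256).digest()

    def authenticate(self, username, password):
        """Credentials are required on every call; a hit only skips the slow check."""
        now = self.clock()
        entry = self.cache.get(username)
        if (entry and entry[1] > now
                and hmac.compare_digest(entry[0], self._fast_hash(password))):
            self.cache.move_to_end(username)
            return True                                  # cache hit
        # Unknown users take the same slow path, so timing does not reveal them.
        salt, expected = self.store.get(username, (b"\0" * 16, b""))
        self.slow_checks += 1
        if not hmac.compare_digest(expected, self._slow_hash(password, salt)):
            return False                                 # failures are never cached
        self.cache[username] = (self._fast_hash(password), now + self.ttl)
        self.cache.move_to_end(username)
        while len(self.cache) > self.max_users:
            self.cache.popitem(last=False)               # evict least recently used
        return True

if __name__ == "__main__":
    realm = CachingRealm(ttl_seconds=20 * 60, max_users=100000)
    realm.add_user("filerealmuser", "secret")  # constructed sample user
    results = [realm.authenticate("filerealmuser", p) for p in ("secret", "secret", "wrong")]
    print(results, "slow checks:", realm.slow_checks)
```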


#3

I see. I have integrated Kibana through Shield with Elasticsearch, and I have noticed that this requires username/password to be logged in once and maintained for the session.

Kibana creates a session. May I know how it is able to achieve the same, as sessions are not supported in Shield?

Is there any other means by which I can achieve session-like functionality in Python? For instance, cookies or something similar?


(Jay Modi) #4

The session is at the Kibana layer only; Kibana still needs to pass the authentication credentials to elasticsearch.


#5

Does the official Python client, elasticsearch-py, facilitate similar capabilities for maintaining a session or cookies, etc.?

