Can ElasticSearch Clients be authenticated using Shield


(shashank) #1

I happened to go through the below link in the shield documentation

where it says "Using the Java Node Client with Shield is not recommended or supported."

What does this actually mean?

We have Elasticsearch embedded in our application rather than as a service. We are using Java node clients (I believe anything which we use to talk to the cluster apart from transport clients is referred to as a node client... please correct me if I am wrong) to talk to the ES cluster from within our application. Now we have a requirement to authenticate access to indexes. I know transport clients do this by setting authorisation headers. But what about the Java node clients? Is it possible to authenticate the Java node clients using HTTP authentication against the Search Guard internal users database?

What exactly does "NodeClients are not supported by Search Guard" mean?


(Jay Modi) #2

A node client isn't supported for use with Shield since the client needs to join the cluster and would need the system key (if in use), and the setup is complicated since the files need to be in specific locations, especially when embedding.

Now if you can use a transport client, that is fully supported. Or maybe you can use this approach

What version of Elasticsearch do you use?

You seem to be asking about Search Guard, which is not developed by Elastic; I suggest you contact the makers of Search Guard for answers.

(shashank) #3

Thanks for your response.

Does that mean a nodeClient (Master or Data or Client node in ES terminology) cannot be authenticated using Shield's authentication capabilities?
We wanted to have some username/password authentication kind of access to the indexes using Shield. Is it possible with only the Java NodeClients around?
The only way we have in our application to communicate with the ES cluster to query indexes is the Java node client.
What about the encryption? Do you think using an ES node client reference to access the indexes could cause any problems?

(Jay Modi) #4

You have not explained why you cannot use a transport client and why you must use a node client. If you are using a node client, then you should also be able to use a transport client.

As the documents state, we do not support the use of Shield with an embedded node client. It can work, but there are no instructions available on how to make it work and you won't be following our best security practices.
