Hey all,
This could be a sensitive topic, so I hope I'm able to address it tactfully.
Can we please get basic authentication integrated into the open source version of Elasticsearch? And it should be turned on by default.
Has this discussion occurred before? If so, I wasn't able to find it when searching.
The reason I bring this up is a recent article about an unsecured Elasticsearch instance leading to data about millions of people being leaked on Hacker News.
A quick Google search for "unsecured Elasticsearch data breach" returned multiple stories about unsecured Elasticsearch instances leading to people's data being exposed.
Just to be clear, the fault of these breaches does NOT lie with Elasticsearch; the owners of those instances are at fault for not properly securing ES. Whenever anyone works with data, they should be making sure that it is secure. ES's lack of basic security is very obvious, so not plugging that hole is very incompetent.
That said, if ES had basic authentication turned on by default, there would have been far fewer of these breaches over the years, simply because it would take someone turning OFF security, instead of not turning it on.
One final question: has anyone ever documented why basic authentication isn't part of OSS ES, and isn't turned on by default? Most any service I've worked with that assumes it will be exposed to a network requires a username and password. So ES not doing so has always made me wonder about it...
Thanks for taking the time to read and consider this post.