Can we make basic authentication part of Open Source ES?

Hey all,

This could be a sensitive topic, so I hope I'm able to address it tactfully.

Can we please get basic authentication integrated into the open source version of Elasticsearch? And it should be turned on by default.

Has this discussion occurred before? If so, I wasn't able to find it when searching.

The reason I bring this up is a recent article about an unsecured Elasticsearch instance leading to data about millions of people being leaked on Hacker News.

A quick Google search for "unsecured Elasticsearch data breach" returned multiple stories about unsecured Elasticsearch instances leading to people's data being exposed.

Just to be clear, the fault of these breaches does NOT lie with Elasticsearch; the owners of those instances are at fault for not properly securing ES. Whenever anyone works with data, they should be making sure that it is secure. ES's lack of basic security is very obvious, so not plugging that hole is very incompetent.

That said, if ES had basic authentication turned on by default, there would have been far fewer of these breaches over the years, simply because it would take someone turning OFF security, instead of not turning it on.

One final question: has anyone ever documented why basic authentication isn't part of OSS ES, and isn't turned on by default? Most any service I've worked with that assumes it will be exposed to a network requires a username and password. So ES not doing so has always made me wonder about it...

Thanks for taking the time to read and consider this post.

It is now part of the free basic license with the default distribution. Can you not run this?

This isn't a topic about how I might implement an instance of ES. It's an attempt to start a discussion about moving basic authentication into the OSS version.

My test instance of ES at work is running the free license, but I didn't realize I could use basic security when I initiated it. So it's sitting behind an Apache reverse proxy so I can use basic and LDAP auth. If basic security (or just auth) was part of the OSS version, and turned on by default, I'd likely be using it.

Ultimately, I consider basic authentication a core part of any database tool. With core ES being OSS, basic auth should be OSS as well.

The fact that it isn't baffles me, and has helped expose millions of people to data theft.

I understand the need to have some features require payment. But the Gold and Platinum subscriptions offer plenty of other features to be worth it. I don't see any need for basic authentication to be proprietary.

I'm hoping this topic will either prompt Elastic.co to make it part of OSS, or at least prompt them to explain why it isn't.
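The "Apache reverse proxy with basic auth" setup mentioned in the reply above, written out as an added example (this is not configuration from the thread or from Elastic). It assumes an Apache httpd with mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic and mod_authn_file loaded, a hypothetical hostname es.example.internal, and an htpasswd file at /etc/httpd/es.htpasswd; the certificate paths are placeholders. The node itself must only listen on loopback (network.host: 127.0.0.1 in elasticsearch.yml) so that port 9200 cannot be reached while bypassing the proxy.

```apache
# Added example: HTTP Basic authentication in front of an Elasticsearch node
# that listens only on 127.0.0.1:9200 (set network.host: 127.0.0.1 in
# elasticsearch.yml). Every request, including GET /, must carry valid
# credentials before it is forwarded.

<VirtualHost *:443>
    ServerName es.example.internal   # hypothetical hostname

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/es.example.internal.crt    # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/es.example.internal.key  # placeholder path

    # Require a user from the htpasswd file for the whole URL tree.
    # Create the file with: htpasswd -c /etc/httpd/es.htpasswd <username>
    <Location "/">
        AuthType Basic
        AuthName "Elasticsearch"
        AuthUserFile /etc/httpd/es.htpasswd
        Require valid-user
    </Location>

    # Forward authenticated requests to the loopback-only node.
    ProxyPreserveHost On
    ProxyPass        "/" "http://127.0.0.1:9200/"
    ProxyPassReverse "/" "http://127.0.0.1:9200/"
</VirtualHost>

# Plain HTTP only redirects to TLS, so Basic credentials are never sent in clear.
<VirtualHost *:80>
    ServerName es.example.internal
    Redirect permanent "/" "https://es.example.internal/"
</VirtualHost>
```

To check the setup, request the root URL through the proxy without credentials and confirm that Apache answers 401 rather than the cluster banner; the same request aimed at port 9200 from another host should fail to connect at all, because the node is bound to loopback. The LDAP variant the reply mentions replaces AuthUserFile with AuthBasicProvider ldap plus AuthLDAPURL (mod_authnz_ldap), leaving the rest of the proxy unchanged.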
