We run inside a servlet container by implementing our own RestChannel.
This lets us intercept every call and run custom security logic before
handing it off to elasticsearch and we don't have to reimplement every
endpoint via the Java API.
In terms of Jetty, what I mean is that we don't produce a WAR, rather we
embed an instance of Jetty inside the app. So we embed elasticsearch inside
our app along side of Jetty. We debated of over using servlets but we
decided Spring Security was worth it. We're using Servlet 3.0 (async) and
we're happy with the choice because it gives us a lot of capability.
On Friday, April 12, 2013 9:28:46 AM UTC-4, AlexR wrote:
Could you elaborate a bit. You say you embed elastic rather than using
plugin strategy. Do you run it within a servlet container and replicate
complete API with your ACL checks before making the same elastic call? Do
you call elastic via java API or pass http request on to elastic http
endpoint. Also you said you use embedded jetty. I am confused a bit what's
embedded in what - elastic or jetty?
On Wednesday, April 10, 2013 6:22:30 PM UTC-4, egaumer wrote:
We built an OAuth2 layer with full index level ACL support on top of
elasticsearch (opposed to using the plugin architecture). This allows us to
control every aspect and elasticsearch embeds really well. We restrict
access to the transport though so you have to use HTTPS (no TCP). We
support SPDY and use an embedded instance of Jetty with async servlets (to
support Spring Security).
On Wednesday, April 10, 2013 4:30:38 PM UTC-4, Chris Berry wrote:
We are in the process of building out an Elasticsearch cluster, and we
need security. (it's too easy to do scary things to the cluster)
Currently we use OAuth2 for Service-to-service security in our SOA
(although only 2-legged instead of 3).
And we need to add this functionality for elasticsearch.
We understand that we can pretty easily secure the HTTP port (9200) --
teh jetty plugin, etc.
But we will be using the TCP port (9300), and need to secure it as well
(or it defeats the purpose).
First, obviously -- has anyone out there already done this?? And if so,
is the code out there in the wild...
Second, my goggling says that we'll probably need to build this
Is creating/wiring in a Transport Plugin the correct approach??
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to email@example.com.
For more options, visit https://groups.google.com/groups/opt_out.