Elasticsearch: security concerns

We are using Elasticsearch as the back-end for our in-house logging and
monitoring system. We have multiple sites pouring data into one ES cluster,
but into different indices, e.g. abc-us has the data from the US site and
abc-india has the data from the India site.
Our concern now is that we need some security checks before pushing data
into the cluster:

  1. data coming to an index is coming from the right IP address
  2. the incoming JSON request is inserting new data, not deleting/updating
  3. while reading, a certain IP should not be able to read data from
    another index.

Kindly let me know if it's possible to achieve this using Elasticsearch.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/b1ec03df-245a-4705-92ef-8c26002a7f82%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hello Jigish ,

I don't think you can achieve all of these in Elasticsearch.
You can restrict the HTTP methods to GET and POST in Elasticsearch.
But for most of the other tasks, Nginx would be a better option.
The Elasticsearch jetty plugin might also help you:
https://github.com/sonian/elasticsearch-jetty

Thanks
Vineeth

On Sat, Sep 13, 2014 at 9:03 AM, jigish thakar jigishpthakar@gmail.com
wrote:



Thanks Vineeth. I will look into suggested plugin.

On Saturday, September 13, 2014 9:10:10 AM UTC+5:30, vineeth mohan wrote:



  1. The "right IP address" can be achieved with secure sockets between
    hosts. You have to write your own service for this; it is not possible on
    port 9200/9300. Use HTTPS on port 443 at a reverse proxy for this. Use
    only private subnets for the ES cluster, i.e. block it from internet access.

  2. You must use the create endpoint or add the parameter create=true to all
    indexing requests:
    http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/docs-index.html#operation-type

  3. You must add to your HTTP reverse proxy a dispatcher which accepts only
    requests on certain endpoints and can translate endpoints to index aliases
    (your "certain IP" has exactly one index alias).

With nginx, these tasks are simple.

Jörg
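An nginx configuration that applies the three points above, added here as an illustration and not taken from the thread or from the Elasticsearch project. The site address ranges, the upstream address, the host name and the certificate paths are placeholders; abc-us and abc-india are the index (or alias) names from the original question. It goes one step beyond the text in that it also verifies a client certificate, so a site is identified by a key it holds and not by its source address alone.

```nginx
# Added example: nginx reverse proxy in front of Elasticsearch enforcing
#   1. only known sites may connect (source address + client certificate),
#   2. writes may only create new documents,
#   3. each site may only read its own index/alias.
# All addresses, names and paths below are placeholders.

# 1. Map the client address to the single index (or alias) that site owns.
#    `geo` matches $remote_addr against CIDR ranges.
geo $site_index {
    default         "";
    203.0.113.0/24  abc-us;
    198.51.100.0/24 abc-india;
}

upstream elasticsearch {
    # ES listens on the private subnet only; 9200/9300 are never exposed.
    server 10.0.0.10:9200;
}

server {
    listen 443 ssl;
    server_name es-ingest.example.internal;

    ssl_certificate         /etc/nginx/tls/es-ingest.crt;
    ssl_certificate_key     /etc/nginx/tls/es-ingest.key;
    # Each site holds a certificate issued by this private CA, so the
    # address check above is backed by a key, not just by routing.
    ssl_client_certificate  /etc/nginx/tls/site-ca.crt;
    ssl_verify_client       on;

    # Unknown source address: refuse everything.
    if ($site_index = "") {
        return 403;
    }

    # 2. Indexing: only the create endpoint, PUT or POST
    #    /<index>/<type>/<id>/_create. An existing document is never
    #    overwritten (ES answers 409), and nothing on this path deletes.
    location ~ ^/(?<idx>[^/]+)/[^/]+/[^/]+/_create$ {
        if ($idx != $site_index) {
            return 403;
        }
        if ($request_method !~ ^(PUT|POST)$) {
            return 405;
        }
        proxy_pass http://elasticsearch;
    }

    # 3. Reading: only _search on the caller's own index. Comma lists
    #    (abc-us,abc-india), wildcards (abc-*) and _all all fail the
    #    equality test and are refused.
    location ~ ^/(?<idx>[^/]+)/_search$ {
        if ($idx != $site_index) {
            return 403;
        }
        if ($request_method !~ ^(GET|POST)$) {
            return 405;
        }
        proxy_pass http://elasticsearch;
    }

    # Everything else (_bulk, _msearch, _mget, delete-by-query, index and
    # cluster admin APIs) never reaches the cluster.
    location / {
        return 403;
    }
}
```

Two caveats a practitioner should keep in mind. The `geo` block keys on `$remote_addr`, so if another load balancer sits in front of nginx the mapping must be done on the real client address, not the balancer's. The two `location` blocks are the whole allow-list: `_bulk`, `_msearch` and `_mget` name indices inside the request body, which nginx does not parse, so they must stay blocked. The `_create` path form is used rather than `?op_type=create` on a plain PUT because an nginx `if` cannot combine the method, path and query checks in a single test; if the site names are aliases rather than concrete indices, point the alias at the current backing index and the configuration does not change.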

On Sat, Sep 13, 2014 at 5:33 AM, jigish thakar jigishpthakar@gmail.com
wrote:

