I am working on Kerberos/NTLM and host/ip based coarse-grained and document
level security for Elasticsearch (early dev stage but roughly working).
This plugin adds http/rest security functionality to Elasticsearch in kind
of separate modules. Instead of Netty, an embedded Tomcat 7 is used to
process http/rest requests.
Currently, for user based authentication and authorization, Kerberos and
NTLM are supported through the 3rd party library waffle (only on Windows
servers). For UNIX servers, Kerberos is supported through the 3rd party library
tomcatspnegoad (works with any Kerberos implementation; for authorization,
either Active Directory or generic LDAP is supported).
You can also use this plugin without Kerberos/NTLM, but then only host
based authentication is available.
As of now two security modules are implemented:
Actionpathfilter: Restrict actions against Elasticsearch on a
coarse-grained level, like who is allowed to READ, WRITE or even ADMIN
rest api calls
Document level security (dls): Restrict actions on document level,
like who is allowed to query for which fields within a document
Suggestions, corrections, improvements are very welcome!
Thanks and best regards
Hendrik
Is the plugin compatible with Elasticsearch 1.2.1? Because when I tried
getting it running on ES 1.2.1, I was getting the following error:
java.lang.IncompatibleClassChangeError: Implementing class
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.elasticsearch.plugins.security.service.SecurityService.doStart(SecurityService.java:79)
    at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:85)
    at org.elasticsearch.node.internal.InternalNode.start(InternalNode.java:217)
    at org.elasticsearch.bootstrap.Bootstrap.start(Bootstrap.java:122)
    at org.elasticsearch.bootstrap.Bootstrap.main(Bootstrap.java:206)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:32)
Thanks and Regards
Srinath Kotu
On Tuesday, November 19, 2013 6:43:43 PM UTC-5, Hendrik wrote:
Hi,
I am working on Kerberos/NTLM and host/ip based coarse-grained and
document level security for Elasticsearch (early dev stage but roughly
working).
This plugin adds http/rest security functionality to Elasticsearch in
kind of separate modules. Instead of Netty, an embedded Tomcat 7 is used to
process http/rest requests.
Currently, for user based authentication and authorization, Kerberos and
NTLM are supported through the 3rd party library waffle (only on Windows
servers). For UNIX servers, Kerberos is supported through the 3rd party library
tomcatspnegoad (works with any Kerberos implementation; for authorization,
either Active Directory or generic LDAP is supported).
You can also use this plugin without Kerberos/NTLM, but then only host
based authentication is available.
As of now two security modules are implemented:
Actionpathfilter: Restrict actions against Elasticsearch on a
coarse-grained level, like who is allowed to READ, WRITE or even ADMIN
rest api calls
Document level security (dls): Restrict actions on document level,
like who is allowed to query for which fields within a document
Suggestions, corrections, improvements are very welcome!
Thanks and best regards
Hendrik
The current master branch does not work with 1.2.1 out of the box but it
should be easy to fix this.
Just clone the repo and change ES version to 1.2.1 in pom.xml, then look
either in ES docs for breaking changes and/or fix the compile errors.
There is no official release of the security plugin as of now so you have
to build it yourself.
KR
Hendrik
On Monday, 23 June 2014 19:54:02 UTC+2, sri wrote:
Hello,
Is the plugin compatible with Elasticsearch 1.2.1? Because when I tried
getting it running on ES 1.2.1, I was getting the following error:
java.lang.IncompatibleClassChangeError: Implementing class
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.elasticsearch.plugins.security.service.SecurityService.doStart(SecurityService.java:79)
    at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:85)
    at org.elasticsearch.node.internal.InternalNode.start(InternalNode.java:217)
    at org.elasticsearch.bootstrap.Bootstrap.start(Bootstrap.java:122)
    at org.elasticsearch.bootstrap.Bootstrap.main(Bootstrap.java:206)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:32)
Thanks and Regards
Srinath Kotu
Can I just say this project looks really excellent. Thank you for doing it
and sharing it, Hendrik!
Best,
Emrul
On Monday, June 23, 2014 7:46:08 PM UTC+1, Hendrik Dev wrote:
The current master branch does not work with 1.2.1 out of the box but it
should be easy to fix this.
Just clone the repo and change ES version to 1.2.1 in pom.xml, then look
either in ES docs for breaking changes and/or fix the compile errors.
There is no official release of the security plugin as of now so you have
to build it yourself.
KR
Hendrik