Elasticsearch-security-plugin: Kerberos, NTLM and host/IP based coarse-grained and document level security for Elasticsearch

Hi,

I am working on Kerberos/NTLM and host/IP based coarse-grained and document
level security for Elasticsearch (early dev stage but roughly working).

This plugin adds HTTP/REST security functionality to Elasticsearch in kind
of separate modules. Instead of Netty an embedded Tomcat 7 is used to
process HTTP/REST requests.

Currently for user based authentication and authorization Kerberos and
NTLM are supported through 3rd party library waffle (only on Windows
servers).
For UNIX servers Kerberos is supported through 3rd party library
tomcatspnegoad (works with any Kerberos implementation; for authorization
either Active Directory or generic LDAP is supported).

You can use this plugin also without Kerberos/NTLM but then only host
based authentication is available.

As of now two security modules are implemented:

  • Actionpathfilter: Restrict actions against Elasticsearch on a
    coarse-grained level like who is allowed to READ, WRITE or even ADMIN
    REST API calls
  • Document level security (dls): Restrict actions on document level
    like who is allowed to query for which fields within a document

Suggestions, corrections, improvements are very welcome!
Thanks and best regards
Hendrik

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
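
A conceptual sketch of the coarse-grained, host-based check that the Actionpathfilter module is described as performing in the announcement above. It is an added example, not code or configuration from the plugin; the rule layout, the endpoint lists and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumed classification of Elasticsearch 1.x REST endpoints (illustrative, incomplete).
READ_ENDPOINTS = {"_search", "_count", "_mget", "_msearch", "_explain"}
ADMIN_ENDPOINTS = {"_cluster", "_nodes", "_shutdown", "_settings", "_mapping",
                   "_aliases", "_snapshot", "_template"}
LEVELS = {"NONE": 0, "READ": 1, "WRITE": 2, "ADMIN": 3}

# Constructed rule set: the first matching network wins, no match means NONE.
RULES = [
    ("10.0.5.0/24", "ADMIN"),     # ops subnet
    ("10.0.0.0/16", "WRITE"),     # application servers
    ("192.168.0.0/16", "READ"),   # reporting clients
]

def required_level(method, path):
    """Map an HTTP method and request path to the permission the call needs."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    endpoints = {s for s in segments if s.startswith("_")}
    if endpoints & ADMIN_ENDPOINTS:
        return "ADMIN"            # conservative: any admin endpoint, any method
    if method == "DELETE" and len(segments) <= 1:
        return "ADMIN"            # deleting a whole index (or all indices)
    if method in ("GET", "HEAD"):
        return "READ"
    if method == "POST" and endpoints and endpoints <= READ_ENDPOINTS:
        return "READ"             # search bodies are commonly sent with POST
    return "WRITE"

def granted_level(client_ip):
    """Return the level of the first rule whose network contains client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for network, level in RULES:
        if addr in ipaddress.ip_network(network):
            return level
    return "NONE"                 # default deny

def is_allowed(client_ip, method, path):
    """Allow the call only if the granted level covers the required level."""
    return LEVELS[granted_level(client_ip)] >= LEVELS[required_level(method, path)]
```

The client address passed to `is_allowed` has to be the TCP peer address seen by the server; a value taken from a client-supplied header such as `X-Forwarded-For` can be set by the caller.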

Now the elasticsearch-security-plugin (https://github.com/salyh/elasticsearch-security-plugin) also
supports SSL/TLS and SSL client authentication (mutual client
authentication).

Download the preview release 0.0.2.Beta3 here:

Suggestions, corrections, improvements are very welcome!
Thanks and best regards
Hendrik

On Wednesday, 20 November 2013 00:43:43 UTC+1, Hendrik wrote:

Hi,

I am working on Kerberos/NTLM and host/ip based coarse-grained and
document level security for elasticsearch (early dev stage but roughly
working)

https://github.com/salyh/elasticsearch-security-plugin


--

Hello,

Is the plugin compatible with elasticsearch 1.2.1, because when I tried
getting it running on ES 1.2.1, I was getting the following error:

java.lang.IncompatibleClassChangeError: Implementing class
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.elasticsearch.plugins.security.service.SecurityService.doStart(SecurityService.java:79)
    at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:85)
    at org.elasticsearch.node.internal.InternalNode.start(InternalNode.java:217)
    at org.elasticsearch.bootstrap.Bootstrap.start(Bootstrap.java:122)
    at org.elasticsearch.bootstrap.Bootstrap.main(Bootstrap.java:206)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:32)

Thanks and Regards
Srinath Kotu


--

The current master branch does not work with 1.2.1 out of the box but it
should be easy to fix this.
Just clone the repo and change ES version to 1.2.1 in pom.xml, then look
either in ES docs for breaking changes and/or fix the compile errors.

There is no official release of the security plugin as of now so you have
to build it yourself.

KR
Hendrik

On Monday, 23 June 2014 19:54:02 UTC+2, sri wrote:

Hello,

Is the plugin compatible with elasticsearch 1.2.1, because when I tried
getting it running on ES 1.2.1, I was getting the following error:
java.lang.IncompatibleClassChangeError: Implementing class

--

Can I just say this project looks really excellent. Thank you for doing it
and sharing it, Hendrik!

Best,

Emrul

On Monday, June 23, 2014 7:46:08 PM UTC+1, Hendrik Dev wrote:

The current master branch does not work with 1.2.1 out of the box but it
should be easy to fix this.

--

Hello,

Is the plugin still compatible with ES 1.3.4 or higher?
Is it possible to use Kerberos auth?

Regards.
