Our elastic cluster is on-premise. We deploy the different components (kibana, logstash, enterprise search) to different nodes and configure them to connect / talk to the Elasticsearch cluster.
What I see in the documentation (Configuration | Elastic Enterprise Search Documentation [8.2] | Elastic) is that we no longer have to put the basic auth credentials to connect to Elasticsearch in the configuration file (or in a keystore). Saving them as environment variables is a marginal improvement -- I would prefer to use an API Key or service account token like the other components can -- but the question I have is about cluster and index privileges required for this connection.
Is there documentation someplace (or does anyone know) what privileges are required for the connection between enterprise search and the Elasticsearch cluster? I will create an account that can only be used for this connection, and I want to grant it the least amount of privileges required to do the work.
Please note that it's not a supported way of connecting Enterprise Search, and the guide below is not guaranteed to work or may cause issues down the road.
Thanks @Vadim_Yakhin So to be clear, the team is saying that the "supported" way to do this is to use the built-in elastic, super-user account? So if I try to do something with less privileges it will not be supported (or is certainly not guaranteed to work)?
I will make sure I have a case open with support on the topic, but here's my concern and some context.
It would seem to me it is really bad practice to put a superuser's credentials in plain text in a configuration file (or even stored as environment variables). So the "need" is not to get the product to run but to use the least amount of privileges to do the work... This is a fundamental secure coding practice, right?
My issue is not that I can't get the product to run. We have 7.x configured this way right now and have had it in production for nearly a couple of years now. But in current state, we only index fully-public, non-confidential data. In our next iteration, we want to start indexing more highly confidential data.
I was hoping with 8.x that A) I could use an API Key instead of end user credentials, and B) the API Key would have only the limited amount of permissions required to make the application work. At the very least I'd like to store the credentials more securely (though I don't relish the thought of having to manage another local keystore).
I'm sure I don't have to point out the kind of damage a bad actor could do to a cluster with super user credentials. Our environment is a highly-regulated (hyper-secure) environment, so we have sometimes have to go through some gymnastics to lock things down as tightly as possible.
Anyway, that's the "need" I'm trying to fill, not a functional one. Thanks for looking into it for me. Do very much appreciate it!
Just to be sure, it sounds as if you are attempting to use the API authentication mechanism within your Enterprise Search configuration to securely (but limited in scope with privileges) to interact with Elasticsearch?
Yes, that would be great! Along with it it would be good to document (and support) what the more limited list of privileges is... @Vadim_Yakhin has pulled together what looks like a credible list, but we don't want to go off into "unsupported" territory.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.