Migrating from access control to shield / Make deny the default

xyz · December 10, 2015, 5:38pm

I want to upgrade our elasticsearch instance from 1.6.x to 2.1. There is the new shield configuration.

We use 2 indices. One for search requests from the application with a lot of details and another where we have indexed only the name field for suggest.
Until now we have used this configuration in the access control settings:

default: deny
rules:
  - paths:
      - '/suggest/_search/template'
    action: allow

So it’s possible to disallow all requests to http://host:9200/ except the suggest index:
http://host:9200/suggest/_search/template

I don’t know how I can transform this behaviour to the new shield configuration.
With the default shield configuration I can already access http://host:9200/ because deny seems not to be the default behaviour.

jaymode · December 15, 2015, 6:57pm

Shield will deny by default. The / endpoint only requires authentication to work (or if anonymous access is enabled, everyone can access this endpoint). This is due to how Shield authorizes requests; it does so at the action level in elasticsearch and the / endpoint does not map to an action.

It looks like you only want to allow the users to search with a search template. Is the search template indexed? If so you need to grant access to the .scripts index. You may try using a role like:

role_name:
  indices:
    '.scripts': read
    'suggest': search