I, nor my users, can afford X-pack og similar commercial alternatives to protect Elasticsearch. I have several use cases that require me to put Elasticsearch on the Internet and as such I have started a little project that will allow you to protect individual Elasticsearch indices using a combination of Oath 2.0 Personal Access Tokens and JSON Web Tokens.
In a nutshell:
- Provide the use of Personal Access Tokens to protect Elasticsearch. Frees you from having to manage Basic Auth at the server level.
- JSON Api for managing indices and tokens.
- Also, a self service frontend GUI allowing users to set create their own indices and attach tokens to these.
For more information please see https://github.com/jorgenb/elasticshield. I realise that it does not solve anything new but I hope that with time and feedback I will be able to grow it to solution that can benefit many.