Provisioning cluster to only allow "test" index to be visible by master node

Elastic Stack Elasticsearch
1

Hey All,

Title pretty much summarizes what I am trying to do but I can't find any information on this subject. Basically, I have a single cluster with different nodes across different subnets. I have set my firewall rules to allow communication between servers in different subnets and have set up a cluster that had remote nodes.

My goal is basically this:
I have two nodes (node-1 and node-2) where node-1 is the master/data node and node-2 is only a data node. I have filebeat pushing logs from my edge device to my cluster where they are filtered and placed into one of two indices (index-1 and index-2). I want node-1 to have visibility and access to search both of my indices, however, I want node-2 to only have visibility and access to search index-2.

I tried to mess around with shard allocation but I can still access the logs and when i curl the status of my indices from node-2, it still has all the updated logs being push to both index-1 and index-2. Maybe this is not an intended use-case for elasticsearch, but I was wondering if it was possible in the first place. Thanks !

2

Indices are accessed st the cluster level so what you want to do is not possible. You could however create different users and control access to indices that way, but not by entry point.

3

This is what I was beginning to suspect. Are there security implications to using access control to prevent a user on node-2 from accessing index-1 (lets say this node exists in their network enclave or on their LAN).

Also, this seems like it would be possible with cross-cluster replication as you can assign which indices are followed but I was trying to avoid buying the platinum license

4

If you control access through users and roles they will have the same access irrespective of which node they are connecting to.

5

Alright. This seem to be my best path forward. I appreciate your time!

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.