Now that ES is in the big leagues, I'd like to re-open a discussion about
security, hardening and operational issues. Specifically, the position up
until this point on security and authentication of any kind has been 'stick
a proxy out front'. Unfortunately, the diversity of approaches to tackling
this don't create any single methodology that would converge toward a
robust solution in the coming years.
Cutting my opinions short let me propose a couple of very specific
recommendations to the group:
- Refactor REST routes so that a VERY simple ruleset may be applied to
differentiate Read/Write access.
Use Case:
- Allow any user to issue search requests without authentication
- Allow any authenticated user to access ANY endpoint
Problem:
- To implement this, one might want to pass all GET request through, and
force authentication for all other verbs. However, searches can and are
often required to be issued as POSTS via _search and _msearch, so these
specific strings would need to be detected in the URL as well. It is
possible that new features such as 'Update By Query' might also create more
conflicts of R/W within the POST verb segment of routes.
Possible Solution:
- Require all searches (_search and _msearch) to be issued via GET,
ensuring long URLs are supported (Solr supports up to 64KB even though IE
has a 2K limit) - Publish a simple logical ruleset that would 'Secure' an ES instance
-
Replace Netty with Jetty and minimize configuration changes to enable
HTTPS and Basic Authentication for simple install scenarios -
Apply the now easy to implement and easy to verify 'rules' from #1
above, to allow a fresh ES install to set auth requirements for Searches,
R/W access and Configuration changes, with 3 roles [user, editor, admin]
where an array of user/pass combinations can be assigned to these roles (or
none) to allow for the diverse type of access that is required. This can
be used in development or single-server production deployments. -
ES should either develop or make a 'preferred' recommendation for a
Proxy/Load Balancer with a provided sample configuration. Managing
backends from a LB is a non-trivial problem, and intelligent integration
with proxies is a highly desirable feature. Moreover there seem to be
shortcomings with almost every option out there currently. For example, my
preferred choice for a LB/Proxy would be Varnish. Varnish can easily
provide HTTPS if needed, as well as a simple auth system. However the
rules to actually secure ES implemented in VCL would be lengthy and error
prone. Moreover the caching features of Varnish are cannot be leveraged
because Varnish will not use POST bodies as part of a cache key in any
default configuration. (Caching of common queries is highly desirable in
many use cases - but I'll leave that for another post).
It is totally possible that some of this is in process, has already been
discussed, or already been solved, but I've not yet come across the
appropriate material. Please help educate me if that is the case,
otherwise, I hope this helps create some lively conversation around these
and related topics.
D
--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.