Restricting access via an intermediate layer


(dragan) #1

Hi,

I am working on restricting access to my elasticsearch cluster and I'd
love some feedback on it.

All outside requests should go through an authenticated server that
passes them (unauthenticated) to elasticsearch. The ES machines only
accept requests from this server and from each other, all other
requests are denied.

I am trying to figure out what I'm going to do with the head plugin. I
can expose an api function that passes the status request to
elasticsearch, but it would be nice to be able to check up on the
index through /_plugin/head/

My questions are the following:

  1. I can open port X (X would be a different port from the one on
    which ES is running) and only allow authenticated access on it. I am
    assuming I can host head on port X, since all I need is to access
    /plugins/head/_site/index.html
    Is that correct?

  2. Is this a good way to protect my cluster?

Thank you


(Thomas Peuss) #2

Hi Dragan!

Am Donnerstag, 22. März 2012 21:29:47 UTC+1 schrieb Dragan:

passes them (unauthenticated) to elasticsearch. The ES machines only
accept requests from this server and from each other, all other
requests are denied.

You can tell ES to only bind to localhost (ES defaults to binding to all
interfaces on the host). So ES is only accessible on the local machine. Put
for example an Apache httpd on the machine and configure it as reverse
proxy against the local ES instance. You can configure authentication quite
detailed in httpd.
This does not work if you want to use the Java client which uses a binary
protocol against the ES instance. This would need changes to ES itself.

CU
Thomas


(Igor Motov) #3

Head is HTML5 application, which means head code doesn't run inside
elasticsearch. Instead you load it into your browser, and then your browser
is executing all necessary queries against elasticsearch. In other words,
to use head you need to provide access from your browser to all requests
that head is using. Head itself doesn't have to be protected since just
accessing head doesn't give you anything that is not already available on
github.

If you fell comfortable with configuring jetty, you might want to take a
look at jetty plugin for elasticsearch
(https://github.com/sonian/elasticsearch-jetty). It will allow you to setup
authentication on the elasticsearch nodes without an intermediate layer.

On Thursday, March 22, 2012 4:29:47 PM UTC-4, Dragan wrote:

Hi,

I am working on restricting access to my elasticsearch cluster and I'd
love some feedback on it.

All outside requests should go through an authenticated server that
passes them (unauthenticated) to elasticsearch. The ES machines only
accept requests from this server and from each other, all other
requests are denied.

I am trying to figure out what I'm going to do with the head plugin. I
can expose an api function that passes the status request to
elasticsearch, but it would be nice to be able to check up on the
index through /_plugin/head/

My questions are the following:

  1. I can open port X (X would be a different port from the one on
    which ES is running) and only allow authenticated access on it. I am
    assuming I can host head on port X, since all I need is to access
    /plugins/head/_site/index.html
    Is that correct?

  2. Is this a good way to protect my cluster?

Thank you

On Thursday, March 22, 2012 4:29:47 PM UTC-4, Dragan wrote:

Hi,

I am working on restricting access to my elasticsearch cluster and I'd
love some feedback on it.

All outside requests should go through an authenticated server that
passes them (unauthenticated) to elasticsearch. The ES machines only
accept requests from this server and from each other, all other
requests are denied.

I am trying to figure out what I'm going to do with the head plugin. I
can expose an api function that passes the status request to
elasticsearch, but it would be nice to be able to check up on the
index through /_plugin/head/

My questions are the following:

  1. I can open port X (X would be a different port from the one on
    which ES is running) and only allow authenticated access on it. I am
    assuming I can host head on port X, since all I need is to access
    /plugins/head/_site/index.html
    Is that correct?

  2. Is this a good way to protect my cluster?

Thank you


(dragan) #4

Thank you guys

On Fri, Mar 23, 2012 at 9:56 AM, Igor Motov imotov@gmail.com wrote:

Head is HTML5 application, which means head code doesn't run inside
elasticsearch. Instead you load it into your browser, and then your browser
is executing all necessary queries against elasticsearch. In other words, to
use head you need to provide access from your browser to all requests that
head is using. Head itself doesn't have to be protected since just accessing
head doesn't give you anything that is not already available on github.

If you fell comfortable with configuring jetty, you might want to take a
look at jetty plugin for elasticsearch
(https://github.com/sonian/elasticsearch-jetty). It will allow you to setup
authentication on the elasticsearch nodes without an intermediate layer.

On Thursday, March 22, 2012 4:29:47 PM UTC-4, Dragan wrote:

Hi,

I am working on restricting access to my elasticsearch cluster and I'd
love some feedback on it.

All outside requests should go through an authenticated server that
passes them (unauthenticated) to elasticsearch. The ES machines only
accept requests from this server and from each other, all other
requests are denied.

I am trying to figure out what I'm going to do with the head plugin. I
can expose an api function that passes the status request to
elasticsearch, but it would be nice to be able to check up on the
index through /_plugin/head/

My questions are the following:

  1. I can open port X (X would be a different port from the one on
    which ES is running) and only allow authenticated access on it. I am
    assuming I can host head on port X, since all I need is to access
    /plugins/head/_site/index.html
    Is that correct?

  2. Is this a good way to protect my cluster?

Thank you

On Thursday, March 22, 2012 4:29:47 PM UTC-4, Dragan wrote:

Hi,

I am working on restricting access to my elasticsearch cluster and I'd
love some feedback on it.

All outside requests should go through an authenticated server that
passes them (unauthenticated) to elasticsearch. The ES machines only
accept requests from this server and from each other, all other
requests are denied.

I am trying to figure out what I'm going to do with the head plugin. I
can expose an api function that passes the status request to
elasticsearch, but it would be nice to be able to check up on the
index through /_plugin/head/

My questions are the following:

  1. I can open port X (X would be a different port from the one on
    which ES is running) and only allow authenticated access on it. I am
    assuming I can host head on port X, since all I need is to access
    /plugins/head/_site/index.html
    Is that correct?

  2. Is this a good way to protect my cluster?

Thank you


(system) #5