Security of ES


(Patrick Proniewski) #1

Hello,

As a BOfH, I'm quite used to providing auth-based access to IT resources. As CISO I must guarantee that users get only what they need, especially about sensitive content. Unfortunately I can't find anything about authentication and security in the ES documentation. It looks like the product is designed like memcached: it's there and free to use.

Is there any way to provide some partitioning inside an ES cluster, so that we can share the cluster without sharing the data?

thanks,
Patrick

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/E22ED5A1-1554-4558-BBC7-3408CBA3C179%40patpro.net.
For more options, visit https://groups.google.com/d/optout.


(Adrien Grand) #2

Hi,

Elasticsearch doesn't support any form of authentication or authorization
at the moment. The way users deal with this issue is usually by giving
access to Elasticsearch through a proxy that would handle security based on
the path of the URL.

On Wed, Apr 30, 2014 at 5:56 PM, Patrick Proniewski <elasticsearch@patpro.net> wrote:

Hello,

As a BOfH, I'm quite used to providing auth-based access to IT resources. As
CISO I must guarantee that users get only what they need, especially about
sensitive content. Unfortunately I can't find anything about
authentication and security in the ES documentation. It looks like the product
is designed like memcached: it's there and free to use.

Is there any way to provide some partitioning inside an ES cluster, so
that we can share the cluster without sharing the data?

thanks,
Patrick


--
Adrien Grand



(David Pilato) #3

Yes. For now, you have to deal with security yourself.

So, secure the URLs using Nginx, for example, and use aliases, which will expose the alias URL and not the direct index URL.
Use filters in aliases.

Example:

Let's say you have a groupid field in your documents and you have a "doc" index.
A doc A belongs to groupid "marketing".
Doc B belongs to groupid "finances".

Create an alias "marketing" which uses "doc" index with a prebuilt filter on groupid with "marketing".
Same for finances.

Then secure your URLs using Nginx and let users access only the right URLs (aliases) they should see.

My 2 cents.

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet | @elasticsearchfr

On 30 April 2014 at 17:56:10, Patrick Proniewski (elasticsearch@patpro.net) wrote:

Hello,

As a BOfH, I'm quite used to providing auth-based access to IT resources. As CISO I must guarantee that users get only what they need, especially about sensitive content. Unfortunately I can't find anything about authentication and security in the ES documentation. It looks like the product is designed like memcached: it's there and free to use.

Is there any way to provide some partitioning inside an ES cluster, so that we can share the cluster without sharing the data?

thanks,
Patrick
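
The setup described in post #3, as an added example that is not part of any post in this thread: the `_aliases` request body that creates one filtered alias per group on the "doc" index, and the allow-list decision a front-end proxy would make before forwarding a request. The user names, `USER_ALIASES`, `alias_actions` and `authorize` are assumptions made for illustration; `path` is assumed to be the raw request path without the query string.

```python
import json
import re

INDEX = "doc"            # index name used in the thread
GROUP_FIELD = "groupid"  # field name used in the thread

def alias_actions(groups):
    """Body for POST /_aliases: one filtered alias per group on INDEX."""
    return {"actions": [
        {"add": {"index": INDEX, "alias": g,
                 "filter": {"term": {GROUP_FIELD: g}}}}
        for g in groups
    ]}

# Hypothetical mapping: authenticated proxy user -> aliases that user may query.
USER_ALIASES = {"alice": {"marketing"}, "bob": {"finances"}}

# Allow-list: exactly /<alias>/_search, where <alias> is a single plain name.
# Matching the raw path means anything percent-encoded is rejected as well.
SEARCH_PATH = re.compile(r"/([a-z0-9][a-z0-9_-]*)/_search")

def authorize(user, method, path):
    """Return True only if the proxy should forward this request."""
    if method not in ("GET", "POST"):
        return False
    m = SEARCH_PATH.fullmatch(path)
    if m is None:
        # Index lists, wildcards and every other endpoint are denied by default.
        return False
    return m.group(1) in USER_ALIASES.get(user, set())

if __name__ == "__main__":
    print(json.dumps(alias_actions(["marketing", "finances"]), indent=2))
    # Constructed sample requests: (user, method, path)
    for req in [("alice", "GET", "/marketing/_search"),
                ("alice", "GET", "/finances/_search"),
                ("alice", "GET", "/doc/_search"),
                ("bob", "POST", "/finances/_search")]:
        print(req, "->", "forward" if authorize(*req) else "deny")
```

Because the decision is an allow-list on the full path, the underlying "doc" index and any endpoint other than a single-alias search stay unreachable through the proxy unless they are added deliberately.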



(Patrick Proniewski) #4

Thanks Adrien.

On 30 Apr 2014, at 18:02, Adrien Grand wrote:

Hi,

Elasticsearch doesn't support any form of authentication or authorization at the moment. The way users deal with this issue is usually by giving access to Elasticsearch through a proxy that would handle security based on the path of the URL.

On Wed, Apr 30, 2014 at 5:56 PM, Patrick Proniewski <elasticsearch@patpro.net> wrote:
Hello,

As a BOfH, I'm quite used to providing auth-based access to IT resources. As CISO I must guarantee that users get only what they need, especially about sensitive content. Unfortunately I can't find anything about authentication and security in the ES documentation. It looks like the product is designed like memcached: it's there and free to use.

Is there any way to provide some partitioning inside an ES cluster, so that we can share the cluster without sharing the data?



(Patrick Proniewski) #5

Hmmm ok
I'll have to think about this. I do get the proxy part, very easy, I've been doing this kind of stuff for eons. Now you write I can discriminate URLs by injecting an arbitrary field into my data and creating an alias that names a prebuilt filter. I discovered aliases just 2 hours ago, I'll have to dive into this to understand exactly how it works, and in particular how it can be used in a logstash install.

thanks for the tip.

On 30 Apr 2014, at 18:04, David Pilato wrote:

Yes. For now, you have to deal with security yourself.

So, secure the URLs using Nginx, for example, and use aliases, which will expose the alias URL and not the direct index URL.
Use filters in aliases.

Example:

Let's say you have a groupid field in your documents and you have a "doc" index.
A doc A belongs to groupid "marketing".
Doc B belongs to groupid "finances".

Create an alias "marketing" which uses "doc" index with a prebuilt filter on groupid with "marketing".
Same for finances.

Then secure your URLs using Nginx and let users access only the right URLs (aliases) they should see.

My 2 cents.

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet | @elasticsearchfr

On 30 April 2014 at 17:56:10, Patrick Proniewski (elasticsearch@patpro.net) wrote:

Hello,

As a BOfH, I'm quite used to providing auth-based access to IT resources. As CISO I must guarantee that users get only what they need, especially about sensitive content. Unfortunately I can't find anything about authentication and security in the ES documentation. It looks like the product is designed like memcached: it's there and free to use.

Is there any way to provide some partitioning inside an ES cluster, so that we can share the cluster without sharing the data?

thanks,
Patrick


