Setup Authentication and Authorization WITHOUT X-Pack?

I am part of a small enterprise and unfortunately we cannot afford the licensing model to leverage X-Pack. In light of this, I was wondering what is considered a robust open source authentication and authorization setup to allow controlled access to our EC2-based Elastic instances? Here are the needs I want to solve for:

  • Allow Support for SSO based authentication for my small enterprise's employees
  • Support for Authorization and role based access (ie allow admin rights for administration and read-only rights to read data from Elastic Stack per user basis?)

I guess you can add an nginx on top of Elasticsearch and try to protect some URLs with it.

But be aware that some APIs will probably need to be blocked altogether, like _bulk, _msearch and _mget.
Also any usage of index wildcards, maybe?

At the very least, do not expose elasticsearch on internet but use an application layer for which elasticsearch access is granted.

BTW did you engage with the sales team about your project? If not, check with them as many options are available and one might fit your budget.
Also consider cloud.elastic.co.

@dadoonet thank you.

  1. So by adding an NGINX layer in front of ElasticSearch - will authentication automatically bubble up to Kibana Layer?
  2. Can I support Authorization in addition to Authentication and allow certain roles to access certain types of HTTP Methods (ie allow Normal Users only access to GET whilst Admin Users to GET/PUT/POST/DELETE?)

This is my revised architecture in light of what you have suggested:

Route53 (KB) > ElasticLoadBalancer (KB) > KB EC2 > Route53 (ELASTICSEARCH) > (NGINX) > ElasticLoadBalancer (ELASTICSEARCH) > ELASTIC EC2

  1. No I don't think so.
  2. Probably. That's an nginx question IMO.
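As an added example (not posted by anyone in this thread and not Elastic's or nginx's own configuration), here is one way to implement the proxy dadoonet describes: HTTP basic auth in front of Elasticsearch, the _bulk/_msearch/_mget endpoints and wildcard index names refused outright, and write methods gated on a separate admin credential file, which answers the OP's second follow-up question. The upstream name `es_backend`, the hostname, the certificate paths and the two htpasswd files are placeholders; the `_all` rule is an assumption about what "index wildcard" should cover.

```nginx
# Added example: nginx as an authenticating reverse proxy in front of an
# Elasticsearch cluster that has no security plugin of its own.
# All names below (upstream, hostname, cert and htpasswd paths) are placeholders.

upstream es_backend {
    # The Elasticsearch load balancer from the OP's diagram (placeholder DNS name).
    server es-elb.internal.example:9200;
}

server {
    listen 443 ssl;
    server_name es-proxy.example;                        # placeholder hostname

    ssl_certificate     /etc/nginx/certs/es-proxy.crt;   # placeholder
    ssl_certificate_key /etc/nginx/certs/es-proxy.key;   # placeholder

    # 1. Refuse the multi-document APIs for everybody, authenticated or not.
    #    The regex matches both /_bulk and /<index>/_bulk style paths.
    location ~ /(_bulk|_msearch|_mget)(/|$) {
        return 403;
    }

    # 2. Refuse wildcard index names (and _all, assumed to be in scope) in the
    #    first path segment, so a read-only user cannot sweep every index at once.
    location ~ ^/(_all|[^/]*\*[^/]*)(/|$) {
        return 403;
    }

    # 3. Everything else: authenticate, then gate non-read methods on a second,
    #    smaller credential file that acts as the "admin" role.
    location / {
        # Anyone listed in es-users.htpasswd may read (GET/HEAD). Admin accounts
        # must be listed in this file as well so that they can read too.
        auth_basic           "Elasticsearch";
        auth_basic_user_file /etc/nginx/es-users.htpasswd;    # placeholder

        # For every method other than GET and HEAD, authenticate against the
        # admin file only. A read-only user sending PUT/POST/DELETE gets a 401.
        limit_except GET HEAD {
            auth_basic           "Elasticsearch admin";
            auth_basic_user_file /etc/nginx/es-admins.htpasswd;   # placeholder
        }

        proxy_pass         http://es_backend;
        proxy_set_header   Host            $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # An empty value drops the header, so the user's credentials never
        # reach the Elasticsearch nodes themselves.
        proxy_set_header   Authorization   "";
    }
}
```

Two consequences worth knowing before copying this: read-only users can only search with GET (a GET request body or the `q=` parameter), because POST is treated as a write here; and Kibana's own traffic to Elasticsearch is POST-heavy and uses _msearch, so, as dadoonet says, this proxy does not carry over to Kibana and the KB EC2 host needs its own path to the cluster rather than the read-only gate above. Elasticsearch itself should still listen only on the private network, as the reply notes.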
