Shield doesn't support third party plugins

http://www.elasticsearch.org/guide/en/shield/current/limitations.html says
that "Third-party plugins are not supported on clusters with the Shield
security plugin installed."

Can someone clarify the difference between "not supported" and "won't work"
in this case please?

If I have a plugin that is critical to the way I use elasticsearch (e.g. a
plugin that adds a custom analyzer), is that page saying that
Elasticsearch.com will not support an installation containing both shield
and this analysis plugin? So that just means that anyone using third party
plugins cannot use Shield at all? Is there any plan to change that?

Thanks.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/2d838ef0-209b-4475-8e0f-22734fff0472%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

You should contact Elasticsearch support regarding this.

On 28 January 2015 at 20:27, Tim S timstibbs@gmail.com wrote:

http://www.elasticsearch.org/guide/en/shield/current/limitations.html
says that "Third-party plugins are not supported on clusters with the
Shield security plugin installed."

Can someone clarify the difference between "not supported" and "won't
work" in this case please?

If I have a plugin that is critical to the way I use elasticsearch (e.g. a
plugin that adds a custom analyzer), is that page saying that
Elasticsearch.com will not support an installation containing both shield
and this analysis plugin? So that just means that anyone using third party
plugins cannot use Shield at all? Is there any plan to change that?

Thanks.

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/2d838ef0-209b-4475-8e0f-22734fff0472%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/2d838ef0-209b-4475-8e0f-22734fff0472%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAEYi1X80k%3DoWzZ6aC6h%3DvckzoU3am%3DW9ouQtBrcBp3KBRJL%3Dfg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Tim,

We're in the process of clarifying this in the docs (agreed that the
current description is not really clear). Let me try to clarify it a bit
here...

When it comes to third party plugins, we have no control over the plugin
code. The plugin infrastructure is extremely flexible in terms of what can
be extended in elasticsearch, from adding analyzers to adding new internal
actions and rest endpoints. While the former will have no impact on
security, the latter might have a significant impact and potentially
completely bypass the security checks in the system. For this reason, from
a company perspective, we can't really support plugins that are not under
our control (note that a lot of these plugins are developed internally in
companies and are not open source such that we can even review the code).

As far as "won't work" is concerned, it obviously depends on what the
plugin is doing. A lot of plugins will work just fine (e.g. adding
additional analyzers), but others may experience unexpected behaviour when
developed without Shield security concerns in mind.

I hope this clarifies it a bit. As mentioned above, we will fix the docs
with better explanation about it.

On Wednesday, January 28, 2015 at 10:27:20 AM UTC+1, Tim S wrote:

http://www.elasticsearch.org/guide/en/shield/current/limitations.html
says that "Third-party plugins are not supported on clusters with the
Shield security plugin installed."

Can someone clarify the difference between "not supported" and "won't
work" in this case please?

If I have a plugin that is critical to the way I use elasticsearch (e.g. a
plugin that adds a custom analyzer), is that page saying that
Elasticsearch.com will not support an installation containing both shield
and this analysis plugin? So that just means that anyone using third party
plugins cannot use Shield at all? Is there any plan to change that?

Thanks.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/9d2661af-eb39-4cef-851c-1951d25965f2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks Uri, that helps, it makes a lot of sense.

On Wednesday, January 28, 2015 at 10:50:17 AM UTC, uboness wrote:

Tim,

We're in the process of clarifying this in the docs (agreed that the
current description is not really clear). Let me try to clarify it a bit
here...

When it comes to third party plugins, we have no control over the plugin
code. The plugin infrastructure is extremely flexible in terms of what can
be extended in elasticsearch, from adding analyzers to adding new internal
actions and rest endpoints. While the former will have no impact on
security, the latter might have a significant impact and potentially
completely bypass the security checks in the system. For this reason, from
a company perspective, we can't really support plugins that are not under
our control (note that a lot of these plugins are developed internally in
companies and are not open source such that we can even review the code).

As far as "won't work" is concerned, it obviously depends on what the
plugin is doing. A lot of plugins will work just fine (e.g. adding
additional analyzers), but others may experience unexpected behaviour when
developed without Shield security concerns in mind.

I hope this clarifies it a bit. As mentioned above, we will fix the docs
with better explanation about it.

On Wednesday, January 28, 2015 at 10:27:20 AM UTC+1, Tim S wrote:

http://www.elasticsearch.org/guide/en/shield/current/limitations.html
says that "Third-party plugins are not supported on clusters with the
Shield security plugin installed."

Can someone clarify the difference between "not supported" and "won't
work" in this case please?

If I have a plugin that is critical to the way I use elasticsearch (e.g.
a plugin that adds a custom analyzer), is that page saying that
Elasticsearch.com will not support an installation containing both shield
and this analysis plugin? So that just means that anyone using third party
plugins cannot use Shield at all? Is there any plan to change that?

Thanks.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/aa4dbf86-709d-4399-8496-6a94a358610e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

As a plugin author, is there any chance to use something like a suite of
tests or a compatibility kit in order to validate a plugin for being
compatible with Shield / a specific Shield version?

Jörg

On Wed, Jan 28, 2015 at 11:50 AM, uboness uri.boness@elasticsearch.com
wrote:

Tim,

We're in the process of clarifying this in the docs (agreed that the
current description is not really clear). Let me try to clarify it a bit
here...

When it comes to third party plugins, we have no control over the plugin
code. The plugin infrastructure is extremely flexible in terms of what can
be extended in elasticsearch, from adding analyzers to adding new internal
actions and rest endpoints. While the former will have no impact on
security, the latter might have a significant impact and potentially
completely bypass the security checks in the system. For this reason, from
a company perspective, we can't really support plugins that are not under
our control (note that a lot of these plugins are developed internally in
companies and are not open source such that we can even review the code).

As far as "won't work" is concerned, it obviously depends on what the
plugin is doing. A lot of plugins will work just fine (e.g. adding
additional analyzers), but others may experience unexpected behaviour when
developed without Shield security concerns in mind.

I hope this clarifies it a bit. As mentioned above, we will fix the docs
with better explanation about it.

On Wednesday, January 28, 2015 at 10:27:20 AM UTC+1, Tim S wrote:

http://www.elasticsearch.org/guide/en/shield/current/limitations.html
says that "Third-party plugins are not supported on clusters with the
Shield security plugin installed."

Can someone clarify the difference between "not supported" and "won't
work" in this case please?

If I have a plugin that is critical to the way I use elasticsearch (e.g.
a plugin that adds a custom analyzer), is that page saying that
Elasticsearch.com will not support an installation containing both shield
and this analysis plugin? So that just means that anyone using third party
plugins cannot use Shield at all? Is there any plan to change that?

Thanks.

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/9d2661af-eb39-4cef-851c-1951d25965f2%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/9d2661af-eb39-4cef-851c-1951d25965f2%40googlegroups.com?utm_medium=email&utm_source=footer
.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAKdsXoFByTUtz%2BP%3Dutq_tQtcLVsz8EWyr1C96sopBuUXESE0EQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.