TransportClient & Authentication

Eric_Jain · April 5, 2012, 1:58am

If the elasticsearch nodes are running on a different network (or in a
different ec2 security group), how do I connect using the Java
TransportClient?

kimchy · April 8, 2012, 5:51pm

There ins't a built in option for "security", you can possibly channel it
through an ssh tunnel?

On Thu, Apr 5, 2012 at 4:58 AM, Eric Jain eric.jain@gmail.com wrote:

If the elasticsearch nodes are running on a different network (or in a
different ec2 security group), how do I connect using the Java
TransportClient?

Eric_Jain · April 9, 2012, 7:10am

On Sun, Apr 8, 2012 at 10:51, Shay Banon kimchy@gmail.com wrote:

There ins't a built in option for "security", you can possibly channel it
through an ssh tunnel?

Do the servers need to connect back to the client when using either
the TransportClient or the default client?

Eric_Jain · April 11, 2012, 7:40am

On Apr 8, 10:51 am, Shay Banon kim...@gmail.com wrote:

There ins't a built in option for "security", you can possibly channel it
through an ssh tunnel?

Also: If there are several elasticsearch servers in the cluster, REST
API requests can go through a load balancer. But I'm not sure the same
is possible with an SSH tunnel for the Java API?

kimchy · April 11, 2012, 9:23am

For the TransportClient, no, the connection is only from the client to the
cluster. With NodeClient, the master needs to connect to the client in
order to notify it with events (potentially, we could have used the same
connection from the client to the cluster to notify for events, but
currently it requires a connection from the "cluster" to the node client).

On Mon, Apr 9, 2012 at 10:10 AM, Eric Jain eric.jain@gmail.com wrote:

On Sun, Apr 8, 2012 at 10:51, Shay Banon kimchy@gmail.com wrote:

There ins't a built in option for "security", you can possibly channel it
through an ssh tunnel?

Do the servers need to connect back to the client when using either
the TransportClient or the default client?

Eric_Jain · April 11, 2012, 6:03pm

On Wed, Apr 11, 2012 at 02:23, Shay Banon kimchy@gmail.com wrote:

For the TransportClient, no, the connection is only from the client to the
cluster [...]

So TransportClient could work, but in order to connect to a cluster
from outside without opening port 9300 to the world I'd have to set up
an ssh tunnel to an ssh load balancer that knows which machines are
running elasticearch. Is this really the simplest solution?

The use case is using a cluster of elasticsearch instances on EC2 from
an application deployed on Heroku (also running on EC2, but in a
different security group).