This plugin adds security functionality to elasticsearch in the form of separate modules.
As of now two security modules are implemented:
- Restrict actions against elasticsearch on IP-Address basis (actionpathfilter)
- Limit fields which will be returned on IP-Address basis (fieldresponsefilter)
Windows:
plugin.bat --url http://goo.gl/1JwMKw --install elasticsearch-security-plugin-0.0.1.Beta1
UNIX:
plugin --url http://goo.gl/1JwMKw --install elasticsearch-security-plugin-0.0.1.Beta1
Optionally enable XFF:
- security.http.xforwardedfor.header: X-Forwarded-For
  Enable XFF
- security.http.xforwardedfor.trustedproxies: <List of proxy ip's>
  Example: 192.168.1.1, 31.122.45.1, 193.54.55.21
- security.http.xforwardedfor.enforce: true
  Enforce XFF header, default: false
Example: Configure 'Restrict actions against elasticsearch on IP-Address basis (actionpathfilter)' module
$ curl -XPUT 'http://localhost:9200/securityconfiguration/actionpathfilter/actionpathfilter' -d '
{
"rules": [
{
"hosts" : [ "*" ],
"indices" :[ "*" ],
"permission" : "ALL"
},
{
"hosts" : [ "google-public-dns-a.google.com" ],
"indices" :[ "*"],
"permission" : "NONE"
},
{
"hosts" : [ "8.8.8.8" ],
"indices" :[ "testindex1","testindex2" ],
"permission" : "READWRITE"
},
{
"hosts" : [ "81.*.8.*","2.44.12.14","*google.de","192.168.*.*" ],
"indices" :[ "testindex1" ],
"permission" : "READONLY"
}
]
}'
Permissions:
- ALL: No restrictions
- READWRITE: No admin actions, but read and write operations are allowed
- READONLY: No admin and no write actions allowed (but read actions are)
- NONE: No action allowed (read actions will also be denied)
Example: Configure 'Limit fields which will be returned on IP-Address basis (fieldresponsefilter)' module
$ curl -XPUT 'http://localhost:9200/securityconfiguration/fieldresponsefilter/fieldresponsefilter' -d '
{
"rules": [
{
"hosts" : [ "*" ],
"indices" :[ "*" ],
"fields" : "_id"
},
{
"hosts" : [ "*mycompany.com" ],
"indices" :[ "*"],
"fields" : "*"
},
{
"hosts" : [ "39.18.22.8" ],
"indices" :[ "testindex1","testindex2" ],
"fields" : "name,user,_id"
},
{
"hosts" : [ "132.*.6.*","122.44.123.14","*google.de","192.168.1.*" ],
"indices" :[ "testindex1","textindex3","myindex" ],
"fields" : "timestamp,my.field.name,street,plz"
}
]
}'
Fields:
- List of fields (comma separated) which will be returned for a POST _search/_msearch query
In a more formal way the configuration looks like:
- Format is JSON
- One top level array named "rules"
- A single wildcard character (*) matches any host or any index
- In hostnames or ip's you can use the wildcard character (*) to specify subnets
- The rule elements look like:
{
"hosts" : [ <* or list of hostnames/ip's for which this rule apply> ],
"indices" :[ <* or list of indices for which this rule apply> ],
"<qualification name>" : <qualification string>
}
- There must be exactly one default rule:
{
"hosts" : [ "*" ],
"indices" :[ "*" ],
"<qualification name>" : <qualification string>
}
- If more than one rule matches, then the last one (the one furthest down in the security config) is used
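
An added example (not part of the plugin or its documentation): a small Python check that validates a rules document against the constraints listed above and resolves which rule takes effect for a client, using the actionpathfilter rules from this page. The function names, the fnmatch-style wildcard matching, and passing the client's IP together with a hostname it resolves to are assumptions, not the plugin's implementation.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the actionpathfilter rules from the example on this page.
CONFIG = json.loads("""
{"rules": [
  {"hosts": ["*"], "indices": ["*"], "permission": "ALL"},
  {"hosts": ["google-public-dns-a.google.com"], "indices": ["*"], "permission": "NONE"},
  {"hosts": ["8.8.8.8"], "indices": ["testindex1", "testindex2"], "permission": "READWRITE"},
  {"hosts": ["81.*.8.*", "2.44.12.14", "*google.de", "192.168.*.*"],
   "indices": ["testindex1"], "permission": "READONLY"}
]}
""")

def validate(config, qualification):
    """Return a list of problems; an empty list means the documented constraints hold."""
    rules = config.get("rules")
    if not isinstance(rules, list):
        return ['missing top level array "rules"']
    problems = []
    for i, rule in enumerate(rules):
        missing = {"hosts", "indices", qualification} - set(rule)
        if missing:
            problems.append(f"rule {i}: missing {sorted(missing)}")
    # The default rule is the one with hosts ["*"] and indices ["*"].
    defaults = [r for r in rules
                if r.get("hosts") == ["*"] and r.get("indices") == ["*"]]
    if len(defaults) != 1:
        problems.append(f"expected exactly one default rule, found {len(defaults)}")
    return problems

def effective(config, qualification, client_names, index):
    """Last matching rule wins. client_names: client IP plus any resolved hostname (assumption)."""
    result = None
    for rule in config["rules"]:
        host_hit = any(fnmatchcase(n, p) for n in client_names for p in rule["hosts"])
        index_hit = any(fnmatchcase(index, p) for p in rule["indices"])
        if host_hit and index_hit:
            result = rule[qualification]  # later rules overwrite earlier matches
    return result
```

With these rules a client in 192.168.*.* resolves to READONLY on testindex1 but falls through to the default ALL rule on every other index, so the qualification chosen for the default rule decides what unlisted hosts and indices receive.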
