The Elasticsearch Security Plugin was built to work using the body section of a search action request and the Aspire Group Expansion Service.
The request to Elasticsearch will be:
"You will have to release a new version of the plugin for each new Elasticsearch release. This version is checked when the plugin is loaded, so Elasticsearch will refuse to start in the presence of plugins with the incorrect
elasticsearch.version." – elasticsearch documentation
|Elasticsearch Security Plugin|
|Currently Supporting:||Elasticsearch 2.3.x|
In order to use this plugin:
- Elasticsearch 2.3.x
- Newer versions supported on demand
- Group Expansion
- Please check Group Expansion Service
A separate service from group expansion can be used if:
- It is a REST endpoint that accepts the parameter username.
- The response is an xml with the same format as this one.
- For example, http://call-to-a-different-service:1234/getGroups?username=admin
<groups> <group>tesla</group> <group>scientists</group> <group>italians</group> <group>group1</group> <group>group2</group> <group>group3</group> <group>group4</group> <group>PUBLIC:ALL</group> <group>xxxxxx</group> </groups>
This plugin can be configured adding the following options into the elasticsearch.yml file.
Turns security on and off
If an element doesn’t have groups, then adds PUBLIC:ALL to it
If no user was added to the parameters, then it uses the PUBLIC:ALL user and retrieves only the public elements
Path to the groups (notice that the path includes a dot at the end to call the name of the group, e.g acls.groups.Administarators)
Path to the users (notice that the path includes a dot at the end to call the name of the user, e.g acls.groups.admin)
Group Expansion url
Connection to group expansion timeout
Caches the groups per user
Max size of the cache
Example of the Elasticsearch.yml
To install the plugin, see https://www.elastic.co/guide/en/elasticsearch/plugins/2.4/plugin-management-custom-url.html
The ACLs structure used by this plugin is the one created by the Publish to ElasticSearch by default. This structure can change but the object containing all of the groups and users must be specified in the properties groupsPath and usersPath. Here is an example of the ACLs created by the publisher: