The Elasticsearch Security Plugin was built to work using the body section of a search action request and the Aspire Group Expansion Service.
The request to Elasticsearch will be:
"You will have to release a new version of the plugin for each new Elasticsearch release. This version is checked when the plugin is loaded, so Elasticsearch will refuse to start in the presence of plugins with the incorrect elasticsearch.version." – elasticsearch documentation
| Elasticsearch Security Plugin | |
|---|---|
| Currently Supporting: | Elasticsearch 2.3.x |
Requirements
In order to use this plugin:
- Elasticsearch 2.3.x
- Newer versions supported on demand
- Group Expansion
- Please check Group Expansion Service
A separate service from group expansion can be used if:
- It is a REST endpoint that accepts the parameter username.
- The response is an xml with the same format as this one.
URL Request
- For example, http://call-to-a-different-service:1234/getGroups?username=admin
XML Response
<groups>
<group>tesla</group>
<group>scientists</group>
<group>italians</group>
<group>group1</group>
<group>group2</group>
<group>group3</group>
<group>group4</group>
<group>PUBLIC:ALL</group>
<group>xxxxxx</group>
</groups>Configuration
This plugin can be configured adding the following options into the elasticsearch.yml file.
| Property | Type | Default | Example | Description |
|---|---|---|---|---|
| searchtechnologies.security.enable | boolean | true | Turns security on and off | |
| searchtechnologies.security.usePublicAllGroup | boolean | true | If an element doesn’t have groups, then adds PUBLIC:ALL to it | |
| searchtechnologies.security.usePublicAllUser | boolean | true | If no user was added to the parameters, then it uses the PUBLIC:ALL user and retrieves only the public elements | |
| searchtechnologies.security.groupsPath | string | - | acls.groups. | Path to the groups (notice that the path includes a dot at the end to call the name of the group, e.g acls.groups.Administarators) |
| searchtechnologies.security.usersPath | string | - | acls.users. | Path to the users (notice that the path includes a dot at the end to call the name of the user, e.g acls.groups.admin) |
| searchtechnologies.security.groupexpansion.url | string | - | http://localhost:50505/groupExpansion | Group Expansion url |
| searchtechnologies.security.groupexpansion.updateTimeout | long | 300000 | Connection to group expansion timeout | |
| searchtechnologies.security.groupexpansion.cacheGroups | boolean | true | Caches the groups per user | |
| searchtechnologies.security.groupexpansion.cacheMaxSize | int | 100 | Max size of the cache |
Example of the Elasticsearch.yml
################################## Search Technologies Security Plugin ################################ searchtechnologies.security.enable: true searchtechnologies.security.usePublicAllGroup: false searchtechnologies.security.usePublicAllUser: true searchtechnologies.security.groupsPath: acls.groups. searchtechnologies.security.usersPath: acls.users. searchtechnologies.security.groupexpansion.url: http://localhost:50505/groupExpansion searchtechnologies.security.groupexpansion.updateTimeout: 300000 searchtechnologies.security.groupexpansion.cacheGroups: true searchtechnologies.security.groupexpansion.cacheMaxSize: 100
Installation
To install the plugin, see https://www.elastic.co/guide/en/elasticsearch/plugins/2.4/plugin-management-custom-url.html
ACLs Format
The ACLs structure used by this plugin is the one created by the Publish to ElasticSearch by default. This structure can change but the object containing all of the groups and users must be specified in the properties groupsPath and usersPath. Here is an example of the ACLs created by the publisher:
{
"acls": {
"groups": {
"d01ad33ba2d22573b459fa21249d65b6": {
"access": "allow",
"name": "PUBLIC_ALL"
},
"ac19d5a588e0679a3d6977b887bd6062": {
"access": "allow",
"name": "Administrators"
},
},
"users": {
"c9cce1546a882f3f9a781ae5a1f29ab8": {
"access": "allow",
"name": "ealvarado"
},
"88ebf55fa69c1879e901222e7f669730": {
"access": "deny",
"name": "mmarin"
},
}
},
}
Overview
Content Tools