The Elasticsearch Security Plugin was built to work using the body section of a search action request and the Aspire Group Expansion Service.
The request to Elasticsearch will be a POST request to the following endpoint, passing the query as the request body in JSON format:
"You will have to release a new version of the plugin for each new Elasticsearch release. This version is checked when the plugin is loaded, so Elasticsearch will refuse to start in the presence of plugins with the incorrect elasticsearch.version
." – elasticsearch documentation
Elasticsearch Security Plugin | |
---|---|
Currently Supporting: | Elasticsearch 5.2.2 |
In order to use this plugin:
A separate service from group expansion can be used if:
URL Request
XML Response
<groups> <group>tesla</group> <group>scientists</group> <group>italians</group> <group>group1</group> <group>group2</group> <group>group3</group> <group>group4</group> <group>PUBLIC:ALL</group> <group>xxxxxx</group> </groups>
This plugin can be configured adding the following options into the elasticsearch.yml file.
Property | Type | Default | Example | Description |
---|---|---|---|---|
searchtechnologies.security.usePublicAllGroup | boolean | true | If an element doesn’t have groups, then adds PUBLIC:ALL to it | |
searchtechnologies.security.usePublicAllUser | boolean | true | If no user was added to the parameters, then it uses the PUBLIC:ALL user and retrieves only the public elements | |
searchtechnologies.security.groupsPath | string | - | acls.groups. | Path to the groups (notice that the path includes a dot at the end to call the name of the group, e.g acls.groups.Administarators) |
searchtechnologies.security.usersPath | string | - | acls.users. | Path to the users (notice that the path includes a dot at the end to call the name of the user, e.g acls.groups.admin) |
searchtechnologies.security.groupexpansion.url | string | - | http://localhost:50505/groupExpansion | Group Expansion url |
searchtechnologies.security.groupexpansion.updateTimeout | long | 300000 | Connection to group expansion timeout | |
searchtechnologies.security.groupexpansion.cacheGroups | boolean | true | Caches the groups per user | |
searchtechnologies.security.groupexpansion.cacheMaxSize | int | 100 | Max size of the cache |
################################## Search Technologies Security Plugin ################################ searchtechnologies.security.usePublicAllGroup: false searchtechnologies.security.usePublicAllUser: true searchtechnologies.security.groupsPath: acls.groups. searchtechnologies.security.usersPath: acls.users. searchtechnologies.security.groupexpansion.url: http://localhost:50505/groupExpansion searchtechnologies.security.groupexpansion.updateTimeout: 300000 searchtechnologies.security.groupexpansion.cacheGroups: true searchtechnologies.security.groupexpansion.cacheMaxSize: 100
Download the source code. On the root folder containing pom.xml, compile the project executing:
mvn clean install
The plugin zip file will be created on the resulting /target/releases folder.
To install the plugin, see https://www.elastic.co/guide/en/elasticsearch/plugins/5.2/plugin-management-custom-url.html
The ACLs structure used by this plugin is the one created by the Publish to ElasticSearch by default. This structure can change but the object containing all of the groups and users must be specified in the properties groupsPath and usersPath. Here is an example of the ACLs created by the publisher:
{ "acls": { "groups": { "d01ad33ba2d22573b459fa21249d65b6": { "access": "allow", "name": "PUBLIC_ALL" }, "ac19d5a588e0679a3d6977b887bd6062": { "access": "allow", "name": "Administrators" }, }, "users": { "c9cce1546a882f3f9a781ae5a1f29ab8": { "access": "allow", "name": "ealvarado" }, "88ebf55fa69c1879e901222e7f669730": { "access": "deny", "name": "mmarin" }, } }, }