The Elasticsearch Security Plugin filters search results using the body section of a search action request together with the Aspire Group Expansion Service.
The request to Elasticsearch is a POST request to the following endpoint, passing the query as the request body in JSON format:
"You will have to release a new version of the plugin for each new Elasticsearch release. This version is checked when the plugin is loaded, so Elasticsearch will refuse to start in the presence of plugins with the incorrect elasticsearch.version." – Elasticsearch documentation
Elasticsearch Security Plugin | |
---|---|
Currently Supporting: | Elasticsearch 5.2.2 |
Requirements
In order to use this plugin you need:
- Elasticsearch 5.2.2
  - Newer versions are supported on demand
- Group Expansion
  - See the Group Expansion Service
A service other than Group Expansion can be used if:
- It is a REST endpoint that accepts the parameter username.
- The response is an XML document with the same format as the one below.
URL Request
- For example, http://call-to-a-different-service:1234/getGroups?username=admin
XML Response
```xml
<groups>
  <group>tesla</group>
  <group>scientists</group>
  <group>italians</group>
  <group>group1</group>
  <group>group2</group>
  <group>group3</group>
  <group>group4</group>
  <group>PUBLIC:ALL</group>
  <group>xxxxxx</group>
</groups>
```
Configuration
This plugin is configured by adding the following options to the elasticsearch.yml file. Note that both usePublicAll options default to true: a document with no groups is treated as public, and a request with no user is evaluated as the PUBLIC:ALL user.
Property | Type | Default | Example | Description |
---|---|---|---|---|
searchtechnologies.security.usePublicAllGroup | boolean | true | - | If an element doesn't have groups, PUBLIC:ALL is added to it, so documents with no groups are visible to every user |
searchtechnologies.security.usePublicAllUser | boolean | true | - | If no user was passed in the parameters, the PUBLIC:ALL user is used and only public elements are retrieved |
searchtechnologies.security.groupsPath | string | - | acls.groups. | Path to the groups. Notice that the path ends with a dot, because the group name is appended to it, e.g. acls.groups.Administrators |
searchtechnologies.security.usersPath | string | - | acls.users. | Path to the users. Notice that the path ends with a dot, because the user name is appended to it, e.g. acls.users.admin |
searchtechnologies.security.groupexpansion.url | string | - | http://localhost:50505/groupExpansion | Group Expansion URL |
searchtechnologies.security.groupexpansion.updateTimeout | long | 300000 | - | Timeout for the connection to the Group Expansion service |
searchtechnologies.security.groupexpansion.cacheGroups | boolean | true | - | Caches the expanded groups per user |
searchtechnologies.security.groupexpansion.cacheMaxSize | int | 100 | - | Maximum size of the groups cache |
Example of the elasticsearch.yml
```yaml
################################## Search Technologies Security Plugin ################################
searchtechnologies.security.usePublicAllGroup: false
searchtechnologies.security.usePublicAllUser: true
searchtechnologies.security.groupsPath: acls.groups.
searchtechnologies.security.usersPath: acls.users.
searchtechnologies.security.groupexpansion.url: http://localhost:50505/groupExpansion
searchtechnologies.security.groupexpansion.updateTimeout: 300000
searchtechnologies.security.groupexpansion.cacheGroups: true
searchtechnologies.security.groupexpansion.cacheMaxSize: 100
```
Installation
Download the source code. In the root folder containing pom.xml, compile the project by executing:
```shell
mvn clean install
```
The plugin zip file is created in the resulting target/releases folder.
To install the plugin, see https://www.elastic.co/guide/en/elasticsearch/plugins/5.2/plugin-management-custom-url.html
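Before installing, confirm that the zip targets the running cluster version, since, as quoted above, a mismatched elasticsearch.version stops Elasticsearch from starting. The following is an added example, not part of the plugin or of Elasticsearch: it reads plugin-descriptor.properties, the descriptor file an Elasticsearch 5.x plugin zip carries at its root, and compares its elasticsearch.version against the version you pass in. The sample zip is constructed in memory; how you obtain the running version (for example from the version.number field of GET / on the cluster) is an assumption and not part of this page.

```python
# Added example (not the plugin's code): pre-install check of the plugin zip's
# plugin-descriptor.properties against the running Elasticsearch version.
import io
import zipfile

DESCRIPTOR = "plugin-descriptor.properties"  # descriptor name used by ES 5.x plugin zips


def parse_properties(text):
    """Parse a Java .properties file (key=value or key: value, '#'/'!' comments) into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def read_descriptor(zip_bytes):
    """Return the parsed descriptor from a plugin zip, or None when the zip has none."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # ES expects the descriptor at the zip root; a single wrapping folder is tolerated here
            if name == DESCRIPTOR or name.endswith("/" + DESCRIPTOR):
                return parse_properties(zf.read(name).decode("utf-8"))
    return None


def check_plugin_version(zip_bytes, running_version):
    """Return (ok, reason); ok only on an exact elasticsearch.version match,
    because Elasticsearch refuses to start with a plugin built for another version."""
    props = read_descriptor(zip_bytes)
    if props is None:
        return False, "no %s in zip" % DESCRIPTOR
    declared = props.get("elasticsearch.version")
    if declared is None:
        return False, "descriptor lacks elasticsearch.version"
    if declared != running_version:
        return False, "plugin built for %s, cluster runs %s" % (declared, running_version)
    return True, "plugin targets %s" % declared


def build_sample_zip(es_version):
    """Constructed sample zip holding only a descriptor (stands in for target/releases/*.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(DESCRIPTOR, "# constructed sample\nname=elasticsearch-security-plugin\n"
                                "elasticsearch.version=%s\n" % es_version)
    return buf.getvalue()


if __name__ == "__main__":
    # Real use: zip_bytes = open("target/releases/<plugin>.zip", "rb").read()
    # and running_version read from the cluster (assumed: GET / -> version.number).
    sample = build_sample_zip("5.2.2")
    for version in ("5.2.2", "5.3.0"):
        print(version, check_plugin_version(sample, version))
```

Run it against the real zip and the cluster's reported version before calling elasticsearch-plugin install; a False result means the plugin must be rebuilt for that release rather than installed.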
ACLs Format
The ACL structure used by this plugin is the one created by default by the Publish to ElasticSearch publisher. This structure can change, but the objects containing all of the groups and users must be specified in the groupsPath and usersPath properties. Here is an example of the ACLs created by the publisher:
```json
{
  "acls": {
    "groups": {
      "d01ad33ba2d22573b459fa21249d65b6": { "access": "allow", "name": "PUBLIC_ALL" },
      "ac19d5a588e0679a3d6977b887bd6062": { "access": "allow", "name": "Administrators" }
    },
    "users": {
      "c9cce1546a882f3f9a781ae5a1f29ab8": { "access": "allow", "name": "ealvarado" },
      "88ebf55fa69c1879e901222e7f669730": { "access": "deny", "name": "mmarin" }
    }
  }
}
```
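The following added example ties together the two formats on this page, the Group Expansion XML response and the ACL object above, as a reference model of the filtering decision the configuration describes. It is not the plugin's code, and several points the page leaves open are assumptions: a deny entry on the user or on any of the user's groups wins over any allow; ACL entries are matched on their name field (the sample keys them by opaque hashes); the cache evicts least-recently-used entries; and the HTTP call to the group expansion service is replaced by an offline stand-in returning a constructed response. The DOCTYPE rejection in the parser is added hardening, not plugin behaviour.

```python
# Added example (not the plugin's code): reference model of the group-expansion
# plus ACL filter this page describes, under the assumptions in the lead-in.
import xml.etree.ElementTree as ET
from collections import OrderedDict
from urllib.parse import urlencode

PUBLIC_ALL = "PUBLIC:ALL"  # the page's sample ACL spells it PUBLIC_ALL; the publisher decides


def group_expansion_url(base_url, username):
    """Build <url>?username=...; encoding stops '&', '#' or spaces in a name from altering the query."""
    return base_url + "?" + urlencode({"username": username})


def parse_groups(xml_bytes):
    """Parse <groups><group>..</group></groups> into a set of names. A DTD has no business
    in this response and ElementTree expands internal entities, so it is rejected up front."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("group expansion response carries a DTD; refusing to parse")
    root = ET.fromstring(xml_bytes)
    if root.tag != "groups":
        raise ValueError("unexpected root element %r" % root.tag)
    return {g.text.strip() for g in root.findall("group") if g.text and g.text.strip()}


class GroupCache:
    """Per-user cache for cacheGroups/cacheMaxSize; LRU eviction is an assumption."""

    def __init__(self, max_size=100):
        self.max_size = max_size
        self._entries = OrderedDict()

    def get(self, username):
        if username not in self._entries:
            return None
        self._entries.move_to_end(username)
        return self._entries[username]

    def put(self, username, groups):
        self._entries[username] = groups
        self._entries.move_to_end(username)
        while len(self._entries) > self.max_size:
            self._entries.popitem(last=False)


def resolve_path(doc, dotted):
    """Follow 'acls.groups.' (trailing dot = 'then the entry name') to the object of entries."""
    node = doc
    for part in dotted.strip(".").split("."):
        if not isinstance(node, dict) or part not in node:
            return {}
        node = node[part]
    return node if isinstance(node, dict) else {}


def entries_by_name(obj):
    """Map {hash: {"access": .., "name": ..}} to {name: access}; malformed entries are skipped."""
    return {e["name"]: e["access"] for e in obj.values()
            if isinstance(e, dict) and "name" in e and "access" in e}


def is_allowed(doc, username, groups, groups_path="acls.groups.", users_path="acls.users.",
               use_public_all_group=True):
    """Deny on the user or any of the user's groups wins; otherwise any matching allow grants access."""
    users = entries_by_name(resolve_path(doc, users_path))
    grps = entries_by_name(resolve_path(doc, groups_path))
    if not grps and use_public_all_group:
        grps = {PUBLIC_ALL: "allow"}  # usePublicAllGroup: a document with no groups is public
    if users.get(username) == "deny" or any(grps.get(g) == "deny" for g in groups):
        return False
    return users.get(username) == "allow" or any(grps.get(g) == "allow" for g in groups)


def groups_for(username, base_url, cache, fetch):
    """usePublicAllUser: no user means the PUBLIC:ALL pseudo-user; otherwise expand via the cache."""
    if not username:
        return {PUBLIC_ALL}
    groups = cache.get(username)
    if groups is None:
        groups = parse_groups(fetch(group_expansion_url(base_url, username)))
        cache.put(username, groups)
    return groups


# Constructed sample data: the ACL object from this page and a response in the page's XML format.
SAMPLE_DOC = {"acls": {
    "groups": {"d01ad33ba2d22573b459fa21249d65b6": {"access": "allow", "name": "PUBLIC_ALL"},
               "ac19d5a588e0679a3d6977b887bd6062": {"access": "allow", "name": "Administrators"}},
    "users": {"c9cce1546a882f3f9a781ae5a1f29ab8": {"access": "allow", "name": "ealvarado"},
              "88ebf55fa69c1879e901222e7f669730": {"access": "deny", "name": "mmarin"}}}}
SAMPLE_XML = b"<groups><group>Administrators</group><group>scientists</group><group>PUBLIC:ALL</group></groups>"


def offline_fetch(url):
    """Stand-in for the HTTP call to the group expansion service; always returns SAMPLE_XML."""
    return SAMPLE_XML


if __name__ == "__main__":
    cache = GroupCache(max_size=100)
    for user in ("ealvarado", "mmarin", "jdoe", ""):
        g = groups_for(user, "http://localhost:50505/groupExpansion", cache, offline_fetch)
        print(user or "<anonymous>", sorted(g), is_allowed(SAMPLE_DOC, user, g))
```

Two things the run makes visible: mmarin is refused even though the expansion puts him in Administrators, because his explicit deny wins, and the anonymous request is refused against the sample document because the ACL names the public group PUBLIC_ALL while the expansion response says PUBLIC:ALL. Whichever spelling your publisher and group expansion service agree on, the two must match exactly or public documents silently stop being public.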