Nginx reverse proxy for elasticsearch – inserting filters

elasticsearch kibana nginx

I've got an Elasticsearch instance, with an Nginx reverse proxy sat in front of it, implementing a URL level access control mechanism – approximately as described in this article.

This is giving me per-index granularity, which is handy.

What I'm trying to figure out next though is – can I enforce a blanket filter criteria that excludes results from searches and direct document retrievals?

I'm thinking a 'group' model, where docs in my indices are tagged by group, and users can only see results and docs for their group.

Now, I know I could do a per-group index, and apply URL level controls. That may be my workaround if I can't do this.

I have had a look at aliasing – this seems to do 90% of what I want, in that I can restrict a search to an alias. But what I can't then do is inhibit a direct 'GET' request with an (unauthorised) document ID.

Is there a way of doing this, or am I just on a road to nowhere?

Note – part of my reason for this is that I'm trying to use a fairly standard Kibana setup, and I have overlapping groups of users.

Best Answer

While I can't directly answer your question (+1), I wanted to point out that the people working at Elastic finally listened to all the requests made by people demanding access control for Elasticsearch and introduced Shield. Quoting the website:

With the rapid adoption of Elasticsearch, it is easier than ever to store, search, and analyze your data. Shield allows you to easily protect this data with a username and password, while simplifying your architecture. Advanced security features like encryption, role-based access control, IP filtering, and auditing are also available when you need them.

Your data is increasingly your most valuable asset. Password protect it with Shield.

Maybe it would be worth having a look, at least to check whether this fulfills your requirements.
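
The gap described in the question (a filtered alias constrains searches but not a direct GET by document ID) can be modelled as a default-deny URL decision in the layer that sits with the proxy. This is an added example, not part of the question or the answer: the user, group and alias names are constructed, and it assumes the caller passes the normalized request path without its query string.

```python
import json
import re

# Constructed sample policy (all names are assumptions for illustration):
# user -> groups, group -> name of a filtered alias holding that group's docs.
USER_GROUPS = {"alice": {"red"}, "bob": {"red", "blue"}}
GROUP_ALIAS = {"red": "docs_red", "blue": "docs_blue"}

# One path segment that is not an API endpoint (does not start with "_").
SEG = r"([^/_][^/]*)"
SEARCH_RE = re.compile(r"^/" + SEG + r"/_(search|count)$")
DOC_RE = re.compile(r"^/" + SEG + "/" + SEG + "/" + SEG + "$")  # /index/type/id


def allowed_aliases(user):
    """Aliases the user may query; unknown users get none."""
    return {GROUP_ALIAS[g] for g in USER_GROUPS.get(user, ())}


def authorize(user, method, path):
    """Return (decision, upstream_method, upstream_path, upstream_body).

    decision is "allow", "rewrite" or "deny". upstream_body is None when the
    client's own request body is passed through unchanged.
    """
    aliases = allowed_aliases(user)
    m = SEARCH_RE.match(path)
    if m and method in ("GET", "POST"):
        # Only an exact alias name passes; comma lists and wildcards are one
        # segment that is not in the set, so they are denied.
        if m.group(1) in aliases:
            return ("allow", method, path, None)
        return ("deny", None, None, None)
    m = DOC_RE.match(path)
    if m and method == "GET":
        alias, _doc_type, doc_id = m.groups()
        if alias not in aliases:
            return ("deny", None, None, None)
        # The alias filter is not applied to a get-by-ID, so forward an ids
        # query against the same alias instead, where the filter does apply.
        body = json.dumps({"query": {"ids": {"values": [doc_id]}}})
        return ("rewrite", "POST", "/%s/_search" % alias, body)
    # Default deny: _mget, _msearch, _all, writes, admin and cluster APIs.
    return ("deny", None, None, None)
```

A rewritten request returns a search response rather than a document response, so the client has to accept that shape for by-ID lookups.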