
I've got an AWS Elasticsearch server that I'm using to power search in my iOS app. I'm using Alamofire to make search requests from the iOS app, and I've got a Node.js server to manage the relationship between the Elasticsearch index and my backend database and keep the index updated whenever my backend gets new data.

How can I restrict the access of the iOS clients to read-only, but also have read/write access for my Node.js server?

Forest Kunecke

1 Answer


I don't think I would let an iOS client touch ES directly.

I would send those GET requests (assuming they are GET requests) to your node server and then let node send them along to ES.

I would never expose ES to the outside world, especially to untrusted sources.

James R
  • What's the advantage to adding this layer between the iOS clients and ES? – Forest Kunecke Jan 12 '17 at 21:47
    Your server can discriminate, Elasticsearch isn't really set up for that. You could easily get DDoSed, or something evil could happen. Even sending "read only" type stuff. It's also a vector to your datasource, with no auth layer. Once that's discovered, it would be easy to download all of your data. There's lots of reasons. It would be like exposing MySQL/Postgres directly to your users. You just wouldn't do it. – James R Jan 12 '17 at 21:49
  • Thanks. I've been scouring the web and it does seem very difficult to set up realistic multi client security for elastic, but I wanted to get some second opinions. I'll look into relaying messages through node. – Forest Kunecke Jan 12 '17 at 21:59