
I use Elasticsearch and Kibana for saving and querying my data. Some good features like RBAC and SIEM require SSL communication between Elasticsearch and Kibana. So I enabled xpack.security.http.ssl.enabled and xpack.security.transport.ssl.enabled. Thus client requests to ES must be via HTTPS.

I also have a Flink cluster writing data to Elasticsearch. Flink, Elasticsearch and Kibana are running on Docker Swarm. There's no need for Flink to authenticate with ES or to encrypt the traffic between them. I think Flink can access ES via the HTTP protocol with no authentication.

So, can Elasticsearch support HTTP and HTTPS simultaneously for different source hosts?

Is it possible to selectively authenticate user requests based on source IP or host?

Plus:

  1. Elasticsearch and Kibana are both version 7.7.0
  2. Docker version: 19.03
marc_s
Libraco

1 Answer


Once you enable HTTP security, all clients must be updated to communicate with the cluster via SSL; it would not make sense to have one part of the clients communicating securely and another part that doesn't.

If you enable TLS on the HTTP layer in Elasticsearch, then you might need to make configuration changes in other parts of the Elastic Stack and in any Elasticsearch clients that you use.

Also see what just happened a few days ago to thousands of clusters that were being left accessible to the world.

Val
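What "update the client" means for the Flink side of the question, as an added example that is not from the answer or from the Flink project: a Flink 7.x Elasticsearch sink pointed at the TLS-only HTTP layer, trusting the cluster CA and sending basic-auth credentials. The host name, user name, truststore path and index name are assumed values; the secrets are read from the environment.

```java
import java.io.File;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import org.apache.flink.streaming.connectors.elasticsearch.ElasticsearchSinkFunction;
import org.apache.flink.streaming.connectors.elasticsearch7.ElasticsearchSink;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.Requests;

public class SecureEsSink {
    // Hypothetical values: ES service name in the swarm, a low-privilege writer user, CA truststore in the Flink image.
    static final String ES_HOST = "elasticsearch";
    static final String ES_USER = "flink_writer";
    static final String TRUSTSTORE = "/etc/flink/es-ca.p12";

    public static ElasticsearchSink<String> build() {
        ElasticsearchSink.Builder<String> builder = new ElasticsearchSink.Builder<>(
            // Scheme "https": with xpack.security.http.ssl.enabled, port 9200 only speaks TLS.
            Collections.singletonList(new HttpHost(ES_HOST, 9200, "https")),
            (ElasticsearchSinkFunction<String>) (element, ctx, indexer) -> {
                Map<String, String> doc = new HashMap<>();
                doc.put("data", element);
                indexer.add(Requests.indexRequest().index("flink-events").source(doc));
            });
        builder.setRestClientFactory(restClientBuilder -> {
            // Passwords come from the environment (e.g. Docker secrets), never from source.
            String trustPw = System.getenv("ES_TRUSTSTORE_PASSWORD");
            String userPw = System.getenv("ES_PASSWORD");
            if (trustPw == null || userPw == null) throw new IllegalStateException("ES secrets not set");
            // Built inside the factory: SSLContext is not serializable across Flink tasks.
            SSLContext sslContext;
            try {
                sslContext = SSLContexts.custom()
                    .loadTrustMaterial(new File(TRUSTSTORE), trustPw.toCharArray()).build();
            } catch (Exception e) {
                throw new IllegalStateException("cannot load CA truststore", e);
            }
            BasicCredentialsProvider creds = new BasicCredentialsProvider();
            creds.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(ES_USER, userPw));
            // Trust only our CA and send basic auth on every request to the secured HTTP layer.
            restClientBuilder.setHttpClientConfigCallback(http ->
                http.setSSLContext(sslContext).setDefaultCredentialsProvider(creds));
        });
        return builder.build();
    }
}
```

Hostname verification stays at the HTTP client's default, so the node certificate must carry the service name the sink connects to as a subject alternative name.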
  • Thanks for your explanation. HTTP is indeed insecure. I would switch all clients to the HTTPS protocol. Plus, the traditional MySQL database supports configuring the password according to the host: `CREATE USER 'pig'@'192.168.1.101_' IDENTIFIED BY '123456';` Can Elasticsearch support similar functions? – Libraco Jul 27 '20 at 06:40
  • With ES, you have the possibility to not secure HTTP communications, but once you enable them, all clients must abide. – Val Jul 27 '20 at 06:42
  • I'm still confused about the partial authentication feature in ES. In MySQL, it can set user & password by host. In Kafka, it can open different ports for different protocols (one needs auth and encryption, the other one can be free and plaintext). – Libraco Jul 30 '20 at 13:55
  • Not in ES: you can let all the clients use HTTP (even if the nodes talk SSL among themselves), but if you turn on SSL for HTTP clients, then all clients are required to use SSL. – Val Jul 30 '20 at 14:00
  • I very much appreciate your answer. Can you explain why ES does not implement this feature? – Libraco Jul 30 '20 at 16:37
  • That's a design choice, I guess, and a very good one if you ask me. – Val Jul 30 '20 at 17:19