/elasticsearch-auth

Authentication filter for Elasticsearch

Primary LanguageJavaApache License 2.0Apache-2.0

Elasticsearch Auth Plugin

Overview

Elasticsearch Auth Plugin provides an authentication filter for Elasticsearch contents. This plugin consists of:

  • User Management
  • Content Constraints
  • Login/Logout

Version

Auth Tested On Elasticsearch
master 1.7.x
1.4.0 1.4.0
1.3.0 1.3.1
1.2.0 1.2.1
1.1.0 1.0.0
1.0.1 0.90.11

Issues/Questions

Please file an issue. (Japanese forum is here.)

Installation

$ $ES_HOME/bin/plugin --install org.codelibs/elasticsearch-auth/1.4.0

User Management

The user management feature for Auth plugin is an extensible implementation. The default implementation is that Auth plugin stores user info into Elasticsearch index (org.codelibs.elasticsearch.auth.security.Authenticator). If you want your own authentication system, such as LDAP, you can create your Authenticator class.

IndexAuthenticator is a default implementation for managing users. The authenticator name is 'index'. The user information contains a password and roles.

Create User

$ curl -XPUT 'localhost:9200/_auth/account' -d "{
    \"authenticator\" : \"index\",
    \"username\" : \"testuser\",
    \"password\" : \"test123\",
    \"roles\" : [\"user\", \"admin\"]
}"

Update User

$ curl -XPOST 'localhost:9200/_auth/account' -d "{
    \"authenticator\" : \"index\",
    \"username\" : \"testuser\",
    \"password\" : \"test321\",
    \"roles\" : [\"user\"]
}"

Delete User

$ curl -XDELETE 'localhost:9200/_auth/account' -d "{
    \"authenticator\" : \"index\",
    \"username\" : \"testuser\"
}"

Content Constraints

Contents are restricted by a content constraints. The content constraint consists of paths, HTTP methods and roles.

If you want to allow "admin" users to access to /aaa by GET and POST method, the configuration is below:

$ curl -XPOST 'localhost:9200/security/constraint/' -d "{
    \"authenticator\" : \"index\",
    \"paths\" : [\"/aaa\"],
    \"methods\" : [\"get\", \"post\"],
    \"roles\" : [\"admin\"]
}"

"paths" is a prefix matching.

If "user" users access to /bbb by only GET method:

$ curl -XPOST 'localhost:9200/security/constraint/' -d "{
    \"authenticator\" : \"index\",
    \"paths\" : [\"/bbb\"],
    \"methods\" : [\"get\"],
    \"roles\" : [\"user\"]
}"

Reload Configuration

$ curl -XPOST 'localhost:9200/_auth/reload'

Login/Logout

User accesses to restricted contents on Elasticsearch by a token published by Auth plugin.

Login

The token is published by:

$ curl -XPOST 'localhost:9200/login' -d "{
    \"username\" : \"testuser\",
    \"password\" : \"test123\"
}"

and the response is:

{
  "status" : 200,
  "token" : "..."
}

The published token is managed in your application, and then it needs to be set to a request parameter or a cookie.

Access to Elasticsearch

Requesting with a token, the content will be obtained.

$ curl -XGET http://localhost:9200/aaa_search?q=\*:\*&token=...

or

$ curl --cookie "eaid=..." -XGET http://localhost:9200/aaa/_search?q=\*:\*

'eaid' is a token key on a cookie.

Logout

The published token is discarded by:

$ curl -XPOST 'localhost:9200/logout?token=....'

TTL for Token

Using ttl of Elasticsearch, expired token is discarded automatically.

$ curl -XPUT 'localhost:9200/auth/token/_mapping' -d "{
    \"_ttl\" : { \"enabled\" : true, \"default\" : \"1d\" }
}"