Elasticsearch Auth Plugin provides an authentication and authorization filter in front of Elasticsearch content. The plugin consists of:
- User Management
- Content Constraints
- Login/Logout
| Auth | Tested On Elasticsearch |
|---|---|
| master | 1.7.x |
| 1.4.0 | 1.4.0 |
| 1.3.0 | 1.3.1 |
| 1.2.0 | 1.2.1 |
| 1.1.0 | 1.0.0 |
| 1.0.1 | 0.90.11 |
For bugs and questions, please file an issue. (A Japanese forum is also available.)
Install the plugin with:
$ $ES_HOME/bin/plugin --install org.codelibs/elasticsearch-auth/1.4.0
The user management feature of the Auth plugin is extensible. By default the plugin stores user information in an Elasticsearch index. If you want your own authentication system, such as LDAP, implement the org.codelibs.elasticsearch.auth.security.Authenticator interface in your own Authenticator class.
IndexAuthenticator is the default implementation for managing users; its authenticator name is 'index'. A user record consists of a username, a password and a list of roles.
Create a user:
$ curl -XPUT 'localhost:9200/_auth/account' -d '{
  "authenticator" : "index",
  "username" : "testuser",
  "password" : "test123",
  "roles" : ["user", "admin"]
}'
Update an existing user (here the password is changed and the admin role removed):
$ curl -XPOST 'localhost:9200/_auth/account' -d '{
  "authenticator" : "index",
  "username" : "testuser",
  "password" : "test321",
  "roles" : ["user"]
}'
Delete a user:
$ curl -XDELETE 'localhost:9200/_auth/account' -d '{
  "authenticator" : "index",
  "username" : "testuser"
}'
Note that these account endpoints are themselves Elasticsearch content: unless a content constraint (next section) restricts /_auth/account to administrators, anyone who can reach the HTTP port can create or modify accounts.
Access to content is restricted by content constraints. A constraint consists of path prefixes, HTTP methods and the roles allowed to use them.
To allow "admin" users to access /aaa with the GET and POST methods, the configuration is:
$ curl -XPOST 'localhost:9200/security/constraint/' -d '{
  "authenticator" : "index",
  "paths" : ["/aaa"],
  "methods" : ["get", "post"],
  "roles" : ["admin"]
}'
Entries in "paths" are matched as prefixes: "/aaa" covers /aaa/_search and also any other path that starts with /aaa, such as /aaabbb.
To allow "user" users to access /bbb with GET only:
$ curl -XPOST 'localhost:9200/security/constraint/' -d '{
  "authenticator" : "index",
  "paths" : ["/bbb"],
  "methods" : ["get"],
  "roles" : ["user"]
}'
After adding or changing constraints, reload them so the filter picks them up:
$ curl -XPOST 'localhost:9200/_auth/reload'
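To see what the prefix/method/role rules above imply before deploying them, the following added example (not the plugin's own code) models the evaluation of a request against a set of constraints. Beyond what the page states, it assumes that a request covered by no constraint is served without authentication, that holding any one of a constraint's roles is sufficient, and that method names compare case-insensitively; verify these against your deployment. It also adds a constraint on /_auth/account that the page does not define, to show why the management endpoint needs one.

```python
"""Offline model of Auth plugin content-constraint evaluation.

Added example, not code from the elasticsearch-auth project. It reproduces
the rules the README states (constraint = path prefixes + HTTP methods +
roles, paths prefix-matched) so their consequences can be checked without
a cluster. Assumptions that go beyond the README are marked below.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    """One content constraint as posted to /security/constraint/."""
    paths: tuple[str, ...]
    methods: tuple[str, ...]
    roles: tuple[str, ...]

    def covers(self, method: str, path: str) -> bool:
        # "paths" is a prefix match: "/aaa" also covers "/aaa/_search"
        # and "/aaabbb/_search". Assumption: methods compare
        # case-insensitively (the README writes them in lower case).
        methods = {m.lower() for m in self.methods}
        return method.lower() in methods and any(path.startswith(p) for p in self.paths)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(constraints: list[Constraint], method: str, path: str,
             roles: set[str] | None) -> Decision:
    """Decide one request. `roles` are the roles of the user identified by
    a valid token, or None when no valid token accompanied the request."""
    matching = [c for c in constraints if c.covers(method, path)]
    if not matching:
        # Assumption: content that no constraint covers is served to anyone.
        return Decision(True, "no constraint covers this request")
    if roles is None:
        return Decision(False, "restricted content and no valid token")
    for c in matching:
        # Assumption: holding any one of the constraint's roles is enough.
        if roles & set(c.roles):
            return Decision(True, f"allowed by constraint on {c.paths}")
    return Decision(False, "restricted content; caller lacks every required role")


# The two constraints from the README plus a third, added here, that locks
# the plugin's own account-management endpoint to admins. Without it,
# /_auth/account is uncovered and anyone reaching port 9200 can create an
# admin account.
CONSTRAINTS = [
    Constraint(paths=("/aaa",), methods=("get", "post"), roles=("admin",)),
    Constraint(paths=("/bbb",), methods=("get",), roles=("user",)),
    Constraint(paths=("/_auth/account",), methods=("put", "post", "delete"),
               roles=("admin",)),
]

# Constructed sample requests: (method, path, roles of the caller or None).
SAMPLE_REQUESTS = [
    ("GET", "/aaa/_search", {"user"}),            # wrong role: denied
    ("GET", "/aaa/_search", {"user", "admin"}),   # admin: allowed
    ("GET", "/aaabbb/_search", {"user"}),         # caught by the /aaa prefix
    ("GET", "/bbb/_search", None),                # no token: denied
    ("DELETE", "/bbb/doc/1", {"user"}),           # /bbb only constrains GET!
    ("PUT", "/_auth/account", None),              # locked by the third rule
]


def main() -> None:
    for method, path, roles in SAMPLE_REQUESTS:
        d = evaluate(CONSTRAINTS, method, path, roles)
        who = "anonymous" if roles is None else ",".join(sorted(roles))
        print(f"{method:6} {path:20} {who:12} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")


if __name__ == "__main__":
    main()
```

The DELETE on /bbb is the case worth noticing: a constraint restricts only the methods it lists, so a rule that grants GET to "user" leaves every other method on that prefix uncovered. Write constraints per path for all methods you want controlled, and cover the plugin's own endpoints.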
Users access restricted content with a token issued by the Auth plugin.
The token is issued by logging in:
$ curl -XPOST 'localhost:9200/login' -d '{
  "username" : "testuser",
  "password" : "test123"
}'
and the response is:
{
"status" : 200,
"token" : "..."
}
Your application keeps the issued token and sends it with every request, either as the token request parameter or in a cookie.
With a valid token, the restricted content is returned:
$ curl -XGET 'http://localhost:9200/aaa/_search?q=*:*&token=...'
or
$ curl --cookie "eaid=..." -XGET 'http://localhost:9200/aaa/_search?q=*:*'
The cookie name for the token is 'eaid'. Prefer the cookie form where you can: a token in the query string ends up in access logs, proxy logs and browser history. Note also that the login request carries the password and every request carries the token in clear text unless the Elasticsearch HTTP port is fronted by TLS.
The token is invalidated by logging out:
$ curl -XPOST 'localhost:9200/logout?token=....'
Using the Elasticsearch _ttl field, expired tokens are discarded automatically. Enable it on the plugin's token index (index 'auth', type 'token'); the example below gives every token a default lifetime of one day. Expired documents are removed by the periodic TTL purge, so a token can remain usable for a short time after its lifetime ends.
$ curl -XPUT 'localhost:9200/auth/token/_mapping' -d '{
  "_ttl" : { "enabled" : true, "default" : "1d" }
}'