Only want authorization (w/o TLS), not possible?

accts · April 14, 2019, 9:49am

According to this post Problem with OpenSSL netty_tcnative , for which I still did not find a solution after investing hours, I am questioning myself for what I need that.
What I want, as elasticsearch is only running on localhost and is not open to the world is just some form of authorization (user) against elasticsearch so the content cannot be read by everyone on the machine.
But it seems search-guard is not able to do this because TLS encrypted communication is mandatory for the install. Am I right with this assumption? Because tbh there is no need for a TLS communication if I communicate from localhost (graylog) to localhost (elastic) on the same node.
Are there any other solutions for this problem maybe.

Would appreciate any help, thanks!

cstaley · April 14, 2019, 11:03am

For HTTP TLS is optional, for internode communication (transport protocol) it is mandatory.

But OpenSSL is totally optional - if there are problems (like in your case) we just fallback to use TLS implementation of the JVM. So you can just ignore that. If you are on Java 11 there are also no big performance gains anymore of using OpenSSL over JVM TLS. If you are on Java 8 and can not use OpenSSL you can adjust the cipher suites to use CBC mode instead of GCM to make things faster. See https://github.com/floragunncom/search-guard/issues/310#issuecomment-372145935

accts · April 14, 2019, 11:10am

Thanks for your reply, yes I understand that it is mandatory for node communication in a case where the nodes are on different machines, because this is the only thing that makes sense. But there is no real internode communication in this case as it is on the same machine.
Anyway as said in the other thread I will give the netty debug a try and then get back to you.

accts · April 14, 2019, 11:21am

But to get back on that topic here, a possibility to just use user authentication against Elastic without the hassle to have to use TLS (because for local installs this is unneeded work setting up, it just complicates things) would be a great benefit

cstaley · April 14, 2019, 11:48am

See Security for Elasticsearch and Kibana | TLS | Search Guard and we have no plans to change it. But Search Guard is an open source project and maybe you just like to fork it and adapt it to your needs.

accts · April 14, 2019, 12:24pm

Ok thanks for getting back to me on this. So will go through TLS setup anyways then (I will script it) and try now to get OpenSSL working with netty debug of the static lib, thanks

system · May 5, 2019, 12:24pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Query on searchguard without tls Search Guard	12	1268	November 19, 2019
Is it possible to install searchguard on ES5 without enabling ssl/tls Search Guard	3	340	May 9, 2017
Can searchguard be used for only authorization and authentication and nothing else? Search Guard	1	343	June 22, 2018
Searchguard without tls Search Guard	13	1554	May 19, 2020
Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) Search Guard	1	670	July 14, 2016

Only want authorization (w/o TLS), not possible?

Related Topics