Hello guys,
I’m currently looking for a solution to secure my ElasticSearch cluster.
I would like to prevent anyone in my network from starting an ES node and joining my cluster by setting the same cluster name.
I was looking at your solution Search Guard and I see in the searchguard_config_template.yml the following properties:
# Do other nodes have to authenticate themself to the cluster, default is true
#searchguard.ssl.transport.node.enforce_clientauth: true
Unfortunately I didn’t find any documentation/example about how to configure the transport layer.
First, I would like to know whether I can use Search Guard to prevent anyone from joining the cluster, or am I misunderstanding?
Is that the purpose of enforce_clientauth? Or does Search Guard have other mechanisms, such as the IP filtering provided by Shield?
Thanks a lot,
Thib
Hello,
The searchguard.ssl.transport.node.enforce_clientauth parameter forces the nodes to check whether their truststore contains the certificate of newly connecting nodes. It may be very effective, but it takes a while to set up, as you have to generate and deploy the certificates of every node. You can use SSL between the nodes with just searchguard.ssl.transport.node.enabled: true, with searchguard.ssl.transport.node.keystore_type and searchguard.ssl.transport.node.keystore_filepath correctly configured.
On Thursday, July 23, 2015 at 7:04:10 AM UTC+2, Thibault Clement wrote:
Hello guys,
I’m currently looking for a solution to secure my ElasticSearch cluster.
I would like to prevent anyone in my network from starting an ES node and joining my cluster by setting the same cluster name.
I was looking at your solution Search Guard and I see in the searchguard_config_template.yml the following properties:
# Do other nodes have to authenticate themself to the cluster, default is true
#searchguard.ssl.transport.node.enforce_clientauth: true
Unfortunately I didn’t find any documentation/example about how to configure the transport layer.
First, I would like to know whether I can use Search Guard to prevent anyone from joining the cluster, or am I misunderstanding?
Is that the purpose of enforce_clientauth? Or does Search Guard have other mechanisms, such as the IP filtering provided by Shield?
Thanks a lot,
Thib
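An added example (not from the thread or from the Search Guard project) of the setup Simon's reply describes, as an elasticsearch.yml fragment. The file paths are placeholders, the two truststore_* keys do not appear in the thread and are assumed to follow the keystore key naming (check them against searchguard_config_template.yml), and keystore/truststore password settings are left out.

```yaml
# elasticsearch.yml, same settings on every node (constructed example).

# Encrypt node-to-node (transport) traffic: the three settings from the reply.
searchguard.ssl.transport.node.enabled: true
searchguard.ssl.transport.node.keystore_type: JKS
# Placeholder path; this keystore holds the node's own certificate and key.
searchguard.ssl.transport.node.keystore_filepath: /path/to/this-node-keystore.jks

# Require every connecting node to present a certificate this node trusts.
# The template comment gives true as the default; it is stated explicitly
# here so the intent is visible in the file.
searchguard.ssl.transport.node.enforce_clientauth: true

# Weaker variant, for contrast: traffic is still encrypted, but a connecting
# node is not asked to prove its identity with a certificate.
#searchguard.ssl.transport.node.enforce_clientauth: false

# Assumed keys (not in the thread): the store of certificates this node
# accepts from its peers. Each node's certificate, or the CA that issued it,
# has to be present in the other nodes' truststores.
searchguard.ssl.transport.node.truststore_type: JKS
searchguard.ssl.transport.node.truststore_filepath: /path/to/truststore.jks
```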
Thanks for your answer, Simon
On Friday, July 24, 2015 at 4:15:43 PM UTC+7, simon....@gmail.com wrote:
Hello,
The searchguard.ssl.transport.node.enforce_clientauth parameter forces the nodes to check whether their truststore contains the certificate of newly connecting nodes. It may be very effective, but it takes a while to set up, as you have to generate and deploy the certificates of every node. You can use SSL between the nodes with just searchguard.ssl.transport.node.enabled: true, with searchguard.ssl.transport.node.keystore_type and searchguard.ssl.transport.node.keystore_filepath correctly configured.