Authentication and security

  • Firewall port 9300 for intra-cluster connections only
    • Puppet exported rule with the tag set from a hiera secret
  • Apache on the master node
    • 443 - https, CERN SSO, read-only, authorization on CERN e-groups
      • exception: adding Kibana dashboards is allowed
      • TODO? one e-group allowed to add dashboards, another read-only. May be difficult
    • 9201 - http, basic auth, read-only, users, groups, passwords in hiera
      • TODO: https, need cooperation from clients. What clients?
    • 9202 - http, basic auth, full access, users, groups, passwords in hiera
      • TODO: https, need cooperation from clients (e.g. MIG writer)
    • all three ports proxy to localhost:9200
    • read-only is enforced with mod_rewrite rules on the HTTP method + URL path
      • GET is allowed as a whole. The GETs that are sometimes considered "writing" can only flush indices, optimize segments and clear caches. In the strictest sense these are write operations, but not dangerous ones, so they are tolerated on the read-only ports:
         /_cache/clear,/_flush,/_optimize,/_refresh,/{index}/_cache/clear,/{index}/_flush,/{index}/_optimize,/{index}/_refresh 
      • "reading" POSTs are allowed for compatibility with clients that don't support GET with a request body. Kibana uses POST /_search.
      • no distinction is made between administrative POSTs (controlling the cluster) and data-write POSTs: the write-access port gives full access.
  • forbid dynamic scripting (elasticsearch.yml, Elasticsearch 1.x setting name). Scripts supplied in a request body would otherwise execute inside the node's JVM, and the search endpoints on the read-only ports accept them.
     script.disable_dynamic: true 
  • TODO? index-level separation
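Added example, not the page's own configuration: an Apache httpd (2.2/2.4) fragment showing what the method + path rules for the two basic-auth ports could look like. Hostname, file paths, group names and the allowlist of "reading" POST endpoints are assumptions; mod_proxy, mod_proxy_http, mod_rewrite, mod_auth_basic and mod_authz_groupfile are assumed to be loaded, and the htpasswd/group files are assumed to be generated by Puppet from hiera. Port 443 (SSO plus the Kibana dashboard exception) is not shown.

```apache
# Added example (not from the page). Assumed: modules listed in the lead-in
# are loaded, ProxyRequests is Off (the default), and the auth files below
# are written by Puppet from hiera.

Listen 9201
Listen 9202

# ---- 9201: basic auth, read-only ------------------------------------------
<VirtualHost *:9201>
    ServerName es-master.example.cern.ch        # assumed hostname

    <Location />
        AuthType Basic
        AuthName "Elasticsearch (read-only)"
        AuthUserFile  /etc/httpd/conf.d/es-ro.htpasswd   # assumed path
        AuthGroupFile /etc/httpd/conf.d/es-ro.groups     # assumed path
        Require group es-readers                         # assumed group
    </Location>

    RewriteEngine On

    # 1. Defence against path tricks: a doubled slash can never be a valid
    #    Elasticsearch path, so refuse it before any path matching below.
    RewriteCond %{REQUEST_URI} //
    RewriteRule .* - [F]

    # 2. GET and HEAD pass as a whole. This includes the "writing" GETs
    #    (/_cache/clear, /_flush, /_optimize, /_refresh, with or without an
    #    index prefix), which the page accepts as harmless. To refuse them
    #    as well, uncomment the three lines below.
    #RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$
    #RewriteCond %{REQUEST_URI} ^(/[^/]+)?/_(cache/clear|flush|optimize|refresh)/?$ [NC]
    #RewriteRule .* - [F]

    # 3. POST is accepted only for search-style endpoints, for clients that
    #    cannot send a GET with a body (Kibana does POST /_search). This is
    #    an allowlist: every other POST is a write or an admin call. The
    #    prefix permits /{index}, /{index}/{type} and /{index}/{type}/{id}.
    #    The endpoint list is an assumption about what the clients need.
    RewriteCond %{REQUEST_METHOD} ^POST$
    RewriteCond %{REQUEST_URI} !^(/[^/]+){0,3}/_(search|search/scroll|msearch|count|mget|explain|suggest|validate/query)/?$ [NC]
    RewriteRule .* - [F]

    # 4. Every other method (PUT, DELETE, OPTIONS, ...) is refused outright.
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
    RewriteRule .* - [F]

    # 5. Whatever survived is handed to mod_proxy from within mod_rewrite
    #    ([P]), so a request only reaches the node after passing the rules
    #    above; the query string is carried over automatically.
    RewriteRule ^/(.*)$ http://localhost:9200/$1 [P,L]
    ProxyPassReverse / http://localhost:9200/
</VirtualHost>

# ---- 9202: basic auth, full access -----------------------------------------
<VirtualHost *:9202>
    ServerName es-master.example.cern.ch        # assumed hostname

    <Location />
        AuthType Basic
        AuthName "Elasticsearch (read-write)"
        AuthUserFile  /etc/httpd/conf.d/es-rw.htpasswd   # assumed path
        AuthGroupFile /etc/httpd/conf.d/es-rw.groups     # assumed path
        Require group es-writers                         # assumed group
    </Location>

    # No method/path filtering here: data writers and cluster admins share
    # this port, as the page says, so the proxy is a plain pass-through.
    ProxyPass        / http://localhost:9200/
    ProxyPassReverse / http://localhost:9200/
</VirtualHost>
```

Check it with a few requests against the read-only port: `curl -u ro:pw -XPOST localhost:9201/_search` must return search results, `curl -u ro:pw -XPOST localhost:9201/idx/doc/` and `curl -u ro:pw -XDELETE localhost:9201/idx` must return 403, and `curl -u ro:pw localhost:9201/_flush` goes through (tolerated per the page). The GET side is a deny-list on the literal request path, which is only acceptable because the page judges those endpoints harmless; the POST side is an allowlist because a missed write endpoint there would matter.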

Performance

  • index refresh interval tweak: faster bulk indexing, but new documents only become searchable after the next refresh (default 1s). Without an index name in the URL the setting applies to all indices; "-1" disables periodic refresh entirely.
     curl -XPUT localhost:9200/_settings -d '{ "index.refresh_interval": "30s"}' 
  • on data nodes, half of the RAM goes to the Java heap, the other half is left to the OS filesystem cache
  • TODO? bigger nodes?
  • TODO? decouple client and master?
Topic revision: r6 - 2014-05-26 - IvanKadochnikov