Authentication and security

  • Firewall port 9300 for intra-cluster connections only
    • Puppet exported rule with the tag set from a hiera secret
  • Apache on the master node
    • 443 - https, CERN SSO, read-only, authorization on CERN e-groups
      • allowed adding kibana dashboards
      • TODO? one e-group to add dashboards, another - read-only. May be difficult
    • 9201 - http, basic auth, read-only, users, groups, passwords in hiera
      • TODO: https, need cooperation from clients. What clients?
    • 9202 - http, basic auth, full access, users, groups, passwords in hiera
      • TODO: https, need cooperation from clients (e.g. MIG writer)
    • all ports proxy towards localhost:9200
    • r/o enforced with mod_rewrite on http method + location
      • GETs that are sometimes considered "writing" can only flush indices and clear caches. In the strictest sense these are write operations, but not really dangerous.
      • "Reading" POSTs are allowed for compatibility with clients that don't support GETs with a payload. Kibana does use POST /_search.
      • We don't distinguish administrative POSTs (controlling the cluster) from data-write POSTs: the write-access port provides full access.
  • forbid dynamic scripting
     script.disable_dynamic: true 
  • TODO? index-level separation
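As an added illustration (not configuration from the original notes or from the cluster itself), the following Apache httpd 2.4 fragment puts the 9201/9202 layout described above into one file: basic auth on both ports, everything proxied to localhost:9200, and the read-only rule on 9201 enforced with mod_rewrite on HTTP method plus location. The port numbers, the backend address and the method/location policy come from the notes; the htpasswd/group file paths, the group names and the exact list of search endpoints are assumptions.

```apache
# Added example (not from the original notes). Ports and the localhost:9200
# backend follow the notes above; file paths, group names and the list of
# search endpoints are assumed and must be adapted to the actual deployment.
Listen 9201
Listen 9202

# 9201: http, basic auth, read-only
<VirtualHost *:9201>
    ProxyPreserveHost On
    ProxyPass        / http://localhost:9200/
    ProxyPassReverse / http://localhost:9200/

    <Location />
        AuthType Basic
        AuthName "Elasticsearch (read-only)"
        AuthBasicProvider file
        # user and group files rendered by Puppet from the hiera secrets (assumed paths)
        AuthUserFile  /etc/httpd/es-users.htpasswd
        AuthGroupFile /etc/httpd/es-groups
        Require group es-readers es-writers
    </Location>

    # r/o enforcement on method + location (conditions are ANDed):
    #  - any GET or HEAD passes; this deliberately also lets through the
    #    "writing" GETs such as flush and clear-cache
    #  - a POST passes only when it targets a search endpoint
    #    (Kibana issues POST /_search)
    #  - anything else (PUT, DELETE, other POSTs) is refused with 403
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$
    RewriteCond %{REQUEST_METHOD}:%{REQUEST_URI} !^POST:.*/_(search|msearch|count)$
    RewriteRule ^ - [F]
</VirtualHost>

# 9202: http, basic auth, full access (data writes and cluster administration alike)
<VirtualHost *:9202>
    ProxyPreserveHost On
    ProxyPass        / http://localhost:9200/
    ProxyPassReverse / http://localhost:9200/

    <Location />
        AuthType Basic
        AuthName "Elasticsearch (read-write)"
        AuthBasicProvider file
        AuthUserFile  /etc/httpd/es-users.htpasswd
        AuthGroupFile /etc/httpd/es-groups
        Require group es-writers
    </Location>
</VirtualHost>
```

mod_rewrite runs before mod_proxy maps the request, so a rule ending in [F] answers 403 without the request ever reaching Elasticsearch. A quick check of the policy after a config reload: a `DELETE` or a `POST` to an index path through 9201 should return 403, while `GET /_cluster/health` and `POST /_search` through the same port should succeed with valid credentials.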
  • index refresh tweak (for faster bulk indexing, but data appears in searches after index refresh only)
     curl -XPUT localhost:9200/_settings -d '{ "index.refresh_interval": "30s"}' 
  • on nodes half of the memory for java heap, half for cache
  • TODO? bigger nodes?
  • TODO? decouple client and master?

Topic revision: r6 - 2014-05-26 - IvanKadochnikov