Apache

  • We need Apache for Shibboleth anyway
  • Apache will probably allow cert-based authentication
  • Jetty's authorization is location-based anyway, so it can be replicated in Apache.
  • At first a simple restriction based on HTTP method is enough:
    • "writing" GETs can only flush indices and clear caches. In the strictest sense these are write operations, but not really dangerous.
       /_cache/clear, /_flush, /_optimize, /_refresh, /{index}/_cache/clear, /{index}/_flush, /{index}/_optimize, /{index}/_refresh
    • "reading" POSTs are provided for compatibility with clients that don't support GETs with payload. We have predictable clients so we don't need these.
      Correction: Kibana actually does use POST /_search, so a location filter will be necessary.
    • In the first pass we don't make a distinction between administrative POSTs (controlling the cluster) and data write POSTs.
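
The first-pass rule in the Apache notes above, modelled as a decision function that can serve as a test matrix for the eventual Apache configuration. This is an added example, not code from the original page; the function names, reason labels, the index name "logs" and the path-normalization step are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# "Writing" GETs from the notes, global or per index: allowed, but worth logging.
MAINTENANCE_RE = re.compile(r"^/(?:[^/]+/)?(?:_cache/clear|_flush|_optimize|_refresh)$")
# The only POST target kept open, because Kibana sends POST /_search.
SEARCH_RE = re.compile(r"^/(?:[^/]+/)?_search$")


def normalize(raw_target):
    """Drop the query string, percent-decode once, resolve '.' and '..' segments."""
    segments = []
    for seg in unquote(urlsplit(raw_target).path).split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)


def decide(method, raw_target):
    """Return (allowed, reason) for one request line."""
    method, path = method.upper(), normalize(raw_target)
    if method in ("GET", "HEAD"):
        if MAINTENANCE_RE.match(path):
            return True, "maintenance-get"
        return True, "read"
    if method == "POST" and SEARCH_RE.match(path):
        return True, "search-post"
    # First pass: administrative and data-write requests are not distinguished.
    return False, "write-or-admin"


# Constructed sample requests (the index name "logs" is made up).
SAMPLES = [
    ("GET", "/logs/_search?q=error"),
    ("GET", "/logs/_flush"),
    ("POST", "/_all/_search"),
    ("POST", "/logs/_search/../event/1"),
    ("POST", "/logs/%5Fsearch"),
    ("PUT", "/logs/event/1"),
    ("DELETE", "/logs"),
]

if __name__ == "__main__":
    for method, target in SAMPLES:
        print(method, target, "->", decide(method, target))
```

The location filter is matched against the normalized path, so a POST whose path only starts with a search endpoint and then walks elsewhere is still denied.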

Jetty plugin

https://github.com/sonian/elasticsearch-jetty/

 /usr/share/elasticsearch/bin/plugin \
                      -url https://oss-es-plugins.s3.amazonaws.com/elasticsearch-jetty/elasticsearch-jetty-1.1.0-beta.zip \
                      -install elasticsearch-jetty 

Problem: Kibana stops working.

XMLHttpRequest cannot load http://dashb-es:9200/_all/_search. Request header field Content-Type is not allowed by Access-Control-Allow-Headers. 
Will need a "real" webserver to solve it with CORS: https://groups.google.com/forum/#!topic/elasticsearch-jetty/L8x3dBM3TEg

Either that, or instead of using downloaded Kibana, put it on the same domain, which also means installing a webserver. Correction: can also use the aimon team method and install a kibana fork as an Elasticsearch plugin:

/usr/share/elasticsearch/bin/plugin -url https://github.com/Pigueiras/kibana/archive/master.zip -i kibana

We would want Apache eventually for SSO integration anyway.

Important steps

Topic revision: r4 - 2014-05-08 - IvanKadochnikov
 