New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support File Sockets rather than just Ethernet Interfaces #21377
Comments
We discussed this internally and there are a couple of issues that we see with adding this. Lemme elaborate:
We decided to close this for these reasons for now. |
Unix sockets are a very simple (thus reliable) way of enforcing security in a wide variety of situations. The utility of this is rapidly increasing. Not all problems require a cluster, and if you don't HAVE to build a cluster, you certainly do not want to. The number of cores per machine is making clustering across machines less and less necessary, and there are huge incentives to centralize (performance, simplicity of code and administration). We have pretty cheap machines with 128 cores now, and even then, a lot of problems can be decomposed in a way so that it's not the ES that needs to be clustered, but a different layer in the stack.
Specifically, to your points
Also note that curl (the ES defacto standard CLI), has supported communication via unix sockets since version 7.40 (now on 7.52). Given that securing ES is such a huge issue (https://www.google.com/search?q=securing%20elasticsearch), and that supporting unix sockets is so simple compared to other solutions, it seems like a great feature to add. Thanks! I am impressed with what ES overall. -Carl |
Unix domain sockets are more simple than TCP sockets. Also, ES is nice to use with a single-server application that provides cheap text search. I was shocked when I found out that ES doesn't support them. Most servers support them, because they are so fundamental. It so easy to secure unix domain sockets using standard file permissions. This is much easier than (mis)configuring authentication although one would be wise to layer their security. I just realized that everything I'm saying has been said much better by @CarlEklof. |
It has been 2 years since the issue was closed. It may be a time to revise this. @s1monw do you think that if you discuss this issue internally you might want to consider implementing a unix socket now? |
+1 This would be a great feature to have! -cc @s1monw |
Describe the feature:
This is a feature request. Right now it seems like ElasticSearch only supports binding port 9200 to an actual Ethernet interface. The problem with this is that it means any non-privileged user on an ElasticSearch host has access to do destructive things (unless you're running the Shield plugin) to the cluster.
I would like to configure ElasticSearch to bind to a unix file socket, and then be able to control the permissions to that file socket with standard Unix file permissions. From there, we can easily use Apache to provide a reasonable level of authenticated access.
Note about plugins:
I know that there are plugins like https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin that help provide authorization to the REST interface. The problem is that these have to be compiled and managed for each specific version of ElasticSearch, and we're just tired of playing that game. Fronting ElasticSearch with Apache has a ton of advantages (centralized logging being a huge one) ... and its just a common design.
The text was updated successfully, but these errors were encountered: