Add SSL support to Netty transport layer for Client/Node-to-Node communication #2105
Conversation
|
Very nice. I love the idea. |
|
Thanks for providing this pull request. The story around SSL on the transport layer is a bit more complicated though. If we add this, we need to think about allowing for cases where node to node communication does not use SSL, while clients do. The overhead of node to node communication over SSL is huge, I don't really think people understand that ... . The value security wise is close to 0, to be honest, if you have proper firewall and other security measures in place. |
|
Thanks for the feedback. I understand the complexity that represents node to node communication over SSL. This pull request was a quick and easy way to get SSL within a cluster, as requested by many users. |
|
This seemed like the most promising proposal, but it was rejected. What does it take to get SSL into ES? Is it enough to have separate options for requiring SSL for connections initiated inside the node versus outside the node? What are your requirements, @kimchy ? |
|
Quick note: Even though security value may be 0, having node-to-node communication be encrypted may still be required. Our specific case is that to store HIPAA information in Amazon and still be considered in compliance for auditing purposes, all patient data must be encrypted when sent over the wire. It's not strictly required by pure HIPAA regulations, but a HIPAA related contract (BAA) signed with Amazon does require it. Because this pull request was rejected, Elasticsearch fails to meet this requirement and thus can't be used. HIPAA won't be the last place we'll see this requirement (I suspect a lot of government related Amazon work will be similarly covered). And since it's a bunch of legalese, no amount of pointing out how little actual security is gained or how firewalls and port isolation are enough will suffice to pass the lawyers and auditors scrutiny. Please consider resurrecting this pull request! |
|
@mbarrien in the same boat here. Firewall rules alone won't cut it. We've been audited by expensive HIPAA experts and I can tell you the actual price of not having SSL transport layer, and it's definitely not 0. @kimchy is the pull request going to hurt anyone if they actually implement it? At this point I may just have to clone ES and roll my own solution even if it's ugly. BTW the overhead looks completely acceptable for our setup if the figures @tlrx provided are in the ballpark. |
|
@robottaway Yeah, I'd second that — seems silly to throw away @tlrx's efforts just because we think it was difficult to do. |
|
@kimchy I'd like to add a vote for this feature (despite the age of the issue). It would be incredibly helpful from a HIPPA/HITECH compliance perspective. |
|
+1000 for this feature |
|
+1000 for this one! |
|
+100000....Also looking to have node to node encryption for HIPAA information in Amazon |
|
We have a repo containing the SSL enabled version of the 1.1.0 code here: https://gitlab.devero.com/public/projects there is also a SSL and QOS enabled RabbitMQ river plugin. On my radar to We plan to keep SSL branches as we move up versions of Elasticsearch or -rob On Saturday, May 3, 2014, Marc DiPasquale notifications@github.com wrote:
|
|
Also, could you please confirm if the v1.1.0_ssl_work branch contains functionality to SSL protect inter-node communications on the transport layer (port 9300)? If so, could you please share some configuration settings, java client API usage and expected performance metrics? Thanks! |
|
@RobbieHer encryption on 9300 is what this branch of ours provides. If you want TLS/SSL on the 9200 you will likely setup NGINX, Apache or another proxy in front which will allow setting up encryption. Note if you are going to use the Java API in your app you will need to configure encryption for 9300 there also since you cannot have both secured and unsecured. |
|
@robottaway Thanks! Any idea on when this change can/will make it into the official ElasticSearch branch? |
|
You are very welcome! I would hope this could get into the official branch(es) some day! Past conversations being an indicator it doesn't seem likely though. It def is a bit of work to have to patch every branch we want to use, and it certainly keeps us from upgrading as quickly as we could. |
|
👍 for this feature! Checking it out right now, it would be awesome if this could be implemented in ES or an "official" module. |
13 participants
This pull request modifies the Netty transport layer in order to support SSL for client/node to node communication within an elasticsearch cluster.
Configuration
SSL encryption is activated with a new configuration entry transport.tcp.compress. If set to true, the keystore and trustore of the node must also be configured:
If keystores settings are not set in configuration file, it looks for JVM options (-Djavax.net.ssl.keyStore=..., -Djavax.net.ssl.trustStore=...)
Before starting the cluster, make sure that all nodes recognize each other (by importing the certificates in other nodes' trustores)
A generate.sh script can be used to create keystores for testing:
Transport Client
SSL can be configured for a TransportClient with the Java API:
TransportClient client = new TransportClient(settingsBuilder() .put("client.transport.nodes_sampler_interval", "30s") .put("transport.tcp.ssl", true) .put("transport.tcp.ssl.keystore", "/opt/certificates/esnode1.jks") .put("transport.tcp.ssl.keystore_password", "mypassword") .put("transport.tcp.ssl.truststore", "/opt/certificates/esnode1.jks") .put("transport.tcp.ssl.truststore_password", "mypassword") .put("client.transport.sniff", false).build()); client.addTransportAddress(new InetSocketTransportAddress("localhost", 9300));Use cases
Perf
One should pay attention to performance :/
NettyEchoBenchmark:
NettyEchoSSLBenchmark:
Code review and comments are welcome! :)