Free Elasticsearch security plugin and Kibana security plugin: super-easy Kibana multi-tenancy, Encryption, Authentication, Authorization, Auditing
Branch: master
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.travis try to make travis ci understand SSH Jan 7, 2017
bin run integration testing also for es66x + tidy up Feb 9, 2019
ci grep exact tag name Sep 25, 2018
commons bypass SSL test as it seems to have connectivity issues with docker Feb 8, 2019
core Made HTTP Connection configurable (#410) Feb 8, 2019
es23x make it work with latest ES and first integration test Feb 6, 2019
es51x if ssl not enabled, don't even load it Feb 9, 2019
es52x if ssl not enabled, don't even load it Feb 9, 2019
es53x if ssl not enabled, don't even load it Feb 9, 2019
es60x loaded wrong settings Feb 10, 2019
es61x if ssl not enabled, don't even load it Feb 9, 2019
es63x fix bug + implement a method 6.4.x style and 6.5.x style so we avoid … Feb 9, 2019
es66x fix bug + implement a method 6.4.x style and 6.5.x style so we avoid … Feb 9, 2019
gradle/wrapper Update gradle, jjwt, support Java > 8 Sep 30, 2018
integration-tests Merge branch 'internode_ssl_integration' Feb 11, 2019
plugin-metadata add security permission needed in 6.5.0 + fix logger deprecations Nov 27, 2018
tests-utils don't enable node discovery in regular tests, only enable it in ssl t… Feb 8, 2019
.gitignore add useful development files Oct 18, 2018
.travis.yml run integration testing also for es66x + tidy up Feb 9, 2019
CONTRIBUTING.md fix address and reg number Oct 15, 2017
Dockerfile.tpl allow remote debugging Dec 13, 2016
LICENSE.md Feature/ldap support (#180) Feb 22, 2017
README.md Remove duplicate old documentation, send everyone to the official docs. Sep 19, 2018
ReadonlyRESTLicenseHeader.txt Feature/better integration tests (#190) Mar 6, 2017
genHash.py WIP: 5.4+ works Oct 5, 2017
gradle.properties first pre build of ROR with merged internode SSL Feb 11, 2019
gradlew Update gradle and build for ES 5.4.0 May 15, 2017
gradlew.bat Update gradle and build for ES 5.4.0 May 15, 2017
ror-intellij-formatter-settings.xml Source formatting rules for intelliJ Apr 7, 2018
settings.gradle ES API incompatibility in ES 6.6.0 -> new sub-project Feb 9, 2019

README.md

Codacy Badge Build Status Twitter URL Patreon

ReadonlyREST needs your help ⚠️

ReadonlyREST is an GPLv3 open source project. Its ongoing development can only made possible thanks to the support of its backers:

  1. @nmaisonneuve
  2. @Id57
  3. PPRO
  4. Jeff Saxe
  5. Joseph Bull

If you care this project keeps on existing, read up the ReadonlyREST Patreon campaign.

Readonly REST Elasticsearch Plugin

Expose the high performance HTTP server embedded in Elasticsearch directly to the public, safely blocking any attempt to delete or modify your data.

In other words... no more proxies! Yay Ponies!

Key Features

Tiny memory overhead, blazing fast networking 🚀

Other security plugins are replacing the high performance, Netty based, embedded REST API of Elasticsearch with Tomcat, Jetty or other cumbersome XML based JEE madness.

This plugin instead is just a lightweight pure-Java filtering layer. Even the SSL layer is provided as an extra Netty transport handler.

Fewer moving parts

Some suggest to spin up a new HTTP proxy (Varnish, NGNix, HAProxy) between ES and clients to filter out malicious access with regular expressions on HTTP methods and paths. This is a bad idea for two reasons:

  • You're introducing more complexity in your architecture.
  • Reasoning about security at HTTP level is risky, flaky and less granular than controlling access at the internal Elasticsearch protocol level.

The only clean way to do the access control is AFTER Elasticsearch has parsed the queries.

Just set a few rules with this plugin and confidently open it up to the external world.

All the available rules in detail

Contributor License Agreement

By contributing your code to ReadonlyREST you grant its owner Simone Scarduzio a non-exclusive, irrevocable, worldwide, royalty-free, sublicenseable, transferable license under all of Your relevant intellectual property rights (including copyright, patent, and any other rights), to use, copy, prepare derivative works of, distribute and publicly perform and display the Contributions on any licensing terms, including without limitation: (a) open source licenses like the GPLv3 license; and (b) binary, proprietary, or commercial licenses. Except for the licenses granted herein, You reserve all right, title, and interest in and to the Contribution.

You confirm that you are able to grant us these rights. You represent that You are legally entitled to grant the above license. If Your employer has rights to intellectual property that You create, You represent that You have received permission to make the Contributions on behalf of that employer, or that Your employer has waived such rights for the Contributions.

You represent that the Contributions are Your original works of authorship, and to Your knowledge, no other person claims, or has the right to claim, any right in any invention or patent related to the Contributions. You also represent that You are not legally obligated, whether by entering into an agreement or otherwise, in any way that conflicts with the terms of this license.

The owner of the ReadonlyREST project Simone Scarduzio acknowledges that, except as explicitly described in this Agreement, any Contribution which you provide is on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.

History

This project was incepted in this StackOverflow thread.

Credits

Thanks Ivan Brusic for publishing this guide