Free Elasticsearch security plugin and Kibana security plugin: super-easy Kibana multi-tenancy, Encryption, Authentication, Authorization, Auditing
Scala Java Other
Branch: master
Latest commit 25477d7 Sep 22, 2019
Type Name Latest commit message Commit time
.travis try to make travis ci understand SSH Jan 7, 2017
audit Feature/rordev 71 (#477) Jul 30, 2019
bin Update build.sh Sep 20, 2019
ci grep exact tag name Sep 25, 2018
config wip: ror stating algorithm May 20, 2019
core Rordev 117 (#499) Sep 20, 2019
es51x fixed: available groups in groups rule and hidden apps response format ( Sep 1, 2019
es52x Bugfix/rordev 85 (#497) Sep 7, 2019
es53x Bugfix/rordev 85 (#497) Sep 7, 2019
es55x Bugfix/rordev 85 (#497) Sep 7, 2019
es60x Bugfix/rordev 85 (#497) Sep 7, 2019
es61x Bugfix/rordev 85 (#497) Sep 7, 2019
es63x Merge remote-tracking branch 'upstream/master' into bugfix/RORDEV-116 Sep 9, 2019
es66x Bugfix/rordev 85 (#497) Sep 7, 2019
es70x Bugfix/rordev 85 (#497) Sep 7, 2019
es73x 7.3.2 support (#505) Sep 22, 2019
gradle/wrapper Feature/rordev 55 (#448) May 17, 2019
integration-tests-scala fixed: tests Sep 13, 2019
integration-tests changed: better reloading of ROR instance Sep 9, 2019
plugin-metadata add security permission needed in 6.5.0 + fix logger deprecations Nov 27, 2018
ror-shadowed-libs added: workaround for debugging in intellij (#434) Apr 21, 2019
tests-utils fixed: memory leak - downgraded snakeyaml to 1.17 Sep 14, 2019
.gitignore Change/rordev 24 (#435) Apr 25, 2019
.travis.yml fixed travis package task Aug 20, 2019
CONTRIBUTING.md fix address and reg number Oct 15, 2017
Dockerfile.tpl allow remote debugging Dec 13, 2016
LICENSE.md Feature/ldap support (#180) Feb 22, 2017
README.md add liberapay Mar 7, 2019
ReadonlyRESTLicenseHeader.txt Feature/better integration tests (#190) Mar 6, 2017
genHash.py WIP: 5.4+ works Oct 5, 2017
gradle.properties Update gradle.properties Sep 20, 2019
gradlew Update gradle and build for ES 5.4.0 May 15, 2017
gradlew.bat Update gradle and build for ES 5.4.0 May 15, 2017
ror-intellij-formatter-settings.xml Source formatting rules for intelliJ Apr 7, 2018
settings.gradle Feature/rordev 105 (#484) Aug 10, 2019

README.md


ReadonlyREST needs your help ⚠️

ReadonlyREST is a GPLv3 open source project. Its ongoing development is only made possible thanks to the support of its backers:

  1. @nmaisonneuve
  2. @Id57
  3. PPRO
  4. Jeff Saxe
  5. Joseph Bull

If you care that this project keeps on existing, read up on the Patreon campaign or the Liberapay campaign.

Readonly REST Elasticsearch Plugin

Expose the high performance HTTP server embedded in Elasticsearch directly to the public, safely blocking any attempt to delete or modify your data.

In other words... no more proxies! Yay Ponies!

Key Features

Tiny memory overhead, blazing fast networking 🚀

Other security plugins are replacing the high performance, Netty based, embedded REST API of Elasticsearch with Tomcat, Jetty or other cumbersome XML based JEE madness.

This plugin instead is just a lightweight pure-Java filtering layer. Even the SSL layer is provided as an extra Netty transport handler.

Fewer moving parts

Some suggest spinning up a new HTTP proxy (Varnish, NGINX, HAProxy) between ES and clients to filter out malicious access with regular expressions on HTTP methods and paths. This is a bad idea for two reasons:

  • You're introducing more complexity in your architecture.
  • Reasoning about security at HTTP level is risky, flaky and less granular than controlling access at the internal Elasticsearch protocol level.

The only clean way to do the access control is AFTER Elasticsearch has parsed the queries.

Just set a few rules with this plugin and confidently open it up to the external world.
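
To illustrate the second reason above, here is an added example (not code from ReadonlyREST) that compares a proxy-style regex on method and path with a read-only check on the action and indices known after parsing. The regex, the `resolve` helper, the index names `public` and `private` and the sample requests are constructed for illustration; `resolve` is a simplified stand-in for Elasticsearch's own request parsing.

```python
import json
import re

# Proxy-style rule (hypothetical): only GET/HEAD on paths under "public".
HTTP_ALLOW = re.compile(r"^(GET|HEAD) /public(/|$)")

def http_level_allows(method, path):
    return bool(HTTP_ALLOW.match(f"{method} {path}"))

def resolve(method, path, body=""):
    """Simplified stand-in for Elasticsearch's request parsing: returns
    (action name, indices) for the three request shapes used below."""
    parts = [p for p in path.split("?")[0].split("/") if p]
    if parts and parts[-1] == "_msearch":
        # NDJSON body: every other line is a header that may name the index.
        headers = [json.loads(l) for l in body.strip().splitlines()][0::2]
        default = parts[0] if len(parts) > 1 else None
        return "indices:data/read/msearch", {h.get("index", default) for h in headers}
    if parts and parts[-1] == "_search":
        return "indices:data/read/search", set(parts[0].split(","))
    if method in ("PUT", "POST") and len(parts) >= 2 and parts[1] == "_doc":
        return "indices:data/write/index", {parts[0]}
    raise ValueError("request shape not covered by this sketch")

def action_level_allows(action, indices, allowed=frozenset({"public"})):
    # Read-only policy on what will execute; an unresolved index (None) fails closed.
    return action.startswith("indices:data/read/") and indices <= allowed

# Constructed sample requests: (method, path, body).
SAMPLES = [
    ("GET", "/public/_search", ""),
    ("POST", "/public/_search", '{"query": {"match_all": {}}}'),
    ("GET", "/public/_msearch", '{"index": "private"}\n{"query": {"match_all": {}}}\n'),
    ("PUT", "/public/_doc/1", '{"field": "value"}'),
]

def compare(samples=SAMPLES):
    """Return (request line, HTTP-level verdict, action-level verdict) per sample."""
    rows = []
    for method, path, body in samples:
        action, indices = resolve(method, path, body)
        rows.append((f"{method} {path}", http_level_allows(method, path),
                     action_level_allows(action, indices)))
    return rows

if __name__ == "__main__":
    for line, http_ok, action_ok in compare():
        print(f"{line:24} http={http_ok!s:5} action={action_ok}")
```

The two layers disagree on the second and third samples: the regex rejects a harmless search because it arrives as POST, and accepts a multi-search whose body names an index the path never mentions.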

All the available rules in detail

Contributor License Agreement

By contributing your code to ReadonlyREST you grant its owner Simone Scarduzio a non-exclusive, irrevocable, worldwide, royalty-free, sublicenseable, transferable license under all of Your relevant intellectual property rights (including copyright, patent, and any other rights), to use, copy, prepare derivative works of, distribute and publicly perform and display the Contributions on any licensing terms, including without limitation: (a) open source licenses like the GPLv3 license; and (b) binary, proprietary, or commercial licenses. Except for the licenses granted herein, You reserve all right, title, and interest in and to the Contribution.

You confirm that you are able to grant us these rights. You represent that You are legally entitled to grant the above license. If Your employer has rights to intellectual property that You create, You represent that You have received permission to make the Contributions on behalf of that employer, or that Your employer has waived such rights for the Contributions.

You represent that the Contributions are Your original works of authorship, and to Your knowledge, no other person claims, or has the right to claim, any right in any invention or patent related to the Contributions. You also represent that You are not legally obligated, whether by entering into an agreement or otherwise, in any way that conflicts with the terms of this license.

The owner of the ReadonlyREST project Simone Scarduzio acknowledges that, except as explicitly described in this Agreement, any Contribution which you provide is on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.

History

This project originated in this StackOverflow thread.

Credits

Thanks to Ivan Brusic for publishing this guide.
