deflEK
Reverse proxy that adds index-level RBAC to Elasticsearch.
Disclaimer
Deflek man-in-the-middles requests to elasticsearch in order to apply a best effort to filter access and mutate requests to be compatible, and to provide an audit log. It is not perfect, and probably never will be. Elasticsearch needs security to be baked in to do it properly. There are solutions that come closer to this, like ReadOnlyREST, Search Guard or Elastic's own X-pack security, but all of those are also bolt-on security, in the form of an Elasticsearch plugin. So use it at your own risk! Help make it better! Make a PR to add proper RBAC to the core of Elasticsearch!
Authentication
It currently requires fronting with a SSO authentication proxy (such as saml-proxy) to pass Username and Group headers for RBAC lookup. deflEK assumes these headers are trusted input. If that is not true for your use case, you MUST add your own authentication middleware, or else it will not work.
An example setup looks like this:
USER -> saml-proxy -> Kibana -> deflek -> Elasticsearch
To have Kibana pass user and group headers from saml-proxy to deflek, use Kibana's elasticsearch.requestHeadersWhitelist configuration option, documented here: https://www.elastic.co/guide/en/kibana/6.2/settings.html
The headers specified in config.example.yaml would be specified like this:
elasticsearch.requestHeadersWhitelist: ["X-Remote-Groups", "X-Remote-User"]
Features
- RBAC on indices and APIs
- Request traces - elasped time, query, errors, user, groups, indices, response code
- JSON logging, ready for indexing
Coverage
deflek can enforce RBAC on HTTP methods for every HTTP API elasticsearch offers
aditionally, deflek has index awareness for the following APIs:
- _mget
- _msearch
- _all
- _search
- direct index access (/< index >/1)
deflek can also mutate wildcard requests on the fly, to support software like Kibana.
Configuration
config.example.yaml is included as a sample configuration file. This is also the config that should be used with integration tests. It includes the indices and API whitelisting necessary to support Kibana.
You will need to edit the headers to match what your authentication layer passes to deflek. You will also need to modify groups access to match what will be included via those headers.
Running it
Build docker image:
docker build -t deflek .Deploy test stack to local Swarm:
docker stack deploy -c docker-compose.test.yml deflekTesting it
Ensure you have the dependencies:
dep ensureUse the example config:
cp config.example.yaml config.yamlRun a test elasticsearch cluster, if needed:
docker run -p 127.0.0.1:9200:9200 --rm -it -e "discovery.type=single-node" -v esdata1:/usr/share/elasticsearch/data docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.1Build and run deflek:
go build; ./deflEKRun deflek integration and unit tests:
go test