Securing Connector
When using Search Guard, Federate needs to authenticate as a user that has all permissions on the indices storing the datasource and virtual index configuration. The credentials of this user are specified through the following node configuration settings:
- siren.connector.username: the username of the Federate system user.
- siren.connector.password: the password of the Federate system user.
Federate system role
If your cluster is protected by Search Guard, you must define a role with access to the Federate indices and internal operations, and create a Federate system user with this role.
Whenever a virtual index is created, the Federate plugin creates a concrete Elasticsearch index with the same name as the virtual index. At startup, the Federate plugin checks for missing concrete indices and attempts to create them automatically.
sg_roles.yml
```yaml
federate_system:
  indices:
    '?siren-federate-*':
      '*':
        - INDICES_ALL
```
Then create a user with that role, for example a user called federate_system_user, and configure its credentials in elasticsearch.yml:
elasticsearch.yml
```yaml
siren.connector.username: federate_system_user
siren.connector.password: password
siren.connector.encryption.secret_key: "1zxtIE6/EkAKap+5OsPWRw=="
```
For a node on which the JDBC connector attribute is enabled, the same settings are used together with node.attr.connector.jdbc: true:
elasticsearch.yml
```yaml
siren.connector.username: federate_system_user
siren.connector.password: password
siren.connector.encryption.secret_key: "1zxtIE6/EkAKap+5OsPWRw=="
node.attr.connector.jdbc: true
```
Restart the nodes after setting the appropriate configuration parameters.
Administrative role
In order to manage, search and read datasources and virtual indices, the following cluster-level and index-level permissions must be granted:
- cluster:admin/federate/connector/*, which are given by the CLUSTER_MANAGE group;
- indices:admin/federate/connector/*, which are included in the MANAGE group;
- indices:admin/mappings/federate/connector/*, which are part of the VIEW_INDEX_METADATA group; and
- indices:data/read/federate/connector/*, which are part of the READ group.
When a virtual index is defined, index-level write permissions are required because Federate creates a concrete index with the same name for interoperability with authentication plugins, unless such an index already exists.
For instance, if a MySQL datasource is defined and named db_mysql, an index named db_mysql will be created. The following connector_admin role can then be created in order to manage, read and search it.
sg_roles.yml
```yaml
connector_admin:
  cluster:
    - CLUSTER_MANAGE
    - CLUSTER_MONITOR
  indices:
    db_mysql:
      '*':
        - READ
        - VIEW_INDEX_METADATA
        - MANAGE
```
Note: write operations are made on the virtual index, not against the actual datasource per se.
Search role
In order to search virtual indices, a user needs the indices:data/read/federate/connector/* permissions, which are part of the READ group.
Keeping with the db_mysql virtual index example, a connector_user needs the following permissions granted:
sg_roles.yml
```yaml
connector_user:
  cluster:
    - CLUSTER_INTERNAL_FEDERATE
  indices:
    db_mysql:
      '*':
        - READ
```
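The administrative and search roles above each need a specific set of Search Guard action groups on the virtual index, and a role that is short of one group fails in ways that are easy to misread as a Federate problem. The following script is an added example, not part of Siren's documentation or code: it parses the indented mapping-and-list subset of sg_roles.yml used by the three fragments on this page (embedded verbatim as ROLES_YAML) and reports which cluster and index action groups a role is missing for the administrative or search use case. The required-group tables are assumptions derived from this page's prose, the index name `.siren-federate-example` is a constructed sample used only to exercise the `?siren-federate-*` pattern, and the parser is a deliberately small substitute for a full YAML library.

```python
"""Check Search Guard role fragments against the action groups Federate needs.

Added example. parse_roles() understands only the subset of YAML that
sg_roles.yml fragments on this page use: nested mappings and lists of scalars.
"""
from fnmatch import fnmatchcase

# The three role definitions from this page, unchanged.
ROLES_YAML = """
federate_system:
  indices:
    '?siren-federate-*':
      '*':
        - INDICES_ALL

connector_admin:
  cluster:
    - CLUSTER_MANAGE
    - CLUSTER_MONITOR
  indices:
    db_mysql:
      '*':
        - READ
        - VIEW_INDEX_METADATA
        - MANAGE

connector_user:
  cluster:
    - CLUSTER_INTERNAL_FEDERATE
  indices:
    db_mysql:
      '*':
        - READ
"""

# Assumed requirement tables, derived from the page's "Administrative role" and
# "Search role" sections (the page names the groups, not these dict names).
ADMIN_CLUSTER = {"CLUSTER_MANAGE"}
ADMIN_INDEX = {"READ", "VIEW_INDEX_METADATA", "MANAGE"}
SEARCH_CLUSTER = {"CLUSTER_INTERNAL_FEDERATE"}
SEARCH_INDEX = {"READ"}


def parse_roles(text):
    """Parse nested mappings and lists of scalars into plain dicts and lists."""
    root = {}
    stack = [[0, root, None]]  # [indent, mapping, last key added at this level]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        while len(stack) > 1 and stack[-1][0] > indent:
            stack.pop()  # back out of deeper mappings
        if body.startswith("- "):
            # List item: it belongs to the most recent key of the enclosing mapping.
            _, mapping, key = stack[-1]
            if key is None:
                raise ValueError("list item without a parent key: %r" % raw)
            if mapping[key] is None:
                mapping[key] = []
            mapping[key].append(body[2:].strip().strip("'\""))
            continue
        key, _, value = body.partition(":")
        key = key.strip().strip("'\"")
        value = value.strip().strip("'\"")
        if indent > stack[-1][0] and stack[-1][2] is not None:
            # First key of a nested mapping: attach it under the parent's last key.
            child = {}
            stack[-1][1][stack[-1][2]] = child
            stack.append([indent, child, None])
        mapping = stack[-1][1]
        mapping[key] = value or None  # "key:" with no value is filled in later
        stack[-1][2] = key
    return root


def index_groups(role, index_name):
    """Action groups a role grants on index_name across all matching patterns."""
    groups = set()
    for pattern, doc_types in (role.get("indices") or {}).items():
        if fnmatchcase(index_name, pattern):  # Search Guard-style ? and * globs
            for _doc_type, granted in (doc_types or {}).items():
                groups.update(granted or [])
    return groups


def missing_groups(roles, role_name, index_name, cluster_required, index_required):
    """Return (missing cluster groups, missing index groups) for one role."""
    role = roles[role_name]
    cluster_have = set(role.get("cluster") or [])
    index_have = index_groups(role, index_name)
    if "INDICES_ALL" in index_have:
        index_have |= set(index_required)  # INDICES_ALL subsumes every index-level group
    return set(cluster_required) - cluster_have, set(index_required) - index_have


if __name__ == "__main__":
    roles = parse_roles(ROLES_YAML)
    for name, cluster_req, index_req in (
        ("connector_admin", ADMIN_CLUSTER, ADMIN_INDEX),
        ("connector_user", SEARCH_CLUSTER, SEARCH_INDEX),
    ):
        print(name, "on db_mysql -> missing:",
              missing_groups(roles, name, "db_mysql", cluster_req, index_req))
```

Run it against your own sg_roles.yml by replacing ROLES_YAML with the file's contents; a non-empty set in the output names the group to add, and a role checked against a virtual index it does not list (for example a second datasource) correctly comes back missing READ rather than silently passing, which is the least-privilege outcome you want before granting the role.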