User Guide for Siren Federate

Securing Connector

When using Search Guard, Federate will need to authenticate as a user with all the permissions on the indices storing datasources and virtual indices configuration. The credentials of this user can be specified through the following node configuration settings:

  • siren.connector.username: the username of the Federate system user.
  • siren.connector.password: the password of the Federate system user.

Federate system role

If your cluster is protected by Search Guard, you must define a role with access to the Federate indices and internal operations, and create a Federate system user with that role.

Whenever a virtual index is created, the Federate plugin creates a concrete Elasticsearch index with the same name as the virtual index. On startup, the Federate plugin checks for missing concrete indices and attempts to create them automatically.

sg_roles.yml. 

federate_system:
  indices:
    '?siren-federate-*':
      '*':
        - INDICES_ALL

Then create a user with that role, e.g. a user called federate_system_user.

Example 1. Master node in a cluster with authentication and federate_system_user user:

elasticsearch.yml. 

siren.connector.username: federate_system_user
siren.connector.password: password
siren.connector.encryption.secret_key: "1zxtIE6/EkAKap+5OsPWRw=="


Example 2. JDBC node in a cluster with authentication and federate_system_user user:

elasticsearch.yml. 

siren.connector.username: federate_system_user
siren.connector.password: password
siren.connector.encryption.secret_key: "1zxtIE6/EkAKap+5OsPWRw=="
node.attr.connector.jdbc: true


Restart the nodes after setting the appropriate configuration parameters.

Administrative role

To manage, read, and search datasources and virtual indices, the following cluster-level and index-level permissions must be granted:

  • cluster:admin/federate/connector/* which are given by the CLUSTER_MANAGE group;
  • indices:admin/federate/connector/* which are included in the MANAGE group;
  • indices:admin/mappings/federate/connector/* which are part of the VIEW_INDEX_METADATA group; and
  • indices:data/read/federate/connector/* which are part of the READ group.

When a virtual index is defined, index-level write permissions are also required: unless an index with that name already exists, Federate creates a concrete index with the same name as the virtual index for interoperability with authentication plugins.

For instance, if a MySQL datasource is defined and a virtual index named db_mysql is created over it, a concrete index named db_mysql will be created. The following connector_admin role can then be created to manage, read, and search it.

sg_roles.yml. 

connector_admin:
  cluster:
    - CLUSTER_MANAGE
    - CLUSTER_MONITOR
  indices:
    db_mysql:
      '*':
        - READ
        - VIEW_INDEX_METADATA
        - MANAGE

Note

Write operations are applied to the virtual index, not to the underlying datasource itself.

Search role

To search virtual indices, a user needs the indices:data/read/federate/connector/* permissions, which are part of the READ group.

Keeping with the db_mysql virtual index example, a connector_user role needs the following permissions granted:

sg_roles.yml. 

connector_user:
  cluster:
    - CLUSTER_INTERNAL_FEDERATE
  indices:
    db_mysql:
      '*':
        - READ
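
The three roles above (federate_system, connector_admin and connector_user) each grant a different subset of the Federate actions listed in the Administrative role and Search role sections. The following script is an added example, not Siren's or Search Guard's own code: it encodes the role definitions from this guide as constructed data and checks which Federate capability (manage, view metadata, search) each role actually has on a given index, which is the check to run when a user gets a 403 on a virtual index or when auditing for least privilege. It assumes Search Guard's '*' and '?' index wildcards behave like shell globs (modelled with fnmatch), that INDICES_ALL covers every indices:* action, and it uses the constructed index name .siren-federate-example to exercise the '?siren-federate-*' pattern; the contents of CLUSTER_MONITOR and CLUSTER_INTERNAL_FEDERATE are not described in this guide, so they grant no Federate action in the check.

```python
"""Least-privilege check for Search Guard roles used with Siren Federate.

Constructed example: the role definitions mirror the sg_roles.yml snippets
in this guide, and the action-to-group mapping is restricted to the
permissions the guide lists. Real Search Guard action groups contain more
actions than the Federate-specific ones recorded here.
"""
from fnmatch import fnmatchcase

# Federate actions each capability needs, as listed in the guide. "cluster"
# entries must be granted at cluster level, "indices" entries on an index
# pattern that matches the virtual index.
REQUIRED = {
    "manage": {
        "cluster": ["cluster:admin/federate/connector/*"],
        "indices": ["indices:admin/federate/connector/*"],
    },
    "view_metadata": {
        "cluster": [],
        "indices": ["indices:admin/mappings/federate/connector/*"],
    },
    "search": {
        "cluster": [],
        "indices": ["indices:data/read/federate/connector/*"],
    },
}

# Federate action pattern each Search Guard group covers, per the guide.
# INDICES_ALL covering 'indices:*' is an assumption, not taken from the page.
# CLUSTER_MONITOR and CLUSTER_INTERNAL_FEDERATE appear in the guide's roles
# but their contents are not described there, so they cover nothing here.
GROUP_COVERS = {
    "CLUSTER_MANAGE": ["cluster:admin/federate/connector/*"],
    "MANAGE": ["indices:admin/federate/connector/*"],
    "VIEW_INDEX_METADATA": ["indices:admin/mappings/federate/connector/*"],
    "READ": ["indices:data/read/federate/connector/*"],
    "INDICES_ALL": ["indices:*"],
    "CLUSTER_MONITOR": [],
    "CLUSTER_INTERNAL_FEDERATE": [],
}

# Constructed roles, copied from the sg_roles.yml snippets in this guide.
ROLES = {
    "federate_system": {
        "cluster": [],
        "indices": {"?siren-federate-*": {"*": ["INDICES_ALL"]}},
    },
    "connector_admin": {
        "cluster": ["CLUSTER_MANAGE", "CLUSTER_MONITOR"],
        "indices": {"db_mysql": {"*": ["READ", "VIEW_INDEX_METADATA", "MANAGE"]}},
    },
    "connector_user": {
        "cluster": ["CLUSTER_INTERNAL_FEDERATE"],
        "indices": {"db_mysql": {"*": ["READ"]}},
    },
}


def covers(groups, needed_pattern):
    """True if any granted group covers the needed action pattern.
    The needed pattern's '*' is replaced by a concrete sample action so a
    broader group pattern such as 'indices:*' also counts as coverage."""
    sample = needed_pattern.replace("*", "sample")
    return any(fnmatchcase(sample, p) for g in groups for p in GROUP_COVERS.get(g, []))


def index_groups(role, index_name):
    """Action groups the role grants on index_name, collected from every
    index pattern that matches it (Search Guard '*' and '?' wildcards)."""
    groups = []
    for pattern, types in role["indices"].items():
        if fnmatchcase(index_name, pattern):
            for type_groups in types.values():
                groups.extend(type_groups)
    return groups


def capabilities(role_name, index_name, roles=ROLES):
    """Set of Federate capabilities the role has on the index; a capability
    is granted only when all of its cluster and index actions are covered."""
    role = roles[role_name]
    idx_groups = index_groups(role, index_name)
    granted = set()
    for cap, need in REQUIRED.items():
        ok_cluster = all(covers(role["cluster"], a) for a in need["cluster"])
        ok_index = all(covers(idx_groups, a) for a in need["indices"])
        if ok_cluster and ok_index:
            granted.add(cap)
    return granted


def missing_for(role_name, index_name, capability, roles=ROLES):
    """Required actions the role lacks for one capability, sorted."""
    role = roles[role_name]
    idx_groups = index_groups(role, index_name)
    need = REQUIRED[capability]
    return sorted(
        [a for a in need["cluster"] if not covers(role["cluster"], a)]
        + [a for a in need["indices"] if not covers(idx_groups, a)]
    )


if __name__ == "__main__":
    for role in ROLES:
        print(role, "on db_mysql:", sorted(capabilities(role, "db_mysql")))
    print("federate_system on .siren-federate-example:",
          sorted(capabilities("federate_system", ".siren-federate-example")))
    print("connector_user missing for manage:",
          missing_for("connector_user", "db_mysql", "manage"))
```

Running it shows connector_admin with all three capabilities on db_mysql, connector_user with search only, and federate_system with nothing on db_mysql but index-level coverage on the constructed .siren-federate-example name, because the '?' wildcard matches the leading dot. The missing_for output for connector_user lists both the cluster-level and the index-level manage actions it lacks, which is exactly what an administrator needs to decide whether to grant CLUSTER_MANAGE and MANAGE or leave the user read-only.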