We have hosted an elastic search V7.11.2 on our non-cloud ecosystem. We are using presto V0.248 to connect to it.
Our Elastic Search is secured with a basic authentication system (currently is NON-SSL) we are able to connect but due to authentication enabled we are getting 401 HTTP status. As per the documentation we currently don't see any header adding or option to add username or password to presto connector.
Any help or pointer on how to enable the same.
Prestodb doesn't support user/password authentication for Elasticsearch. You may want to look at Trino (a fork of prestodb by its creators and major contributors, formerly known as PrestoSQL), which has had this feature since version 337 (latest version is 354): https://trino.io/docs/current/connector/elasticsearch.html#elasticsearch-auth-user
Related
I am using hazelcast 3.11.2, free version. Trying to enforce authentication, i.e. group password, but it is not working. Hazelcast is ignoring it, and letting nodes join the cluster anyway, without specifying or specifying a wrong password.
According to hazelcast resources on the net, newer versions starting with 3.8.2 will let members join the cluster with the same group name even if the group password is different / not specified. On the other hand JAAS is supported with Enterprise version only.
So, how should authentication be added in the hazelcast's community edition? Try and hack in something when the members are joining or there is a better, standardized way?
Open to recommendations... Thx!
Group password was removed because it wasn't meant to be used as security. For community edition, you can try setting hazelcast.application.validation.token at runtime for all your members.
Security is an enterprise feature and can not be accessed in community version.
I've been experimenting with trying to secure a Elasticsearch cluster with basic auth and TLS.
I've successfully been able to do that using Search-Guard. The problem occurs with the Couchbase XDCR to Elasticsearch.
I'm using a plugin called elasticsearch-transport-couchbase which perfectly fine without TLS and Basic Auth enabled on the Elasticsearch cluster. But when enabling that with Search-Guard I am not able to make that work.
As far as I can tell the issue lies with the elasticsearch-transport-couchbase plugin. This has also been discussed previously in some issues on their Github repo.
It is also the only plugin what I can find that can be used for XDCR from Couchbase.
I'm curious about other peoples experience with this. Is there anyone who have been in the same situation as I and been able to setup a XDCR from Couchbase to Elasticsearch with TLS?
Or perhaps there are some other more suitable tools that I can use that I have missed?
The Couchbase transport plugin doesn't support XDCR TLS yet, it's on the roadmap, but isn't going to happen soon. Search-guard adds SSL to the HTTP/REST endpoint in ES, but the plugin opens its own endpoint (on port 9091 by default) which Search-guard doesn't touch. I'll take a look at whether it's possible to extend search-guard to apply to the transport plugin - the main problem is on the Couchbase XDCR side, which doesn't expect SSL on the target endpoint.
Version 4.0 of the Couchbase Elasticsearch connector supports secure connections to Couchbase Server and/or Elasticsearch.
Reference: https://docs.couchbase.com/elasticsearch-connector/4.0/secure-connections.html
A small update. We went around the issue by setting up a stunnel with xinetd. So all communication with ELS have to go through the stunnel where the TLS will terminate.
We blocked access to port 9200, and restricted 9091 to the Couchbase-cluster host and 9300 to the other ELS nodes only.
Seems to work good.
I am trying to deploy an Akka application on Azure, that uses the journal persistence plugin.
I cannot find a working combination when it comes to the persistence plugin I should use.
So far I looked into:
akka-persistence-mongo and Azure Document Store with Mongo driver: it does not work because akka-persistence-mongo is not compatible with the latest reactive-mongo version that supports SSL
akka-persistence-jdbc and an Azure SQL server: it seems the akka-persistence-jdbc is only compatible with Slick H2, Oracle and MySQL drivers
I do not have any strong performance requirements, this is why both solutions would have worked.
My best guess for the moment is akka-persistence-redis with Microsoft Azure Redis.
I am proposing a contribution to this plugin to make it compatible with Microsoft Azure Redis (authentication, as well as a strange error when calling zrangebyscore that I do not have with a local Redis).
I have only one server, Solr server. Is it possible to enable Authentication and Authorization for Solr 5 without installing ZooKeeper?
I know that one possible way is to configure, for example, IP table and give access to the server from a certain host (or hosts). But I am interested in Solr's capabilities without any external servers like ZooKeepers.
You can configure your container to do authentication yourself, but the only bundled support in Solr requires running Solr in SolrCloud mode (meaning that it has to either use an external Zookeeper or the internal, bundled one). From [the reference guide about Authentication and Authorization]:(https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins)
To use these plugins, you must create a security.json file and upload it to ZooKeeper. This means that authentication and authorization is supported in SolrCloud mode only.
You could also bind Solr to localhost (as Solr shouldn't be exposed on public ips) and then use nginx or Apache to reverse proxy any requests and perform authentication. Configuration would depend on the chosen httpd and how it configures Basic HTTP Authentication.
You don't have to install any external zookeeper to enable authentication and authorization in your solr server. Internal zookeeper works perfectly fine.
http://lucidworks.com/blog/2015/08/17/securing-solr-basic-auth-permission-rules/
I hope this helps.
I can't seem to get cassandra-stress working with authentication. I'm using simple username/password authentication. When I run cassandra-stress, I get auth failures (naturally). Anybody know how to specify username / passwords for stress-tool. I'm trying out apache cassandra 2.1.0-rc4 btw.
I know this is an old one but cassandra-stress got authentication support in 2.1.3 with CASSANDRA-7985.
I turned off authentication (stopped Cassandra, in conf/cassandra.yaml changed authenticator value from PasswordAuthenticator to AllowAllAuthenticator, then started Cassandra), then cassandra-stress tool worked.
Maybe it just doesn't support authentication? That would be a little disappointing (version 2.0.9)
Ben