deflek

command module

v0.0.0-...-a253802 Latest Latest Go to latest Published: Jun 5, 2018 License: LGPL-3.0 Imports: 16 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/dustin-decker/deflek

Links

Open Source Insights

README ¶

deflEK

Reverse proxy that adds index-level RBAC to Elasticsearch.

Disclaimer

Deflek man-in-the-middles requests to elasticsearch in order to apply a best effort to filter access and mutate requests to be compatible, and to provide an audit log. It is not perfect, and probably never will be. Elasticsearch needs security to be baked in to do it properly. There are solutions that come closer to this, like ReadOnlyREST, Search Guard or Elastic's own X-pack security, but all of those are also bolt-on security, in the form of an Elasticsearch plugin. So use it at your own risk! Help make it better! Make a PR to add proper RBAC to the core of Elasticsearch!

Authentication

It currently requires fronting with a SSO authentication proxy (such as saml-proxy) to pass Username and Group headers for RBAC lookup. deflEK assumes these headers are trusted input. If that is not true for your use case, you MUST add your own authentication middleware, or else it will not work.

An example setup looks like this:

USER -> saml-proxy -> Kibana -> deflek -> Elasticsearch

To have Kibana pass user and group headers from saml-proxy to deflek, use Kibana's elasticsearch.requestHeadersWhitelist configuration option, documented here: https://www.elastic.co/guide/en/kibana/6.2/settings.html The headers specified in config.example.yaml would be specified like this:

elasticsearch.requestHeadersWhitelist: ["X-Remote-Groups", "X-Remote-User"]

Features

RBAC on indices and APIs
Request traces - elasped time, query, errors, user, groups, indices, response code
JSON logging, ready for indexing

Coverage

deflek can enforce RBAC on HTTP methods for every HTTP API elasticsearch offers

aditionally, deflek has index awareness for the following APIs:

_mget
_msearch
_all
_search
direct index access (/< index >/1)

deflek can also mutate wildcard requests on the fly, to support software like Kibana.

Configuration

config.example.yaml is included as a sample configuration file. This is also the config that should be used with integration tests. It includes the indices and API whitelisting necessary to support Kibana.

You will need to edit the headers to match what your authentication layer passes to deflek. You will also need to modify groups access to match what will be included via those headers.

Running it

Build docker image:

docker build -t deflek .

Deploy test stack to local Swarm:

docker stack deploy -c docker-compose.test.yml deflek

Testing it

Ensure you have the dependencies:

dep ensure

Use the example config:

cp config.example.yaml config.yaml

Run a test elasticsearch cluster, if needed:

docker run -p 127.0.0.1:9200:9200 --rm -it -e "discovery.type=single-node" -v esdata1:/usr/share/elasticsearch/data docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.1

Build and run deflek:

go build; ./deflEK

Run deflek integration and unit tests:

go test

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL