This is an OpenShift plugin to ElasticSearch to:
- Dynamically update the SearchGuard ACL based on a user's name
- Transform kibana index requests to support multitenant deployments
With the update to use Searchguard-2 and Searchguard-SSL for ES 2.4.x, the OpenShift-Elasticsearch-Plugin assumes the initial ACLs are seeded when the cluster is started.
You can view sample configurations [here] (./samples/).
As with sgadmin, the plugin needs to use the certificate with a DN that matches
the searchguard.authcz.admin_dn as defined in the ES config to be able to
update the Searchguard index. You can specify the certificate and truststore information
for the esClient with the following properties.
| Property | Description |
|---|---|
| openshift.searchguard.keystore.path | The certificate that contains the cert and key for the admin_dn. Default: /usr/share/elasticsearch/config/admin.jks |
| openshift.searchguard.truststore.path | The truststore that contains the certificate for Elasticsearch. Default: /usr/share/elasticsearch/config/logging-es.truststore.jks |
| openshift.searchguard.keystore.password | The password to open the keystore. Default: kspass |
| openshift.searchguard.truststore.password | The password to open the truststore. Default: tspass |
| openshift.searchguard.keystore.type | The file type for the keystore. JKS or PKCS12 are accepted. Default: JKS |
| openshift.searchguard.truststore.type | The file type for the truststore. JKS or PKCS12 are accepted. Default: JKS |
You can configure which projects are deemed part of the .operations index for ACL configuration.
In your config file:
openshift.operations.project.names: ["default", "openshift", "openshift-infra"]
The defaults must all be in lower-case to be properly matched.
The following additional parameters can be set in set in elasticsearch.yml:
| Property | Description |
|---|---|
| io.fabric8.elasticsearch.acl.sync_delay_millis | The delay in milliseconds before the SG AGL document is resynced with OpenShift |
| io.fabric8.elasticsearch.acl.user_profile_prefix | The prefix to use to store Kibana user visualizations (default: .kibana.USERUUID) |
| io.fabric8.elasticsearch.kibana.mapping.app | Absolute file path to a JSON document that defines the index mapping for applications |
| io.fabric8.elasticsearch.kibana.mapping.ops | Absolute file path to a JSON document that defines the index mapping for operations |
| *io.fabric8.elasticsearch.kibana.mapping.empty | Absolute file path to a JSON document that defines the index mapping for blank indexes |
| openshift.config.project_index_prefix | The string value that project/namespace indices use as their prefix (default: ``) for example, with the |
common data model, if the namespace is test, the index name will be |
|
project.test.$uuid.YYYY.MM.DD. In this case, use "project" as the |
|
prefix - do not include the trailing .. |
Note: The io.fabric8.elasticsearch.kibana.mapping.* properties are required and must be defined for the plugin to function. A sample file
may be found in the samples folder.
Following are the dependencies
- [ElasticSearch 2.4.4] (https://github.com/elastic/elasticsearch/tree/2.4)
- [Search-Guard 2.4.4.10] (https://github.com/floragunncom/search-guard/tree/2.4.4.10)
- [Search-Guard-SSL 2.4.4.19] (https://github.com/floragunncom/search-guard-ssl/tree/2.4.4.19)
- Edit the Elasticsearch deployment config:
$oc edit dc/$ES_DCNAME
- Add environment variable:
...
spec:
containers:
- env:
- name: ES_JAVA_OPTS
value: -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=4021
...
- Forward the debug port
oc port-forward $ES_PODNAME 4000:4021
- Attach Eclipse debugger to forwarded port
Note: Mileage may vary here as this has not been verified since the plugin was compatible with ES1.7x
-
Install ES
-
Create a run configuration
-
Main Class
-
VM args:
-Des.path.home=${env_var:ES_HOME} -Delasticsearch -Des.foreground=yes -Dfile.encoding=UTF-8 -Delasticsearch -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC
- Environment Variables:
