
I want to create a secure Elasticsearch Cluster.

About my use case. I want a multitenant system. Users must have administrative access to their own namespace. After a couple of tries, I'm now just giving users their own clusters (via docker).

Attempt 1: Shield on a dedicated node with multitenancy. This requires me to modify the roles yml file for every user. This is cumbersome and painful.

Attempt 2: Docker container + Shield: This looked to be working ok after some trial and error, but I don't like the licensing, and I also do not understand how it is securing the tcp transport.

Attempt 3: Docker container + nginx reverse proxy & htpasswd: This works well for securing the http transport, and works great with Kibana now that basic auth is supported in Kibana. Unfortunately, this limits my clustering abilities because 9300 is wide open.

Attempt 4: I'm about to try docker container + Search Guard: This looks like a decent option, but I'm still not sure how the tcp transport is supposed to be secured.

How do people actually secure multitenant Elasticsearch clusters?

Peter Klipfel
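The gap in attempt 3 is that the proxy only guards what it fronts: publishing 9300 with `-p` puts the transport port on every host interface no matter how well nginx protects 9200. The following is an added example, not code from the question or the answer, showing the per-tenant layout the question is heading towards: one Elasticsearch container per tenant with no published ports at all, attached to a per-tenant docker network that only the nginx basic-auth proxy can reach. The tenant name `acme`, the network `acme-net`, the hostname `acme.example.invalid`, and the paths under `/etc/nginx` are hypothetical placeholders; the image names `elasticsearch` and `nginx` are the official images.

```shell
#!/bin/sh
# Added example (not from the question or answer): one tenant gets its own
# Elasticsearch container behind an nginx basic-auth proxy, and the transport
# port 9300 is never published on the host. Tenant name, network name, hostname
# and file paths below are hypothetical placeholders.
set -eu

# nginx server block fronting one tenant's node. Every request must pass basic
# auth, and the proxy reaches port 9200 by container name over the private
# docker network, so the node itself needs no published ports at all.
render_nginx_conf() {
  tenant="$1"
  cat <<EOF
server {
    listen 443 ssl;
    server_name ${tenant}.example.invalid;
    ssl_certificate     /etc/nginx/certs/${tenant}.crt;
    ssl_certificate_key /etc/nginx/certs/${tenant}.key;

    location / {
        auth_basic           "Elasticsearch (${tenant})";
        auth_basic_user_file /etc/nginx/htpasswd/${tenant};
        proxy_pass           http://es-${tenant}:9200;
        proxy_set_header     Host \$host;
    }
}
EOF
}

# The weak form from the question: both 9200 and 9300 published on every host
# interface, so anyone who can reach the host can talk to the transport layer
# regardless of the proxy sitting in front of 9200.
render_es_run_weak() {
  printf 'docker run -d --name es-%s -p 9200:9200 -p 9300:9300 elasticsearch\n' "$1"
}

# Hardened form: no -p at all. The node sits on a per-tenant user-defined
# network; only the proxy container is attached to it and publishes 443.
render_es_run() {
  printf 'docker run -d --name es-%s --net %s-net elasticsearch\n' "$1" "$1"
}

render_proxy_run() {
  printf 'docker run -d --name proxy-%s --net %s-net -p 443:443 \\\n' "$1" "$1"
  printf '  -v /etc/nginx/conf.d/%s.conf:/etc/nginx/conf.d/default.conf:ro \\\n' "$1"
  printf '  -v /etc/nginx/htpasswd:/etc/nginx/htpasswd:ro -v /etc/nginx/certs:/etc/nginx/certs:ro nginx\n'
}

# Check helper: given the PORTS column of `docker ps` for a container, print
# "exposed" if 9300 is published on a non-loopback host address, else "private".
transport_exposure() {
  result=private
  for entry in $(printf '%s' "$1" | tr ',' ' '); do
    case "$entry" in
      *"->9300/tcp")
        host="${entry%%->*}"             # e.g. 0.0.0.0:9300 or 127.0.0.1:9300
        case "$host" in
          127.0.0.1:*|"[::1]:"*) ;;      # loopback only: unreachable from other hosts
          *) result=exposed ;;
        esac ;;
    esac
  done
  echo "$result"
}

# Usage: sh tenant-es.sh acme   (prints the setup steps, the proxy config and the run lines)
if [ $# -gt 0 ]; then
  echo "# htpasswd -B -c /etc/nginx/htpasswd/$1 admin   # create the tenant's first login"
  echo "# docker network create $1-net"
  render_nginx_conf "$1"
  render_es_run "$1"
  render_proxy_run "$1"
fi
```

Because 9300 is reachable only inside `acme-net`, additional nodes for the same tenant can still join each other by being started on that network, which keeps clustering without exposing the transport port on the host; spanning hosts then needs an overlay network or the per-customer VM cluster the answer below recommends. The `transport_exposure` helper is the check to run against `docker ps` output after deployment: any tenant whose 9300 line comes back `exposed` has the attempt-3 problem.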

1 Answer


You're on the right track. ES isn't inherently multi-tenant and you really can't know for sure you've properly secured / namespace access. Also, ES lacks authentication and https, so you'll have those problems to deal with too. I know you can pay for the privilege, and there are some other hacks you can do to get it, but realistically, the system is per customer, not multi tenant.

I'd also caution against the assumption that multi-tenant using docker is a viable solution. Again, docker security is not a well known / solved problem yet. There are risks when you virtualize on top of the kernel. The main risk being that the kernel is a huge amount of code vs accepted virtualization techniques on hardware. Take an amazon ec2 instance that runs on a hypervisor. The hypervisor implements much of the boundaries between VMs through hardware, i.e., special CPU procedures that assist in isolating different VMs at the hardware level.

Because the hypervisor is a small bit of code (compared to the kernel) it's much easier to audit. Because the hypervisor uses hardware features to enforce isolation, it's much safer.

On one dimension, Docker actually adds security on a per process basis (i.e., if your application running nginx gets hacked and the docker is set up well, then the intruder will also have to break out of the docker instance). On the other dimension, it's not nearly as good as machine virtualization.

My recommendation is to create a cluster of VMs for each customer, and on each VM cluster, run the ES docker plus other application dockers.

Jonathan