[[java-clients]]
=== Java Client and security
deprecated[7.0.0, The `TransportClient` is deprecated in favour of the {java-rest}/java-rest-high.html[Java High Level REST Client] and will be removed in Elasticsearch 8.0. The {java-rest}/java-rest-high-level-migration.html[migration guide] describes all the steps needed to migrate.]
The {es} {security-features} support the Java http://www.elastic.co/guide/en/elasticsearch/client/java-api/current/transport-client.html[transport client] for Elasticsearch.
The transport client uses the same transport protocol that the cluster nodes use
for inter-node communication. It is very efficient as it does not have to marshall
and unmarshall JSON requests like a typical REST client.
NOTE: Using the Java Node Client with secured clusters is not recommended or
supported.
[float]
[[transport-client]]
==== Configuring the Transport Client to work with a Secured Cluster
To use the transport client with a secured cluster, you need to:
[[java-transport-client-role]]
. {ref}/setup-xpack-client.html[Configure the {xpack} transport client].
. Configure a user with the privileges required to start the transport client.
A default `transport_client` role is built-in to the {es} {security-features},
which grants the
appropriate cluster permissions for the transport client to work with the secured
cluster. The transport client uses the _Nodes Info API_ to fetch information about
the nodes in the cluster.
. Set up the transport client. At a minimum, you must configure `xpack.security.user` to
include the name and password of your transport client user in your requests. The
following snippet configures the user credentials globally--every request
submitted with this client includes the `transport_client_user` credentials in
its headers.
+
--
[source,java]
-------------------------------------------------------------------------------------------------
import java.net.InetAddress;

import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
...
// The user named here is the identity for every request made through this client.
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "transport_client_user:x-pack-test-password")
        ...
        .build())
    // TransportAddress takes an InetAddress; InetAddress.getByName throws UnknownHostException.
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9300))
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9301));
-------------------------------------------------------------------------------------------------

WARNING: If you configure a transport client without SSL, the user name and
password in `xpack.security.user`, and any `Authorization` header you add, are
sent in clear text over the network (a Basic authentication header is only
base64-encoded, not encrypted).

You can also add an `Authorization` header to each request. If you've configured
global credentials, the `Authorization` header on a request overrides them for
that request only. This is useful when an application has multiple end users who
access Elasticsearch through the same client: set the global credentials to a
user that has only the `transport_client` role (the client uses that identity for
its own Nodes Info calls), add the `transport_client` role to the individual
users, and supply each user's credentials per request.
For example, the following snippet adds the `Authorization` header to a search
request:
[source,java]
--------------------------------------------------------------------------------------------------
import java.net.InetAddress;
import java.util.Collections;

import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
// In 6.3 and later the token class lives in the x-pack core module; earlier 6.x
// releases use org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.
import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
...
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        // Global credentials, used for any request that carries no Authorization header.
        .put("xpack.security.user", "transport_client_user:x-pack-test-password")
        ...
        .build())
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9300))
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9301));

// Basic authentication header value for the end user; the SecureString wraps the password chars.
String token = basicAuthHeaderValue("test_user", new SecureString("x-pack-test-password".toCharArray()));

// The header overrides transport_client_user for this request only.
client.filterWithHeader(Collections.singletonMap("Authorization", token))
    .prepareSearch().get();
--------------------------------------------------------------------------------------------------
--
. Enable SSL to authenticate clients and encrypt communications. To enable SSL,
you need to:
.. Configure the paths to the client's key and certificate in addition to the certificate authorities.
Client authentication requires every client to have a certificate signed by a CA that the nodes trust.
+
--
NOTE: Client authentication is enabled by default. For information about
disabling client authentication, see <<disabling-client-auth, Disabling Client Authentication>>.
[source,java]
--------------------------------------------------------------------------------------------------
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
...
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "transport_client_user:x-pack-test-password")
        // Key and certificate the client presents to the nodes.
        .put("xpack.ssl.key", "/path/to/client.key")
        .put("xpack.ssl.certificate", "/path/to/client.crt")
        // CA certificate(s) the client trusts when it verifies the node certificates.
        .put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
        ...
        .build());
--------------------------------------------------------------------------------------------------
--
.. Enable the SSL transport by setting `xpack.security.transport.ssl.enabled` to `true` in the
client configuration.
+
--
[source,java]
--------------------------------------------------------------------------------------------------
import java.net.InetAddress;

import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
...
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "transport_client_user:x-pack-test-password")
        .put("xpack.ssl.key", "/path/to/client.key")
        .put("xpack.ssl.certificate", "/path/to/client.crt")
        .put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
        // Without this the key, certificate and CA settings above are never used.
        .put("xpack.security.transport.ssl.enabled", "true")
        ...
        .build())
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9300))
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9301));
--------------------------------------------------------------------------------------------------
--
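The following is an added example that puts the steps above together; it is not code from the Elasticsearch documentation or the {xpack} code base. It reads the two passwords from the environment instead of embedding them in source, enables TLS with a client certificate, keeps the default `full` verification mode so that node certificate hostnames are checked, fails fast if no node connected, and runs a search as an end user via a per-request `Authorization` header while the client's global identity stays the low-privilege `transport_client_user`. The environment variable names `ES_TRANSPORT_CLIENT_PASSWORD` and `RDENIRO_PASSWORD`, the `/path/to/...` files, the user `rdeniro`, the index pattern `logs-*` and the class name are assumptions for illustration; `UsernamePasswordToken` is imported from its 6.3+ package.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Collections;
import java.util.Map;

import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
// 6.3+ package; earlier 6.x releases use org.elasticsearch.xpack.security.authc.support.
import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;

/** Added example, not part of the Elasticsearch documentation. Paths and variable names are placeholders. */
public final class SecureTransportClientExample {

    /** Read a required secret from the environment so that no password is committed with the source. */
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing environment variable " + name);
        }
        return value;
    }

    /** Client whose global identity is the transport_client user, with TLS and a client certificate. */
    public static TransportClient buildClient(String clusterName, String host, int port) throws UnknownHostException {
        Settings settings = Settings.builder()
            .put("cluster.name", clusterName)
            // Used only for requests without an Authorization header (e.g. the client's Nodes Info calls),
            // so this user needs nothing beyond the built-in transport_client role.
            .put("xpack.security.user", "transport_client_user:" + requireEnv("ES_TRANSPORT_CLIENT_PASSWORD"))
            // Client key and certificate; client authentication is required by default on the cluster side.
            .put("xpack.ssl.key", "/path/to/client.key")
            .put("xpack.ssl.certificate", "/path/to/client.crt")
            // Private CA that signed the node certificates. Drop this line only for a CA the JVM already trusts.
            .put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
            // "full" is the default: it verifies the chain and the hostname. Do not lower it to "none" in production.
            .put("xpack.ssl.verification_mode", "full")
            .put("xpack.security.transport.ssl.enabled", "true")
            .build();

        TransportClient client = new PreBuiltXPackTransportClient(settings)
            .addTransportAddress(new TransportAddress(InetAddress.getByName(host), port));

        // addTransportAddress samples the node synchronously; an empty list means the TLS handshake,
        // the client certificate or the transport_client credentials were rejected.
        if (client.connectedNodes().isEmpty()) {
            client.close();
            throw new IllegalStateException("no connected nodes: check the TLS material and transport_client credentials");
        }
        return client;
    }

    /** Header map that makes one request run as the end user instead of the global transport_client user. */
    public static Map<String, String> asUser(String username, char[] password) {
        SecureString secret = new SecureString(password);
        try {
            return Collections.singletonMap("Authorization",
                UsernamePasswordToken.basicAuthHeaderValue(username, secret));
        } finally {
            secret.close(); // zeroes the password chars once the header value has been built
        }
    }

    public static void main(String[] args) throws UnknownHostException {
        // TransportClient is Closeable, so try-with-resources releases the connections and threads.
        try (TransportClient client = buildClient("myClusterName", "localhost", 9300)) {
            SearchResponse response = client
                .filterWithHeader(asUser("rdeniro", requireEnv("RDENIRO_PASSWORD").toCharArray()))
                .prepareSearch("logs-*")
                .setSize(0)
                .get();
            // Authorization for the search itself is evaluated against rdeniro's roles, not transport_client_user's.
            System.out.println("search as rdeniro returned " + response.status());
        }
    }
}
```

If the client certificate is rejected or the CA does not match, the failure surfaces as an empty `connectedNodes()` list rather than as an authentication error on the first request, which is why the check sits in `buildClient` instead of around the search.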
[float]
[[disabling-client-auth]]
===== Disabling client authentication
If you want to disable client authentication, you can use a client-specific
transport profile. For more information see <<separating-node-client-traffic, Separating Node to Node and Client Traffic>>.
If you are not using client authentication and sign the Elasticsearch node
certificates with your own CA, you still need to provide the path to the CA
certificate in your client configuration so that the client can verify the nodes.
[source,java]
------------------------------------------------------------------------------------------------------
import java.net.InetAddress;

import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
...
TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "test_user:x-pack-test-password")
        // No client key or certificate: the client only verifies the nodes, it does not present a certificate.
        .put("xpack.ssl.certificate_authorities", "/path/to/ca.crt")
        .put("xpack.security.transport.ssl.enabled", "true")
        ...
        .build())
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9300))
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9301));
------------------------------------------------------------------------------------------------------
NOTE: If you are using a public CA that is already trusted by the Java runtime,
you do not need to set the `xpack.ssl.certificate_authorities`.
[float]
[[connecting-anonymously]]
===== Connecting anonymously
To enable the transport client to connect anonymously, you must assign the
anonymous user the privileges defined in the <<java-transport-client-role,transport_client>>
role. Anonymous access must also be enabled, of course. For more information,
see <<anonymous-access,Enabling Anonymous Access>>.
[float]
[[security-client]]
==== Security client

The {stack} {security-features} expose an API through the `SecurityClient` class.
To obtain a `SecurityClient`, first create an `XPackClient`,
which is a wrapper around the existing {es} clients (any client class implementing
`org.elasticsearch.client.Client`).
The following example shows how you can clear the realm caches using
the `SecurityClient`:
[source,java]
------------------------------------------------------------------------------------------------------
Client client = ... // create the transport client
XPackClient xpackClient = new XPackClient(client);
SecurityClient securityClient = xpackClient.security();
ClearRealmCacheResponse response = securityClient.authc().prepareClearRealmCache()
.realms("ldap1", "ad1") <1>
.usernames("rdeniro")
.get();
------------------------------------------------------------------------------------------------------
<1> Clears the `ldap1` and `ad1` realm caches for the `rdeniro` user.