🔎 Open source distributed and RESTful search engine.
uboness d7d96d866e [Fix] removed null hosts in the audit logs
Some requests are created locally by elasticsearch and therefore are not associated with a remote address (we only associate the remote address with a request that arrives remotely via the transport layer). An example of such a request is the periodic nodes info that is collected by elasticsearch. Also, requests that originate from the REST layer create transport requests locally.

  This commit takes this behaviour into account and makes sure that we'll always log the host in the audit logs. We do that in the following way:

   - `host` is replaced by two attributes: `origin_type` and `origin_address`. `origin_type` can be either `rest`, `remote_node` or `local_node`. `origin_address` holds the host address of the origin
   - when no remote address is associated with the request, it's safe to assume it was created locally. We'll then output `origin_type=[local_node] origin_address=[<the localhost address>]`
   - when a rest request gets in, we'll copy and place its remote address in the context of the request (the context of the rest request is copied to the context of the transport request)
   - in the audit logs, we'll inspect the transport request and look for a `rest_host` in its context. If we find it, we'll log the log entry under `origin_type=[rest], origin_address=[<the remote rest address>]` attributes. This way, the origin of the request won't get "lost" and we'll still differentiate between transport hosts and rest hosts.
   - if the request holds a remote address, it can only come from the transport layer, so we'll output "origin_type=[transport] origin_address=[<remote address>]"

 While at it, also changed the format of the log entries:

  - lowercased the whole message (e.g. `ANONYMOUS_ACCESS` to `[anonymous_access]`) (for consistency's sake)
  - introduced layer categorization for every entry to indicate whether it's `[transport]`, `[rest]` or `[ip_filter]` related. I reckon this will make it easier to parse the logs if one wishes to do so.

Fixes elastic/elasticsearch#550

Original commit: elastic/x-pack-elasticsearch@b84f0c5548
2015-01-20 02:06:48 +01:00
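The commit message describes the new entry shape (a `[layer]` tag, a lowercased `[event]` tag, then `key=[value]` attributes, with `origin_type`/`origin_address` replacing `host`). The following parser is an added example, not code from this repository; the sample lines and the exact field order are constructed here and are an assumption, not Shield's own format. It shows what the change buys a log consumer: entries from the local node (e.g. the periodic nodes-info request) can be separated from anonymous access that actually came from a remote address.

```python
import re
from collections import Counter

# Constructed sample entries (field order is an assumption for this example).
SAMPLE_LOG = """\
[transport] [anonymous_access] origin_type=[local_node] origin_address=[127.0.0.1] action=[cluster:monitor/nodes/info]
[rest] [anonymous_access] origin_type=[rest] origin_address=[203.0.113.7] uri=[/_cluster/health]
[transport] [access_denied] origin_type=[transport] origin_address=[10.0.0.12] principal=[alice] action=[indices:data/write/index]
[ip_filter] [connection_denied] origin_address=[198.51.100.9] transport_profile=[default]
"""

TAG_RE = re.compile(r"^\[(?P<layer>[a-z_]+)\]\s+\[(?P<event>[a-z_]+)\]")
ATTR_RE = re.compile(r"(?P<key>[a-z_]+)=\[(?P<value>[^\]]*)\]")


def parse_entry(line):
    """Split one entry into (layer, event, attributes); None if it is not in this layout."""
    m = TAG_RE.match(line)
    if not m:
        return None
    attrs = {a.group("key"): a.group("value") for a in ATTR_RE.finditer(line, m.end())}
    return m.group("layer"), m.group("event"), attrs


def summarize(log_text):
    """Count (layer, event, origin_type) triples; '-' marks entries without an origin_type."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue  # pre-fix or foreign line; not counted
        layer, event, attrs = parsed
        counts[(layer, event, attrs.get("origin_type", "-"))] += 1
    return counts


def remote_anonymous_access(log_text):
    """Anonymous-access entries whose origin is not the local node.

    local_node entries are the expected background noise described in the
    commit message; whatever remains names the remote address involved.
    """
    hits = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        layer, event, attrs = parsed
        origin = attrs.get("origin_type")
        if event == "anonymous_access" and origin not in (None, "local_node"):
            hits.append((layer, origin, attrs.get("origin_address", "")))
    return hits
```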

README.asciidoc

= Elasticsearch Security Plugin

This plugin adds security features to elasticsearch.

You can build the plugin with `mvn package`.

The documentation is in the `docs/` directory.