RE: Elasticsearch Shield Security in Liferay Portal CE
Hi everyone,
I wanted to know if there is a possibility to connect a remote Elasticsearch to Liferay users system? I want that remote cluster to be protected, so that only Liferay users can make queries against it. The only thing I found is a connector for Liferay DXP, to connect ES6 X-Pack-Security to Liferay.
Is there any other way to protect Elasticsearch against queries that are not from logged-in Liferay users?
Thanks in advance
I won't be able to answer the deep details of this question, but please note:
Nils Wilmet: "Is there any other way to protect Elasticsearch against queries that are not from logged-in Liferay users?"
Liferay issues searches also for unauthenticated users. For example AssetPublisher works with the search index out of the box - and requires proper search functionality. AssetPublisher itself is also configurable to search through the database (typically slower), but I suspect that there might be other functionality that also utilizes search for unauthenticated users. Of course, after querying the index, permissions are still applied - e.g. the unauthenticated user will not see all documents, just because they're in the search index.
For the other details of this question, I'm stepping back. Unless this has clarified the question already (in that case: please comment)
Hi Olaf,
Thank you for the explanations. You say that unauthenticated users can't see elements they're not allowed to, but how do you protect custom resources?
Plus I am searching through the remote part of ES6 (by querying my server on port 9200) and it's that specific part that is vulnerable and that I want to protect against unauthenticated queries (if there is a way).
Do you think it would be easier to write my own API that queries Elasticsearch from inside my Service Builder? (and not from JS Fetch requests anymore)
Hi Nils,
Users will authenticate in Liferay system as Olaf said in his comment, but Liferay user data and permissions are not used to query Elasticsearch data:
If you are using Liferay Portal community or Liferay DXP without security module:
- Liferay will connect to Elasticsearch without any authentication.
- After query is executed, Liferay has its own permission system and query results will be filtered.
- So anyone with direct access to Elasticsearch server, will be able to download all data.
If you are using Liferay DXP with security module ( https://web.liferay.com/marketplace/-/mp/application/106163963 ) installed:
- In Liferay configuration, you will specify a generic user/password
- Liferay will connect to Elasticsearch using that generic user
- So Elasticsearch won't be aware of Liferay users, as a generic user is used for connection.
- So anyone with direct access to Elasticsearch server, won't be able to download any data, as Elasticsearch will request authentication.
Returned data from Elasticsearch will be filtered by Liferay using its internal user and permission information before displaying it to the final users.
So in the end, in case you don't set up security modules in both Liferay and Elasticsearch, the only risk is: someone connects to Elasticsearch server and downloads indexed data.
As a workaround, you can configure a firewall in Elasticsearch server and only allow connections from Liferay server.
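A check for the situations described in the answer above, as an added example that is not part of the original thread: it sends one request without credentials to the Elasticsearch HTTP port and reports whether the node answered, asked for authentication, or could not be reached. The function names and verdict labels are assumptions made for this example.

```python
"""Added example: does an Elasticsearch HTTP port answer without credentials?"""
import http.client
import sys
import urllib.error
import urllib.request

# Ignore any HTTP proxy settings so the check reflects a direct connection.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def classify_es_exposure(host, port=9200, timeout=3.0):
    """Return 'open', 'auth_required', 'unreachable' or 'unexpected:<detail>'."""
    url = f"http://{host}:{port}/"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            # A 200 without credentials means anyone on this network path
            # can query the node directly.
            return "open" if resp.status == 200 else f"unexpected:{resp.status}"
    except urllib.error.HTTPError as exc:
        # With a security module enabled the node asks for authentication.
        if exc.code in (401, 403):
            return "auth_required"
        return f"unexpected:{exc.code}"
    except http.client.HTTPException:
        # Something is listening but did not speak plain HTTP (e.g. TLS).
        return "unexpected:non-http"
    except OSError:
        # Refused, filtered or timed out: what a firewall rule produces.
        return "unreachable"


def verdict(result, from_liferay_server):
    """Map a probe result to 'ok', 'EXPOSED' or 'investigate' (labels assumed)."""
    if result == "open":
        # Without the security module Liferay itself connects unauthenticated,
        # so 'open' is only acceptable when probing from the Liferay server.
        return "ok" if from_liferay_server else "EXPOSED"
    if result == "auth_required":
        return "ok"
    if result == "unreachable":
        # Fine from other hosts; from the Liferay server search would be broken.
        return "investigate" if from_liferay_server else "ok"
    return "investigate"


if __name__ == "__main__":
    # Usage: python check_es.py <es-host> [liferay]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    on_liferay = len(sys.argv) > 2 and sys.argv[2] == "liferay"
    outcome = classify_es_exposure(target)
    print(target, outcome, verdict(outcome, on_liferay))
```

Run it once from the Liferay server and once from any other host on the network; only the second run should ever report `unreachable` or `auth_required` as the expected state when no security module is installed.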
Hi Jorge,
I'm actually using Liferay CE Portal 7.1... But I did a test on my service builder, with a route only available for connected users. This route queries Elasticsearch, and I'll be able to allow connection to Elasticsearch only from the server hosting the Liferay portal and service builder.
I just wondered if there were a way to connect Liferay users to Elasticsearch shield as with Liferay DXP security module, but it seems not. My workaround looks fine to me, without any loss of performance.
Thanks a lot for your answers and explanations, the best way was found for me!