elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

Per Node Ip Filter in cluster settings #47924

Open willemdh opened 5 years ago

willemdh commented 5 years ago

Currently we are setting the xpack.security.http.filter.allow directive in elasticsearch.yml to secure our nodes. The configuration is different for master / data nodes and ingest / coordination nodes. This implies that we cannot use xpack.security.http.filter.allow as a cluster setting (https://www.elastic.co/guide/en/elasticsearch/reference/current/cluster-update-settings.html), as currently xpack.security.http.filter.allow is for all nodes in the cluster.

See also https://discuss.elastic.co/t/per-node-ip-filters-in-cluster-settings/199384

Using cluster update settings is much more dynamic than the elasticsearch.yml configuration files. As we require separate xpack.security.http.filter.allow settings for data, ingest and search clients, it would be a nice-to-have feature to no longer have to restart all nodes when you need to update xpack.security.http.filter.allow.
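
Added example, not part of the original issue and not Elasticsearch code: a small Python check of what happens if per-role `xpack.security.http.filter.allow` lists are merged into one cluster-wide value so it can be set through cluster update settings. The role names and networks are constructed sample values, and only IP/CIDR entries are handled (hostnames and special values are an assumption left out).

```python
import ipaddress

# Constructed sample data: the allow list each node role carries today in its
# own elasticsearch.yml under xpack.security.http.filter.allow.
PER_ROLE_ALLOW = {
    "master_data": ["10.0.1.0/24"],
    "ingest": ["10.0.1.0/24", "10.0.2.0/24"],
    "coordinating": ["10.0.1.0/24", "192.168.50.0/24"],
}


def parse(entries):
    """Turn IP/CIDR strings into network objects (bare IPs become /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def covered(net, allowed):
    """True if `net` lies entirely inside one of the `allowed` networks."""
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def cluster_wide_union(per_role):
    """The single allow list needed so no role loses a client it accepts today."""
    nets = {n for entries in per_role.values() for n in parse(entries)}
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def widened_access(per_role):
    """Per role, the networks the merged list would newly admit to its HTTP port."""
    union = cluster_wide_union(per_role)
    report = {}
    for role, entries in per_role.items():
        allowed = parse(entries)
        extra = [str(n) for n in union if not covered(n, allowed)]
        if extra:
            report[role] = extra
    return report


if __name__ == "__main__":
    for role, extra in widened_access(PER_ROLE_ALLOW).items():
        print(f"{role}: cluster-wide value would additionally allow {extra}")
```

Any role that appears in the report would accept HTTP connections from networks it rejects today, which is why the lists stay in per-node configuration files until per-role cluster settings exist.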

elasticmachine commented 5 years ago

Pinging @elastic/es-security (:Security/Security)

jkakavas commented 4 years ago

We discussed this in today's team meeting. We see value in such functionality but we are currently lacking the settings infrastructure to do per node type cluster settings. There are other projects/initiatives that run in parallel that might benefit from such an infrastructure so we will revisit this when/if it is in place.