Open willemdh opened 5 years ago
Pinging @elastic/es-security (:Security/Security)
We discussed this in today's team meeting. We see value in such a functionality but we are currently lacking the settings infrastructure to do per node type cluster settings. There are other projects/initiatives that run in parallel that might benefit from such an infrastructure so we will revisit this when/if it is in place
Currently we are setting the
xpack.security.http.filter.allow
directive in elasticsearch.yml to secure our nodes. The configuration is different for master / data nodes and ingest /coordination nodes. This implies that we cannot usexpack.security.http.filter.allow
as a cluster setting (https://www.elastic.co/guide/en/elasticsearch/reference/current/cluster-update-settings.html), as currenlyxpack.security.http.filter.allow
is for all nodes in the cluster.See also https://discuss.elastic.co/t/per-node-ip-filters-in-cluster-settings/199384
Using cluster update settings is much more dynamic then the elasticsearch.yml configuration files. As we require separate
xpack.security.http.filter.allow
settings for data, ingest and search clients, it would be a nice to have feature to no longer having to restart all nodes when you need to updatexpack.security.http.filter.allow
.