elastic / sense

A JSON aware developer's interface to Elasticsearch. Comes with handy machinery such as syntax highlighting, autocomplete, formatting and code folding.

Change default proxyFilter #75

Open bleskes opened 8 years ago

bleskes commented 8 years ago

Currently it's only documented: https://www.elastic.co/guide/en/sense/current/installing.html#securing_sense

A localhost default strikes the right balance between out of the box experience and security.

skearns64 commented 8 years ago

Would an alternative/simple approach for 2.0 be to just use the single Kibana configured ES cluster/host and not let the user change it? That way, you can't launch attacks against a cluster that isn't configured in Kibana?

As a kibana plugin (vs. browser plugin), I suspect it's less important to allow requests against arbitrary ES clusters from the same Kibana instance. If/when the Kibana framework grows support for multiple clusters, Sense could just use the Kibana config?

Apologies if this was already discussed!

bleskes commented 8 years ago

I think it would be a great shame to lose the ability to connect from Sense to multiple clusters. We are looking into indeed having the list of possible clusters be pre-configured but that's somewhere in the future.

If kibana ends up having a similar list of Elasticsearch clusters available to all of the apps in the kibana universe, I'll be +1 on using that. It would be a shame to enforce a limit now.

skearns64 commented 8 years ago

Compared with old-Sense, I agree, but as a Kibana app, it seems a bit odd that the whole Kibana framework points at just one cluster, but the Sense app is not tied to any cluster, and you have to enter the IP address.

Perhaps a middle-ground here isn't to set the default to localhost, it's to set the default to "the ES cluster that the Kibana framework is configured to communicate with"?

bleskes commented 8 years ago

> Perhaps a middle-ground here isn't to set the default to localhost, it's to set the default to "the ES cluster that the Kibana framework is configured to communicate with"?

Agreed to use that as the default white list. At the moment @spalger had some concerns about accessing that setting from Sense.

spalger commented 8 years ago

I don't want to create a required binding between kibana and sense, but I don't mind changing the default if it's available. We can safely try to read the kibana config value and fall back to localhost when kibana isn't enabled.
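
The default discussed in this thread (the Kibana-configured cluster when that setting is readable, localhost otherwise), as an added example that is not Sense's code and not written by any of the commenters. The names `defaultProxyFilter`, `isAllowedTarget` and the `kibanaConfig.elasticsearchUrl` field are hypothetical, and the hosts in the test inputs are constructed.

```javascript
'use strict';

// Fallback allow-list: loopback only, any port, anchored on both sides of the host.
const LOCALHOST_FILTER = [/^https?:\/\/(localhost|127\.0\.0\.1|\[::1\])(:\d+)?(\/|$)/];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build the default filter from the cluster Kibana points at (hypothetical
// config shape). Any missing or unusable value falls back to localhost.
function defaultProxyFilter(kibanaConfig) {
  const esUrl = kibanaConfig && kibanaConfig.elasticsearchUrl;
  if (typeof esUrl !== 'string') return LOCALHOST_FILTER;
  try {
    const u = new URL(esUrl);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return LOCALHOST_FILTER;
    // Match the exact origin (scheme, host, port), then a path or end of string.
    return [new RegExp('^' + escapeRegExp(u.origin) + '(/|$)')];
  } catch (e) {
    return LOCALHOST_FILTER;
  }
}

// Decide whether the proxy may forward a request to `target`.
// The URL is parsed first so the filter sees the real host, not raw text.
function isAllowedTarget(target, filters) {
  let u;
  try {
    u = new URL(target);
  } catch (e) {
    return false; // unparseable targets are rejected, never passed through
  }
  if (u.username || u.password) return false; // no userinfo in proxied URLs
  const normalized = u.origin + u.pathname;
  return filters.some((re) => re.test(normalized));
}
```

Matching against the parsed origin rather than the raw string is what keeps a prefix or userinfo look-alike of an allowed host from passing the filter.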