Re: Shield doesn't support third party plugins

[joergpra...@gmail.com]

As a plugin author, is there any chance to use something like a suite of
tests or a compatibility kit in order to validate a plugin for being
compatible with Shield / a specific Shield version?

Jörg

On Wed, Jan 28, 2015 at 11:50 AM, uboness 
wrote:

> Tim,
>
> We're in the process of clarifying this in the docs (agreed that the
> current description is not really clear). Let me try to clarify it a bit
> here...
>
> When it comes to third party plugins, we have no control over the plugin
> code. The plugin infrastructure is extremely flexible in terms of what can
> be extended in elasticsearch, from adding analyzers to adding new internal
> actions and rest endpoints. While the former will have no impact on
> security, the latter might have a significant impact and potentially
> completely bypass the security checks in the system. For this reason, from
> a company perspective, we can't really support plugins that are not under
> our control (note that a lot of these plugins are developed internally in
> companies and are not open source such that we can even review the code).
>
> As far as "won't work" is concerned, it obviously depends on what the
> plugin is doing. A lot of plugins will work just fine (e.g. adding
> additional analyzers), but others may experience unexpected behaviour when
> developed without Shield security concerns in mind.
>
> I hope this clarifies it a bit. As mentioned above, we will fix the docs
> with better explanation about it.
>
>
> On Wednesday, January 28, 2015 at 10:27:20 AM UTC+1, Tim S wrote:
>>
>> http://www.elasticsearch.org/guide/en/shield/current/limitations.html
>> says that "Third-party plugins are not supported on clusters with the
>> Shield security plugin installed."
>>
>> Can someone clarify the difference between "not supported" and "won't
>> work" in this case please?
>>
>> If I have a plugin that is critical to the way I use elasticsearch (e.g.
>> a plugin that adds a custom analyzer), is that page saying that
>> Elasticsearch.com will not support an installation containing both shield
>> and this analysis plugin? So that just means that anyone using third party
>> plugins cannot use Shield at all? Is there any plan to change that?
>>
>> Thanks.
>>
>  --
> You received this message because you are subscribed to the Google Groups
> "elasticsearch" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to elasticsearch+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/elasticsearch/9d2661af-eb39-4cef-851c-1951d25965f2%40googlegroups.com
> 
> .
>
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to elasticsearch+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/CAKdsXoFByTUtz%2BP%3Dutq_tQtcLVsz8EWyr1C96sopBuUXESE0EQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Shield doesn't support third party plugins

[Tim S]

Thanks Uri, that helps, it makes a lot of sense.

On Wednesday, January 28, 2015 at 10:50:17 AM UTC, uboness wrote:
>
> Tim,
>
> We're in the process of clarifying this in the docs (agreed that the 
> current description is not really clear). Let me try to clarify it a bit 
> here...
>
> When it comes to third party plugins, we have no control over the plugin 
> code. The plugin infrastructure is extremely flexible in terms of what can 
> be extended in elasticsearch, from adding analyzers to adding new internal 
> actions and rest endpoints. While the former will have no impact on 
> security, the latter might have a significant impact and potentially 
> completely bypass the security checks in the system. For this reason, from 
> a company perspective, we can't really support plugins that are not under 
> our control (note that a lot of these plugins are developed internally in 
> companies and are not open source such that we can even review the code).
>
> As far as "won't work" is concerned, it obviously depends on what the 
> plugin is doing. A lot of plugins will work just fine (e.g. adding 
> additional analyzers), but others may experience unexpected behaviour when 
> developed without Shield security concerns in mind.
>
> I hope this clarifies it a bit. As mentioned above, we will fix the docs 
> with better explanation about it.
>
>
> On Wednesday, January 28, 2015 at 10:27:20 AM UTC+1, Tim S wrote:
>>
>> http://www.elasticsearch.org/guide/en/shield/current/limitations.html 
>> says that "Third-party plugins are not supported on clusters with the 
>> Shield security plugin installed."
>>
>> Can someone clarify the difference between "not supported" and "won't 
>> work" in this case please?
>>
>> If I have a plugin that is critical to the way I use elasticsearch (e.g. 
>> a plugin that adds a custom analyzer), is that page saying that 
>> Elasticsearch.com will not support an installation containing both shield 
>> and this analysis plugin? So that just means that anyone using third party 
>> plugins cannot use Shield at all? Is there any plan to change that?
>>
>> Thanks.
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to elasticsearch+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/aa4dbf86-709d-4399-8496-6a94a358610e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Shield doesn't support third party plugins

[uboness]

Tim,

We're in the process of clarifying this in the docs (agreed that the 
current description is not really clear). Let me try to clarify it a bit 
here...

When it comes to third party plugins, we have no control over the plugin 
code. The plugin infrastructure is extremely flexible in terms of what can 
be extended in elasticsearch, from adding analyzers to adding new internal 
actions and rest endpoints. While the former will have no impact on 
security, the latter might have a significant impact and potentially 
completely bypass the security checks in the system. For this reason, from 
a company perspective, we can't really support plugins that are not under 
our control (note that a lot of these plugins are developed internally in 
companies and are not open source such that we can even review the code).

As far as "won't work" is concerned, it obviously depends on what the 
plugin is doing. A lot of plugins will work just fine (e.g. adding 
additional analyzers), but others may experience unexpected behaviour when 
developed without Shield security concerns in mind.

I hope this clarifies it a bit. As mentioned above, we will fix the docs 
with better explanation about it.


On Wednesday, January 28, 2015 at 10:27:20 AM UTC+1, Tim S wrote:
>
> http://www.elasticsearch.org/guide/en/shield/current/limitations.html 
> says that "Third-party plugins are not supported on clusters with the 
> Shield security plugin installed."
>
> Can someone clarify the difference between "not supported" and "won't 
> work" in this case please?
>
> If I have a plugin that is critical to the way I use elasticsearch (e.g. a 
> plugin that adds a custom analyzer), is that page saying that 
> Elasticsearch.com will not support an installation containing both shield 
> and this analysis plugin? So that just means that anyone using third party 
> plugins cannot use Shield at all? Is there any plan to change that?
>
> Thanks.
>

-- 
You received this message because you are subscribed to the Google Groups 
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to elasticsearch+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/9d2661af-eb39-4cef-851c-1951d25965f2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Shield doesn't support third party plugins

[Mark Walkom]

You should contact Elasticsearch support regarding this.

On 28 January 2015 at 20:27, Tim S  wrote:

> http://www.elasticsearch.org/guide/en/shield/current/limitations.html
> says that "Third-party plugins are not supported on clusters with the
> Shield security plugin installed."
>
> Can someone clarify the difference between "not supported" and "won't
> work" in this case please?
>
> If I have a plugin that is critical to the way I use elasticsearch (e.g. a
> plugin that adds a custom analyzer), is that page saying that
> Elasticsearch.com will not support an installation containing both shield
> and this analysis plugin? So that just means that anyone using third party
> plugins cannot use Shield at all? Is there any plan to change that?
>
> Thanks.
>
> --
> You received this message because you are subscribed to the Google Groups
> "elasticsearch" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to elasticsearch+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/elasticsearch/2d838ef0-209b-4475-8e0f-22734fff0472%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to elasticsearch+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/CAEYi1X80k%3DoWzZ6aC6h%3DvckzoU3am%3DW9ouQtBrcBp3KBRJL%3Dfg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Shield doesn't support third party plugins

[Tim S]

http://www.elasticsearch.org/guide/en/shield/current/limitations.html says 
that "Third-party plugins are not supported on clusters with the Shield 
security plugin installed."

Can someone clarify the difference between "not supported" and "won't work" 
in this case please?

If I have a plugin that is critical to the way I use elasticsearch (e.g. a 
plugin that adds a custom analyzer), is that page saying that 
Elasticsearch.com will not support an installation containing both shield 
and this analysis plugin? So that just means that anyone using third party 
plugins cannot use Shield at all? Is there any plan to change that?

Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to elasticsearch+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/2d838ef0-209b-4475-8e0f-22734fff0472%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.