Being a Graylog user/Admin since Graylog 2.x one of the main points that I always advocate was against the directly access on Elasticsearch to perform any kind of query. Not only for the security aspect of it but also to make sure that graylog performance would not be impacted by other systems ( grafana in this case ) to perform queries directly on Elasticsearch. A few days ago, our team is debating towards granting queries capabilities directly from grafana for the mentioned points by creating a datasource on ES towards all the indexes ( or the aliased one ) so other teams that should not have access directly to graylog, could visualize some metrics on grafana.
My question would be, based on my experience and past ugly situations when granting access directly to elasticsearch. I never saw or found an official documentation stating that accessing elasticsearch directly isn’t considered good or bad practice.
Again, from my point of view based on years of graylog administration, granting access directly to elasticsearch could cause some security problems along with performance issues ( for example if someone performs a query of 1+ year on grafana and graylog being impacted by that ) but I would like to know more opinions about this.
I’m also looking into securing access to elasticsearch for our different environments. This subject comes up often, but one thing we have started doing was looking for ways to limit access to elasticsearch as in this post below.
When digging deeper into Security I also came across these documents.
I haven’t fully tested this out for performance issues in my lab yet but it’s a start.
As performing “a query of 1+ year on grafana and graylog” I’m not so sure. What we do is limit users’ activities through Authentication Services settings which is configured to use MS AD in that environment.
That’s about all the info I have. Sorry I cant be more help.
Hey @gsmith thank you a lot for the information. One the points that I missed ( forgot , probably) was that X-Pack became Open so regarding RBAC, I believe that we will be able to secure the access to elasticsearch. Regarding performance, Additional tests will be required on our side which i will be sharing the results here as soon i have the data.
