Almost all security issues with ES stem from their idea to keep authorization as...

joostdecock · on Dec 23, 2022

To be fair, "X-pack" was a thing many years ago. But those days are gone and have been for a while.

You get authorization in the free offering and that's been the case for the least two major versions.

The things you need to pay for are IMHO not hobby project stuff, like integration with LDAP/AD.

You are of course correct that this used to be the case, and that to some extend this sentiment prevails.

But I feel Elastic (the company) deserves credit for acknowledging the issue and addressing it.

jillesvangurp · on Dec 23, 2022

Actually wrong at several levels. First, the free version includes all the security features. Xpack was always free (as in beer) and easy to enable when that still was a separate thing (it no longer is). After they changed the license for the whole of elasticsearch to be similar, xpack is no longer a separate thing. You just get the whole product. For free. There are some paid features in there but they are mostly related to high value stuff related to e.g. machine learning.

The "security issues" mostly stem from people intentionally running it without a firewall completely unprotected on the public internet. And then they put important data in there. Simple solution: don't do that, it's stupid and negligent and it's 100% your fault if data leaks like that.

You wouldn't run a database on the internet either. But if you must run it on the public internet, just put nginx in front of it with basic auth and https. Problem solved. Not that hard.

Alternatively, use the hosted version which doesn't allow you to do that at all and is nice and easy to get started with.

antman · on Dec 23, 2022

That used to be the case, buy the Opensearch fork forced them to include it in their free offering