Does ROR support DC locator?

alonzo · May 29, 2019, 9:16am

Hi,

the question in the title above .
I’d like to know if we have several DCs in some sites , can I configure readonlyrest to choose the nearest site ?

Thanks .

sscarduzio · May 31, 2019, 6:51pm

Hello @alonzo, great question. We researched and found out the library we use for LDAP does support this feature. So we can make it work. Will add it to the backlog, it will take a couple of months before we have time for this though, as we have a ton to do in the next 3 sprints.

How urgent is this for you?

alonzo · June 2, 2019, 5:09am

Hi Simone,

it’s not “severity 1” , more like “severity 2” issue .
currently the application suffers from connection timeout from time to time since the active directory has some remote (for redundancy) and some local DCs.
we have a dirty workaround for those hangs and we will appreciate if you can promote a solution to fix this.

Thanks a lot .

sscarduzio · June 2, 2019, 7:32pm

@alonzo, maybe for now you can put all the known servers in HA in ROR settings?

github.com

beshu-tech/readonlyrest-docs/blob/master/elasticsearch.md#ldap-connector

# For Elasticsearch

## Overview: The ReadonlyREST Suite

ReadonlyREST is a light weight Elasticsearch plugin that adds encryption, authentication, authorization and access control capabilities to Elasticsearch embedded REST API. The core of this plugin is an ACL engine that checks each incoming request through a sequence of **rules** a bit like a firewall. There are a dozen rules that can be grouped in sequences of blocks and form a powerful representation of a logic chain.

The Elasticsearch plugin known as `ReadonlyREST Free` is released under the GPLv3 license, or alternatively, a commercial license \(see [ReadonlyREST Embedded](https://readonlyrest.com/embedded)\) and lays the technological foundations for the companion Kibana plugin which is released in two versions: [ReadonlyREST PRO](https://readonlyrest.com/pro) and [ReadonlyREST Enterprise](https://readonlyrest.com/enterprise).

Unlike the Elasticsearch plugin, the Kibana plugins are commercial only. But rely on the Elasticsearch plugin in order to work.

For a description of the Kibana plugins, skip to the [dedicated documentation page](kibana/) instead.

### ReadonlyREST Free plugin for Elasticsearch

In this document we are going to describe how to operate the Elasticsearch plugin in all its features. Once installed, this plugin will greatly extend the Elasticsearch HTTP API \(port 9200\), adding numerous extra capabilities:

* **Encryption**: transform the Elasticsearch API from HTTP to HTTPS
* **Authentication**: require credentials
* **Authorization**: declare groups of users, permissions and partial access to indices.
* **Access control**: complex logic can be modeled using an ACL \(access control list\) written in YAML.

This file has been truncated. show original

alonzo · June 3, 2019, 6:37am

thanks , we are familiar with those settings .
the reason we didn’t want to use it is because the way we configure the LDAP hosts is transparent to the application .
if we put the exact host names in the YML file we’ll have to maintain this list each time a DC is added or excluded by the IT team.
meanwhile since we have no choice we’ll use this option and wait for the new version to be released by you.

thanks again .

alonzo · June 30, 2019, 9:29am

Hi Simone ,

can you please update if there’s anything new with the DC Locator ?
is it going to be implemented in one of the new builds ?

Thanks .

sscarduzio · July 1, 2019, 10:25am

Hi @alonzo, this feature is in the pipeline, but not yet delivered. Will see if I can prioritise.

alonzo · July 1, 2019, 11:03am

no problem , thank you Simone .

pielas · December 20, 2020, 12:51pm

Hi @alonzo, we have developed a feature allowing usage of DNS SRV records for LDAP server discovery instead of having to provide list of servers in config file. This is what DC Locator is using to discover LDAP servers. ROR with this feature hasn’t been released yet, but you can check if it satisfies your needs using pre-release build. Here is link to ROR for ES 7.9.3 https://readonlyrest-data.s3.eu-west-1.amazonaws.com/build/1.26.0-pre5/readonlyrest-1.26.0-pre5_es7.9.3.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO5QS2CXRMG%2F20201220%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20201220T124817Z&X-Amz-Expires=604800&X-Amz-Signature=a948bf5f73eada369a5a9fb6d0a60990da9a43909de0f99cd84fc3fc5b21025c&X-Amz-SignedHeaders=host. Please let me know if you are using different version of elasticsearch.

Here is link to documentation of this feature readonlyrest-docs/elasticsearch.md at feature/RORDEV-76-ldap-server-discovery · pielas/readonlyrest-docs · GitHub. In the simplest form, when you want to use the system DNS, all you have to do is replace current host/hosts configuration with server_discovery: true.