ROR setup on ES multi node cluster


(Vadim) #1

When setting up ror on multi nodes cluster (nodes are running on separate servers), should ror plugin need to be installed on master nodes only or on data nodes too ?
How this shoud be applied for 2 different scenarios: (1)nodes with master or data roles only and (2) nodes with both - master and data roles ? And what about coordinating (client) and ingesting nodes ?
Thanks


(Simone Scarduzio) #2

Hi @dzyubanv, ROR is so nice and simple because it literally doesn’t even know about being in a cluster.
Instead, ROR is a simple stateless access control layer for HTTP requests. This means you should install it in whatever ES node where you expect to receive HTTP requests.

NB: exception to being cluster-unaware = ROR can store its settings in the “.readonlyrest” index.
NB: exception to being stateless = some async authz/authc connectors may have some in-memory caching.


(Vadim) #3

Hi Simone!

What do you think about the following ES with RoR cluster topology.
The ES-5 cluster is running on 5 machines and there are 4 nodes (2 master and 2 data) on each of them.
The RoR is installed and enabled on master nodes on 4 machines as follows.

1st and 2nd machines RoR configuration files are identical and allow access to ES for all users/indices from servers abc with IP 11.111.11.22 and cde with IP 11.111.11.33 by setting this with the following control rules in readonlyrest.yml

access_control_rules:
- name: Accept all requests from servers
hosts: [11.111.11.22, 11.111.11.33]

3rd and 4th machines RoR configuration files on master nodes are identical and allow access to ES using group-based access control (certain users and certain indixes read or/and write).
5th machine’s two master nodes have no RoRs installed at all.
All master nodes (with and without RoRs) might receive incoming http requests.

So, here is the mix of RoRs configuration on different machines within one cluster.

Is this topology might be desirable and usable ?
Would it be possible if incoming http requests on master nodes on 5th machine (without RoRs) might be forbidden based on access control rules setup on RoRs on 1st/2nd and 3rd/4th machines (because of the zen discovery) ?
Or ALL RoR instances within the same multi-node cluster must have the same identical configurations on ALL master nodes which are exposed for external communication and might receive the incoming http requests ?

Thanks


(Simone Scarduzio) #4

The nice thing of ROR for ES is that (if you keep on using readonlyrest.yml and not the in index configuration) ROR behaves like a cluster unaware HTTP filter and you can have different settings in different nodes of the sae cluster.


(Vadim) #5

Thank you Simone for quick response, got you.
The only question in regard to your answer - is it possible to configure RoR somehow on the index instead of using readonlyrest.yml file or may be I’m missing something ?


(Simone Scarduzio) #6

It is possible for ROR to save settings inside an index, using an internal API implemented by the ROR PRO/Enterprise


(Vadim) #7

That is great, I will look at the ROR Pro/Enterprise.