Django-Haystack using Amazon Elasticsearch hosting with IAM credentials

前端 未结 2 1241
无人及你
无人及你 2021-02-09 11:03

I am hoping to use Amazon\'s Elasticsearch server to power a search of longtext fields in a Django database. However, I also don\'t want to expose this search to those who don\'

2条回答
  •  谎友^
    谎友^ (楼主)
    2021-02-09 11:13

    AWS Identity and Access Management (IAM) allows you to manage users and user permissions for AWS services, to control which AWS resources users of AWS itself can access.

    You cannot use IAM credentials to authorize users at the application level via http_auth, as it appears you are trying to do via Haystack here. They are different authentication schemes for different services. They are not compatible.

    In your security use case, you have stated the need to 1) restrict access to your application, and 2) to secure the Elasticsearch service port from open access. These two requirements can be met using the following methods:

    Restrict access to your application

    I also don't want to expose this search to those who don't have a log in

    For the front-end search app, you want to use a server level Basic access authentication (HTTP auth) configuration on the web server. This is where you want to control user login access to your app, via a standard http_auth username and password (again, not IAM). This will secure your app at the application level.

    Secure the Elasticsearch service port

    don't want to rely on security through obscurity or some IP restriction tactic (unless it would work well with an existing heroku app, where the Django app is deployed).

    IP restriction is exactly what would work here, and consistent with AWS security best practices. You want to use security groups and security group rules as a firewall to control traffic for your EC2 instances.

    Given a Haystack configuration of:

    HAYSTACK_CONNECTIONS = {
        'default': {
            'ENGINE': 'haystack.backends.elasticsearch_backend.ElasticsearchSearchEngine',
            'URL': 'http://127.0.0.1:9200/',
            'INDEX_NAME': 'haystack',
        },
    }
    

    you will want to implement an IP restriction at the security group and/or ACL level on that IP and port 127.0.0.1, to restrict access from only your Django host or other authorize hosts. This will secure it from any unauthorized access at the service level.

    In your implementation, the URL will likely resolve to a public or private IP, depending on your network architecture.

提交回复
热议问题