I have an installation of Elasticsearch version 1.1.0 which will be indexing items out of a SQLserver database. I have the jdbc-river plugin for retrieving information. I also have the jetty-1.1.0-beta plugin installed.
Currently, I have jetty configured with
sonian.elasticsearch.http.jetty:
config: jetty.xml,jetty-hash-auth.xml,jetty-restrict-writes.xml
This works great for when I try to retrieve information with a query such as
GET {{server}}:9200/{{indexName}}/_search
My problem is that if I try to do one of these two searches
GET {{server}}:9200/_search
GET {{server}}:9200/_river/_search
I get back all the river information, including the database log-in credentials. Needless to say, I don't want this exposed. To this end, I am trying to write a custom jetty-restrict-*.xml file to require authentication for these reads, but I don't want authentication for reads in {{indexName}}.
Is it better to try to use an approach of listing what reads need authentication, or should I list which indexes aren't restricted? I'm afraid I am not very familiar with how the jetty xml files are written, so how would I do this?