sam

Reputation: 1985

Authentication and Authorization support from Elasticsearch Nest driver

We are using the Elasticsearch NEST client in our C# project. Up till now, we are connecting to ES via HTTP (meaning no security). Our project uses IoC. Now we have a requirement to upgrade C# to ES communication to HTTPS.

I have read Elasticsearch documentation and/or online articles on how to authenticate to ES via username and password to retrieve API key and then use an API key for indexing, searching, etc. But all of them are explained using CURL to ES.

But I am unable to find documentation or examples on how to use the NEST client to perform this two-step process - authentication and authorization. As explained in the cURL samples, do I need to first make an authentication request via HttpClient to the API key endpoint and then use the key while creating ConnectionSettings?

    using System;
    using Elasticsearch.Net;
    using Nest;

    var uri = new Uri("http://localhost:9200");            // plain HTTP today; the goal is https://
    var pool = new SingleNodeConnectionPool(uri);
    var connectionSettings = new ConnectionSettings(pool)
        .DefaultIndex("testindex")                          // Elasticsearch index names must be lowercase
        //.BasicAuthentication("username", "password")      // Authentication
        //.ApiKeyAuthentication("<id>", "<api key>")        // Authorization
        .ThrowExceptions()
        .EnableDebugMode();
    var client = new ElasticClient(connectionSettings);

My other question is: how and/or where to validate API key lifetime before making a request to ES? Does the NEST library do it internally?

Please point me to any existing examples or documentation for achieving this.

Upvotes: 0

Views: 3582

Answers (1)

MD. RAKIB HASAN

Reputation: 3956

ConnectionSettings is the configuration class for the high level client; it can be used to control how the client interacts with Elasticsearch. The following is a list of available connection configuration options on ConnectionSettings:

  1. DefaultDisableIdInference Disables automatic Id inference for given CLR types.

  2. DefaultFieldNameInferrer Specifies how field names are inferred from CLR property names.

  3. DefaultIndex The default index to use for a request when no index has been explicitly specified and no default indices are specified for the given CLR type specified for the request.

  4. DefaultMappingFor Specify how the mapping is inferred for a given CLR type. The mapping can infer the index, id and relation name for a given CLR type, as well as control serialization behaviour for CLR properties.

The low level client uses ConnectionConfiguration. There are a number of configuration options available, such as Authentication, ClientCertificate, DeadTimeout and so on.

Authentication: an implementation of IAuthenticationHeader describing which HTTP header to use to authenticate with the product.

`BasicAuthentication` for basic authentication
`ApiKey` for simple secret token
`Base64ApiKey` for Elastic Cloud style encoded api keys

Here is a demonstration of setting several configuration options:

    using System;
    using Elasticsearch.Net;

    var connectionConfiguration = new ConnectionConfiguration()
        .DisableAutomaticProxyDetection()           // do not consult system proxy settings
        .EnableHttpCompression()                    // gzip request/response bodies
        .DisableDirectStreaming()                   // buffer bodies so they can be inspected in debug output
        .PrettyJson()                               // ask Elasticsearch for indented JSON
        .RequestTimeout(TimeSpan.FromMinutes(2));

    var lowLevelClient = new ElasticLowLevelClient(connectionConfiguration);

Basic Authentication credentials can alternatively be specified on the node URI directly:

    using System;
    using Elasticsearch.Net;

    // user:password embedded in the node URI has the same effect as .BasicAuthentication(...)
    var uri = new Uri("http://username:password@localhost:9200");
    var settings = new ConnectionConfiguration(uri);

The most basic component of security within Elasticsearch is a realm, which authenticates users. Elasticsearch works with a realm chain. A realm chain is a prioritized list of configured realms (from 1 to N realms) in ascending order of preference. When a user tries to access Elasticsearch, the request will step through the list sequentially until authentication succeeds or it runs out of realms to try.

When the authentication phase is complete, the next step is authorization. Authorization is done through mapping users to predefined and/or user-defined roles. Attribute-based access control enables you to use attributes to restrict access to documents in search queries and aggregations.


Retrieving API key information:
Retrieves information for API keys with Query DSL in a paginated fashion.

Prerequisites
To use this API, you must have at least the manage_own_api_key cluster privilege. If you have only the manage_own_api_key privilege, this API returns only the API keys that you own. If you have the manage_api_key or greater privileges (including manage_security), this API returns all API keys regardless of ownership.

Ref: Link1, Link2, Link3, Link4

Upvotes: 1
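The two-step flow the question asks about, written out as an added example with NEST 7.x (this is not code from the question, the answer, or the NEST project). A bootstrap client authenticated with username and password over HTTPS calls the security API to create an API key, and the application then builds its real client with `ApiKeyAuthentication`. The `https://localhost:9200` URI, the `ca.crt` file used to pin the cluster CA, the `1d` lifetime, the index name and the user credentials are all placeholder assumptions. NEST itself does not track an API key's lifetime; it only sends the `Authorization: ApiKey ...` header, and an expired key is rejected by the server with a 401. The example therefore keeps the expiration the server reports and offers a local check, plus a server-side check via `GetApiKey` (which requires `manage_own_api_key` or `manage_api_key` on the calling user):

```csharp
// Added example, not the original poster's code. Assumes NEST / Elasticsearch.Net 7.x.
using System;
using System.Security.Cryptography.X509Certificates;
using Elasticsearch.Net;
using Nest;

public static class EsClientFactory
{
    // Placeholders: cluster URL and the CA that signed the node certificate.
    private static readonly Uri EsUri = new Uri("https://localhost:9200");
    private static readonly X509Certificate2 CaCert = new X509Certificate2("ca.crt");

    // Step 1: a client that authenticates with username/password. Use it only to mint keys.
    public static IElasticClient CreateBootstrapClient(string username, string password)
    {
        var settings = new ConnectionSettings(new SingleNodeConnectionPool(EsUri))
            .BasicAuthentication(username, password)
            // Validate the server certificate against the pinned CA instead of the machine store.
            .ServerCertificateValidationCallback(CertificateValidations.AuthorityIsRoot(CaCert))
            .ThrowExceptions();
        return new ElasticClient(settings);
    }

    // Step 2: create an API key through the security API and keep the expiry the server reports.
    // The cleartext key is only returned once, at creation time.
    public static (string Id, string Key, DateTimeOffset? ExpiresAt) CreateApiKey(
        IElasticClient bootstrap, string name)
    {
        var response = bootstrap.Security.CreateApiKey(c => c
            .Name(name)
            .Expiration("1d"));          // assumed lifetime; omit for a non-expiring key

        DateTimeOffset? expiresAt = response.Expiration.HasValue
            ? DateTimeOffset.FromUnixTimeMilliseconds(response.Expiration.Value)
            : (DateTimeOffset?)null;

        return (response.Id, response.ApiKey, expiresAt);
    }

    // Step 3: the client the application actually uses. No password is kept in memory.
    public static IElasticClient CreateApiKeyClient(string id, string apiKey)
    {
        var settings = new ConnectionSettings(new SingleNodeConnectionPool(EsUri))
            .DefaultIndex("testindex")
            .ApiKeyAuthentication(id, apiKey)
            .ServerCertificateValidationCallback(CertificateValidations.AuthorityIsRoot(CaCert))
            .ThrowExceptions();
        return new ElasticClient(settings);
    }

    // Server-side check: is the key still valid (not invalidated, not past its expiration)?
    public static bool IsKeyUsable(IElasticClient bootstrap, string id)
    {
        var response = bootstrap.Security.GetApiKey(g => g.Id(id));
        foreach (var key in response.ApiKeys)
        {
            if (key.Id != id) continue;
            if (key.Invalidated) return false;
            if (!key.Expiration.HasValue) return true;
            return DateTimeOffset.FromUnixTimeMilliseconds(key.Expiration.Value) > DateTimeOffset.UtcNow;
        }
        return false;
    }
}

// Local lifetime check. NEST does not do this; the server simply answers 401 once the key expires,
// so renew before that with a safety margin instead of discovering it mid-request.
public sealed class ApiKeyLifetime
{
    private readonly DateTimeOffset? _expiresAt;
    private readonly TimeSpan _margin;

    public ApiKeyLifetime(DateTimeOffset? expiresAt, TimeSpan margin)
    {
        _expiresAt = expiresAt;
        _margin = margin;
    }

    public bool NeedsRenewal(DateTimeOffset now) =>
        _expiresAt.HasValue && now + _margin >= _expiresAt.Value;
}

public static class Program
{
    public static void Main()
    {
        // Assumed bootstrap credentials; in practice read them from a secret store, not source.
        var bootstrap = EsClientFactory.CreateBootstrapClient("elastic", "changeme");
        var (id, key, expiresAt) = EsClientFactory.CreateApiKey(bootstrap, "indexer-service");

        var lifetime = new ApiKeyLifetime(expiresAt, TimeSpan.FromMinutes(10));
        if (lifetime.NeedsRenewal(DateTimeOffset.UtcNow))
            (id, key, expiresAt) = EsClientFactory.CreateApiKey(bootstrap, "indexer-service");

        // Register this as a singleton in the IoC container and use it for indexing/searching.
        var client = EsClientFactory.CreateApiKeyClient(id, key);
        Console.WriteLine(client.Ping().IsValid);
    }
}
```

With IoC, register the API-key-authenticated `IElasticClient` as a singleton (it is thread-safe and pools connections) and keep the bootstrap client out of the container entirely, so the password only exists for the duration of key creation. Store the returned `ApiKey` like any other secret; the `Id` alone is not sensitive, but `GetApiKey` never returns the key material again.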
