Secure Elasticsearch datasources a bit (#6031)

Instead of allowing users to access the entire cluster, apply some sane restrictions. Change-Id: Ib2e93722bf2e39d700d4afa713ff49ec556f2fdf

Secure Elasticsearch datasources a bit (#6031)
Instead of allowing users to access the entire cluster, apply some sane restrictions. Change-Id: Ib2e93722bf2e39d700d4afa713ff49ec556f2fdf
a73424d6 · wvl · Torkel Ödegaard · 6a723dff · a73424d6
Commit a73424d6 authored Sep 13, 2016 by wvl Committed by Torkel Ödegaard Sep 13, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 0 deletions

pkg/api/dataproxy.go
+16 -0

No files found.
--- a/pkg/api/dataproxy.go
+++ b/pkg/api/dataproxy.go
@@ -104,6 +104,22 @@ func ProxyDataSourceRequest(c *middleware.Context) {
 	}

 	proxyPath := c.Params("*")
+
+	if ds.Type == m.DS_ES {
+		if c.Req.Request.Method == "DELETE" {
+			c.JsonApiErr(403, "Deletes not allowed on proxied Elasticsearch datasource", nil)
+			return
+		}
+		if c.Req.Request.Method == "PUT" {
+			c.JsonApiErr(403, "Puts not allowed on proxied Elasticsearch datasource", nil)
+			return
+		}
+		if c.Req.Request.Method == "POST" && proxyPath != "_msearch" {
+			c.JsonApiErr(403, "Posts not allowed on proxied Elasticsearch datasource except on /_msearch", nil)
+			return
+		}
+	}
+
 	proxy := NewReverseProxy(ds, proxyPath, targetUrl)
 	proxy.Transport = dataProxyTransport
 	proxy.ServeHTTP(c.Resp, c.Req.Request)