Elasticsearch Passthrough

Updated: January 3, 2025

The platform lets you use the HTTP REST API provided by the Elasticsearch back end.

Principle

Elasticsearch exposes a search API for querying indexes over HTTP (see the Elasticsearch documentation). Elasticsearch does not perform authentication or authorization. The purpose of the Nuxeo Elasticsearch Passthrough is to expose a limited, read-only subset of the Elasticsearch HTTP REST API while taking Nuxeo authentication and authorization into account.

Concretely, HTTP requests are not sent to the Elasticsearch back end directly. They are addressed to the Nuxeo Platform, which reworks the query to add a filter based on the requesting Principal and then forwards it to the Elasticsearch cluster.

The Nuxeo Elasticsearch passthrough is available at http://my-nuxeo-server:8080/nuxeo/site/es.

Requirement

When your Elasticsearch instance is embedded in the same JVM as your Nuxeo instance (not recommended for production), the passthrough works out of the box.

When using a standalone Elasticsearch instance, make sure the following property is correctly set in your nuxeo.conf:

elasticsearch.httpReadOnly.baseUrl=http://your_es_instance:9200

Querying Indexes

Repository Index

The Elasticsearch index name for the default repository is nuxeo. To query the nuxeo repository, you can issue the following request:

curl -XGET -u jdoe:jdoe  'http://localhost:8080/nuxeo/site/es/nuxeo/_search' -d '{ "query": { "match_all":{}}}'

The platform will use the DefaultSearchRequestFilter to rework the query, applying ACL filtering as follows:

{
    "query": {
        "bool": {
            "filter": {
                "terms": {
                    "ecm:acl": [
                        "members",
                        "jdoe",
                        "Everyone"
                    ]
                }
            },
            "must": {
                "match_all": {}
            }
        }
    }
}

The security filtering takes into account only the ACL security and any security policy that is expressible in NXQL. If you use a custom security policy that is not expressible in NXQL, you should not enable the Nuxeo Elasticsearch passthrough.
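The rework shown above can be modelled in a few lines. This is an added example, not Nuxeo's DefaultSearchRequestFilter code: the function name add_acl_filter, the fail-closed check on an empty principal list, and the pass-through of other top-level keys are assumptions made for illustration.

```python
import json

ACL_FIELD = "ecm:acl"  # field name taken from the reworked query shown above


def add_acl_filter(payload, principals):
    """Wrap the caller's query in a bool query filtered on the caller's principals.

    Hypothetical helper modelling the rewrite; not part of the Nuxeo API.
    """
    if not principals:
        # Assumption: fail closed, so a missing principal list can never
        # result in an unfiltered query reaching the cluster.
        raise ValueError("no principals: refusing to build an unfiltered query")
    body = json.loads(payload) if payload and payload.strip() else {}
    if not isinstance(body, dict):
        raise ValueError("search body must be a JSON object")
    # An absent query means "everything the caller is allowed to see".
    user_query = body.get("query") or {"match_all": {}}
    reworked = dict(body)  # assumption: other top-level keys (size, from) pass through
    reworked["query"] = {
        "bool": {
            # The ACL clause sits in the outer filter; the caller's query is
            # nested under must, so both conditions have to match.
            "filter": {"terms": {ACL_FIELD: list(principals)}},
            "must": user_query,
        }
    }
    return reworked


if __name__ == "__main__":
    # Constructed sample: the body of the curl request above, sent as jdoe.
    request_body = '{ "query": { "match_all":{}}}'
    jdoe_principals = ["members", "jdoe", "Everyone"]
    print(json.dumps(add_acl_filter(request_body, jdoe_principals), indent=4))
```

Because the caller's query is always nested inside must, any bool, should or terms clause it contains is evaluated in conjunction with the outer ACL filter rather than replacing it.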

Audit Index

The platform only allows Administrator users to query the audit index.

curl -XGET -u Administrator:Administrator  'http://localhost:8080/nuxeo/site/es/audit/_search' -d '{ "query": { "match_all":{}}}'

In the same way, the AuditRequestFilter search request filter ensures that only Administrators can query the audit index.

Contributing a Custom Index View with a SearchRequestFilter

As detailed above, you can directly query an Elasticsearch index with the following URL:

http://localhost:8080/nuxeo/site/es/{es_index_name}/_search

By default, the repository index uses the DefaultSearchRequestFilter and the audit index uses the AuditRequestFilter to make sure the current user only accesses authorized data.

DefaultSearchRequestFilter and AuditRequestFilter are both SearchRequestFilter implementations, and you can contribute your own SearchRequestFilter through the filters extension point.

Workflow Audit Index Example

The following contribution:

<?xml version="1.0"?>
<component name="org.nuxeo.ecm.platform.routing.es">
  <require>org.nuxeo.elasticsearch.http.readonly.RequestFilterService</require>
  <extension target="org.nuxeo.elasticsearch.http.readonly.RequestFilterService"
    point="filters">
    <requestFilter filterClass="org.nuxeo.ecm.platform.routing.core.audit.es.RoutingAuditRequestFilter"
      index="audit_wf" />
  </extension>
</component>

tells the platform to apply the RoutingAuditRequestFilter to each Elasticsearch query addressed to audit_wf. The audit_wf index does not really exist; it is effectively a view of the audit index.

The RoutingAuditRequestFilter essentially:

  1. Adds filters on the query to:
    • Restrict to Routing audit events only
    • Restrict to events related to the workflow model names on which the current user has the Data Visualization permission.
  2. Redirects the reworked query to the audit index.