Nuxeo Server

Elasticsearch Passthrough

Updated: November 13, 2017

The platform lets you use the HTTP REST API provided by the Elasticsearch back end.

Principle

Elasticsearch exposes a search API to query indexes over HTTP (see the Elasticsearch documentation). Elasticsearch does not perform authentication or authorization. The purpose of the Nuxeo Elasticsearch Passthrough is to expose a limited, read-only subset of the Elasticsearch HTTP REST API that takes Nuxeo authentication and authorization into account.

Concretely, HTTP requests are not sent to the Elasticsearch back end directly; they are addressed to the Nuxeo Platform, which reworks the query to add a filter according to the Principal and forwards it to the Elasticsearch cluster.

The Nuxeo Elasticsearch passthrough is available at http://my-nuxeo-server:8080/nuxeo/site/es.

Requirement

When your Elasticsearch instance is embedded in the same JVM as your Nuxeo instance (not recommended for production), the passthrough works out of the box.

When using a standalone Elasticsearch instance, make sure the following property is correctly set in your nuxeo.conf:

elasticsearch.httpReadOnly.baseUrl=http://your_es_instance:9200

Querying Indexes

Repository Index

The Elasticsearch index name for the default repository is nuxeo. To query the nuxeo repository, you can issue the following request:

curl -XGET -u jdoe:jdoe  'http://localhost:8080/nuxeo/site/es/nuxeo/_search' -d '{ "query": { "match_all":{}}}'

The platform will use the DefaultSearchRequestFilter to rework the query, applying ACL filtering as follows:

{
    "query": {
        "bool": {
            "filter": {
                "terms": {
                    "ecm:acl": [
                        "members",
                        "jdoe",
                        "Everyone"
                    ]
                }
            },
            "must": {
                "match_all": {}
            }
        }
    }
}

The security filtering takes into account only ACL security and security policies that are expressible in NXQL. If you use a custom security policy that is not expressible in NXQL, you should not enable the Nuxeo Elasticsearch passthrough.

Audit Index

The platform only allows Administrator users to query the audit index.

curl -XGET -u Administrator:Administrator  'http://localhost:8080/nuxeo/site/es/audit/_search' -d '{ "query": { "match_all":{}}}'

In the same way, the AuditRequestFilter search request filter ensures that only Administrators can query the audit index.
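The two rules described above (ACL rewrite for the repository index, Administrator-only access to the audit index), modelled as an added example; this is not Nuxeo's code. The function name, the `is_admin` flag and the refusal of indexes without a filter are assumptions made for illustration.

```python
import json

# Constructed model of the per-index rules; these names are hypothetical.
ADMIN_ONLY_INDEXES = {"audit"}
ACL_FILTERED_INDEXES = {"nuxeo"}


def rework_search(index, body, user, groups, is_admin=False):
    """Return the search body that would be forwarded for `index`.

    Raises PermissionError when the caller may not query the index.
    """
    request = json.loads(body) if body else {}
    if index in ADMIN_ONLY_INDEXES:
        if not is_admin:
            raise PermissionError(f"{user} may not query {index}")
        return request
    if index not in ACL_FILTERED_INDEXES:
        # Assumption: an index with no registered filter is refused.
        raise PermissionError(f"no request filter for index {index}")
    # The caller's query becomes the "must" clause. Whatever it contains,
    # it is ANDed with the ACL "filter" clause built on the server side.
    user_query = request.get("query") or {"match_all": {}}
    principals = list(groups) + [user, "Everyone"]
    reworked = dict(request)  # other top-level keys are kept in this model
    reworked["query"] = {
        "bool": {
            "filter": {"terms": {"ecm:acl": principals}},
            "must": user_query,
        }
    }
    return reworked


if __name__ == "__main__":
    # Same request as the curl example for jdoe, member of "members".
    sent = '{ "query": { "match_all":{}}}'
    print(json.dumps(rework_search("nuxeo", sent, "jdoe", ["members"]), indent=4))
```

A query that itself contains an `ecm:acl` clause ends up nested under `must`, so it can only narrow the result set that the outer filter already allows.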

Contributing a Custom Index View with a SearchRequestFilter

As detailed above, you can directly query an Elasticsearch index with the following URL:

http://localhost:8080/nuxeo/site/es/{es_index_name}/_search

By default, the repository index and the audit index use the DefaultSearchRequestFilter and the AuditRequestFilter respectively, to make sure the current user only accesses authorized data.

DefaultSearchRequestFilter and AuditRequestFilter are both SearchRequestFilters, and you can contribute your own SearchRequestFilter through the filters extension point.

Workflow Audit Index Example

The following contribution:

<?xml version="1.0"?>
<component name="org.nuxeo.ecm.platform.routing.es" version="1.0">
  <require>org.nuxeo.elasticsearch.http.readonly.RequestFilterService</require>
  <extension target="org.nuxeo.elasticsearch.http.readonly.RequestFilterService"
    point="filters">
    <requestFilter filterClass="org.nuxeo.ecm.platform.routing.core.audit.es.RoutingAuditRequestFilter"
      index="audit_wf" />
  </extension>
</component>

tells the platform to apply the RoutingAuditRequestFilter to each Elasticsearch query addressed to audit_wf. The audit_wf index does not really exist; it is a view of the audit index.

The RoutingAuditRequestFilter basically:

  1. Adds filters on the query to:
    • Restrict to Routing audit events only
    • Restrict to the events related to the workflow model names on which the current user has the Data Visualization permission.
  2. Redirects the reworked query to the audit index.


History: Created by Guillaume Renard