The other day on the Elastic blog there was an entry
in which it is reported that the main security functions of Elasticsearch, brought into open source space more than a year ago, are now free for users.
The official blog entry contains the “right” words that open source should be free and that project owners build their business on other additional features that they offer for enterprise solutions. Now the following security functions are included in the basic builds of versions 6.8.0 and 7.1.0, previously available only by gold subscription:
However, translating security functions into a free section is not a big gesture, but an attempt to create a distance between a commercial product and its main sores.
- TLS for encrypted communication.
- File and native realm for creating and managing user entries.
- Manage user access to the API and role-based cluster; Multi-user access to Kibana using Kibana Spaces is allowed.
And he has them serious.
The query “Elastic Leaked” returns 13.3 million search results in Google. Impressive, isn't it? After the withdrawal of the project’s security functions in open source, which once seemed like a good idea, Elastic started having serious problems with data leaks. In fact, the basic version turned into a sieve, as no one really supported these very security functions.
One of the loudest data leaks from the elastic server was the case with the loss of 57 million data of US citizens, which wrote in the press
in December 2018 (later it turned out that 82 million entries actually leaked). Then, in December 2018, due to security problems Elastic in Brazil stole the data of 32 million people. In March 2019, 250,000 confidential documents, including those of a legal nature, were leaked from another elastic-server. And this is only the first search page for the query we mention.
In fact, hacking continues to this day and began shortly after removing the security functions from the contentment by the developers themselves and translating them into open source.
The reader may notice: “So what? Well, do they have security problems, but who has them? ”
And now attention.
The question is that until this Monday, Elastic, with a clear conscience, took money from customers for a sieve called security-functions, which she also brought to open source in February 2018, that is, about 15 months ago. Without incurring any significant costs to support these functions, the company regularly took money from gold and premium subscribers from the client enterprise segment for them.
At some point, security problems have become so toxic for the company, and customer complaints are so threatening that greed has receded into the background. However, instead of resuming development and “patching” holes in their own project, which made millions of documents and personal data of ordinary people publicly available, Elastic threw out the security functions in a free version of elasticsearch. And it presents it as a great blessing and contribution to the open source business.
In the light of such “effective” solutions, the second part of the blog is extremely strange, because of which we, in fact, paid attention to this story. This is about the release of the alpha version of Elastic Cloud on Kubernetes ( ECK)
- the official operator Kubernetes for Elasticsearch and Kibana.
Developers with quite a serious facial expression say that, supposedly, due to the removal of the security functions to the basic free set of elasticsearch security functions, the load on the administrators of these solutions will be reduced. Anyway, everything is fine.
“We can guarantee that all clusters launched and managed by ECK will be protected by default from the moment of launch, without additional burden on administrators,” the official blog says.
As abandoned and plainly unsupported by the original developers, the solution that over the last year has become a universal whipping boy will provide users with security, the developers are silent.