
“If you want to try all of the X-Pack features”

It’s quite confusing. There are different tiers of X-Pack: https://www.elastic.co/subscriptions

The Basic tier, which is free, supports simple username and password authentication.




Yeah, I read this link also - before posting above. There is no 'username' or 'password' term on that page - nor any positive checkmark in any security column for the open-source tier.

'Basic' tier does have 'File and Native Authentication'. But it is far from clear what that means.

More importantly, in several different places that _are_ clear about security in the Elastic documentation, it repeatedly says "there is no security", "assume anyone who can reach elastic is a superuser" ... and more ...

So if that is not true, the documentation should probably change ...


(Disclosure, I work for Elastic)

It's definitely complicated, and can be quite confusing due to the number of subscription tiers, the ambiguity around terminology, and historical documentation.

We need to find a way to bring more clarity to the documentation, and we try, but the subscriptions page, in particular, is very difficult. It's already very long, so we don't want to add detailed explanations to individual points, but it's hard to find short sentences that are both accurate and well understood by a variety of audiences.

To be clear:

- There is no security in Open Source elasticsearch.

- There is security in the free "basic" license. It is, at the time of writing, disabled by default.

- Early versions of Elasticsearch had no security at all.

- The security product that we (Elastic) produced was exclusively a paid feature for many years.

- The core security features (authentication, users management, role based access control) have been free in the basic license since May of last year. https://www.elastic.co/blog/security-for-elasticsearch-is-no...

- If you download the latest version of the Elastic-licensed distribution of Elasticsearch (which is the default download if you get it from our website or package repositories), you get a version on which you can enable security, free of charge, without needing to register, with no expiry.

The only documentation I found which says "there is no security", etc. is from old blog articles (e.g. this one from 2013: https://www.elastic.co/de/blog/found-elasticsearch-security). We don't do a great job of indicating that the information in those articles is out of date.


Thank you for chiming in and clarifying. I was thinking of that 2013 page specifically - good to know it is now out of date.


PS: I work at Elastic.co.

At any point in time, if you feel that the docs are not appropriate, kindly raise an issue in https://github.com/elastic/docs. You could also consider contributing to the docs. Appreciate it!

Other than that, we have a very lively Discourse forum. You can also post all sorts of questions on discuss.elastic.co.

If you still want a more real-time chat, you can join the Slack group too: ela.st/slack.


I haven't seen anywhere in the documentation that claims "assume anyone who can reach elastic is a superuser".

The Elasticsearch Security documentation appears to be up to date and has notes on if certain features depend on a subscription. https://www.elastic.co/guide/en/elasticsearch/reference/curr...


"Elasticsearch has no concept of a user. Essentially, anyone that can send arbitrary requests to your cluster is a “super user”. "

https://www.elastic.co/de/blog/found-elasticsearch-security

This document says it twice verbatim - once as an emphasized blurb of its own. It is also re-emphasized in several other ways.

(same link as also posted by the Elasticsearch employee above).



