
elasticsearch - Is it safe to access Elasticsearch directly from the JavaScript API?

Repost. Author: 行者123. Updated: 2023-12-02 23:02:27

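I am learning Elasticsearch. I would like to know how safe it is, in terms of access control and validating user access, to reach the ES server directly from the JavaScript API rather than going through a backend. Is it safe to access ES directly from the JavaScript API?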

Best answer

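It depends on what you mean by "safe".

If you mean "safe to expose to the Internet", then definitely not, because there is no access control whatsoever and anyone can insert data or even delete all indices.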

This discussion gives a good overview of the issue. The relevant part:

Just as you would not expose a database directly to the Internet and let users send arbitrary SQL, you should not expose Elasticsearch to the world of untrusted users without sanitizing the input. Specifically, these are the problems we want to prevent:

  • Exposing private data. This entails limiting the searches to certain indexes, and/or applying filters to the searches.
  • Restricting who can update what.
  • Preventing expensive requests that can overwhelm or crash nodes and/or the entire cluster.
  • Preventing arbitrary code execution through dynamic scripts.

Regarding "elasticsearch - Is it safe to access Elasticsearch directly from the JavaScript API?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/31073203/
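The four points quoted in the answer above can be enforced by a backend that accepts only plain values from the browser and builds the Elasticsearch request itself. The following is an added example, not code from the original answer or the quoted discussion; the index names, field names (including `tenant_id`), limits and the `buildSearchRequest` helper are assumptions for illustration.

```javascript
// Added example: server-side gate between browser input and Elasticsearch.
// All names and limits below are illustrative assumptions.
const ALLOWED_INDEXES = new Set(["products", "articles"]);
const SEARCH_FIELDS = ["title", "description"];
const MAX_SIZE = 50;          // cap page size
const MAX_WINDOW = 1000;      // cap from + size (deep paging is expensive)
const MAX_TEXT_LENGTH = 200;  // cap free-text length

// Returns the only request shape the backend will forward to Elasticsearch.
// The client never sends query DSL, so it cannot supply scripts,
// aggregations, other indexes, or write/delete operations.
function buildSearchRequest(input, user) {
  const { index, text, size = 10, from = 0 } = input || {};

  // Private data: exact match against an allow-list, so "_all", "*"
  // and comma-separated index lists are rejected.
  if (typeof index !== "string" || !ALLOWED_INDEXES.has(index)) {
    throw new Error("index not allowed");
  }
  // Free text must be a string; an object here would be smuggled DSL.
  if (typeof text !== "string" || text.length === 0 || text.length > MAX_TEXT_LENGTH) {
    throw new Error("invalid search text");
  }
  // Expensive requests: bound result size and paging depth.
  if (!Number.isInteger(size) || size < 1 || size > MAX_SIZE) throw new Error("invalid size");
  if (!Number.isInteger(from) || from < 0 || from + size > MAX_WINDOW) throw new Error("invalid offset");
  // Who can see what: identity comes from the server-side session, not the request.
  if (!user || typeof user.tenantId !== "string") throw new Error("unauthenticated");

  return {
    method: "POST",                 // read-only endpoint; no index/delete paths exist here
    path: `/${index}/_search`,
    body: {
      from,
      size,
      timeout: "2s",                // bound time spent per shard
      terminate_after: 10000,       // bound documents collected per shard
      _source: ["title", "description", "url"],
      query: {
        bool: {
          // multi_match treats the text as data; query_string would let the
          // user write wildcard and regex syntax.
          must: [{ multi_match: { query: text, fields: SEARCH_FIELDS } }],
          // Mandatory filter the client cannot remove or override.
          filter: [{ term: { tenant_id: user.tenantId } }],
        },
      },
    },
  };
}
```

The Elasticsearch node itself should still accept connections only from this backend, so the gate cannot be bypassed.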
