
Security for Elasticsearch is now free - jasondc
https://www.elastic.co/blog/security-for-elasticsearch-is-now-free?blade=tw&hulk=social
======
mrkstu
Free, not open source version. Obviously a reaction to Amazon's fork- not
wanting to give them any code to pull into their version.

It will be interesting to see if this is enough to retain the majority of the
userbase or if we'll still see a majority migrate to the 'Open Distro' fork.

~~~
chelmzy
I was under the impression that they already opened the code for X-Pack
features.

~~~
lol768
Were these features licensed in such a way that you could freely use them,
though? Or was it 'open' as in "you can see the code" but it's not FOSS?

~~~
javagram
x-pack is not FOSS which is why amazon can’t use it.

~~~
lol768
As I thought - thanks for confirming.

------
haney
I know it's hard to make a buck with an open source business model but
deciding to charge more for security related features is always so frustrating
to me. It leads to a culture of insecure deployments in environments when the
business is trying to save money. Differentiate on storage or number of cores
or something, anything but auth/security. I'm glad they've finally reversed
this.

------
mrmondo
This (while perhaps not perfect) is massive for us, it’s going to be
especially useful for Kibana authentication to add readonly and write users,
something we’ve wanted for a long time but haven’t been able to afford as a
non-profit, charitable organisation.

I know it’s not all 100% open source, but it’s better than a nginx reverse
proxy hack or similar.

Thank you Elastic for continuing to create fantastic software.

~~~
dadoonet
Did you apply to this program? [https://www.elastic.co/elastic-search-
awards/](https://www.elastic.co/elastic-search-awards/) That could help your
hopefully.

------
tedk-42
Running Elasticsearch on K8s storing 16TB of compressed logs across 6 data
nodes and ~4600 shards.

We're a really happy ES customer. We've on ESv6 at the moment and it's been
running amazingly for us. We've halved our storage and running costs by moving
from 5 to 6.

We've always been a licensed customer and they are in front of AWS with their
features (we run our k8s stack on AWS though :) )

~~~
parliament32
That's an insane number of shards, you should be closer to 500 for that amount
of data and only 6 nodes.

~~~
tedk-42
It's due to the number of indicies/indexes stored from our various data
sources. Yours and another poster's comments are interesting so we might look
at ways we can reduce the shard count given the new info on overhead.

------
KenanSulayman
Interesting. Three hours ago someone in our Ops team shared a link to "Open
Distro for Elasticsearch" [1] and it's also featured on the AWS console login
page.

Is this a very rushed reaction to it? Or is this related? I would really love
to have a clarification of what's happening in that space.

[1] [https://opendistro.github.io/for-
elasticsearch/](https://opendistro.github.io/for-elasticsearch/)

~~~
syrrim
opendistro has this:

[https://github.com/opendistro-for-
elasticsearch/security](https://github.com/opendistro-for-
elasticsearch/security)

which has feature parity with the free version elastic just released afaict.

~~~
majkinetor
No it doesn't - for example LDAP/AD are paid feature in ES

------
vorpalhex
Too little too late? Trying to charge for TLS was a very poor move and it's
made me not trust ElasticSearch...

~~~
zaphirplane
Why don’t you want to pay for a feature that you need? The company that pays
your wages makes money from selling something. Of course you sell what people
need

~~~
Azeralthefallen
The last time i talked to Elasticsearch about pricing, it was so extremely
expensive for our use case to the point of it basically being a non valid
option for us.

~~~
softwaredoug
I think what most people miss for these and similar services is you’re paying
for really good, on call, white glove Elastic support. In my experience they
can often go as for as to replace having a search specific ops team. The cloud
hosting isn’t really where the value is.

~~~
Azeralthefallen
I guess my issue is that we didn't want or need support. We just wanted x-pack
features such as Auth and the Alerting plugins.

We were already hosting it fine ourselves on AWS, as we had devops people very
familiar with ES. However the price they quoted us per year was insane for our
cluster size for ~20 nodes.

------
mattupstate
There's also a lesser known project out there: [https://search-
guard.com/](https://search-guard.com/)

Paired with an OpenResty reverse proxy I was able to set up a reasonably
secure cluster back when X-Pack was prohibitively expensive and the AWS
offering wasn't under their BAA.

Big thanks to that team of contributors!

------
reilly3000
Some of the worst breaches of 2017-19 have been due to open ES clusters, some
on AWS. This is a welcome change. I just spun our AWS ES cluster down in favor
of BigQuery, but while I was setting it up security for it was a big chore,
with defaults that are in no way sane. AWS EC2 does a great job at secure
defaults for auth and firewalls, RDS even moreso. Why was ES left to wag in
the wind out of the box?

