Change in licensing for custom authentication modules in SG 6?
40 views
Skip to first unread message
Rich Megginson
Jan 2, 2019, 5:09:56 PM1/2/19
to Search Guard Community Forum
Can someone from Searchguard/Floragunn please clarify if we can continue to provide our own Custom Authentication Modules with SearchGuard 6 as we do with SearchGuard 5?
The licensing model is that the base components are free (Apache 2.0), but the “Enterprise” features require a paid license to use. https://search-guard.com/licensing/ This presentation
explains the differences between the versions: https://search-guard.com/wp-content/uploads/2018/03/SG_Licensing-model-overview.pdf Note that this is for searchguard version 6. Version 5 is
somewhat different.
For example, here is a non-free component for version 5: https://github.com/floragunncom/search-guard-module-dlsfls/tree/ves-5.3-9 and the license is non-free:
https://github.com/floragunncom/search-guard-module-dlsfls/blob/ves-5.3-9/LICENSE
In version 5, we created our own Custom Authentication Modules for use in doing file based username/password authentication, and authentication using OpenShift tokens. These are used in the
openshift-elasticsearch-plugin - for example:
https://github.com/fabric8io/openshift-elasticsearch-plugin/blob/openshift-elasticsearch-plugin-5.6.12.2/src/main/java/io/fabric8/elasticsearch/plugin/auth/OpenShiftTokenAuthentication.java
We use some of these interfaces from the searchguard code: com.floragunn.searchguard.auth.AuthenticationBackend, com.floragunn.searchguard.auth.HTTPAuthenticator and more.
These are defined here: https://github.com/floragunncom/search-guard/blob/v5.6.12-19.2/src/main/java/com/floragunn/searchguard/auth/AuthenticationBackend.java and
https://github.com/floragunncom/search-guard/blob/v5.6.12-19.2/src/main/java/com/floragunn/searchguard/auth/HTTPAuthenticator.java
You’ll note that the headers of these files specify Apache 2.0, which is consistent with the license at the top of the source code repo:
https://github.com/floragunncom/search-guard/blob/v5.6.12-19.2/LICENSE
From what I can tell, what we’ve implemented is called a Custom Authentication Module, and also from what I can tell, there is no explicit documentation about how to implement one, or if such
a thing is permitted by the license. There is only the implicit license ability to do so, implied by the Apache 2.0 license on the sources. So, as far as I can tell, we have the right to
create our own Custom Authentication Modules to use with SearchGuard 5.
For version 6, there is added documentation which suggests that Custom Authentication Modules are _not_ part of the free Community version:
https://docs.search-guard.com/latest/custom-authentication-modules
“If none of the Enterprise modules fits your needs, you can also write your own implementation. This is a feature of the Enterprise Edition, you can implement your own HTTP authenticator and
also your own authentication and authorization backends…. A custom HTTPAuthenticator must extend the interface com.floragunn.searchguard.auth.HTTPAuthenticator.
The methods to implement are fully documented in JavaDoc: https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/auth/HTTPAuthenticator.java "
If you follow the link, you’ll see that it points to the source code, which is the source code of the free Community edition, which is licensed under Apache 2.0.
Here is the non-free code for SearchGuard 6.x: https://github.com/floragunncom/search-guard-enterprise-modules/tree/6.4.x
It does have a restrictive license: https://github.com/floragunncom/search-guard-enterprise-modules/blob/6.4.x/LICENSE
The README does not mention anything about Custom Authentication Modules, nor are any of the Custom Authentication Module interfaces included in the non-free code.
The licensing model is that the base components are free (Apache 2.0), but the “Enterprise” features require a paid license to use. https://search-guard.com/licensing/ This presentation
explains the differences between the versions: https://search-guard.com/wp-content/uploads/2018/03/SG_Licensing-model-overview.pdf Note that this is for searchguard version 6. Version 5 is
somewhat different.
For example, here is a non-free component for version 5: https://github.com/floragunncom/search-guard-module-dlsfls/tree/ves-5.3-9 and the license is non-free:
https://github.com/floragunncom/search-guard-module-dlsfls/blob/ves-5.3-9/LICENSE
In version 5, we created our own Custom Authentication Modules for use in doing file based username/password authentication, and authentication using OpenShift tokens. These are used in the
openshift-elasticsearch-plugin - for example:
https://github.com/fabric8io/openshift-elasticsearch-plugin/blob/openshift-elasticsearch-plugin-5.6.12.2/src/main/java/io/fabric8/elasticsearch/plugin/auth/OpenShiftTokenAuthentication.java
We use some of these interfaces from the searchguard code: com.floragunn.searchguard.auth.AuthenticationBackend, com.floragunn.searchguard.auth.HTTPAuthenticator and more.
These are defined here: https://github.com/floragunncom/search-guard/blob/v5.6.12-19.2/src/main/java/com/floragunn/searchguard/auth/AuthenticationBackend.java and
https://github.com/floragunncom/search-guard/blob/v5.6.12-19.2/src/main/java/com/floragunn/searchguard/auth/HTTPAuthenticator.java
You’ll note that the headers of these files specify Apache 2.0, which is consistent with the license at the top of the source code repo:
https://github.com/floragunncom/search-guard/blob/v5.6.12-19.2/LICENSE
From what I can tell, what we’ve implemented is called a Custom Authentication Module, and also from what I can tell, there is no explicit documentation about how to implement one, or if such
a thing is permitted by the license. There is only the implicit license ability to do so, implied by the Apache 2.0 license on the sources. So, as far as I can tell, we have the right to
create our own Custom Authentication Modules to use with SearchGuard 5.
For version 6, there is added documentation which suggests that Custom Authentication Modules are _not_ part of the free Community version:
https://docs.search-guard.com/latest/custom-authentication-modules
“If none of the Enterprise modules fits your needs, you can also write your own implementation. This is a feature of the Enterprise Edition, you can implement your own HTTP authenticator and
also your own authentication and authorization backends…. A custom HTTPAuthenticator must extend the interface com.floragunn.searchguard.auth.HTTPAuthenticator.
The methods to implement are fully documented in JavaDoc: https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/auth/HTTPAuthenticator.java "
If you follow the link, you’ll see that it points to the source code, which is the source code of the free Community edition, which is licensed under Apache 2.0.
Here is the non-free code for SearchGuard 6.x: https://github.com/floragunncom/search-guard-enterprise-modules/tree/6.4.x
It does have a restrictive license: https://github.com/floragunncom/search-guard-enterprise-modules/blob/6.4.x/LICENSE
The README does not mention anything about Custom Authentication Modules, nor are any of the Custom Authentication Module interfaces included in the non-free code.
Simon Gao
Feb 14, 2019, 10:54:09 AM2/14/19
to search...@googlegroups.com
I have the same question. I'd be much appreciated if SearchGuard can clarify this ambiguity here. Thanks.
SG
Feb 14, 2019, 11:11:13 AM2/14/19
to search...@googlegroups.com
Can you please send us an email with your license information?
> Am 14.02.2019 um 16:54 schrieb Simon Gao <simon...@gmail.com>:
>
> I have the same question. I'd be much appreciated if SearchGuard can clarify this ambiguity here. Thanks.
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/5c5198c2-1a9a-4154-a4ac-67cec91aafb1%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
> Am 14.02.2019 um 16:54 schrieb Simon Gao <simon...@gmail.com>:
>
> I have the same question. I'd be much appreciated if SearchGuard can clarify this ambiguity here. Thanks.
>
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/5c5198c2-1a9a-4154-a4ac-67cec91aafb1%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Simon Gao
Feb 14, 2019, 7:20:11 PM2/14/19
to search...@googlegroups.com
Hi Search Guard, thanks for replying. The question is for people (like me) who don't have an enterprise license. We are just wondering if, under Apache 2.0, we are allowed to write our own custom authentication modules based on the community code base (https://github.com/floragunncom/search-guard) for commercial use.
Jochen Kressin
Feb 17, 2019, 2:26:50 PM2/17/19
to Search Guard Community Forum
The short answer is yes it is possible, but if you want to only use the community codebase for it, you need to compile the SG plugin yourself:
The Community Edition of Search Guard will only load the pre-defined authentication and authorization modules automatically. The Enterprise and Compliance Editions will also load arbitrary custom written modules automatically: You just specify the fully qualified class name in sg_config.yml, and SG will instantiate your module(s), add it to the list of available modules and manage the lifecycle of the module on configuration changes.
But: since the Community Edition is Apache 2.0, including the interfaces for HTTPAuthenticator, AuthenticationBackend and AuthorizationBackend, you can still implement custom modules. In order for Search Guard to actually load them, you need to add them to the list of the pre-defined modules (see the constructor of com.floragunn.searchguard.auth.BackendRegistry) and then mvn compile and install the Search Guard plugin with the -Penterprise maven profile.
So if you're ok with compiling the plugin on your own, it's perfectly possible and legal to change the Apache 2.0 code so it loads your custom module.
If the module you have written is of general interest/use, please also think about submitting a PR for it. We are happy to add it to the Community Edition, so other users can benefit from it as well!
Let me know if this answers your question!
Reply all
Reply to author
Forward
0 new messages