Can someone from Searchguard/Floragunn please clarify if we can continue to provide our own Custom Authentication Modules with SearchGuard 6 as we do with SearchGuard 5?
The licensing model is that the base components are free (Apache 2.0), but the “Enterprise” features require a paid license to use.
https://search-guard.com/licensing/ This presentation
explains the differences between the versions:
https://search-guard.com/wp-content/uploads/2018/03/SG_Licensing-model-overview.pdf Note that this is for searchguard version 6. Version 5 is
somewhat different.
For example, here is a non-free component for version 5:
https://github.com/floragunncom/search-guard-module-dlsfls/tree/ves-5.3-9 and the license is non-free:
https://github.com/floragunncom/search-guard-module-dlsfls/blob/ves-5.3-9/LICENSE
In version 5, we created our own Custom Authentication Modules for use in doing file based username/password authentication, and authentication using OpenShift tokens. These are used in the
openshift-elasticsearch-plugin - for example:
https://github.com/fabric8io/openshift-elasticsearch-plugin/blob/openshift-elasticsearch-plugin-5.6.12.2/src/main/java/io/fabric8/elasticsearch/plugin/auth/OpenShiftTokenAuthentication.java
We use some of these interfaces from the searchguard code: com.floragunn.searchguard.auth.AuthenticationBackend, com.floragunn.searchguard.auth.HTTPAuthenticator and more.
These are defined here:
https://github.com/floragunncom/search-guard/blob/v5.6.12-19.2/src/main/java/com/floragunn/searchguard/auth/AuthenticationBackend.java and
https://github.com/floragunncom/search-guard/blob/v5.6.12-19.2/src/main/java/com/floragunn/searchguard/auth/HTTPAuthenticator.java
You’ll note that the headers of these files specify Apache 2.0, which is consistent with the license at the top of the source code repo:
https://github.com/floragunncom/search-guard/blob/v5.6.12-19.2/LICENSE
From what I can tell, what we’ve implemented is called a Custom Authentication Module, and also from what I can tell, there is no explicit documentation about how to implement one, or if such
a thing is permitted by the license. There is only the implicit license ability to do so, implied by the Apache 2.0 license on the sources. So, as far as I can tell, we have the right to
create our own Custom Authentication Modules to use with SearchGuard 5.
For version 6, there is added documentation which suggests that Custom Authentication Modules are _not_ part of the free Community version:
https://docs.search-guard.com/latest/custom-authentication-modules
“If none of the Enterprise modules fits your needs, you can also write your own implementation. This is a feature of the Enterprise Edition, you can implement your own HTTP authenticator and
also your own authentication and authorization backends…. A custom HTTPAuthenticator must extend the interface com.floragunn.searchguard.auth.HTTPAuthenticator.
The methods to implement are fully documented in JavaDoc:
https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/auth/HTTPAuthenticator.java "
If you follow the link, you’ll see that it points to the source code, which is the source code of the free Community edition, which is licensed under Apache 2.0.
Here is the non-free code for SearchGuard 6.x:
https://github.com/floragunncom/search-guard-enterprise-modules/tree/6.4.x
It does have a restrictive license:
https://github.com/floragunncom/search-guard-enterprise-modules/blob/6.4.x/LICENSE
The README does not mention anything about Custom Authentication Modules, nor are any of the Custom Authentication Module interfaces included in the non-free code.