Tags: Legal
Licensing changes to Elasticsearch and Kibana
By Jochen Kressin
Elastic recently announced that it would change the license model of Elasticsearch and Kibana. While the main parts of the code had previously been published under the Apache 2.0 Open Source license, it will change to a dual-licensed model: users can choose between the Elastic License and the SSPL ("Server Side Public License"). We want to clarify some of the changes related to using Search Guard.
You can also visit the Elastic FAQ on this subject here: https://www.elastic.co/pricing/faq/licensing

What are the changes?

Elastic is changing the Apache 2.0-licensed source code of Elasticsearch and Kibana to be dual licensed under SSPL 1.0 and the Elastic License. Elastic will no longer produce an Apache 2.0 distribution which means Elasticsearch is no longer an Open Source project.
These changes take effect with version 7.11.0. So the last Open Source version of Elasticsearch and Kibana is 7.10.2. You can continue to use this and previous versions under the Apache license.
For version 7.11.0 and above, you can choose to use Elasticsearch and Kibana under either the Elastic License, or the SSPL license.

Effect on Search Guard users

The change in Elastic's license model does not affect the usage of Search Guard. You can use Search Guard with both the Open Source and non-Open Source versions of Elasticsearch and Kibana.
"This change does not affect how you build or license plugins to Elasticsearch or Kibana. For the avoidance of doubt, building a plugin to be used in Elasticsearch or Kibana does not constitute a derivative work, and will not have any impact on how you license the source code of your plugin."

What is SSPL?

SSPL is a source-available license created by MongoDB.
SSPL is based on GPLv3 and is considered a copyleft license. So, if you use the source code and create derivative works, those derivative works must also be published and licensed under SSPL.
The license generally allows free and unrestricted use, modification, and redistribution. However, if you offer the product (Elasticsearch or Kibana) as a service to users, restrictions apply:
If you offer Elasticsearch and/or Kibana as a service ("SaaS") to your users, you also have to release and make publicly available the complete source code of your management layer under SSPL.
SSPL has not been certified by the OSI as an open-source license. SSPL is a source-available license. This is a huge change compared to the Apache License 2.0, which has no copyleft provisions and no restrictions on providing the product as a service.
You can see the MongoDB version of the SSPL license here: https://www.mongodb.com/licensing/server-side-public-license

Does this mean that Elasticsearch and Kibana are no longer Open Source?

Yes, Elasticsearch and Kibana are no longer Open Source software.
"Neither SSPL or the Elastic License have been approved by the OSI, so to prevent confusion, we no longer refer to Elasticsearch or Kibana as open source."
(from: Elastic FAQ)
I hope you find this information useful. Our conclusion on these changes is that under SSPL customers can continue to use Elasticsearch, Kibana AND Search Guard without any issues. At the same time, if you have any doubts, we recommend consulting a suitably qualified lawyer and, of course, if you wish to discuss this with us, please reach out.
DISCLAIMER - the above comments do not represent any legal opinion and should not be construed as legal advice under any circumstance. The views expressed are opinions designed to comment on your questions. All marks belong to their respective owners.
Image: Shutterstock / Alex Gorka
Published: 2021-02-03