Not executing initial sgadmin


Natalie Goldman

Jan 17, 2019, 12:46:28 PM
to Search Guard Community Forum
Dear Search Guard Community,

I am trying to install the Search Guard Plugin to Elastic Stack products running with/on a Docker container and my final aim is to automate this partly with a script (attached) and some commands in the Dockerfile.
My problem:
If I run sgadmin with the script this very classic error message appears:

"Search Guard Admin v6
Will connect to localhost:9300
ERR: Seems there is no Elasticsearch running on localhost:9300 - Will exit"

If I execute sgadmin a second time (manually) in the container (exact parameters given in the script), the following message appears:

Will connect to localhost:9300 ... done

Unable to check whether cluster is sane: Cannot authenticate null
Connected as CN=kirk.localhost,OU=Ops,O=localhost\, Inc.,DC=localhost
ERR: CN=kirk.localhost,OU=Ops,O=localhost\, Inc.,DC=localhost is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure elasticsearch.yml on all nodes contains:
searchguard.authcz.admin_dn:
  - "CN=kirk.localhost,OU=Ops,O=localhost\, Inc.,DC=localhost"

So both messages are mentioned in your documentation https://docs.search-guard.com/latest/troubleshooting-sgadmin.html and as far as I understand I did list searchguard.authcz.admin_dn in my elasticsearch.yml and "kirk" is my admin, because I declared "admin: true" - right?!

Considering the elastic logs, there are "issues" with kibana and x-pack, but if I configure kibana (right now uncommented in the script) I still can't execute sg_admin (below).

I would be absolutely grateful for any answer. Thank you for Search Guard and your answers anyway <3

----
When asking questions, please provide the following information:

* Search Guard and Elasticsearch version
search-guard-6:6.4.2-23.1, Elasticsearch version 6.4.2

* Installed and used enterprise modules, if any
none
* JVM version and operating system version
openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-8u181-b13-0ubuntu0.16.04.1-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode) running in a docker container

* Search Guard configuration files
attached

* Elasticsearch log messages on debug level

{"type":"log","@timestamp":"2019-01-17T17:14:26Z","tags":["warning","stats-collection"],"pid":295,"message":"Unable to fetch data from reporting collector"}
{"type":"error","@timestamp":"2019-01-17T17:14:36Z","tags":["warning","stats-collection"],"pid":295,"level":"error","error":{"message":"Authentication Exception","name":"Error","stack":"Authentication Exception :: {\"path\":\"/.kibana/_search\",\"query\":{\"ignore_unavailable\":true,\"filter_path\":\"aggregations.types.buckets\"},\"body\":\"{\\\"size\\\":0,\\\"query\\\":{\\\"terms\\\":{\\\"type\\\":[\\\"dashboard\\\",\\\"visualization\\\",\\\"search\\\",\\\"index-pattern\\\",\\\"graph-workspace\\\",\\\"timelion-sheet\\\"]}},\\\"aggs\\\":{\\\"types\\\":{\\\"terms\\\":{\\\"field\\\":\\\"type\\\",\\\"size\\\":6}}}}\",\"statusCode\":401,\"response\":\"Unauthorized\",\"wwwAuthenticateDirective\":\"Basic realm=\\\"Search Guard\\\"\"}\n    at respond (/opt/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)\n    at checkRespForFailure (/opt/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)\n    at HttpConnector.<anonymous> (/opt/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)\n    at IncomingMessage.bound (/opt/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)\n    at emitNone (events.js:111:20)\n    at IncomingMessage.emit (events.js:208:7)\n    at endReadableNT (_stream_readable.js:1064:12)\n    at _combinedTickCallback (internal/process/next_tick.js:138:11)\n    at process._tickCallback (internal/process/next_tick.js:180:9)"},"message":"Authentication Exception"}
{"type":"log","@timestamp":"2019-01-17T17:14:36Z","tags":["warning","stats-collection"],"pid":295,"message":"Unable to fetch data from kibana collector"}
{"type":"error","@timestamp":"2019-01-17T17:14:36Z","tags":["warning","stats-collection"],"pid":295,"level":"error","error":{"message":"Authentication Exception","name":"Error","stack":"Authentication Exception :: {\"path\":\"/.kibana/doc/config%3A6.4.2\",\"query\":{},\"statusCode\":401,\"response\":\"Unauthorized\",\"wwwAuthenticateDirective\":\"Basic realm=\\\"Search Guard\\\"\"}\n    at respond (/opt/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)\n    at checkRespForFailure (/opt/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)\n    at HttpConnector.<anonymous> (/opt/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)\n    at IncomingMessage.bound (/opt/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)\n    at emitNone (events.js:111:20)\n    at IncomingMessage.emit (events.js:208:7)\n    at endReadableNT (_stream_readable.js:1064:12)\n    at _combinedTickCallback (internal/process/next_tick.js:138:11)\n    at process._tickCallback (internal/process/next_tick.js:180:9)"},"message":"Authentication Exception"}
{"type":"log","@timestamp":"2019-01-17T17:14:36Z","tags":["warning","stats-collection"],"pid":295,"message":"Unable to fetch data from kibana_settings collector"}
{"type":"error","@timestamp":"2019-01-17T17:14:36Z","tags":["warning","stats-collection"],"pid":295,"level":"error","error":{"message":"Authentication Exception","name":"Error","stack":"Authentication Exception :: {\"path\":\"/.reporting-*/_search\",\"query\":{\"filter_path\":\"hits.total,aggregations.jobTypes.buckets,aggregations.objectTypes.buckets,aggregations.layoutTypes.buckets,aggregations.statusTypes.buckets\"},\"body\":\"{\\\"size\\\":0,\\\"aggs\\\":{\\\"jobTypes\\\":{\\\"terms\\\":{\\\"field\\\":\\\"jobtype\\\",\\\"size\\\":2}},\\\"objectTypes\\\":{\\\"terms\\\":{\\\"field\\\":\\\"meta.objectType.keyword\\\",\\\"size\\\":3}},\\\"layoutTypes\\\":{\\\"terms\\\":{\\\"field\\\":\\\"meta.layout.keyword\\\",\\\"size\\\":3}},\\\"statusTypes\\\":{\\\"terms\\\":{\\\"field\\\":\\\"status\\\",\\\"size\\\":4}}}}\",\"statusCode\":401,\"response\":\"Unauthorized\",\"wwwAuthenticateDirective\":\"Basic realm=\\\"Search Guard\\\"\"}\n    at respond (/opt/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)\n    at checkRespForFailure (/opt/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)\n    at HttpConnector.<anonymous> (/opt/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)\n    at IncomingMessage.bound (/opt/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)\n    at emitNone (events.js:111:20)\n    at IncomingMessage.emit (events.js:208:7)\n    at endReadableNT (_stream_readable.js:1064:12)\n    at _combinedTickCallback (internal/process/next_tick.js:138:11)\n    at process._tickCallback (internal/process/next_tick.js:180:9)"},"message":"Authentication Exception"}
{"type":"log","@timestamp":"2019-01-17T17:14:36Z","tags":["warning","stats-collection"],"pid":295,"message":"Unable to fetch data from reporting collector"}


* Other installed Elasticsearch or Kibana plugins, if any
none
config_sg_sh.txt
elasticsearch.yml
config.yml

SG

Jan 17, 2019, 2:36:11 PM
to search...@googlegroups.com
What you can try in your script is to wait until sgadmin.sh was successful like

until ./sgadmin.sh --fail-fast -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk.key ; do
    sleep 10
done

and to solve your admin certificate problem I think the configuration in elasticsearch.yml should look like

searchguard.authcz.admin_dn:
- CN=kirk.localhost,OU=Ops,O=localhost\, Inc.,DC=localhost

Please validate with "cat elasticsearch.yml" (maybe the \ needs to be escaped due to sed)
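The two points in the reply above, as an added example that is not part of the thread or of the poster's attached script: a DN pasted into a sed replacement loses its backslash, escaping it first keeps the admin_dn entry identical to the certificate DN, and the retry loop can be bounded so a failing sgadmin does not hang the build forever. The placeholder token, file names and function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The DN is the one quoted in the thread; the placeholder token,
# file names and function names are constructed for illustration.
DN='CN=kirk.localhost,OU=Ops,O=localhost\, Inc.,DC=localhost'
TEMPLATE='searchguard.authcz.admin_dn:\n  - __ADMIN_DN__\n'

# Pitfall: in a sed replacement "\," means "literal comma", so the backslash
# that the DN needs is silently dropped from the generated file.
write_dn_with_sed() {            # $1 = output file
    printf "$TEMPLATE" | sed "s/__ADMIN_DN__/$DN/" > "$1"
}

# Escape the characters that are special in a sed replacement: \ & and /
sed_escape_replacement() {       # $1 = raw text
    printf '%s\n' "$1" | sed 's|[\\&/]|\\&|g'
}

write_dn_escaped() {             # $1 = output file
    printf "$TEMPLATE" | sed "s/__ADMIN_DN__/$(sed_escape_replacement "$DN")/" > "$1"
}

# Byte-for-byte check (grep -F, no regex) that the file holds the exact DN.
has_admin_dn() {                 # $1 = file
    grep -qF -- "$DN" "$1"
}

# Bounded variant of the until-loop: stop after $1 attempts, $2 seconds apart.
retry() {
    max=$1; delay=$2; shift 2; n=1
    until "$@"; do
        [ "$n" -ge "$max" ] && return 1
        n=$((n + 1)); sleep "$delay"
    done
}

tmp=$(mktemp -d)
write_dn_with_sed "$tmp/bad.yml"
has_admin_dn "$tmp/bad.yml" || echo "plain sed: backslash lost, DN no longer matches"
write_dn_escaped "$tmp/good.yml"
has_admin_dn "$tmp/good.yml" && echo "escaped sed: admin_dn matches the certificate DN"
rm -rf "$tmp"
# In the container, with the command from the reply above (30 tries, 10 s apart):
# retry 30 10 ./sgadmin.sh --fail-fast -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk.key
```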

Natalie Goldman

Jan 17, 2019, 5:39:09 PM
to Search Guard Community Forum

Natalie Goldman

Jan 17, 2019, 5:48:10 PM
to Search Guard Community Forum
It worked out! Thank you so, so much! To escape the / was the main issue in the script... I totally overlooked that. THANK YOU!