Search guard certificate based user role mapping issue


nis...@factweavers.com

Dec 31, 2018 11:35:09
To Search Guard Community Forum
Hello,

* Search Guard version: 5
* Elasticsearch version: 5.6.13
* Operating system: Ubuntu 16.04/ CentOS 6
* Search guard edition: Community
* Java version: 1.8


**Issue** 
The certificate based user role can't be changed for Java transport client (To restrict java api to delete and write data to Elasticsearch).

* Node, Client and Admin (.pem and .key) certificates were generated using the Offline TLS tool. Updated "elasticsearch.yml" with the content generated in the snippet during the creation of the certificates.


* New users were added to "sg_internal_users.yml" with hashed passwords. Over HTTPS (curl -k -u username:password https://localhost:9200) I'm able to alter the user roles and permissions to access Elasticsearch. Using sgadmin I have pushed the configuration changes to Search Guard.

* In the case of the transport client with Search Guard, using the Java API I'm able to perform indexing, search and delete operations in Elasticsearch with the generated certificates. I'm using the admin certificate for the following transport client settings:

Settings settings = Settings.builder()
              .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, "/home/user/sg/certs/example-admin.key")
              .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH, "/home/user/sg/certs/example-admin.pem")
              .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, "/home/user/sg/certs/root-ca.pem")
              .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
              .put("cluster.name", "sg_test").build();

* In order to modify the role of the (example-admin.key) certificate, I have added the certificate DN in "sg_roles_mapping.yml" and provided permission to only read data from Elasticsearch. Using sgadmin the new configuration changes were pushed to Search Guard.

The roles are not getting updated for the certificate-based user; I'm unable to restrict the Java client from indexing or deleting data in Elasticsearch.

Please help me modify the Search Guard role and permissions (certificate-based user) for the Java transport client.

Thanks.

SG

Jan 1, 2019 09:27:37
To search...@googlegroups.com
Can you post your rolesmapping file?
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/601f5639-f59b-4a6e-b909-9b0427d79fec%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

nis...@factweavers.com

Jan 1, 2019 23:27:33
To Search Guard Community Forum
Please find the attached file.
sg_roles_mapping.yml

nis...@factweavers.com

Jan 9, 2019 05:14:42
To Search Guard Community Forum
Hello,

We have added the below mapping in the config file to enable just readall; the roles mapping file is also attached. Any help would be greatly appreciated, thanks.

sg_readall:
  users:
    - readall
    - 'CN=fw.example.com, OU=Ops, O="Example Com\, Inc.", DC=example, DC=com'
sg_roles_mapping.yml

Search Guard

Jan 10, 2019 16:53:40
To Search Guard Community Forum
Please post also elasticsearch.yml and sg_config.yml

nis...@factweavers.com

Jan 11, 2019 00:23:08
To Search Guard Community Forum
Thanks for the quick response.

I have attached both files (elasticsearch.yml and sg_config.yml) with this message, please find the same.
elasticsearch.yml
sg_config.yml

SG

Jan 12, 2019 11:16:06
To search...@googlegroups.com
You should not add the admin_dn (CN=fw.example.com,OU=Ops,O="Example Com, Inc.",DC=Example,DC=com) anywhere
in the sg_roles_mapping.yml file.

To connect via transport client, use another (additional, non-admin) client certificate and not the admin certificate (unless you
want to deal with the search guard index like sgadmin). Put the DN of the other client certificate in the sg_roles_mapping.yml file.

See:

https://search-guard.com/searchguard-elasicsearch-transport-clients/
https://search-guard.com/transport-client-authentication-authorization/
https://docs.search-guard.com/latest/elasticsearch-transport-clients-search-guard

Also make sure you enable the clientcert_auth_domain:

clientcert_auth_domain:
  enabled: true
  order: 2
  http_authenticator:
    type: clientcert
    config:
      username_attribute: null
    challenge: false
  authentication_backend:
    type: noop
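As an added check, not code from the thread or from Search Guard: given the parsed contents of elasticsearch.yml and sg_roles_mapping.yml (sample dicts constructed here in the shape PyYAML's safe_load would return, assuming the flat searchguard.authcz.admin_dn key form), it reports any admin DN that has been mapped to a role, comparing DNs after normalising spacing, case and escaping so that the two spellings seen in this thread match.

```python
"""Flag searchguard.authcz.admin_dn entries that were (wrongly) mapped in sg_roles_mapping.yml."""

# Constructed sample of what PyYAML's safe_load returns for elasticsearch.yml
# (assumes the flat dotted key form; a nested searchguard: authcz: layout would need a lookup).
ELASTICSEARCH_YML = {
    "searchguard.authcz.admin_dn": ['CN=fw.example.com,OU=Ops,O="Example Com, Inc.",DC=Example,DC=com'],
}

# Constructed sample of sg_roles_mapping.yml reproducing the thread's mistake: the admin
# certificate's DN (spaced and escaped differently) is mapped to sg_readall.
SG_ROLES_MAPPING = {
    "sg_readall": {"users": ["readall",
                             'CN=fw.example.com, OU=Ops, O="Example Com\\, Inc.", DC=example, DC=com']},
    "sg_all_access": {"users": ["admin"]},
}


def split_rdns(dn):
    """Split a DN on commas that are neither backslash-escaped nor inside double quotes."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):  # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "," and not in_quotes:  # RDN separator
            parts.append("".join(buf))
            buf, i = [], i + 1
            continue
        buf.append(c)
        i += 1
    return parts + ["".join(buf)]


def normalize_dn(dn):
    """Comparison form: trimmed RDNs, lower-cased types and values, surrounding quotes dropped."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().strip('"').lower()))
    return tuple(rdns)


def admin_dns_mapped_to_roles(es_yml, roles_mapping):
    """Return (role, user entry) pairs whose DN equals a configured admin_dn."""
    admins = {normalize_dn(d) for d in es_yml.get("searchguard.authcz.admin_dn", [])}
    return [(role, user) for role, spec in roles_mapping.items()
            for user in spec.get("users", []) if "=" in user and normalize_dn(user) in admins]
```

Any pair returned points at a role mapping that will not take effect the way intended; the fix, as the answer above says, is a separate non-admin client certificate whose DN is mapped instead.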
