Errors from the client node


Wei Hong

Jun 15, 2016, 1:22:59 AM
to Search Guard
Here are my versions:
elasticsearch 2.2.0
search-guard-2-2.2.0.0-alpha2
search-guard-ssl-2.2.0.6

Before sg2 was installed, the Elasticsearch cluster was green.
I have installed sg2 on the 3 data nodes. 1 data node is used as the client node.

The client node's elasticsearch.yml is:

searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=tEst, C=De"
#SSL
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: kirk-keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: kirk-keystore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.enable_openssl_if_available: true
searchguard.ssl.transport.enable_openssl_if_available: true
security.manager.enabled: false

The other two nodes' elasticsearch.yml is:

#SSL
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node-1-keystore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.enable_openssl_if_available: true
searchguard.ssl.transport.enable_openssl_if_available: true
security.manager.enabled: false

When I finished the configuration, I ran Elasticsearch. There were some errors on the client node:
[internal:discovery/zen/unicast]]; nested: ElasticsearchSecurityException[Internal or shard requests not allowed from a client node];
Caused by: ElasticsearchSecurityException[Internal or shard requests not allowed from a client node]
at com.floragunn.searchguard.transport.SearchGuardTransportService.messageReceivedDecorate(SearchGuardTransportService.java:183)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor.messageReceived(SearchGuardSSLTransportService.java:107)
at org.elasticsearch.transport.netty.MessageChannelHandler.handleRequest(MessageChannelHandler.java:244)
at com.floragunn.searchguard.ssl.transport.SearchGuardMessageChannelHandler.handleRequest(SearchGuardMessageChannelHandler.java:57)
at org.elasticsearch.transport.netty.MessageChannelHandler.messageReceived(MessageChannelHandler.java:114)
at com.floragunn.searchguard.ssl.transport.SearchGuardMessageChannelHandler.messageReceived(SearchGuardMessageChannelHandler.java:45)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:75)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at 

Here, I have some questions:
1. In my cluster, I have 3 data nodes which can be elected as the master node. I regard one data node as the client node. Is this attempt right?

2. Is the entry searchguard.authcz.admin_dn: "CN=kirk,OU=client,O=client,l=tEst, C=De" only put in the client node's elasticsearch.yml? Is it not needed on the other data nodes?

3. What does the error above mean?
Thanks very much!

SG

Jun 15, 2016, 3:59:29 AM
to search...@googlegroups.com
Please upgrade to ES 2.3.3 with SG 2.3.3.0-rc1 and SG SSL 2.3.3.11

> 1. In my cluster, I have 3 data nodes which can be elected as the master node. I regard one data node as the client node. Is this attempt right?

No, a #sgsn can never be a #sgnsnc (you have to use server certificates with the OID for all your nodes!)
See https://github.com/floragunncom/search-guard/wiki/Terminology for terminology



> 2. Is the entry searchguard.authcz.admin_dn: "CN=kirk,OU=client,O=client,l=tEst, C=De" only put in the client node's elasticsearch.yml? Is it not needed on the other data nodes?

elasticsearch.yml needs to be identical for all nodes

> 3. What does the error above mean?

That you try to join the cluster with a client certificate (without OID) instead of a server certificate

Meanwhile we have a good documentation for all this, pls. refer to https://github.com/floragunncom/search-guard-ssl-docs
You can also inspect the vagrant demos to see how it works:
- https://github.com/floragunncom/search-guard-ssl/blob/master/Vagrantfile
- https://github.com/floragunncom/search-guard/blob/master/Vagrantfile
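
A way to check which kind of certificate a keystore holds before a node is started with it, as an added example that is not part of the original thread or Search Guard's own code: it scans `keytool -list -v` output for the node-marker OID inside the SubjectAlternativeName block. The OID value 1.2.3.4.5.5 (Search Guard's default node OID), the function names and the embedded sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumption: node certificates carry this OID as a registeredID SAN entry.
NODE_OID="${NODE_OID:-1.2.3.4.5.5}"

# Reads `keytool -list -v` text on stdin and prints "<alias> node|client"
# for each keystore entry. Real use:
#   keytool -list -v -keystore kirk-keystore.jks | classify_certs
classify_certs() {
  awk -v oid="$NODE_OID" '
    function emit() { if (alias != "") print alias, (node ? "node" : "client") }
    /^Alias name: /           { emit(); alias = $3; node = 0; in_san = 0; next }
    /^SubjectAlternativeName/ { in_san = 1; next }
    in_san && /^\]/           { in_san = 0; next }
    # Only count the OID when it appears inside the SAN extension.
    in_san && $1 == "OIDName:" && $2 == oid { node = 1 }
    END { emit() }
  '
}

# Succeeds only if every entry is a node certificate; names the offenders.
all_node_certs() {
  bad=$(classify_certs | awk '$2 != "node" { print $1 }')
  [ -z "$bad" ] || { echo "client certificate, cannot join as node: $bad" >&2; return 1; }
}

# Constructed sample of keytool output: one node entry, one client entry.
sample_keytool_output() {
  cat <<'EOF'
Alias name: node-1
Owner: CN=node-1.example.com, OU=SSL, O=Test, L=Test, C=DE
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node-1.example.com
  IPAddress: 127.0.0.1
  OIDName: 1.2.3.4.5.5
]

Alias name: kirk
Owner: CN=kirk, OU=client, O=client, L=tEst, C=De
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
]
EOF
}

sample_keytool_output | classify_certs
```
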


Wei Hong

Jun 15, 2016, 4:50:48 AM
to Search Guard
Really appreciate your great help.

On Wednesday, June 15, 2016 at 1:22:59 PM UTC+8, Wei Hong wrote: