Transport client giving access to all indices.

Ajit Bhosale

Feb 6, 2018, 5:19:56 AM
to Search Guard Community Forum
When asking questions, please provide the following information:

* Search Guard and Elasticsearch version: 6.0.0
* Installed and used enterprise modules, if any: No
* JVM version and operating system version
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any

Hi,
I have installed Search Guard 6.0.0 and the GUI is working successfully. But on the Java side I am using the transport client; I have used the PKI script and generated certificates.
I am using the spock certificate, but it is giving access to all indices. It is not working according to user-wise roles and permissions.

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH,"C:\\Users\\c-kanchanka\\Desktop\\new_search_guard_file_pki\\spock.crtfull.pem")
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, "C:\\Users\\c-kanchanka\\Desktop\\new_search_guard_file_pki\\spock.key.pem")
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, "C:\\Users\\c-kanchanka\\Desktop\\new_search_guard_file_pki\\root-ca.pem")
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, "false")
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED, "true")
.put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED, "true")
.put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMCERT_FILEPATH, "C:\\Users\\c-kanchanka\\Desktop\\new_search_guard_file_pki\\spock.crtfull.pem")
.put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMKEY_FILEPATH, "C:\\Users\\c-kanchanka\\Desktop\\new_search_guard_file_pki\\spock.key.pem")
.put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, "C:\\Users\\c-kanchanka\\Desktop\\new_search_guard_file_pki\\root-ca.pem")

And in the elasticsearch.yml file I have written the entries below.

searchguard.ssl.transport.pemcert_filepath: spock.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: spock.key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
- CN=spock,OU=client,O=client,L=Test,C=DE

Please provide a solution to restrict access to all indices.

Thanks,
Ajit

SG

Feb 6, 2018, 5:38:48 AM
to search...@googlegroups.com
spock is registered as admin certificate

> searchguard.authcz.admin_dn:
> - CN=spock,OU=client,O=client,L=Test,C=DE


and therefore bypasses all permission checks.

See http://docs.search-guard.com/latest/tls-in-production
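
A pre-deployment check for the situation described in this reply, as an added example that is not part of the original thread and not Search Guard's own code: it reads the searchguard.authcz.admin_dn list from elasticsearch.yml text and reports whether a client certificate's subject DN is on it. The function names, the simplified DN comparison and the sample inputs are assumptions constructed for illustration.

```python
# Constructed sample: the relevant lines of the elasticsearch.yml quoted in the thread.
SAMPLE_YML = """\
searchguard.ssl.transport.pemcert_filepath: spock.crtfull.pem
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
- CN=spock,OU=client,O=client,L=Test,C=DE
"""

def normalize_dn(dn):
    """Simplified DN normalisation (assumption): trim each RDN, upper-case the
    attribute type, lower-case the value. Escaped commas are not handled."""
    rdns = []
    for rdn in dn.strip().strip("'\"").split(","):
        key, _, value = rdn.partition("=")
        rdns.append((key.strip().upper(), value.strip().lower()))
    return tuple(rdns)

def admin_dns(yml_text):
    """Collect the block-list items that follow the searchguard.authcz.admin_dn key."""
    found, in_list = [], False
    for line in yml_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("searchguard.authcz.admin_dn:"):
            in_list = True
        elif in_list and stripped.startswith("- "):
            found.append(stripped[2:].strip())
        elif in_list and stripped and not stripped.startswith("#"):
            in_list = False  # the next key ends the list
    return found

def is_admin_cert(client_dn, yml_text):
    """True if the client certificate's subject DN is listed as an admin DN."""
    wanted = normalize_dn(client_dn)
    return any(normalize_dn(dn) == wanted for dn in admin_dns(yml_text))

if __name__ == "__main__":
    # Subject DN of the certificate the transport client presents (constructed input).
    dn = "CN=spock, OU=client, O=client, L=Test, C=DE"
    if is_admin_cert(dn, SAMPLE_YML):
        print("WARNING: %s is listed in admin_dn; permission checks are bypassed" % dn)
    else:
        print("OK: %s is not an admin DN; roles and permissions apply" % dn)
```

The subject DN of a PEM certificate can be read with `openssl x509 -noout -subject -in <cert file>`.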

Ajit Bhosale

Feb 6, 2018, 6:15:39 AM
to Search Guard Community Forum
How can I overcome this problem? Please let me know how I could enable permission checks on the Java side using the transport client with a user other than the admin user.

Ajit Bhosale

Feb 6, 2018, 7:16:50 AM
to Search Guard Community Forum
Thanks, working fine now for me.