Transport client not working with searchguard.

Ajit Bhosale

Feb 1, 2018, 2:37:33 AM
to Search Guard Community Forum
When asking questions, please provide the following information:

* Search Guard and Elasticsearch version 6.0.0
* Installed and used enterprise modules, if any No
* JVM version and operating system version 1.7
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any

Hi,
I am using Search Guard 6, and on the Java side I have implemented the configuration below.
// TLS settings for the transport layer, followed by the HTTP layer settings
Settings settings = Settings.builder()
    .put("cluster.name", "searchguard_demo")
    .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH, "C:\\Users\\c-ajitb\\Desktop\\SearchguardFiles\\esnode.pem")
    .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, "C:\\Users\\c-ajitb\\Desktop\\SearchguardFiles\\esnode-key.pem")
    .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, "C:\\Users\\c-ajitb\\Desktop\\SearchguardFiles\\root-ca.pem")
    .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, "false")
    .put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED, "true")
    .put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMCERT_FILEPATH, "C:\\Users\\c-ajitb\\Desktop\\SearchguardFiles\\esnode.pem")
    .put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMKEY_FILEPATH, "C:\\Users\\c-ajitb\\Desktop\\SearchguardFiles\\esnode-key.pem")
    .put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, "C:\\Users\\c-ajitb\\Desktop\\SearchguardFiles\\root-ca.pem")
    .build();

// Connect to the node's transport port with the Search Guard SSL plugin loaded
TransportClient transclient = new PreBuiltTransportClient(settings, SearchGuardSSLPlugin.class)
    .addTransportAddress(new TransportAddress(InetAddress.getByName("172.21.153.176"), 9300));
// Basic auth header attached to the client's thread context
transclient.threadPool().getThreadContext().putHeader("Authorization", "Basic " + Base64.getEncoder().encodeToString("admin:admin".getBytes()));
GetResponse getResponse = transclient.prepareGet("testindex", "testtype", "1").get();
System.out.println("Response=" + getResponse.getSource());

But I am getting the exception below.
ElasticsearchSecurityException[No user found for indices:data/read/get]

I have given admin credentials.
Please reply and provide a solution.

Thanks,
Ajit

SG

Feb 1, 2018, 5:39:02 PM
to search...@googlegroups.com
esnode.pem is not a correct certificate I guess (because it's a node and not a client certificate)

kanchank...@gmail.com

Feb 2, 2018, 1:37:05 AM
to Search Guard Community Forum
But the same configuration is autogenerated in the elasticsearch.yml file; I checked it there and applied it in code.

In elasticsearch.yml:

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

Please reply with what changes are needed.

kanchank...@gmail.com

Feb 2, 2018, 2:48:31 AM
to Search Guard Community Forum
Thanks, I changed the files to use kirk.pem and kirk-key.pem and it worked. But it is giving permission to all users on all indices. From Kibana I created some users and provided roles and permissions for a particular index, but the permissions are not working.

SG

Feb 2, 2018, 2:58:28 AM
to search...@googlegroups.com
You need to get familiar with the different types of certificates in Search Guard,
see http://docs.search-guard.com/latest/tls-in-production

kanchank...@gmail.com

Feb 2, 2018, 5:14:42 AM
to Search Guard Community Forum
Please could you let me know what I should replace to make the permissions work as I have given them in Kibana. If I need to change the kirk files, what should be the procedure to create them?
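
Editor's added example, not part of the thread and not Search Guard's own code: the elasticsearch.yml quoted above lists kirk's DN under `searchguard.authcz.admin_dn`, and Search Guard gives certificates listed there unrestricted admin access, so role permissions do not constrain a client that connects with kirk.pem. The sketch below checks a certificate subject against that list; the DN normalisation is a simplified assumption, and the `app-client` DN is a constructed, hypothetical non-admin client.

```python
import re

# Excerpt of the elasticsearch.yml quoted in the thread (constructed sample input).
ES_YML = """\
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.allow_unsafe_democertificates: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
"""

def parse_admin_dns(yml_text):
    """Return the list items under searchguard.authcz.admin_dn (line-based, no YAML library)."""
    dns, in_list = [], False
    for line in yml_text.splitlines():
        if line.startswith("searchguard.authcz.admin_dn:"):
            in_list = True
        elif in_list and line.strip().startswith("- "):
            dns.append(line.strip()[2:].strip().strip("\"'"))
        elif line.strip() and not line.lstrip().startswith("#"):
            in_list = False  # any other key ends the list
    return dns

def normalize_dn(dn):
    """Split on unescaped commas, trim whitespace, upper-case attribute types.
    Assumption: a simplified comparison, not Search Guard's own matching code."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)

def is_admin_cert(subject_dn, admin_dns):
    """True if the certificate subject is listed as an admin DN."""
    subject = normalize_dn(subject_dn)
    return any(subject == normalize_dn(dn) for dn in admin_dns)

def audit(subjects, yml_text=ES_YML):
    """Map each subject DN to True (admin certificate) or False (regular client)."""
    admin_dns = parse_admin_dns(yml_text)
    return {dn: is_admin_cert(dn, admin_dns) for dn in subjects}

if __name__ == "__main__":
    # Subject DNs as printed by: openssl x509 -in <cert>.pem -noout -subject -nameopt RFC2253
    subjects = [
        "CN=kirk,OU=client,O=client,L=test,C=de",        # DN from the thread's admin_dn entry
        "CN=app-client,OU=client,O=client,L=test,C=de",  # constructed, hypothetical client DN
    ]
    for dn, admin in audit(subjects).items():
        print(("ADMIN, roles not enforced" if admin else "regular client") + ": " + dn)
```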