Why can Search Guard not get the Authorization user & password?


Huang Angle

Feb 6, 2018, 1:41:44 AM2/6/18
to Search Guard Community Forum
ES version : 5.6.3
Search guard version: search-guard-5-5.6.3-18

My application uses the transport client Java API to search ES. According to this URL: https://floragunn.com/searchguard-elasicsearch-transport-clients/ , it works fine.
However, according to the article "Transport client authentication and authorization" (https://floragunn.com/transport-client-authentication-authorization/ ), ES only reads the user assigned in the client certificate and cannot read the Authorization header's user and password.

My code demo:

// Imports needed by the snippet (ES 5.6.x transport client and Search Guard 5):
import java.net.InetAddress;
import java.net.UnknownHostException;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.search.SearchHits;
import org.elasticsearch.transport.client.PreBuiltTransportClient;
import com.floragunn.searchguard.SearchGuardPlugin;
import com.floragunn.searchguard.ssl.util.SSLConfigConstants;
import static org.elasticsearch.index.query.QueryBuilders.boolQuery;
import static org.elasticsearch.index.query.QueryBuilders.matchQuery;

try {
    String cur_path = System.getProperty("user.dir");
    System.out.print(cur_path);
    Settings.Builder settingsBuilder = Settings.builder()
        .put("searchguard.ssl.transport.enabled", true)
        // client certificate that identifies this application on the transport layer
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, cur_path + "\\src\\test\\java\\es_login\\es_login\\hkz123-keystore.jks")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, cur_path + "\\src\\test\\java\\es_login\\es_login\\truststore.jks")
        //.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "changeit")
        //.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "changeit")
        .put("searchguard.ssl.transport.enforce_hostname_verification", false)
        .put("client.transport.sniff", true)
        .put("cluster.name", "elasticsearch")
        .put("searchguard.ssl.transport.resolve_hostname", false)
        .put("path.home", ".");
    Settings settings = settingsBuilder.build();
    TransportClient client = new PreBuiltTransportClient(settings, SearchGuardPlugin.class)
        .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("192.168.2.102"), 9300));
    // encodeBasicHeader is the poster's own helper (not shown): base64("user:password")
    System.out.println("Basic " + encodeBasicHeader("tca", "tca"));
    // header goes into this thread's context and is attached to transport requests made from it
    client.threadPool().getThreadContext().putHeader("Authorization", "Basic " + encodeBasicHeader("tca", "tca"));
    SearchResponse response = client.prepareSearch("get-together")
        .setQuery(boolQuery().must(matchQuery("tags.keyword", "elasticsearch")))
        .setFrom(0).setSize(60).execute().actionGet();
    SearchHits hits = response.getHits();
    for (int i = 0; i < 2; i++) {
        System.out.println(hits.getAt(i).getSource().get("organizer"));
    }
} catch (UnknownHostException e) {
    e.printStackTrace();
}

ES log:
[2018-02-06T11:44:27,351][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=CN=hkz123,OU=client,O=client,L=Test,C=DE, roles=[]] [IndexType [index=index, type=*], IndexType [index=get-together, type=*], IndexType [index=horse, type=*], IndexType [index=test-index, type=*], IndexType [index=myindex, type=*], IndexType [index=dangerdata, type=*], IndexType [index=new-index, type=*], IndexType [index=searchguard, type=*], IndexType [index=.kibana, type=*]] [Action [[cluster:monitor/state]]] [RolesChecked [sg_own_index, sg_public]]
[2018-02-06T11:44:27,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {}

According to the log, Search Guard uses hkz123, the user from the client certificate, to access ES, not tca:tca. Why?
elasticsearch.yml:

######## Start Search Guard Demo Configuration ########
 #searchguard.disabled: true
 searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks
 searchguard.ssl.transport.truststore_filepath: truststore_1.jks
 searchguard.ssl.transport.enforce_hostname_verification: false
 searchguard.ssl.http.enabled: true
 searchguard.ssl.http.keystore_filepath: node-1-keystore.jks
 searchguard.ssl.http.truststore_filepath: truststore_1.jks
 searchguard.ssl.http.clientauth_mode: NONE
 searchguard.authcz.admin_dn:
   - CN=hkz,OU=client,O=client,L=test, C=de
 #searchguard.authcz.impersonation_dn:
 #  "CN=hkz123,OU=client,O=client,L=Test,C=DE":
 #    - '*'

 node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

sg_internal_users.yml:

tca:
  hash: $2a$12$G1./WsW7s0dPoJZCH9Bxqe08CgOHtrdZej7yN6iv02bTIRf5UITYG
  #password is: admin
 
CN=hkz123,OU=client,O=client,L=Test,C=DE:
  hash: "_transport_only"

sg_roles_mapping.yml:

sg_readall:
  users:
    - readall
    - tca 

SG

Feb 6, 2018, 5:35:14 AM2/6/18
to search...@googlegroups.com
Have a look here https://groups.google.com/d/msgid/search-guard/5e2d6f6e-b77a-494a-88d4-4884255bbd2b%40googlegroups.com?utm_medium=email&utm_source=footer and mind the following pattern:

StoredContext ctx = client.threadPool().getThreadContext().stashContext();
try {
    client.threadPool().getThreadContext().putHeader("Authorization", "basic " + encodeBasicHeader("user", "pass"));
    // use tc in context of "user"...
} finally {
    ctx.close(); // restore original context
}

Huang Angle

Feb 9, 2018, 1:40:33 AM2/9/18
to Search Guard Community Forum

I used the pattern to access Elasticsearch, but the user accessing ES is still the client user stored in keystore.jks.
Putting .put("request.headers.sg_impersonate_as", "admin") in the settings works. However, I don't understand why; can anyone explain?

try {
    String cur_path = System.getProperty("user.dir");
    System.out.print(cur_path);
    Settings.Builder settingsBuilder = Settings.builder()
        .put("searchguard.ssl.transport.enabled", true)
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, cur_path + "\\src\\test\\java\\es_login\\es_login\\hkz-keystore.jks")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, cur_path + "\\src\\test\\java\\es_login\\es_login\\truststore.jks")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "tca")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "tca")
        .put("searchguard.ssl.transport.enforce_hostname_verification", false)
        .put("client.transport.sniff", true)
        .put("cluster.name", "elasticsearch")
        // default header attached to every request this client sends
        .put("request.headers.sg_impersonate_as", "admin")
        .put("searchguard.ssl.transport.resolve_hostname", false)
        .put("path.home", ".");
    Settings settings = settingsBuilder.build();
    TransportClient client = new PreBuiltTransportClient(settings, SearchGuardPlugin.class)
        .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("192.168.2.102"), 9300));
    StoredContext ctx = client.threadPool().getThreadContext().stashContext();
    try {
        client.threadPool().getThreadContext().putHeader("Authorization", "Basic " + encodeBasicHeader("admin", "admin"));
        .....   // elided in the post
    } finally {
        ctx.close(); // restore original context
    }
} catch (UnknownHostException e) {
    e.printStackTrace();
}


On Tuesday, February 6, 2018 at 6:35:14 PM UTC+8, Search Guard wrote:
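The stashed-context pattern from the reply above, written out as an added example; it is not code from the thread or from Search Guard. It assumes encodeBasicHeader is plain Base64 of "user:password" (the thread never shows that helper), uses placeholder keystore paths and environment variables for secrets, and the class and method names (ScopedAuthExample, callWithHeaders, countHits, basicAuth, impersonate, connect, env) are mine. The transport layer authenticates the client certificate, which is why the log in the first post shows the certificate DN as the user; an identity header is extra request state, so this example attaches it per call. It also applies the sg_impersonate_as header per call instead of through the request.headers.sg_impersonate_as setting, which would attach it to every request the client ever sends, and it keeps hostname verification enabled rather than disabling it as the posted settings do.

```java
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.Callable;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.concurrent.ThreadContext.StoredContext;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.transport.client.PreBuiltTransportClient;
import com.floragunn.searchguard.SearchGuardPlugin;
import com.floragunn.searchguard.ssl.util.SSLConfigConstants;

/**
 * Added example (not from the thread or from Search Guard): identity headers on an
 * ES 5.x transport client scoped to a single call instead of the client's lifetime.
 */
public final class ScopedAuthExample {

    // Value part of an HTTP Basic header: base64("user:password").
    // Assumed equivalent of the thread's encodeBasicHeader helper, which is not shown.
    static String encodeBasicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return Base64.getEncoder().encodeToString(raw);
    }

    // Runs action with headers attached to the thread context only for the duration of
    // the call. stashContext() starts from an empty context; close() restores the previous
    // one. This also avoids the IllegalArgumentException ThreadContext.putHeader() throws
    // when the same key is already present from an earlier call on this thread.
    static <T> T callWithHeaders(TransportClient client, Map<String, String> headers,
                                 Callable<T> action) throws Exception {
        ThreadContext tc = client.threadPool().getThreadContext();
        StoredContext stored = tc.stashContext();
        try {
            for (Map.Entry<String, String> h : headers.entrySet()) {
                tc.putHeader(h.getKey(), h.getValue());
            }
            return action.call();
        } finally {
            stored.close(); // restore the caller's context
        }
    }

    // Hit count for the thread's query, executed with the given headers in scope.
    static long countHits(TransportClient client, String index, Map<String, String> headers)
            throws Exception {
        return callWithHeaders(client, headers, () -> {
            SearchResponse r = client.prepareSearch(index)
                    .setQuery(QueryBuilders.matchQuery("tags.keyword", "elasticsearch"))
                    .setSize(0)
                    .get();
            return r.getHits().getTotalHits();
        });
    }

    // Basic credentials of an internal user, carried in the Authorization header.
    static Map<String, String> basicAuth(String user, String password) {
        return Collections.singletonMap("Authorization", "Basic " + encodeBasicHeader(user, password));
    }

    // Per-call form of the request.headers.sg_impersonate_as setting used in the thread.
    // Honoured only when the node's elasticsearch.yml lists the client certificate DN under
    // searchguard.authcz.impersonation_dn; list the specific user names allowed there, not '*'.
    static Map<String, String> impersonate(String targetUser) {
        return Collections.singletonMap("sg_impersonate_as", targetUser);
    }

    // Secrets come from the environment; fail early instead of passing null into Settings.
    static String env(String name) {
        String v = System.getenv(name);
        if (v == null) throw new IllegalStateException(name + " is not set");
        return v;
    }

    // TLS transport client; the keystore paths are placeholders.
    static TransportClient connect(String host, int port) throws Exception {
        Settings settings = Settings.builder()
                .put("cluster.name", "elasticsearch")
                .put("searchguard.ssl.transport.enabled", true)
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, "/path/to/client-keystore.jks")
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, env("SG_KEYSTORE_PASSWORD"))
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, "/path/to/truststore.jks")
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, env("SG_TRUSTSTORE_PASSWORD"))
                // left on: the node certificate must match the host being connected to
                .put("searchguard.ssl.transport.enforce_hostname_verification", true)
                .put("path.home", ".")
                .build();
        return new PreBuiltTransportClient(settings, SearchGuardPlugin.class)
                .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(host), port));
    }

    public static void main(String[] args) throws Exception {
        try (TransportClient client = connect("127.0.0.1", 9300)) {
            System.out.println("as tca:            " + countHits(client, "get-together", basicAuth("tca", env("TCA_PASSWORD"))));
            System.out.println("impersonating tca: " + countHits(client, "get-together", impersonate("tca")));
        }
    }
}
```

Run it with SG_KEYSTORE_PASSWORD, SG_TRUSTSTORE_PASSWORD and TCA_PASSWORD set; each countHits call leaves no Authorization or sg_impersonate_as header behind in the thread context, so a later call on the same thread runs as the certificate user again unless it supplies its own headers. The PrivilegesEvaluator log line from the first post is the thing to watch while testing: the User [name=...] it prints tells you which identity the node actually evaluated for that request.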