Search guard certificate based user role mapping issue


nis...@factweavers.com

Dec 31, 2018, 11:35:09 AM
to Search Guard Community Forum
Hello,

* Search Guard version: 5
* Elasticsearch version: 5.6.13
* Operating system: Ubuntu 16.04/ CentOS 6
* Search guard edition: Community
* Java version: 1.8


**Issue** 
The certificate based user role can't be changed for Java transport client (To restrict java api to delete and write data to Elasticsearch).

* Node, Client and Admin (.pem and .key) certificates were generated using the Offline TLS tool. Updated "elasticsearch.yml" with the content generated in the snippet during the creation of the certificates.


* New users were added to "sg_internal_users.yml" with hashed passwords. Over HTTPS (curl -k -u username:password https://localhost:9200) I'm able to alter the user roles and permissions to access Elasticsearch. Using sgadmin I have pushed the configuration changes to Search Guard.

* In the case of the transport client with Search Guard, using the Java API I'm able to perform indexing, search and delete operations in Elasticsearch with the generated certificates. I'm using the admin certificate for the following transport client settings:

Settings settings = Settings.builder()
              .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, "/home/user/sg/certs/example-admin.key")
              .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH, "/home/user/sg/certs/example-admin.pem")
              .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, "/home/user/sg/certs/root-ca.pem")
              .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
              .put("cluster.name", "sg_test").build();

* In order to modify the role of the (example-admin.key) certificate, I have added the certificate DN in "sg_roles_mapping.yml" and provided the permission to only read data from Elasticsearch. Using sgadmin, the new configuration changes were updated to Search Guard.

The roles are not getting updated for the certificate based user, I'm unable to restrict the java client from indexing or deleting data from Elasticsearch.

Please help me to modify the search guard role and permission (certificate based user) for Java transport client.

Thanks.

SG

Jan 1, 2019, 9:27:37 AM
to search...@googlegroups.com
Can you post your rolesmapping file?

nis...@factweavers.com

Jan 1, 2019, 11:27:33 PM
to Search Guard Community Forum
Please find the attached file.
sg_roles_mapping.yml

nis...@factweavers.com

Jan 9, 2019, 5:14:42 AM
to Search Guard Community Forum
Hello,

We had added the below mapping in the config file to enable just readall. The roles mapping file is also attached. Any help would be greatly appreciated, thanks.

sg_readall:
  users:
    - readall
    - 'CN=fw.example.com, OU=Ops, O="Example Com\, Inc.", DC=example, DC=com'
sg_roles_mapping.yml

Search Guard

Jan 10, 2019, 4:53:40 PM
to Search Guard Community Forum
Pls post also elasticsearch.yml and sg_config.yml

nis...@factweavers.com

Jan 11, 2019, 12:23:08 AM
to Search Guard Community Forum
Thanks for the quick response.

I have attached both the files (elasticsearch.yml and sg_config.yml) with this message, please find the same. 
elasticsearch.yml
sg_config.yml

SG

Jan 12, 2019, 11:16:06 AM
to search...@googlegroups.com
You should not add the admin_dn (CN=fw.example.com,OU=Ops,O="Example Com, Inc.",DC=Example,DC=com) anywhere
in the sg_roles_mapping.yml file.

To connect via transport client, use another (additional, non-admin) client certificate and not the admin certificate (unless you
want to deal with the Search Guard index like sgadmin). Put the DN of the other client certificate in the sg_roles_mapping.yml file.

See:

https://search-guard.com/searchguard-elasicsearch-transport-clients/
https://search-guard.com/transport-client-authentication-authorization/
https://docs.search-guard.com/latest/elasticsearch-transport-clients-search-guard

Also make sure you enable the clientcert_auth_domain

clientcert_auth_domain:
  enabled: true
  order: 2
  http_authenticator:
    type: clientcert
    config:
      username_attribute: null
    challenge: false
  authentication_backend:
    type: noop
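Added example, not part of the thread and not Search Guard code: a small lint for the mistake the reply above points out, flagging any sg_roles_mapping.yml user entry that is the same DN as an admin DN even when the two are spelled differently (spacing, quoting, escaped commas, case). The data is constructed from the DNs quoted in the thread plus one hypothetical non-admin client DN; case-insensitive comparison is an assumption made so the check errs toward flagging.

```python
def split_rdns(dn):
    """Split a DN on commas that are neither quoted nor backslash-escaped."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if escaped:                 # char after a backslash is kept literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':             # quotes only delimit, drop them
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts

def normalize_dn(dn):
    """Canonical form: (ATTR, value) pairs, trimmed, case-folded (assumption)."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip().lower()))
    return tuple(pairs)

def admin_dns_in_mapping(admin_dns, roles_mapping):
    """Return (role, user) pairs whose user entry is really an admin DN."""
    admins = {normalize_dn(d) for d in admin_dns}
    return [(role, user)
            for role, users in roles_mapping.items()
            for user in users
            if "=" in user and normalize_dn(user) in admins]

# Constructed input. Admin DN as written in the reply (the value that
# searchguard.authcz.admin_dn in elasticsearch.yml would hold):
ADMIN_DNS = ['CN=fw.example.com,OU=Ops,O="Example Com, Inc.",DC=Example,DC=com']
# Mapping as posted in the thread, plus a hypothetical non-admin client DN.
CLIENT_DN = 'CN=transport-client.example.com,OU=Ops,O="Example Com, Inc.",DC=example,DC=com'
ROLES_MAPPING = {"sg_readall": [
    "readall",
    'CN=fw.example.com, OU=Ops, O="Example Com\\, Inc.", DC=example, DC=com',
    CLIENT_DN,
]}

if __name__ == "__main__":
    for role, user in admin_dns_in_mapping(ADMIN_DNS, ROLES_MAPPING):
        print(f"{role}: mapped user is an admin DN: {user}")
```

Hex-escaped characters (for example `\2C`) and multi-valued RDNs are not handled; the normalizer covers only the quoting and escaping styles that appear in this thread.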
