Searchguard cluster configuration


sankar dunga

30 Oct 2017, 7:40:53 am
to Search Guard Community Forum
Hi All,

I am stuck with the Search Guard configuration for a cluster environment. Below is my environment:

* Search Guard and Elasticsearch version: 5.5
* JVM version and operating system version: 1.8


elasticsearch.yml
-------------------------------------------------------
cluster.name: log-collector
path.data: /var/lib/elasticsearch/log-collector
path.logs: /var/log/elasticsearch
node.master: true
node.data: false
bootstrap.memory_lock: true # this one added new
indices.fielddata.cache.size:  40%
indices.breaker.fielddata.limit: 60%
indices.breaker.request.limit: 40%
indices.breaker.total.limit: 70%
bootstrap.system_call_filter: false
network.host: 0.0.0.0
network.publish_host: _eth0_

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.keystore_password: changeit
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: changeit
searchguard.authcz.admin_dn:
  - CN=spock,OU=client,O=client,L=test,C=de

searchguard.nodes_dn:
   - CN=node-0-example.com,OU=SSL,O=test,L=test,C=de

######## End Search Guard Demo Configuration ########
"/etc/elasticsearch/elasticsearch.yml" 46L, 2015C

-------------------------------------------------------
Generated a node certificate using gen_node_cert.sh from PKI scripts... with updated IP configuration
-------------------------------------------------------
I've executed sgadmin
/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -cn log-collector -kspass changeit -ks /etc/elasticsearch/spock-keystore.jks -tspass changeit -ts /etc/elasticsearch/truststore.jks -nhnv --diagnose

I see the error below on the master node:

[root@LOG-COLLECTOR tools]# ./sgadmin_demo.sh
Search Guard Admin v5
Will connect to 10.207.99.125:9300 ... done

### LICENSE NOTICE Search Guard ###

If you use one or more of the following features in production
make sure you have a valid Search Guard license
(See https://floragunn.com/searchguard-validate-license)

* Kibana Multitenancy
* LDAP authentication/authorization
* Active Directory authentication/authorization
* REST Management API
* JSON Web Token (JWT) authentication/authorization
* Kerberos authentication/authorization
* Document- and Fieldlevel Security (DLS/FLS)
* Auditlogging

In case of any doubt mail to <sa...@floragunn.com>
###################################
Diagnostic trace written to: /usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin_diag_trace_2017-Oct-30_10-50-35.txt
Contacting elasticsearch cluster 'log-collector' and wait for YELLOW clusterstate ...
Clustername: log-collector
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 0
searchguard index already exists, so we do not need to create one.
INFO: searchguard index state is YELLOW, it seems you miss some replicas
Populate config from /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/
Will update 'config' with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_config.yml
   FAIL: Configuration for 'config' failed because of UnavailableShardsException[[searchguard][0] primary shard is not active Timeout: [1m], request: [BulkShardRequest [[searchguard][0]] containing [index {[searchguard][config][0], source[n/a, actual length: [3.1kb], max length: 2kb]}] and a refresh]]
Will update 'roles' with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles.yml
   FAIL: Configuration for 'roles' failed because of UnavailableShardsException[[searchguard][0] primary shard is not active Timeout: [1m], request: [BulkShardRequest [[searchguard][0]] containing [index {[searchguard][roles][0], source[n/a, actual length: [3.4kb], max length: 2kb]}] and a refresh]]
Will update 'rolesmapping' with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles_mapping.yml
   FAIL: Configuration for 'rolesmapping' failed because of UnavailableShardsException[[searchguard][0] primary shard is not active Timeout: [1m], request: [BulkShardRequest [[searchguard][0]] containing [index {[searchguard][rolesmapping][0], source[{"rolesmapping":"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"}]}] and a refresh]]

-------------------------------------------------------

Someone please help me to understand the problem and certificate generation / configuration.
Thanks in advance

SG

1 Nov 2017, 4:27:13 pm
to search...@googlegroups.com
You have no data node (Number of data nodes: 0)
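
An added example (not part of the original posts, and not Search Guard's own tooling) that triages captured sgadmin output for the condition the reply points out: with zero data nodes the searchguard index's primary shard has nowhere to be allocated, so each upload fails with UnavailableShardsException. The function names and the abbreviated sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage captured sgadmin output. Names are hypothetical.

# Constructed sample, abbreviated from the output quoted in the thread.
sg_sample_failed() {
cat <<'EOF'
Clustername: log-collector
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 0
   FAIL: Configuration for 'config' failed because of UnavailableShardsException[...]
   FAIL: Configuration for 'roles' failed because of UnavailableShardsException[...]
   FAIL: Configuration for 'rolesmapping' failed because of UnavailableShardsException[...]
EOF
}

# Print the value of the first "Key: value" line read from stdin.
sg_field() {
    sed -n "s/^$1: *//p" | head -n 1
}

# List the config types whose upload failed, comma-separated (stdin).
sg_failed_types() {
    sed -n "s/^ *FAIL: Configuration for '\([^']*\)' failed.*UnavailableShardsException.*/\1/p" |
        paste -sd, -
}

# Classify captured output in file $1: no-data-node, shards-unavailable or ok.
sg_diagnose() {
    data_nodes=$(sg_field 'Number of data nodes' < "$1")
    # grep -c exits 1 on zero matches, so keep the count and ignore the status.
    fails=$(grep -c 'FAIL: .*UnavailableShardsException' "$1" || true)
    if [ "${data_nodes:-unknown}" = "0" ]; then
        echo "no-data-node"      # nowhere to allocate the searchguard index
    elif [ "$fails" -gt 0 ]; then
        echo "shards-unavailable"
    else
        echo "ok"
    fi
}

sample=$(mktemp)
sg_sample_failed > "$sample"
echo "diagnosis: $(sg_diagnose "$sample")"
echo "failed uploads: $(sg_failed_types < "$sample")"
rm -f "$sample"
```

A `no-data-node` result means the cluster needs a node with `node.data: true` before sgadmin is run again.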
