Search Guard Refresh Interval Error


Bishwajit Samanta

Nov 15, 2018, 7:04:41 AM
to Search Guard Community Forum
Hi Team,

I am facing a Search Guard refresh interval error. Though the cluster state seems healthy, permission issues are coming up somewhere. Can anyone help me with this?

Elasticsearch 6.3
Search Guard: 6.3


Output Logs::-
-------------------

root@k8sslave02:/usr/share/elasticsearch/plugins/search-guard-6/tools# /usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig -icl -ks /etc/elasticsearch/admin-keystore.jks -kspass Alcatraz2.0 -ts /etc/elasticsearch/truststore.jks -tspass Alcatraz2.0 -nhnv -icl -h 127.0.0.1 -port 9740
Search Guard Admin v6
Will connect to 127.0.0.1:9740 ... done
Elasticsearch Version: 6.3.0
Search Guard Version: 6.3.0-22.3
Connected as CN=admin,OU=client,O=client,L=Test,C=DE
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: my-new-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
searchguard index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/
Will update 'sg/config' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success

root@k8sslave02:/usr/share/elasticsearch/plugins/search-guard-6/tools# curl -XPUT --insecure -u admin:password123 "https://localhost:9640/*/_settings" -H 'Content-Type: application/json' -d '{ "index" : { "refresh_interval" : "180s" } }'
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/settings/update] and User [name=admin, roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:admin/settings/update] and User [name=admin, roles=[], requestedTenant=null]"},"status":403}root@k8sslave02:/usr/share/elasticsearch/plugins/search-guard-6/tools#
root@k8sslave02:/usr/share/elasticsearch/plugins/search-guard-6/tools# curl -XGET -u admin:password123 --insecure https://localhost:9640/_cluster/health?pretty
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [cluster:monitor/health] and User [name=admin, roles=[], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [cluster:monitor/health] and User [name=admin, roles=[], requestedTenant=null]"
  },
  "status" : 403
}
root@k8sslave02:/usr/share/elasticsearch/plugins/search-guard-6/tools# systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-11-15 17:15:37 IST; 9min ago
     Docs: http://www.elastic.co
 Main PID: 866 (java)
    Tasks: 57
   Memory: 1.3G
      CPU: 31.486s
   CGroup: /system.slice/elasticsearch.service
           ├─866 /usr/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+
           └─932 /usr/share/elasticsearch/modules/x-pack/x-pack-ml/platform/linux-x86_64/bin/controller

Nov 15 17:15:37 k8sslave02 systemd[1]: Started Elasticsearch.

Jochen Kressin

Nov 15, 2018, 8:18:38 AM
to Search Guard Community Forum
Maybe there's something wrong with the roles setup. Can you do a curl GET with your admin user against /_searchguard/authinfo?pretty and post the output here?

Bishwajit Samanta

Nov 15, 2018, 9:16:34 AM
to search...@googlegroups.com
Hi Jochen,

Thank you for your reply. Please find the curl response below:

root@k8sslave02:~# curl -XGET --insecure -u admin:password123 "https://localhost:9640/*/_searchguard/authinfo?pretty"
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [indices:data/read/get] and User [name=admin, roles=[], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [indices:data/read/get] and User [name=admin, roles=[], requestedTenant=null]"
  },
  "status" : 403
}


--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/9978f0f4-94f8-4dc5-88ef-0af942f0c695%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--
Bishwajit Samanta

Jochen Kressin

Nov 15, 2018, 10:46:25 AM
to Search Guard Community Forum
This is not the output of the authinfo endpoint, you need to use:

curl -XGET --insecure -u admin:password123 "https://localhost:9640/_searchguard/authinfo?pretty"


Bishwajit Samanta

Nov 15, 2018, 1:06:22 PM
to search...@googlegroups.com
Sorry for my mistake; please find the output below:

root@k8sslave02:~# curl -XGET --insecure -u admin:password123 "https://localhost:9640/_searchguard/authinfo?pretty"
{
  "user" : "User [name=admin, roles=[], requestedTenant=null]",
  "user_name" : "admin",
  "user_requested_tenant" : null,
  "remote_address" : "[::1]:45454",
  "backend_roles" : [ ],
  "custom_attribute_names" : [ ],
  "sg_roles" : [
    "sg_own_index"
  ],
  "sg_tenants" : {
    "admin" : true
  },
  "principal" : null,
  "peer_certificates" : "0"
}



Jochen Kressin

Nov 15, 2018, 1:32:26 PM
to search...@googlegroups.com
Your user does not have any SG roles assigned, apart from the sg_own_index demo role Search Guard ships with:

"sg_roles" : [
  "sg_own_index"
]

The user also does not have any backend roles:

"backend_roles" : [ ]

That is why you are seeing the "no permissions" error. You need to use the roles mapping to assign the user to one or more Search Guard roles:

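Added example (not part of the thread and not Search Guard code): a small triage helper for the two responses posted above, which tells a 403 returned for a mistyped authinfo URL apart from real authinfo output and reports whether the user holds anything beyond the demo role. The function names are hypothetical, and reading `roles=[...]` in the user string as backend roles is an assumption that matches the empty `backend_roles` shown in the thread.

```python
import json
import re

# Reason string of a Search Guard 403, in the form shown in this thread.
# Assumption: roles=[...] in the user string lists the backend roles.
DENIAL_RE = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and "
    r"User \[name=(?P<name>[^,\]]+), roles=\[(?P<roles>[^\]]*)\]"
)

# Both bodies are abridged copies of responses posted in the thread.
WRONG_URL_BODY = '{"error": {"type": "security_exception", "reason": "no permissions for [indices:data/read/get] and User [name=admin, roles=[], requestedTenant=null]"}, "status": 403}'
AUTHINFO_BODY = '{"user_name": "admin", "backend_roles": [], "sg_roles": ["sg_own_index"]}'


def parse_denial(body):
    """Return action, user and backend roles from a 403 body, else None."""
    error = json.loads(body).get("error")
    if not isinstance(error, dict) or error.get("type") != "security_exception":
        return None
    m = DENIAL_RE.search(error.get("reason", ""))
    if m is None:
        return None
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return {"action": m.group("action"), "user": m.group("name"),
            "backend_roles": roles}


def triage(body, demo_roles=("sg_own_index",)):
    """Classify a response that was expected to be authinfo output."""
    denial = parse_denial(body)
    if denial is not None:
        # The request never reached authinfo; it was checked as an index action.
        return {"status": "not_authinfo", "denied_action": denial["action"]}
    info = json.loads(body)
    backend = info.get("backend_roles", [])
    other = [r for r in info.get("sg_roles", []) if r not in demo_roles]
    return {
        "status": "mapped" if other else "unmapped",
        "non_demo_sg_roles": other,
        # Names a roles-mapping entry could match for this user.
        "mappable_subjects": [info.get("user_name")] + backend,
    }


if __name__ == "__main__":
    print(triage(WRONG_URL_BODY))
    print(triage(AUTHINFO_BODY))
```

A status of `unmapped` corresponds to the situation diagnosed in the last reply: the only subject available to a roles-mapping entry is the user name itself, since no backend roles are present.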