Non-disruptive transition to rolling out SearchGuard
7 views
Skip to first unread message
Mat Martin
Jan 28, 2019, 4:03:00 AM1/28/19
to Search Guard Community Forum
We have an ELK stack running on our private corporate network, and I have been tasked with securing it. I am investigating options for rolling out SearchGuard without undue disruption.
We have a nuget package which client applications use for firing log messages into ElasticSearch. This just creates an http request, and fires it at the ElasticSearch REST API.
The choice of auth method will be influenced by what is least disruptive.
Is there a choice of auth such that we could run the "secure" and "insecure" methods in parallel, and then when everyone is using the secure channel, turn the insecure channel off?
Context
* Search Guard and Elasticsearch version: search-guard-6-6.5.2-23.2; elasticsearch-6.5.2
* Installed and used enterprise modules, if any
* JVM version and operating system version: 1.8.0_202
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any: no other plugins
Jochen Kressin
Jan 31, 2019, 11:05:50 AM1/31/19
to Search Guard Community Forum
You could, for example, use the anonymous authentication feature for that:
Usually, when a request does not carry any user credentials (basic auth, JWT, Kerberos ticket etc.) Search Guard would reject it. If you enable anonymous auth, Search Guard will assign all unauthenticated requests to a default "anonymous" user. You could then map this anonymous user to a Search Guard role that has sufficient/all permissions that your tools need. That way users/tools would not note any difference.
If everything is switched to secure channels, you can disable anonymous auth again. This can all be done on a running cluster without the need for a restart.
SG
Jan 31, 2019, 3:49:49 PM1/31/19
to search...@googlegroups.com
When you run a totally unsecured ES cluster you can not install Search Guard in a rolling manner without downtime because of inter-node TLS communication.
In other words: For the first inital Search Guard installation you need to take the whole cluster down, for subsequent updates there is no downtime anymore.
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/bc2bfe4e-0f46-4d6e-aee6-040b5dccbc50%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
In other words: For the first inital Search Guard installation you need to take the whole cluster down, for subsequent updates there is no downtime anymore.
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/bc2bfe4e-0f46-4d6e-aee6-040b5dccbc50%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages