Search Guard for Elasticsearch 2 is coming February 2016


in...@search-guard.com

Dec 12, 2015, 3:00:50 PM
to Search Guard
Search Guard for Elasticsearch 2 is coming February 2016

in...@search-guard.com

Dec 27, 2015, 8:13:33 PM
to Search Guard

Mike Niemaz

Jan 8, 2016, 10:20:24 AM
to Search Guard
Unfortunately, it does not want to work for me :-(
Spent a lot of time trying though.
Any idea why the handshake is not happening?

Thanx,

--mike

************************************************
This is alpha software, do not use in production
************************************************
[2016-01-08 16:05:37,447][INFO ][plugins                  ] [Alcmena] loaded [search-guard-ssl, search-guard-2], sites [head]
[2016-01-08 16:05:37,464][INFO ][env                      ] [Alcmena] using [1] data paths, mounts [[/home/mike (/home/mike/.Private)]], net usable_space [85.9gb], net total_space [149.2gb], spins? [possibly], types [ecryptfs]
[2016-01-08 16:05:37,522][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL OpenSSL 1.0.1f 6 Jan 2014 available
[2016-01-08 16:05:37,522][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL available ciphers [ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA, SRP-DSS-AES-256-CBC-SHA, SRP-RSA-AES-256-CBC-SHA, SRP-AES-256-CBC-SHA, DHE-DSS-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA256, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-DSS-CAMELLIA256-SHA, AECDH-AES256-SHA, ADH-AES256-GCM-SHA384, ADH-AES256-SHA256, ADH-AES256-SHA, ADH-CAMELLIA256-SHA, ECDH-RSA-AES256-GCM-SHA384, ECDH-ECDSA-AES256-GCM-SHA384, ECDH-RSA-AES256-SHA384, ECDH-ECDSA-AES256-SHA384, ECDH-RSA-AES256-SHA, ECDH-ECDSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, CAMELLIA256-SHA, PSK-AES256-CBC-SHA, ECDHE-RSA-DES-CBC3-SHA, ECDHE-ECDSA-DES-CBC3-SHA, SRP-DSS-3DES-EDE-CBC-SHA, SRP-RSA-3DES-EDE-CBC-SHA, SRP-3DES-EDE-CBC-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, AECDH-DES-CBC3-SHA, ADH-DES-CBC3-SHA, ECDH-RSA-DES-CBC3-SHA, ECDH-ECDSA-DES-CBC3-SHA, DES-CBC3-SHA, PSK-3DES-EDE-CBC-SHA, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA, SRP-DSS-AES-128-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-AES-128-CBC-SHA, DHE-DSS-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-DSS-AES128-SHA256, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, DHE-RSA-SEED-SHA, DHE-DSS-SEED-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-DSS-CAMELLIA128-SHA, AECDH-AES128-SHA, ADH-AES128-GCM-SHA256, ADH-AES128-SHA256, ADH-AES128-SHA, ADH-SEED-SHA, ADH-CAMELLIA128-SHA, ECDH-RSA-AES128-GCM-SHA256, ECDH-ECDSA-AES128-GCM-SHA256, ECDH-RSA-AES128-SHA256, ECDH-ECDSA-AES128-SHA256, ECDH-RSA-AES128-SHA, ECDH-ECDSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, SEED-SHA, CAMELLIA128-SHA, PSK-AES128-CBC-SHA, ECDHE-RSA-RC4-SHA, 
ECDHE-ECDSA-RC4-SHA, AECDH-RC4-SHA, ADH-RC4-MD5, ECDH-RSA-RC4-SHA, ECDH-ECDSA-RC4-SHA, RC4-SHA, RC4-MD5, PSK-RC4-SHA, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, ADH-DES-CBC-SHA, DES-CBC-SHA, EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA, EXP-ADH-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-ADH-RC4-MD5, EXP-RC4-MD5]
[2016-01-08 16:05:37,522][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL ALPN supported false
[2016-01-08 16:05:37,540][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslTransportClientProvider:OPENSSL
[2016-01-08 16:05:37,540][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslTransportServerProvider:OPENSSL
[2016-01-08 16:05:37,540][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslHTTPProvider:null
[2016-01-08 16:05:37,576][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] isOpenSSL:true
[2016-01-08 16:05:37,576][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] isJDKSSL:false
[2016-01-08 16:05:37,804][INFO ][transport                ] [Alcmena] Using [com.floragunn.searchguard.transport.SearchGuardTransportService] as transport service, overridden by [search-guard2]
[2016-01-08 16:05:37,805][INFO ][transport                ] [Alcmena] Using [com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] as transport, overridden by [search-guard-ssl]
[2016-01-08 16:05:38,669][INFO ][node                     ] [Alcmena] initialized
[2016-01-08 16:05:38,670][INFO ][node                     ] [Alcmena] starting ...
[2016-01-08 16:05:38,743][INFO ][com.floragunn.searchguard.transport.SearchGuardTransportService] [Alcmena] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}, {[::1]:9300}
[2016-01-08 16:05:38,749][DEBUG][action.admin.cluster.health] [Alcmena] no known master node, scheduling a retry
[2016-01-08 16:05:38,749][INFO ][discovery                ] [Alcmena] elasticsearch/0MAXxFqgRaq3rYT2-sBoYw
[2016-01-08 16:05:38,946][ERROR][com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor] SslHandler found : handshake status: NOT_HANDSHAKING
[2016-01-08 16:05:38,946][ERROR][com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor] SslHandler found : handshake session: io.netty.handler.ssl.OpenSslEngine$OpenSslSession@7c5f9760
[2016-01-08 16:05:38,946][ERROR][com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor] SslHandler found : peer host: null
[2016-01-08 16:05:38,946][ERROR][com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor] SslHandler found : peer port: -1
[2016-01-08 16:05:38,946][ERROR][com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor] SslHandler found : task: null
[2016-01-08 16:05:38,946][ERROR][com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor] SslHandler found : sup protocols nb: 6
[2016-01-08 16:05:38,946][ERROR][com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor] SslHandler found : mode: false
[2016-01-08 16:05:38,946][ERROR][com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor] SslHandler found : protocol: TLSv1.2
[2016-01-08 16:05:38,947][ERROR][com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor] Can not verify SSL peer (SG 13) due to javax.net.ssl.SSLPeerUnverifiedException: peer not verified
javax.net.ssl.SSLPeerUnverifiedException: peer not verified
    at io.netty.handler.ssl.OpenSslEngine$OpenSslSession.getPeerCertificates(OpenSslEngine.java:1626)

SG

Jan 13, 2016, 4:14:32 PM
to search...@googlegroups.com
set

searchguard.ssl.transport.enforce_hostname_verification: false

and/or disable open ssl

searchguard.ssl.transport.enable_openssl_if_available: false

BTW: That's a very old OpenSSL version you're using

SG

Jan 18, 2016, 12:09:29 PM
to search...@googlegroups.com

Dimitri K. E. Missoh

Jan 21, 2016, 4:41:27 AM
to Search Guard
I'm giving a try to the alpha in the context of a big project here in Germany (I'm using ES 2.1.0).

I couldn't manage to make it work (except the search-guard-ssl plugin, which works fine). The error "[com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized" is thrown for each request, and there is not a clue on how to solve it.

I know it's an open source project but it's a pity that no resource is provided (in the documentation) on how to easily test it (like ES Shield does).

Cheers.

SG

Jan 21, 2016, 4:07:36 PM
to search...@googlegroups.com, dimitri...@gmail.com
Hi Dimitri,

did you follow the instructions here?: https://github.com/floragunncom/search-guard/tree/master2.1
Have you pushed your initial configuration via plugins/search-guard-2/tools/sgadmin.sh ?

Thanks

Gabe N

Jan 26, 2016, 1:48:41 PM
to Search Guard
When in February?  Beginning, middle, end of February?

Thanks,
Gabe

in...@search-guard.com

Jan 30, 2016, 6:53:52 AM
to Search Guard
Assume end of February

apino.su...@gmail.com

Mar 21, 2016, 5:26:14 PM
to Search Guard, dimitri...@gmail.com
Hi everyone,

I follow the instructions but I'm a bit lost: I use the vagrant scripts to generate keystore and truststore for transport ssl. That's ok!
Now I need to use the sgadmin.sh script but keystore and truststore are needed?

Can I use the kirk or spock keystore, but how to generate the truststore?

Regards,

Ronny Bradston

Mar 22, 2016, 10:17:23 AM
to search...@googlegroups.com
Hi,

Here is a simple configuration I did, and it worked:
Install search-guard ssl and search-guard plugins
Copy /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/kirk-keystore.jks and /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/truststore.jks into /etc/elasticsearch
Edit your /etc/elasticsearch/elasticsearch.yml as follows:
searchguard.enabled: true
security.manager.enabled: false
searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=tEst, C=De"
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: kirk-keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks

Start elasticsearch
Go into /usr/share/elasticsearch
Initialize searchguard as follows:
plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -ks plugins/search-guard-2/sgconfig/keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks  -nhnv

If everything works fine, the searchguard index will be created and every user defined in /usr/share/elasticsearch/sgconfig/sg_internal_users.yml will also be created.

Hope that helps,
Ronny B.
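
The settings used in this thread (the shipped kirk keystore, hostname verification switched off, the security manager disabled) are fine for getting a test node to start but should be caught before the same elasticsearch.yml is reused elsewhere. The check below is an added example, not part of Ronny's post or the Search Guard project; it parses only flat elasticsearch.yml, and treating keystores and DNs named kirk or spock as demo material is an assumption based on the file names mentioned in this thread.

```python
import re
# Constructed sample: the settings from the post above plus the two suggested earlier.
SAMPLE_YML = '''\
searchguard.enabled: true
security.manager.enabled: false
searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=tEst, C=De"
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: kirk-keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.enable_openssl_if_available: false
'''
DEMO_NAMES = ("kirk", "spock")  # assumption: demo identities named in this thread

def parse_flat_yaml(text):
    """Parse flat 'key: value' lines and '- item' lists (no nesting, no PyYAML)."""
    settings, current = {}, None
    for line in text.splitlines():
        item = re.match(r"\s*-\s+(.*)$", line)
        if item and isinstance(settings.get(current), list):
            settings[current].append(item.group(1).strip().strip("\"'"))
        elif not item and ":" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition(":")
            current = key.strip()
            settings[current] = value.strip().strip("\"'") or []
    return settings

def audit(settings):
    """Return (setting, reason) pairs for values that should not leave a test node."""
    findings = []
    off = lambda key: str(settings.get(key, "")).lower() == "false"
    if off("searchguard.ssl.transport.enforce_hostname_verification"):
        findings.append(("searchguard.ssl.transport.enforce_hostname_verification",
                         "peer certificates are accepted without a hostname match"))
    if off("security.manager.enabled"):
        findings.append(("security.manager.enabled", "Java Security Manager is off"))
    for key in ("keystore_filepath", "truststore_filepath"):
        full = "searchguard.ssl.transport." + key
        name = str(settings.get(full, "")).rsplit("/", 1)[-1].lower()
        if name.startswith(DEMO_NAMES):
            findings.append((full, "demo keystore shipped with the plugin: " + name))
    for dn in settings.get("searchguard.authcz.admin_dn", []):
        if re.search(r"CN=(%s)\b" % "|".join(DEMO_NAMES), dn, re.I):
            findings.append(("searchguard.authcz.admin_dn", "demo admin DN: " + dn))
    return findings

if __name__ == "__main__":
    print(*audit(parse_flat_yaml(SAMPLE_YML)), sep="\n")
```

Turning OpenSSL off with enable_openssl_if_available is deliberately not flagged: it only switches the TLS provider and does not relax any check.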

apino.su...@gmail.com

Mar 22, 2016, 6:40:32 PM
to Search Guard
Evening guys,

Thanks for the help but it doesn't work. I can't understand how it could work:
- passwords and aliases are needed but I added the lines in elasticsearch.yml.
- for sgadmin, keystore.jks is not found, so I use node-01-keystore.jks copied into /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/
- keystore and truststore passwords are needed but you can add them:
plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -ks plugins/search-guard-2/sgconfig/keystore.jks -kspass ks_password -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass ts_password  -nhnv

Then sgadmin starts but a new warning appears:
[WARN ] org.elasticsearch.client.transport - [Ramshot] node {#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300} not part of the cluster Cluster [elasticsearch], ignoring...
Exception in thread "main" NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

Any ideas?

in...@search-guard.com

Mar 26, 2016, 8:03:40 AM
to Search Guard

John Bakker

Apr 22, 2016, 6:35:11 AM
to Search Guard, dimitri...@gmail.com
Did you ever manage to get this issue resolved? I'm having exactly the same issue: when starting my elasticsearch cluster it gives me the following error:

[2016-04-21 08:30:50,817][WARN ][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized

Therefore I'm not able to execute this step:
plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ -ks plugins/search-guard-2/sgconfig/keystore.jks -ts plugins/search-guard-2/sgconfig/truststore.jks  -nhnv

The Manual that I'm using is 


I already created a CA signed server certificate, added it to my keystore and all, but the step where I want to run the initial configuration is failing, with the following message in the console and the error above in my elasticsearch cluster log:

[root@elasticsearch elasticsearch]# plugins/search-guard-2/tools/sgadmin.sh -cd plugins/search-guard-2/sgconfig/ csearch-keystore.jks -kspass elastic -ts /etc/elasticsearch/elasticsearch-truststore.ts -tspass elastic -host ela9300 -nhnv
Connect to elasticsearch.localdomain:9300
[08:34:31,181][WARN ] org.elasticsearch.client.transport - [Comet Man] node {#transport#-1}{192.168.168.149}{elas.168.149:9300} not part of the cluster Cluster [elasticsearch], ignoring...
Exception in thread "main" NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{h.localdomain/192.168.168.149:9300}]]
        at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClient
        at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.jav
        at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)
        at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)
        at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
        at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)
        at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)
        at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)
        at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)



Kind Regards,

John

On Thursday, January 21, 2016 at 22:07:36 UTC+1, in...@search-guard.com wrote:

Dimitri Missoh

Apr 22, 2016, 3:46:41 PM
to John Bakker, Search Guard
No, I'm sorry I did not. I just gave up and implemented my own security plugin instead.
And the current version of search guard doesn't support DLS, which I actually need.

Regards,

Dimitri.

SG

Apr 25, 2016, 4:42:07 PM
to search...@googlegroups.com, John Bakker, dimitri...@gmail.com
Hi John, Hi Dimitri,

sorry to hear that.

Pls. check the vagrant demo to see a working installation: https://github.com/floragunncom/search-guard/blob/master/Vagrantfile

@Dimitri: We are interested in your DLS implementation, maybe you want to share your thoughts with us?

Thx