Getting "no permissions for [cluster:monitor/health]" on SearchGuard 6


ihjaz Mohamed

Mar 9, 2018, 1:18:29 AM
to Search Guard Community Forum

* Search Guard and Elasticsearch version
SearchGuard 6 - 6.2.2-21
Elasticsearch - 6.2.2
* Installed and used enterprise modules, if any
none
* JVM version and operating system version
OpenJDK Runtime Environment (build 1.8.0_161-b14)
OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)
Red Hat Enterprise Linux Server release 7.4 (Maipo) 
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any
Kibana Searchguard plugin.

Hi,

I have an elasticsearch cluster with two nodes. I use different admin certificates on different nodes of the cluster and only the admin DN of the respective node is mentioned in the elasticsearch.yml.

When I initialize the cluster for the first time, it completes successfully. After that if I try initializing it from the other node of the cluster it fails with the below error.

ERR: Cannot retrieve cluster state due to: no permissions for [cluster:monitor/health] and User [name=C=US,O=Avaya,CN=Breeze44-sm100.inblrlab.avaya.com, roles=[], requestedTenant=null].
Root cause: ElasticsearchSecurityException[no permissions for [cluster:monitor/health] and User [name=C=US,O=Avaya,CN=Breeze44-sm100.inblrlab.avaya.com, roles=[], requestedTenant=null]] (org.elasticsearch.ElasticsearchSecurityException/org.elasticsearch.ElasticsearchSecurityException)

This used to work on Searchguard 5 without any issues. 

After some trial and error I was able to get around this by adding the admin DN of the other node in the elasticsearch yml file. But I don't want to do this as there is no way for one node to find the admin DN of the other node.

Is this some new security check added in Searchguard 6? Is there a way to disable this check so that it can work the way it used to on Searchguard 5?


Search Guard

Mar 12, 2018, 11:53:37 AM
to Search Guard Community Forum
This is unsupported and you should not do that. It was also unsupported for 5.x and I think it was pure luck that it works.
We need to have the elasticsearch.yml to be the same on all nodes (there are exceptions but in general the values of all settings should be equal on all nodes).

Why do you want to have different admin certs for different nodes? What is your use case or your requirement here?
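
A way to check the point made in the reply above before starting the nodes, as an added example that is not part of the thread or Search Guard's own tooling. It assumes the admin DNs are listed under the flat `searchguard.authcz.admin_dn` key in each node's elasticsearch.yml; the node names, DNs and function names are constructed, and the DN comparison is a simplification (no escaped commas).

```python
ADMIN_KEY = "searchguard.authcz.admin_dn"

def admin_dns(yml_text):
    """Return the DNs listed under the flat admin_dn key (block-list form only)."""
    dns, in_list = [], False
    for raw in yml_text.splitlines():
        stripped = raw.strip()
        if stripped.startswith(ADMIN_KEY + ":"):
            in_list = True
        elif in_list and stripped.startswith("- "):
            dns.append(stripped[2:].strip().strip("\"'"))
        elif stripped and not stripped.startswith("#"):
            in_list = False          # any other setting ends the list
    return dns

def normalize_dn(dn):
    """Simplified DN normalisation: trim spaces, ignore case, keep RDN order."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip().casefold()))
    return tuple(parts)

def rejecting_nodes(configs, cert_dn):
    """Nodes whose elasticsearch.yml does not list cert_dn as an admin DN.

    On such a node the certificate is treated as an ordinary user without
    roles, which is the situation behind the error quoted in the question.
    """
    wanted = normalize_dn(cert_dn)
    return sorted(
        node for node, text in configs.items()
        if wanted not in {normalize_dn(d) for d in admin_dns(text)}
    )

# Constructed sample configs: each node lists only its own admin certificate.
NODE_A = """\
cluster.name: demo
searchguard.authcz.admin_dn:
  - "CN=admin-a.example.com,O=Example,C=US"
"""
NODE_B = NODE_A.replace("admin-a", "admin-b")
CONFIGS = {"node-a": NODE_A, "node-b": NODE_B}

if __name__ == "__main__":
    dn = "CN=admin-a.example.com, O=Example, C=US"
    print("not an admin on:", rejecting_nodes(CONFIGS, dn))
```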

ihjaz Mohamed

Mar 13, 2018, 2:23:15 AM
to Search Guard Community Forum
Hi,

I have two existing cert stores on my product used for different types of communication like one for HTTP and one for SIP.
So I use one of them as the node certificate and the other one as the admin certificate for each node. So the admin DN on each node will be different.

SG

Mar 16, 2018, 11:03:02 AM
to search...@googlegroups.com
you may not want to do that