> plugins/search-guard-5/tools/sgadmin.sh -h myhost -cd plugins/search-guard-5/sgconfig/ -ks mykeystore.jks -kspass kspass -ts mytruststore.jks -tspass tspass -nhnv -icl
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: mycluster
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 2
ERR: An unexpected ElasticsearchSecurityException occured: no permissions for indices:admin/exists
Trace:
ElasticsearchSecurityException[no permissions for indices:admin/exists]
at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:147)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:168)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:142)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:64)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:54)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceivedDecorate(SearchGuardSSLRequestHandler.java:177)
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:191)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:139)
at com.floragunn.searchguard.SearchGuardPlugin$2$1.messageReceived(SearchGuardPlugin.java:336)
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69)
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110)
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501)
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385)
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
at java.lang.Thread.run(Thread.java:745)
{
"CLUSTER_ALL" : [
"cluster:*"
],
"ALL" : [
"indices:*"
],
"CRUD" : [
"READ",
"WRITE"
],
"SEARCH" : [
"indices:data/read/search*",
"indices:data/read/msearch*",
"SUGGEST"
],
"MONITOR" : [
"indices:monitor/*"
],
"DATA_ACCESS" : [
"indices:data/*",
"indices:admin/mapping/put"
],
"CREATE_INDEX" : [
"indices:admin/create",
"indices:admin/mapping/put"
],
"WRITE" : [
"indices:data/write*",
"indices:admin/mapping/put"
],
"MANAGE_ALIASES" : [
"indices:admin/aliases*"
],
"READ" : [
"indices:data/read*"
],
"DELETE" : [
"indices:data/write/delete*"
],
"CLUSTER_COMPOSITE_OPS" : [
"indices:data/write/bulk",
"indices:admin/aliases*",
"CLUSTER_COMPOSITE_OPS_RO"
],
"CLUSTER_COMPOSITE_OPS_RO" : [
"indices:data/read/mget",
"indices:data/read/msearch",
"indices:data/read/mtv",
"indices:data/read/coordinate-msearch*",
"indices:admin/aliases/exists*",
"indices:admin/aliases/get*"
],
"GET" : [
"indices:data/read/get*",
"indices:data/read/mget*"
],
"MANAGE" : [
"indices:monitor/*",
"indices:admin/*"
],
"CLUSTER_MONITOR" : [
"cluster:monitor/*"
],
"INDEX" : [
"indices:data/write/index*",
"indices:data/write/update*",
"indices:admin/mapping/put"
],
"SUGGEST" : [
"indices:data/read/suggest*"
]
}
{
"sg_all_access" : {
"cluster" : [
"*"
],
"indices" : {
"*" : {
"*" : [
"*"
]
}
}
},
"sg_kibana" : {
"cluster" : [
"CLUSTER_MONITOR",
"CLUSTER_COMPOSITE_OPS_RO"
],
"indices" : {
"*" : {
"*" : [
"READ",
"indices:admin/mappings/fields/get*"
]
},
"?kibana" : {
"*" : [
"ALL"
]
}
}
},
"sg_public" : {
"cluster" : [
"cluster:monitor/main",
"CLUSTER_COMPOSITE_OPS_RO"
]
},
"sg_own_index" : {
"cluster" : [
"CLUSTER_COMPOSITE_OPS"
],
"indices" : {
"${user_name}" : {
"*" : [
"ALL"
]
}
}
},
"sg_logstash" : {
"cluster" : [
"indices:admin/template/get",
"indices:admin/template/put",
"CLUSTER_MONITOR",
"CLUSTER_COMPOSITE_OPS"
],
"indices" : {
"*beat*" : {
"*" : [
"CRUD",
"CREATE_INDEX"
]
},
"logstash-*" : {
"*" : [
"CRUD",
"CREATE_INDEX"
]
}
}
},
"sg_readall" : {
"cluster" : [
"CLUSTER_COMPOSITE_OPS_RO"
],
"indices" : {
"*" : {
"*" : [
"READ"
]
}
}
}
}
{
"sg_all_access" : {
"users" : [
"admin"
]
},
"sg_kibana" : {
"users" : [
"kibana"
]
},
"sg_logstash" : {
"users" : [
"logstash"
]
},
"sg_readall" : {
"users" : [
"ronly1"
]
}
}
# --------------------------------- Search Guard SSL Configuration -------------
#
# Excerpt of this node's Search Guard TLS and admin-certificate settings.
# The keystore and truststore passwords below are stored in cleartext, so this
# file should be readable only by the account that runs Elasticsearch.
# NOTE(review): the *_filepath values are relative; confirm that the directory
# they resolve against actually contains these keystore files.
#
# REST (HTTP) layer: TLS switched on, using this node's keystore and the truststore.
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node1-keystore.jks
searchguard.ssl.http.keystore_password: node1pass
searchguard.ssl.http.truststore_filepath: mytruststore.jks
searchguard.ssl.http.truststore_password: tspass
# Transport (node-to-node) layer: same keystore and truststore as the HTTP layer.
searchguard.ssl.transport.keystore_filepath: node1-keystore.jks
searchguard.ssl.transport.keystore_password: node1pass
searchguard.ssl.transport.truststore_filepath: mytruststore.jks
searchguard.ssl.transport.truststore_password: tspass
# Hostname verification is turned off for transport connections, so a peer's
# certificate is not checked against the host name it was reached under.
# NOTE(review): presumably a test-cluster convenience; confirm before production use.
searchguard.ssl.transport.enforce_hostname_verification: false
# Subject DNs of the client certificates that Search Guard treats as admin,
# i.e. the identity a tool such as sgadmin has to present.
# NOTE(review): both entries are bare CNs. The value presumably has to equal the
# certificate's complete subject DN; `keytool -list -v` prints it as "Owner".
# Confirm that the keystore passed to sgadmin holds a certificate whose DN is
# listed here character for character.
# NOTE(review): CN=node1-keystore carries the same name as this node's keystore.
# Granting admin rights to a node certificate looks unintended; confirm, and
# prefer a dedicated admin certificate.
searchguard.authcz.admin_dn:
- CN=sgadmin
- CN=node1-keystore
> keytool -list -keystore plugins/search-guard-5/sgconfig/sgadmin-keystore.jks -storepass sgpass
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
cn=sgadmin, Apr 5, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): **:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**
> keytool -list -keystore plugins/search-guard-5/sgconfig/node1-keystore.jks -storepass node1pass
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
cn=node1-keystore, Apr 5, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): **:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**
> keytool -list -keystore plugins/search-guard-5/sgconfig/mytruststore.jks -storepass tspass
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
root-ca-chain, Apr 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): **:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**