How the SearchGuard is Actually Storing the Data ? Is it storing data inside searchguard index ?
66 views
Skip to first unread message
Hardik Bhut
Jul 6, 2016, 8:50:14 AM7/6/16
to Search Guard
Hello All,Â
I just want to figure out like how the searchguard is internally storing the user,roles, and rolesmapping data? I think it's creating index called searchguard, but whenever I tried to look into that index I didn't get any data. When I looked into searchguard index mapping I found like, Whenever we are creating any user or role(via running sgadmin utility), It's getting updated in mapping. But I really want to know about, where the data is stored inside elasticsearch. IF it's strong in searchguard index, then How Can I retrieve those data ?Â
Let me know if any one need further clarifications. Your help will be really appreciated.
Here is the mapping of searchguard index :
{  "searchguard": {   "mappings": {     "internalusers": {      "properties": {        "admin": {         "properties": {           "hash": {            "type": "string"           }         }        },        "dlsflsuser": {         "properties": {           "hash": {            "type": "string"           }         }        },        "kibanaro": {         "properties": {           "hash": {            "type": "string"           }         }        },        "kibanaserver": {         "properties": {           "hash": {            "type": "string"           }         }        },        "kirk": {         "properties": {           "hash": {            "type": "string"           },           "roles": {            "type": "string"           }         }        },        "logstash": {         "properties": {           "hash": {            "type": "string"           }         }        },        "mister_picard": {         "properties": {           "hash": {            "type": "string"           },           "username": {            "type": "string"           }         }        },        "readall": {         "properties": {           "hash": {            "type": "string"           }         }        },        "spock": {         "properties": {           "hash": {            "type": "string"           },           "roles": {            "type": "string"           }         }        },        "test": {         "properties": {           "hash": {            "type": "string"           }         }        },        "worf": {         "properties": {           "hash": {            "type": "string"           }         }        }      }     },     "roles": {      "properties": {        "sg_all_access": {         "properties": {           "cluster": {            "type": "string"           },           "indices": {            "properties": {              "*": {               "properties": {                 "*": {                  "type": "string"                 }               }              }            }           }         }        },        "sg_kibana4": {         "properties": {           "indices": {            "properties": {              "*": {               "properties": {                 "*": {                  "type": "string"                 }               }              },              "?kibana": {               "properties": {                 "*": {                  "type": "string"                 }               }              }            }           }         }        },        "sg_kibana4_server": {         "properties": {           "cluster": {            "type": "string"           },           "indices": {            "properties": {              "?kibana": {               "properties": {                 "*": {                  "type": "string"                 }               }              }            }           }         }        },        "sg_kibana4_testindex": {         "properties": {           "indices": {            "properties": {              "?kibana": {               "properties": {                 "*": {                  "type": "string"                 }               }              },              "test*": {               "properties": {                 "*": {                  "type": "string"                 }               }              }            }           }         }        },        "sg_logstash": {         "properties": {           "cluster": {            "type": "string"           },           "indices": {            "properties": {              "*beat*": {               "properties": {                 "*": {                  "type": "string"                 }               }              },              "logstash-*": {               "properties": {                 "*": {                  "type": "string"                 }               }              }            }           }         }        },        "sg_readall": {         "properties": {           "indices": {            "properties": {              "*": {               "properties": {                 "*": {                  "type": "string"                 }               }              }            }           }         }        },        "sg_readonly_and_monitor": {         "properties": {           "cluster": {            "type": "string"           },           "indices": {            "properties": {              "*": {               "properties": {                 "*": {                  "type": "string"                 }               }              }            }           }         }        },        "sg_readonly_dlsfls": {         "properties": {           "indices": {            "properties": {              "/\\S*/": {               "properties": {                 "*": {                  "type": "string"                 },                 "_dls_": {                  "type": "string"                 },                 "_fls_": {                  "type": "string"                 }               }              }            }           }         }        },        "sg_role_starfleet": {         "properties": {           "indices": {            "properties": {              "pub*": {               "properties": {                 "*": {                  "type": "string"                 }               }              },              "sf": {               "properties": {                 "alumni": {                  "type": "string"                 },                 "public": {                  "type": "string"                 },                 "ships": {                  "type": "string"                 },                 "students": {                  "type": "string"                 }               }              }            }           }         }        },        "sg_role_starfleet_captains": {         "properties": {           "cluster": {            "type": "string"           },           "indices": {            "properties": {              "pub*": {               "properties": {                 "*": {                  "type": "string"                 }               }              },              "sf": {               "properties": {                 "*": {                  "type": "string"                 }               }              }            }           }         }        },        "sg_transport_client": {         "properties": {           "cluster": {            "type": "string"           }         }        }      }     },     "config": {      "properties": {        "searchguard": {         "properties": {           "dynamic": {            "properties": {              "authc": {               "properties": {                 "basic_internal_auth_domain": {                  "properties": {                    "authentication_backend": {                     "properties": {                       "type": {                        "type": "string"                       }                     }                    },                    "enabled": {                     "type": "boolean"                    },                    "http_authenticator": {                     "properties": {                       "challenge": {                        "type": "boolean"                       },                       "type": {                        "type": "string"                       }                     }                    },                    "order": {                     "type": "long"                    }                  }                 },                 "clientcert_auth_domain": {                  "properties": {                    "authentication_backend": {                     "properties": {                       "type": {                        "type": "string"                       }                     }                    },                    "enabled": {                     "type": "boolean"                    },                    "http_authenticator": {                     "properties": {                       "challenge": {                        "type": "boolean"                       },                       "type": {                        "type": "string"                       }                     }                    },                    "order": {                     "type": "long"                    }                  }                 },                 "host_auth_domain": {                  "properties": {                    "authentication_backend": {                     "properties": {                       "type": {                        "type": "string"                       }                     }                    },                    "enabled": {                     "type": "boolean"                    },                    "http_authenticator": {                     "properties": {                       "challenge": {                        "type": "boolean"                       },                       "type": {                        "type": "string"                       }                     }                    },                    "order": {                     "type": "long"                    }                  }                 },                 "jwt_auth_domain": {                  "properties": {                    "authentication_backend": {                     "properties": {                       "type": {                        "type": "string"                       }                     }                    },                    "enabled": {                     "type": "boolean"                    },                    "http_authenticator": {                     "properties": {                       "challenge": {                        "type": "boolean"                       },                       "config": {                        "properties": {                          "jwt_header": {                           "type": "string"                          },                          "signing_key": {                           "type": "string"                          }                        }                       },                       "type": {                        "type": "string"                       }                     }                    },                    "order": {                     "type": "long"                    }                  }                 },                 "kerberos_auth_domain": {                  "properties": {                    "authentication_backend": {                     "properties": {                       "type": {                        "type": "string"                       }                     }                    },                    "enabled": {                     "type": "boolean"                    },                    "http_authenticator": {                     "properties": {                       "challenge": {                        "type": "boolean"                       },                       "config": {                        "properties": {                          "acceptor_principal": {                           "type": "string"                          },                          "krb_debug": {                           "type": "boolean"                          },                          "strip_realm_from_principal": {                           "type": "boolean"                          }                        }                       },                       "type": {                        "type": "string"                       }                     }                    },                    "order": {                     "type": "long"                    }                  }                 },                 "ldap": {                  "properties": {                    "authentication_backend": {                     "properties": {                       "config": {                        "properties": {                          "enable_ssl": {                           "type": "boolean"                          },                          "enable_ssl_client_auth": {                           "type": "boolean"                          },                          "enable_start_tls": {                           "type": "boolean"                          },                          "hosts": {                           "type": "string"                          },                          "userbase": {                           "type": "string"                          },                          "usersearch": {                           "type": "string"                          },                          "verify_hostnames": {                           "type": "boolean"                          }                        }                       },                       "type": {                        "type": "string"                       }                     }                    },                    "enabled": {                     "type": "boolean"                    },                    "http_authenticator": {                     "properties": {                       "challenge": {                        "type": "boolean"                       },                       "type": {                        "type": "string"                       }                     }                    },                    "order": {                     "type": "long"                    }                  }                 },                 "proxy_auth_domain": {                  "properties": {                    "authentication_backend": {                     "properties": {                       "type": {                        "type": "string"                       }                     }                    },                    "enabled": {                     "type": "boolean"                    },                    "http_authenticator": {                     "properties": {                       "challenge": {                        "type": "boolean"                       },                       "config": {                        "properties": {                          "roles_header": {                           "type": "string"                          },                          "user_header": {                           "type": "string"                          }                        }                       },                       "type": {                        "type": "string"                       }                     }                    },                    "order": {                     "type": "long"                    }                  }                 }               }              },              "authz": {               "properties": {                 "roles_from_another_ldap": {                  "properties": {                    "authorization_backend": {                     "properties": {                       "type": {                        "type": "string"                       }                     }                    },                    "enabled": {                     "type": "boolean"                    }                  }                 },                 "roles_from_myldap": {                  "properties": {                    "authorization_backend": {                     "properties": {                       "config": {                        "properties": {                          "enable_ssl": {                           "type": "boolean"                          },                          "enable_ssl_client_auth": {                           "type": "boolean"                          },                          "enable_start_tls": {                           "type": "boolean"                          },                          "hosts": {                           "type": "string"                          },                          "resolve_nested_roles": {                           "type": "boolean"                          },                          "rolebase": {                           "type": "string"                          },                          "rolename": {                           "type": "string"                          },                          "rolesearch": {                           "type": "string"                          },                          "userbase": {                           "type": "string"                          },                          "userrolename": {                           "type": "string"                          },                          "usersearch": {                           "type": "string"                          },                          "verify_hostnames": {                           "type": "boolean"                          }                        }                       },                       "type": {                        "type": "string"                       }                     }                    },                    "enabled": {                     "type": "boolean"                    }                  }                 }               }              },              "http": {               "properties": {                 "anonymous_auth_enabled": {                  "type": "boolean"                 },                 "xff": {                  "properties": {                    "enabled": {                     "type": "boolean"                    },                    "internalProxies": {                     "type": "string"                    },                    "proxiesHeader": {                     "type": "string"                    },                    "remoteIpHeader": {                     "type": "string"                    }                  }                 }               }              }            }           }         }        }      }     },     "rolesmapping": {      "properties": {        "sg_all_access": {         "properties": {           "users": {            "type": "string"           }         }        },        "sg_kibana4": {         "properties": {           "backendroles": {            "type": "string"           },           "users": {            "type": "string"           }         }        },        "sg_kibana4_server": {         "properties": {           "users": {            "type": "string"           }         }        },        "sg_kibana4_testindex": {         "properties": {           "users": {            "type": "string"           }         }        },        "sg_logstash": {         "properties": {           "users": {            "type": "string"           }         }        },        "sg_public": {         "properties": {           "users": {            "type": "string"           }         }        },        "sg_readall": {         "properties": {           "users": {            "type": "string"           }         }        },        "sg_readonly_dlsfls": {         "properties": {           "users": {            "type": "string"           }         }        },        "sg_role_klingons1": {         "properties": {           "backendroles": {            "type": "string"           },           "hosts": {            "type": "string"           },           "users": {            "type": "string"           }         }        },        "sg_role_starfleet": {         "properties": {           "backendroles": {            "type": "string"           },           "hosts": {            "type": "string"           },           "users": {            "type": "string"           }         }        },        "sg_role_starfleet_captains": {         "properties": {           "backendroles": {            "type": "string"           }         }        }      }     },     "actiongroups": {      "properties": {        "ALL": {         "type": "string"        },        "CLUSTER_ALL": {         "type": "string"        },        "CLUSTER_MONITOR": {         "type": "string"        },        "CREATE_INDEX": {         "type": "string"        },        "CRUD": {         "type": "string"        },        "DATA_ACCESS": {         "type": "string"        },        "DELETE": {         "type": "string"        },        "GET": {         "type": "string"        },        "INDEX": {         "type": "string"        },        "MANAGE": {         "type": "string"        },        "MANAGE_ALIASES": {         "type": "string"        },        "MONITOR": {         "type": "string"        },        "READ": {         "type": "string"        },        "SEARCH": {         "type": "string"        },        "SUGGEST": {         "type": "string"        },        "WRITE": {         "type": "string"        }      }     }   }  }}...
SG
Jul 6, 2016, 8:55:21 AM7/6/16
to search...@googlegroups.com
Magic happens here: https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/configuration/SearchGuardIndexSearcherWrapper.java
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/aa836989-3a57-4a5e-a4d2-54f50bdf9f81%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/aa836989-3a57-4a5e-a4d2-54f50bdf9f81%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Hardik Bhut
Jul 6, 2016, 9:23:59 AM7/6/16
to Search Guard
What magic happens there ? Â Can you tell me like, how can I retrieve ACL data from searchguard index. I looked into older posts, I found like there is type called ac and deals with ACL related data. But I didn't find any type like ac on searchguard index. Can you help me out ?Â
Hardik Bhut
Jul 8, 2016, 8:55:13 AM7/8/16
to Search Guard
Hello SG,
Thanks for your help. I really appreciate for it. I am able to retrieve data from searchguard index. I need to do changes in https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/configuration/SearchGuardIndexSearcherWrapper.java file. I need to add one if condition inside IndexSearcher wrap function. Following is the changed function:Â
public final IndexSearcher wrap(final EngineConfig engineConfig, final IndexSearcher searcher) throws EngineException {Â Â Â Â if (log.isTraceEnabled()) {
      log.trace("IndexSearcher {} should be wrapped (reader is {})", searcher.getClass(), searcher.getIndexReader().getClass());
    }
    if(!shardReady) {
      return searcher;
    }
    // patch for getting data from searchguard index
    if(isSearchGuardIndexRequest()) {
      return dlsFlsWrap(engineConfig, searcher);
    }
    if (isSearchGuardIndexRequest() && !isAdminAuhtenticatedOrInternalRequest()) {
      return new IndexSearcher(new EmptyReader());
    }
    if (!isAdminAuhtenticatedOrInternalRequest()) {
      //if (settings == null || settings.getAsBoolean("searchguard.dynamic.dlsfls_enabled", true)) {
        return dlsFlsWrap(engineConfig, searcher);
      //}
    }
    return searcher;
  }
On Wednesday, July 6, 2016 at 6:25:21 PM UTC+5:30, SG wrote:
SG
Jul 12, 2016, 11:31:46 AM7/12/16
to search...@googlegroups.com
Can you explain WHY you need to retrieve the data stored in the searchguard index in that way? I do not recommend your approach because it breaks security.
Use sgadmin to update and retrieve searchguard index content.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/1d500dfd-f74f-4219-bdc4-7a495b3461ac%40googlegroups.com.
Use sgadmin to update and retrieve searchguard index content.
Reply all
Reply to author
Forward
0 new messages