Allow_default_init_sgindex vs sgadmin

If I use Search Guard in production, I replace the certs with my own certs and set up the security configs correctly. Can I rely on searchguard.allow_default_init_sgindex: true to initialize the security index during bootstrap? Is there any concern about using this configuration in production?

Also, could you explain what the difference is between the allow_default_init_sgindex: true config and the sgadmin tool? Is it that sgadmin can hot-load the configs without requiring a node restart, whereas allow_default_init_sgindex: true is used during bootstrap?

Thanks

Are you using ODFE or Search Guard? It seems you already posted a similar question here: How to bootstrap a cluster to enable security plugin in production - Security - OpenSearch

I am evaluating both. I feel there are a lot of similarities but some differences as well.

searchguard.allow_default_init_sgindex: true initializes the cluster on bootstrap only (that means once a cluster is initialized the setting becomes irrelevant; a cluster is initialized when the searchguard index exists and the configuration has been loaded).

We do not recommend it for production usage (therefore the default is false) because for a normal setup the default config would be loaded (from plugins/search-guard-VERSION/sgconfig/), which is unsafe in case the files are not modified before the node starts. It's also not predictable from which node the configs will be loaded. If you make sure that the configs on all nodes are production-ready (with no default users and passwords), then you might use it in production.

In general we recommend using sgadmin or the REST API to initialize it the first time and to update the configs when needed. This is all documented here: Security for Elasticsearch | Search Guard Documentation

Note: We do not support ODFE. Things might be different there.
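The reply above names two conditions under which bootstrap initialization is tolerable (the setting is on, and the on-disk sgconfig on every node carries no demo users or passwords) and otherwise points at sgadmin. The script below is an added example, not code from the thread or from the Search Guard project: a pre-flight check a node operator could run against a node's elasticsearch.yml and sg_internal_users.yml before starting it, plus the sgadmin command line that is the recommended alternative. Assumptions: the demo user names (admin, kibanaserver, kibanaro, logstash, readall, snapshotrestore) are those shipped in the demo sg_internal_users.yml and may differ in your copy; the certificate file names, the sgconfig directory and the VERSION placeholder in the plugin path are placeholders; the sample YAML files are constructed here so the check runs offline.

```shell
#!/bin/sh
# Added example, not Search Guard's own tooling. Pre-flight for the two
# conditions in the reply above, then the sgadmin alternative.
set -u

# 0 if this elasticsearch.yml enables bootstrap initialisation of the
# searchguard index (uncommented "searchguard.allow_default_init_sgindex: true"),
# 1 otherwise. Commented-out lines do not count.
default_init_enabled() {
  grep -Eq '^[[:space:]]*searchguard\.allow_default_init_sgindex:[[:space:]]*true[[:space:]]*(#.*)?$' "$1"
}

# 0 if sg_internal_users.yml still defines any demo user, 1 if none remain.
# The user list is an assumption taken from the demo config; adjust to taste.
has_default_users() {
  for u in admin kibanaserver kibanaro logstash readall snapshotrestore; do
    if grep -Eq "^${u}:" "$1"; then
      echo "default user still present: $u" >&2
      return 0
    fi
  done
  return 1
}

# Verdict for one node:
#   ok-sgadmin    bootstrap init is off; the index must be loaded with sgadmin/REST
#   ok-bootstrap  bootstrap init is on and the on-disk users file has no demo users
#   unsafe        bootstrap init is on and demo users are still present (exit 1)
preflight() {
  es_yml=$1; users_yml=$2
  if default_init_enabled "$es_yml"; then
    if has_default_users "$users_yml"; then
      echo "unsafe"; return 1
    fi
    echo "ok-bootstrap"; return 0
  fi
  echo "ok-sgadmin"; return 0
}

# The recommended path: load a reviewed sgconfig directory with sgadmin,
# authenticating with the admin certificate. Only printed here, since it
# needs a live cluster; -cd/-icl/-nhnv/-cacert/-cert/-key are sgadmin flags,
# the file names are placeholders.
sgadmin_init_cmd() {
  printf '%s\n' "plugins/search-guard-VERSION/tools/sgadmin.sh -cd $1 -icl -nhnv -cacert root-ca.pem -cert admin.pem -key admin-key.pem"
}

# Constructed sample files for a stand-alone run.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/es-weak.yml" <<'EOF'
cluster.name: prod
searchguard.allow_default_init_sgindex: true
EOF
cat > "$WORK/es-fixed.yml" <<'EOF'
cluster.name: prod
# searchguard.allow_default_init_sgindex: true   # left at the default (false)
EOF
cat > "$WORK/users-demo.yml" <<'EOF'
admin:
  hash: "$2a$12$placeholder"
  roles:
    - admin
kibanaserver:
  hash: "$2a$12$placeholder"
EOF
cat > "$WORK/users-prod.yml" <<'EOF'
ops_admin:
  hash: "$2a$12$placeholder"
  roles:
    - admin
EOF

preflight "$WORK/es-weak.yml"  "$WORK/users-demo.yml" || echo "(refuse to start this node)"
preflight "$WORK/es-weak.yml"  "$WORK/users-prod.yml"
preflight "$WORK/es-fixed.yml" "$WORK/users-demo.yml"
sgadmin_init_cmd "$WORK/sgconfig"
```

Run it once per node before the first start; the "unsafe" verdict is the case the reply warns about, where whichever node wins the race would load demo credentials into the searchguard index. Once the index exists, the setting is ignored and later changes go through sgadmin or the REST API regardless of the verdict.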

Thanks so much for the detailed info!
