If I use Search Guard in production, I replace the certs with my own certs and set up the security configs correctly. Can I rely on searchguard.allow_default_init_sgindex: true to initialize the security index during bootstrap? Is there any concern with using this configuration in production?
Also, could you explain the difference between the allow_default_init_sgindex: true config and the sgadmin tool? Is it that sgadmin can hot-load the configs without requiring a node restart, but allow_default_init_sgindex: true is used during bootstrap?
I am evaluating both. I feel there are a lot of similarities but some differences as well.
searchguard.allow_default_init_sgindex: true will initialize the cluster on bootstrapping only (that means once a cluster is initialized, the setting becomes irrelevant. A cluster is initialized when the searchguard index exists and the configuration was loaded).
We do not recommend it for production usage (therefore the default is false) because for a normal setup the default config would be loaded (from plugins/search-guard-VERSION/sgconfig/), which is unsafe in case the files are not modified before the node starts. It's also not predictable from which node the configs will be loaded. If you make sure that the configs on all nodes are production ready (with no default users and passwords), then you might use it in production.
In general we recommend using sgadmin or the REST API to initialize it the first time and to update the configs when needed. This is all documented here: Security for Elasticsearch | Search Guard Documentation
Note: We do not support ODFE. Things might be different there.
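A pre-flight check for the condition described in the answer above, as an added example that is not part of the original thread and is not Search Guard code: it verifies that every node's sgconfig directory is byte-identical to a vetted baseline and that no operator-listed default user remains. The file name sg_internal_users.yml, the layout with users as top-level keys, the node names and the forbidden user "admin" are assumptions or constructed sample data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

USERS_FILE = "sg_internal_users.yml"  # assumed file name; users assumed to be top-level YAML keys

def fingerprint(sgconfig_dir):
    """SHA-256 over every *.yml file name and content in one node's sgconfig directory."""
    digest = hashlib.sha256()
    for path in sorted(Path(sgconfig_dir).glob("*.yml")):
        digest.update(path.name.encode() + b"\0" + path.read_bytes() + b"\0")
    return digest.hexdigest()

def top_level_users(sgconfig_dir):
    """Top-level keys of the users file (line-based scan, no YAML library needed)."""
    path = Path(sgconfig_dir) / USERS_FILE
    if not path.exists():
        return set()
    return set(re.findall(r"^([A-Za-z0-9_.-]+):", path.read_text(), flags=re.M))

def preflight(node_dirs, approved_fingerprint, forbidden_users):
    """Return a list of findings; an empty list means every node carries the vetted config."""
    findings = []
    for node, directory in sorted(node_dirs.items()):
        if fingerprint(directory) != approved_fingerprint:
            findings.append(f"{node}: sgconfig differs from the approved baseline")
        for user in sorted(top_level_users(directory) & set(forbidden_users)):
            findings.append(f"{node}: shipped default user '{user}' still present")
    return findings

def demo():
    """Constructed sample: node-2 still carries an unmodified users file."""
    vetted = "svc_ingest:\n  hash: <bcrypt-hash-placeholder>\n"
    stale = "admin:\n  hash: <bcrypt-hash-placeholder>\n"
    with tempfile.TemporaryDirectory() as tmp:
        nodes = {}
        for name, users in (("node-1", vetted), ("node-2", stale), ("node-3", vetted)):
            nodes[name] = Path(tmp) / name
            nodes[name].mkdir()
            (nodes[name] / USERS_FILE).write_text(users)
        baseline = fingerprint(nodes["node-1"])
        return preflight(nodes, baseline, forbidden_users={"admin"})

if __name__ == "__main__":
    print("\n".join(demo()) or "all nodes match the vetted configuration")
```

Because any node may be the one that loads the index, a single finding is enough reason to keep the setting at false until that node is fixed.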
Thanks so much for the detailed info!