Hello, I am running ElasticSearch 6.1.3, with SearchGuard 6.1.3-20.
At the moment I have Ansible creating the entire setup, this installs some default users and roles.
Now my question is, if I go and create some roles via the GUI (API). If I then go and run sgadmin.sh with the existing config files will I lose the new roles I just created in the GUI?
How do other users balance out the two?
Thanks
Basically, you are right. The idea behind sgadmin is that you maintain your settings in the config files, e.g. on your local machine, and then upload it to the cluster. This will overwrite/replace the current settings in the SG index.
The REST API (or the config GUI for that matter) writes to the SG index directly without the need to keep settings in config files.
The question what approach is best really depends on your use case. A typical use case is: The administrator responsible for setting up ES / SG applies a default configuration via sgadmin during provisioning, e.g. via Puppet, Chef, Ansible etc. This could include an admin role which has access to the REST API / Config GUI, so changes in the roles and permission settings are possible after the initial install. The ES backup process already in place is extended to also include the SG settings: You can dump the current config settings from the SG index to files by using the -r/–retrieve switch of sgadmin. These files can then be re-applied to the same or any other cluster running SG via sgadmin again.
Can you tell us a bit more about your use case so we can advise?
Thanks.
···
On Friday, February 16, 2018 at 10:26:09 AM UTC+1, anthony.cleaves@actual-experience.com wrote:
Hello, I am running ElasticSearch 6.1.3, with SearchGuard 6.1.3-20.
At the moment I have Ansible creating the entire setup, this installs some default users and roles.
Now my question is, if I go and create some roles via the GUI (API). If I then go and run sgadmin.sh with the existing config files will I lose the new roles I just created in the GUI?
How do other users balance out the two?
Thanks
I think you answered what I needed to hear to be honest.
We will use config files unless we need to do somthing via the GUI then we can dump the output and update ansible.
Usecase for now is simple.
I install an entire cluster via Ansible, run sgadmin on a node and then add users from existing sg_config files.
Do you have an example how you would use the -r to retrieve a user list?
···
On Friday, 16 February 2018 09:42:18 UTC, Jochen Kressin wrote:
Basically, you are right. The idea behind sgadmin is that you maintain your settings in the config files, e.g. on your local machine, and then upload it to the cluster. This will overwrite/replace the current settings in the SG index.
The REST API (or the config GUI for that matter) writes to the SG index directly without the need to keep settings in config files.
The question what approach is best really depends on your use case. A typical use case is: The administrator responsible for setting up ES / SG applies a default configuration via sgadmin during provisioning, e.g. via Puppet, Chef, Ansible etc. This could include an admin role which has access to the REST API / Config GUI, so changes in the roles and permission settings are possible after the initial install. The ES backup process already in place is extended to also include the SG settings: You can dump the current config settings from the SG index to files by using the -r/–retrieve switch of sgadmin. These files can then be re-applied to the same or any other cluster running SG via sgadmin again.
Can you tell us a bit more about your use case so we can advise?
Thanks.
On Friday, February 16, 2018 at 10:26:09 AM UTC+1, anthony...@actual-experience.com wrote:
Hello, I am running ElasticSearch 6.1.3, with SearchGuard 6.1.3-20.
At the moment I have Ansible creating the entire setup, this installs some default users and roles.
Now my question is, if I go and create some roles via the GUI (API). If I then go and run sgadmin.sh with the existing config files will I lose the new roles I just created in the GUI?
How do other users balance out the two?
Thanks
Sure, there’s also one in the sgadmin example in the docs:
So you just use:
./sgadmin.sh \
-ks /path/to/keystore.jks \
-kspass changeit
-ts /path/to/truststore.jks \
-tspass changeit
-r
(can be executed with PEM certs as well of course)
This will dump the config to config files and place them in the current directory. You can also configure the download location by using the -cd switch.
···
On Friday, February 16, 2018 at 10:53:34 AM UTC+1, anthony.cleaves@actual-experience.com wrote:
I think you answered what I needed to hear to be honest.
We will use config files unless we need to do somthing via the GUI then we can dump the output and update ansible.
Usecase for now is simple.
I install an entire cluster via Ansible, run sgadmin on a node and then add users from existing sg_config files.
Do you have an example how you would use the -r to retrieve a user list?
On Friday, 16 February 2018 09:42:18 UTC, Jochen Kressin wrote:
Basically, you are right. The idea behind sgadmin is that you maintain your settings in the config files, e.g. on your local machine, and then upload it to the cluster. This will overwrite/replace the current settings in the SG index.
The REST API (or the config GUI for that matter) writes to the SG index directly without the need to keep settings in config files.
The question what approach is best really depends on your use case. A typical use case is: The administrator responsible for setting up ES / SG applies a default configuration via sgadmin during provisioning, e.g. via Puppet, Chef, Ansible etc. This could include an admin role which has access to the REST API / Config GUI, so changes in the roles and permission settings are possible after the initial install. The ES backup process already in place is extended to also include the SG settings: You can dump the current config settings from the SG index to files by using the -r/–retrieve switch of sgadmin. These files can then be re-applied to the same or any other cluster running SG via sgadmin again.
Can you tell us a bit more about your use case so we can advise?
Thanks.
On Friday, February 16, 2018 at 10:26:09 AM UTC+1, anthony...@actual-experience.com wrote:
Hello, I am running ElasticSearch 6.1.3, with SearchGuard 6.1.3-20.
At the moment I have Ansible creating the entire setup, this installs some default users and roles.
Now my question is, if I go and create some roles via the GUI (API). If I then go and run sgadmin.sh with the existing config files will I lose the new roles I just created in the GUI?
How do other users balance out the two?
Thanks