When asking questions, please provide the following information:
- Search Guard and Elasticsearch version
- Installed and used enterprise modules, if any
- JVM version and operating system version
- Search Guard configuration files
- Elasticsearch log messages on debug level
- Other installed Elasticsearch or Kibana plugins, if any
My configuration is as follows:
######################################################################################################
cluster.name: ops-elasticsearch-Alarm
node.name: ops-elasticsearch-Alarm-node04
node.master: false
node.data: true
path.data: /data/servers/elasticsearch-data
path.logs: /data/servers/elasticsearch-log
bootstrap.memory_lock: true
bootstrap.system_call_filter: false
indices.fielddata.cache.size: 50mb
network.host: 172.16.194.239
http.port: 9200
discovery.zen.minimum_master_nodes: 2
discovery.zen.fd.ping_timeout: 60s
discovery.zen.fd.ping_interval: 30s
discovery.zen.fd.ping_retries: 6
discovery.zen.ping.unicast.hosts: ["ops-elasticsearch-Alarm-master01","ops-elasticsearch-Alarm-master02","ops-elasticsearch-Alarm-master03"]
cluster.routing.allocation.node_initial_primaries_recoveries: 50
cluster.routing.allocation.node_concurrent_recoveries: 50
cluster.routing.allocation.cluster_concurrent_rebalance: 50
xpack.monitoring.collection.enabled: true
xpack.monitoring.enabled: true
xpack.graph.enabled: true
action.auto_create_index: "*"
searchguard.ssl.transport.keystore_type: JKS
searchguard.ssl.transport.keystore_filepath: node-ops-elasticsearch-Alarm-node04-keystore.jks
searchguard.ssl.transport.keystore_password: KtdzbtbwBKUo70Ze1u3X
searchguard.ssl.transport.truststore_type: JKS
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: KtdzbtbwBKUo70Ze1u3X
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.keystore_filepath: node-ops-elasticsearch-Alarm-node04-keystore.jks
searchguard.ssl.http.keystore_password: KtdzbtbwBKUo70Ze1u3X
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: KtdzbtbwBKUo70Ze1u3X
http.compression: true
http.compression_level: 5
xpack.security.enabled: false
searchguard.nodes_dn:
- "CN=ops-elasticsearch-Alarm-node04,OU=SSL,O=Test,L=Test,C=DE"
######################################################################################################
Can I perform a series of configuration runs on a node? The current error is as follows:
######################################################################################################
Search Guard Admin v6
Will connect to 172.16.194.239:9300 … done
Unable to check whether cluster is sane: No user found for cluster:monitor/nodes/info
Connected as CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE
ERR: CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE is not an admin user
Seems you use a node certificate. This is not permitted, you have to use a client certificate and register it as admin_dn in elasticsearch.yml
######################################################################################################
As an experimental environment, do I have to have master and node nodes to complete the experiment?
######################################################################################################
I modified the script example.sh
######################################################################################################
#!/bin/bash
OPENSSL_VER="$(openssl version)"
# Glob match: true when the version string contains "0.9" anywhere
if [[ $OPENSSL_VER == *"0.9"* ]]; then
  echo "Your OpenSSL version is too old: $OPENSSL_VER"
  echo "Please install version 1.0.1 or later"
  exit -1
else
  echo "Your OpenSSL version is: $OPENSSL_VER"
fi
set -e
./clean.sh
./gen_root_ca.sh KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_node_cert.sh ops-elasticsearch-Alarm-node01 KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_node_cert.sh ops-elasticsearch-Alarm-node02 KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_node_cert.sh ops-elasticsearch-Alarm-node03 KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_node_cert.sh ops-elasticsearch-Alarm-node04 KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_node_cert.sh ops-elasticsearch-Alarm-node05 KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_client_node_cert.sh spock KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_client_node_cert.sh kirk KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_client_node_cert.sh logstash KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_client_node_cert.sh filebeat KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_client_node_cert.sh kibana KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_node_cert_openssl.sh "/CN=ops-elasticsearch-Alarm-node01/OU=SSL/O=Test/L=Test/C=DE" "ops-elasticsearch-Alarm-node01" "ops-elasticsearch-Alarm-node01" KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_node_cert_openssl.sh "/CN=ops-elasticsearch-Alarm-node02/OU=SSL/O=Test/L=Test/C=DE" "ops-elasticsearch-Alarm-node02" "ops-elasticsearch-Alarm-node02" KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_node_cert_openssl.sh "/CN=ops-elasticsearch-Alarm-node03/OU=SSL/O=Test/L=Test/C=DE" "ops-elasticsearch-Alarm-node03" "ops-elasticsearch-Alarm-node03" KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_node_cert_openssl.sh "/CN=ops-elasticsearch-Alarm-node04/OU=SSL/O=Test/L=Test/C=DE" "ops-elasticsearch-Alarm-node04" "ops-elasticsearch-Alarm-node04" KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
./gen_node_cert_openssl.sh "/CN=ops-elasticsearch-Alarm-node05/OU=SSL/O=Test/L=Test/C=DE" "ops-elasticsearch-Alarm-node05" "ops-elasticsearch-Alarm-node05" KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X
######################################################################################################
How to empower the role?
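
The sgadmin output above rejects the connecting certificate as "not an admin user" and asks for a client certificate registered as admin_dn in elasticsearch.yml. As an added example (not part of the original post and not Search Guard's own code), this Python sketch classifies a certificate subject DN against the `searchguard.authcz.admin_dn` and `searchguard.nodes_dn` lists of a config. Assumptions: the `kirk` admin entry in the sample is constructed, the function names are hypothetical, and the case- and whitespace-insensitive literal comparison is a simplification of Search Guard's own DN matching.

```python
import re

# Constructed sample: the relevant lines of an elasticsearch.yml, with an
# admin_dn entry added for illustration (the posted config has none).
SAMPLE_YML = '''\
searchguard.nodes_dn:
  - "CN=ops-elasticsearch-Alarm-node04,OU=SSL,O=Test,L=Test,C=DE"
searchguard.authcz.admin_dn:
  - "CN=kirk, OU=client, O=client, L=Test, C=DE"
'''

def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around its ',' and '=' separators."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn.strip().strip("\"'"))]
    return ",".join("=".join(s.strip() for s in p.split("=", 1)).lower() for p in parts if p)

def dn_list(yml_text, key):
    """Collect the '- value' items that follow 'key:' in flat YAML text."""
    items, inside = [], False
    for line in yml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("- ") and inside:
            items.append(normalize_dn(stripped[2:]))
        else:
            inside = stripped == key + ":"
    return items

def classify(yml_text, cert_dn):
    """Return 'admin', 'node' or 'unregistered' for a certificate subject DN."""
    dn = normalize_dn(cert_dn)
    if dn in dn_list(yml_text, "searchguard.authcz.admin_dn"):
        return "admin"
    if dn in dn_list(yml_text, "searchguard.nodes_dn"):
        return "node"
    return "unregistered"

if __name__ == "__main__":
    for subject in (
        "CN=kirk,OU=client,O=client,L=Test,C=DE",
        "CN=ops-elasticsearch-Alarm-node04,OU=SSL,O=Test,L=Test,C=DE",
        "CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE",
    ):
        print(classify(SAMPLE_YML, subject), "<-", subject)
```

The third subject is the DN sgadmin reported connecting as; it matches neither list in the sample, and only a DN listed under `searchguard.authcz.admin_dn` is classified as admin.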