Search Guard configuration is stored in an Elasticsearch index named searchguard. If you configure via the UI, the changes go to the index. If you change the Search Guard configuration (.yml) files manually and apply them with sgadmin, the changes also go to the index, and all the changes you made via the UI are overwritten.
The recommendation is to configure authentication and authorization first and apply it with sgadmin. Then you can proceed to configure other things via the UI. You can also update the sg_config.yml file later and execute sgadmin without overwriting the UI changes. Just execute sgadmin for sg_config.yml exclusively, for example:
"/Users/user/Development/kibana/dist/elasticsearch-7.7.1/plugins/search-guard-7/tools/sgadmin.sh" -t config -f "/Users/user/Development/kibana/dist/elasticsearch-7.7.1/plugins/search-guard-7/sgconfig/sg_config.yml" -icl -key "/Users/user/Development/kibana/dist/elasticsearch-7.7.1/config/kirk-key.pem" -cert "/Users/user/Development/kibana/dist/elasticsearch-7.7.1/config/kirk.pem" -cacert "/Users/user/Development/kibana/dist/elasticsearch-7.7.1/config/root-ca.pem" -nhnv
If you want to synchronize the configuration you have in the searchguard index and the configuration you have in the sgconfig/*.yml files, you can do the following:
- Configure via the UI. For example, add a user.
- When you have finished the configuration, download it using the REST API. For example, to download all users:
curl -k -u admin:admin -X GET https://localhost:9200/_searchguard/api/internalusers?pretty
- Convert the JSON response to YAML and put it into the related config file, for example,
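The conversion step can be scripted. The following is an added example, not part of the original text or of Search Guard: it turns a saved internalusers response into YAML using only the Python standard library and flags entries that carry no `hash` value, so they can be fixed before the file is applied with sgadmin. The sample response, its field values and the function names are constructed assumptions.

```python
import json
import sys

# Constructed sample shaped like a saved GET _searchguard/api/internalusers
# reply. User names, field values and the hash are placeholders (assumptions).
SAMPLE_RESPONSE = """
{
  "admin": {"hash": "$2y$12$CONSTRUCTED.PLACEHOLDER.HASH",
            "backend_roles": ["admin"], "reserved": true,
            "attributes": {}},
  "ui_user": {"hash": "", "backend_roles": ["kibanauser", "readall"],
              "description": "added via UI: test"}
}
"""

def to_yaml(node, indent=0):
    """Return YAML lines for nested dicts in block style. Keys, scalars,
    lists and empty dicts are written as JSON literals, which are valid YAML
    flow values, so names containing ':' or '#' stay intact."""
    pad = " " * indent
    lines = []
    for key, value in node.items():
        if isinstance(value, dict) and value:
            lines.append(f"{pad}{json.dumps(key)}:")
            lines.extend(to_yaml(value, indent + 2))
        else:
            lines.append(f"{pad}{json.dumps(key)}: {json.dumps(value)}")
    return lines

def users_without_hash(users):
    """Names of entries whose 'hash' field is missing or empty."""
    return sorted(name for name, entry in users.items()
                  if not (isinstance(entry, dict) and entry.get("hash")))

def convert(response_text):
    """Parse the REST reply; return (yaml_text, users_lacking_a_hash)."""
    users = json.loads(response_text)
    if not isinstance(users, dict):
        raise ValueError("expected a JSON object keyed by user name")
    return "\n".join(to_yaml(users)) + "\n", users_without_hash(users)

if __name__ == "__main__":
    # Usage: curl ... > users.json; python convert.py users.json > out.yml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    yaml_text, missing = convert(text)
    sys.stdout.write(yaml_text)
    for name in missing:
        print(f"WARNING: no hash for user {name!r}", file=sys.stderr)
```

Review the generated YAML and any warnings before copying it into the config file, since whatever the file contains replaces the index contents when sgadmin applies it.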