Search Guard configuration is stored in an Elasticsearch index named searchguard. If you configure through the UI, the changes go to the index. If you change the Search Guard configuration (.yml) files manually and apply them with sgadmin, the changes also go to the index, and all the changes you made via the UI are overwritten.
The recommendation is to configure authentication and authorization first and apply it with sgadmin. Then you can proceed to configure other things via the UI. You can also update the sg_config.yml file later and execute sgadmin without overwriting the UI changes. Just execute sgadmin for sg_config.yml exclusively, for example:
"/Users/user/Development/kibana/dist/elasticsearch-7.7.1/plugins/search-guard-7/tools/sgadmin.sh" -t config -f "/Users/user/Development/kibana/dist/elasticsearch-7.7.1/plugins/search-guard-7/sgconfig/sg_config.yml" -icl -key "/Users/user/Development/kibana/dist/elasticsearch-7.7.1/config/kirk-key.pem" -cert "/Users/user/Development/kibana/dist/elasticsearch-7.7.1/config/kirk.pem" -cacert "/Users/user/Development/kibana/dist/elasticsearch-7.7.1/config/root-ca.pem" -nhnv
If you want to synchronize the configuration you have in the searchguard index and the configuration you have in the sgconfig/*.yml files, you can do the following:
- Configure via the UI. For example, add a user.
- When you have finished the configuration, download it using the REST API. For example, to download all users:
  curl -k -u admin:admin -X GET "https://localhost:9200/_searchguard/api/internalusers?pretty"
- Convert the JSON response to YAML and put it into the related config file, for example, sgconfig/sg_internal_users.yml.
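One way to do the conversion step above, as an added example that is not part of the original page or Search Guard's own tooling: a standard-library Python converter that also lists users whose entry has no password hash, since applying such a file with sgadmin would overwrite the entry in the index. The sample response, its field values and the function names are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like an internalusers response; the user names,
# field values and the hash string are made up for this example.
SAMPLE_RESPONSE = """{
  "admin": {"hash": "$2y$12$CONSTRUCTED-SAMPLE-NOT-A-REAL-HASH",
            "backend_roles": ["admin"], "attributes": {}},
  "jdoe":  {"hash": "", "backend_roles": [], "description": "added via UI"}
}"""


def to_yaml(value, indent=0):
    """Return block-style YAML lines for JSON-compatible data."""
    pad = "  " * indent
    lines = []
    pairs = value.items() if isinstance(value, dict) else ((None, v) for v in value)
    for key, item in pairs:
        # Keys and scalars are written as JSON literals, which are valid YAML
        # (double-quoted strings, numbers, true/false/null, {} and []).
        head = "-" if key is None else json.dumps(str(key)) + ":"
        if isinstance(item, (dict, list)) and item:
            lines.append(pad + head)
            lines.extend(to_yaml(item, indent + 1))
        else:
            lines.append(f"{pad}{head} {json.dumps(item)}")
    return lines


def convert_internal_users(response_text):
    """Return (yaml_text, names of users whose entry has no password hash)."""
    users = json.loads(response_text)
    if not isinstance(users, dict):
        raise ValueError("expected a JSON object keyed by user name")
    no_hash = sorted(name for name, entry in users.items()
                     if not (isinstance(entry, dict) and entry.get("hash")))
    return "\n".join(to_yaml(users)) + "\n", no_hash


if __name__ == "__main__":
    # Pipe the curl output into this script; with no piped input the sample is used.
    text = SAMPLE_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    yaml_text, no_hash = convert_internal_users(text)
    sys.stdout.write(yaml_text)
    for name in no_hash:
        print(f"WARNING: {name} has no hash; fix before running sgadmin",
              file=sys.stderr)
```

Review the generated YAML against the existing sgconfig file before replacing it, and keep any header lines that file already carries, since the converter emits only the user entries.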