I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.
First, remove the readonly flag from the roles definition (sg_roles.yml) and if you like also for the internal users (sg_internalusers.yml).
If you are using the demo installer, execute sgadmin_demo.sh to apply the changed configuration.
If you have installed Search Guard without the demo installer please refer to the documentation on how to use sgadmin on the command line:
On Sunday, April 15, 2018 at 2:16:40 PM UTC-7, Xiaoyu Wu wrote:
I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.
I did not use the demo installer.
I checked the documentation but it is kinda difficult for me to understand the entire implementation. What I did so far is just:
./sgadmin.sh \
-cd /path/to/sgconfig/ \
-cacert /path/to/root-ca.pem \
-cert /path/to/kirk.crt.pem \
-key /path/to/kirk.key.pem \
-keypass changeit
-nhnv
-icl
It seems it only applies the default configuration. I did remove the readonly flag in the yml file.
Could you give me a simple example in this case?
在 2018年4月15日星期日 UTC-4下午7:17:14,Jochen Kressin写道:
First, remove the readonly flag from the roles definition (sg_roles.yml) and if you like also for the internal users (sg_internalusers.yml).
If you are using the demo installer, execute sgadmin_demo.sh to apply the changed configuration.
If you have installed Search Guard without the demo installer please refer to the documentation on how to use sgadmin on the command line:
https://docs.search-guard.com/latest/sgadmin
On Sunday, April 15, 2018 at 2:16:40 PM UTC-7, Xiaoyu Wu wrote:
I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.
What is the output of the sgadmin tool when you run the command you posted? And what do you see in the Elasticsearch logs when you run sgadmin?
On Sunday, April 15, 2018 at 4:34:56 PM UTC-7, Xiaoyu Wu wrote:
I did not use the demo installer.
I checked the documentation but it is kinda difficult for me to understand the entire implementation. What I did so far is just:
./sgadmin.sh \ -cd /path/to/sgconfig/ \ -cacert /path/to/root-ca.pem \ -cert /path/to/kirk.crt.pem \ -key /path/to/kirk.key.pem \ -keypass changeit -nhnv -iclIt seems it only applies the default configuration. I did remove the readonly flag in the yml file.
Could you give me a simple example in this case?
在 2018年4月15日星期日 UTC-4下午7:17:14,Jochen Kressin写道:
First, remove the readonly flag from the roles definition (sg_roles.yml) and if you like also for the internal users (sg_internalusers.yml).
If you are using the demo installer, execute sgadmin_demo.sh to apply the changed configuration.
If you have installed Search Guard without the demo installer please refer to the documentation on how to use sgadmin on the command line:
https://docs.search-guard.com/latest/sgadmin
On Sunday, April 15, 2018 at 2:16:40 PM UTC-7, Xiaoyu Wu wrote:
I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.
This is the output of sgadmin tool,
searchguard index already exists, so we do not need to create one.
Populate config from /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
Will update ‘sg/config’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘sg/roles’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg/rolesmapping’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg/internalusers’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg/actiongroups’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Done with success
And when I restarted the Kibana, it threw me the error saying “An error occurred while checking your credentials, make sure you have an Elasticsearch cluster secured by Search Guard running.”
在 2018年4月15日星期日 UTC-4下午7:56:32,Jochen Kressin写道:
What is the output of the sgadmin tool when you run the command you posted? And what do you see in the Elasticsearch logs when you run sgadmin?
On Sunday, April 15, 2018 at 4:34:56 PM UTC-7, Xiaoyu Wu wrote:
I did not use the demo installer.
I checked the documentation but it is kinda difficult for me to understand the entire implementation. What I did so far is just:
./sgadmin.sh \ -cd /path/to/sgconfig/ \ -cacert /path/to/root-ca.pem \ -cert /path/to/kirk.crt.pem \ -key /path/to/kirk.key.pem \ -keypass changeit -nhnv -iclIt seems it only applies the default configuration. I did remove the readonly flag in the yml file.
Could you give me a simple example in this case?
在 2018年4月15日星期日 UTC-4下午7:17:14,Jochen Kressin写道:
First, remove the readonly flag from the roles definition (sg_roles.yml) and if you like also for the internal users (sg_internalusers.yml).
If you are using the demo installer, execute sgadmin_demo.sh to apply the changed configuration.
If you have installed Search Guard without the demo installer please refer to the documentation on how to use sgadmin on the command line:
https://docs.search-guard.com/latest/sgadmin
On Sunday, April 15, 2018 at 2:16:40 PM UTC-7, Xiaoyu Wu wrote:
I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.
sgadmin will replace the current configuration in your cluster with the files located in:
/Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
So if you want to make changes to the configuration, the easiest way of doing so is to change these files, and then run sgadmin again. According to the output sgadmin has succeeded with uploading the configuration. So your sgadmin command seems fine.
There seems to be something wrong with your Kibana configuration and/or the Search Guard configuration.
What is the output of the Elasticsearch log file? Do you see any error there?
What is the Kibana configuration your are using? Please post it here.
Did you try to restart Kibana and reload the login page?
On Sunday, April 15, 2018 at 4:59:02 PM UTC-7, Xiaoyu Wu wrote:
This is the output of sgadmin tool,
searchguard index already exists, so we do not need to create one.
Populate config from /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
Will update ‘sg/config’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘sg/roles’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg/rolesmapping’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg/internalusers’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg/actiongroups’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Done with success
And when I restarted the Kibana, it threw me the error saying “An error occurred while checking your credentials, make sure you have an Elasticsearch cluster secured by Search Guard running.”
在 2018年4月15日星期日 UTC-4下午7:56:32,Jochen Kressin写道:
What is the output of the sgadmin tool when you run the command you posted? And what do you see in the Elasticsearch logs when you run sgadmin?
On Sunday, April 15, 2018 at 4:34:56 PM UTC-7, Xiaoyu Wu wrote:
I did not use the demo installer.
I checked the documentation but it is kinda difficult for me to understand the entire implementation. What I did so far is just:
./sgadmin.sh \ -cd /path/to/sgconfig/ \ -cacert /path/to/root-ca.pem \ -cert /path/to/kirk.crt.pem \ -key /path/to/kirk.key.pem \ -keypass changeit -nhnv -iclIt seems it only applies the default configuration. I did remove the readonly flag in the yml file.
Could you give me a simple example in this case?
在 2018年4月15日星期日 UTC-4下午7:17:14,Jochen Kressin写道:
First, remove the readonly flag from the roles definition (sg_roles.yml) and if you like also for the internal users (sg_internalusers.yml).
If you are using the demo installer, execute sgadmin_demo.sh to apply the changed configuration.
If you have installed Search Guard without the demo installer please refer to the documentation on how to use sgadmin on the command line:
https://docs.search-guard.com/latest/sgadmin
On Sunday, April 15, 2018 at 2:16:40 PM UTC-7, Xiaoyu Wu wrote:
I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.
I checked localhost:9200/_authinfo and the elasticsearch looks good.
This is a part of my kibana config (the rest is the default)
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the output of elasticsearch log,
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Info: SearchGuardLicense [uid=00000000-0000-0000-0000-000000000000, type=TRIAL, issueDate=2018-04-15, expiryDate=2018-06-15, issuedTo=The world, issuer=floragunn GmbH, startDate=2018-04-15, majorVersion=6, clusterName=*, allowedNodeCount=2147483647, msgs=, expiresInDays=60, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@2e500df4, getMsgs()=, getExpiresInDays()=60, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Type: TRIAL, valid
[2018-04-15T20:07:25,114][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Node ‘LhPFJNW’ initialized
[2018-04-15T20:07:25,364][INFO ][o.e.c.r.a.AllocationService] [LhPFJNW] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] …]).
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
在 2018年4月15日星期日 UTC-4下午8:05:10,Jochen Kressin写道:
sgadmin will replace the current configuration in your cluster with the files located in:
/Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
So if you want to make changes to the configuration, the easiest way of doing so is to change these files, and then run sgadmin again. According to the output sgadmin has succeeded with uploading the configuration. So your sgadmin command seems fine.
There seems to be something wrong with your Kibana configuration and/or the Search Guard configuration.
What is the output of the Elasticsearch log file? Do you see any error there?
What is the Kibana configuration your are using? Please post it here.
Did you try to restart Kibana and reload the login page?
On Sunday, April 15, 2018 at 4:59:02 PM UTC-7, Xiaoyu Wu wrote:
This is the output of sgadmin tool,
searchguard index already exists, so we do not need to create one.
Populate config from /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
Will update ‘sg/config’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘sg/roles’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg/rolesmapping’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg/internalusers’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg/actiongroups’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Done with success
And when I restarted the Kibana, it threw me the error saying “An error occurred while checking your credentials, make sure you have an Elasticsearch cluster secured by Search Guard running.”
在 2018年4月15日星期日 UTC-4下午7:56:32,Jochen Kressin写道:
What is the output of the sgadmin tool when you run the command you posted? And what do you see in the Elasticsearch logs when you run sgadmin?
On Sunday, April 15, 2018 at 4:34:56 PM UTC-7, Xiaoyu Wu wrote:
I did not use the demo installer.
I checked the documentation but it is kinda difficult for me to understand the entire implementation. What I did so far is just:
./sgadmin.sh \ -cd /path/to/sgconfig/ \ -cacert /path/to/root-ca.pem \ -cert /path/to/kirk.crt.pem \ -key /path/to/kirk.key.pem \ -keypass changeit -nhnv -iclIt seems it only applies the default configuration. I did remove the readonly flag in the yml file.
Could you give me a simple example in this case?
在 2018年4月15日星期日 UTC-4下午7:17:14,Jochen Kressin写道:
First, remove the readonly flag from the roles definition (sg_roles.yml) and if you like also for the internal users (sg_internalusers.yml).
If you are using the demo installer, execute sgadmin_demo.sh to apply the changed configuration.
If you have installed Search Guard without the demo installer please refer to the documentation on how to use sgadmin on the command line:
https://docs.search-guard.com/latest/sgadmin
On Sunday, April 15, 2018 at 2:16:40 PM UTC-7, Xiaoyu Wu wrote:
I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.
So it seems you also have installed X-Pack and there is an error with your watcher configuration:
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
Please post at least:
kibana.yml
elasticsearch.yml
sg_roles.yml
Just remove any sensitive information like paths and passwords.
On Sunday, April 15, 2018 at 5:11:26 PM UTC-7, Xiaoyu Wu wrote:
I checked localhost:9200/_authinfo and the elasticsearch looks good.
This is a part of my kibana config (the rest is the default)
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
Login Page
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the output of elasticsearch log,
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Info: SearchGuardLicense [uid=00000000-0000-0000-0000-000000000000, type=TRIAL, issueDate=2018-04-15, expiryDate=2018-06-15, issuedTo=The world, issuer=floragunn GmbH, startDate=2018-04-15, majorVersion=6, clusterName=*, allowedNodeCount=2147483647, msgs=, expiresInDays=60, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@2e500df4, getMsgs()=, getExpiresInDays()=60, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Type: TRIAL, valid
[2018-04-15T20:07:25,114][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Node ‘LhPFJNW’ initialized
[2018-04-15T20:07:25,364][INFO ][o.e.c.r.a.AllocationService] [LhPFJNW] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] …]).
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
在 2018年4月15日星期日 UTC-4下午8:05:10,Jochen Kressin写道:
sgadmin will replace the current configuration in your cluster with the files located in:
/Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
So if you want to make changes to the configuration, the easiest way of doing so is to change these files, and then run sgadmin again. According to the output sgadmin has succeeded with uploading the configuration. So your sgadmin command seems fine.
There seems to be something wrong with your Kibana configuration and/or the Search Guard configuration.
What is the output of the Elasticsearch log file? Do you see any error there?
What is the Kibana configuration your are using? Please post it here.
Did you try to restart Kibana and reload the login page?
On Sunday, April 15, 2018 at 4:59:02 PM UTC-7, Xiaoyu Wu wrote:
This is the output of sgadmin tool,
searchguard index already exists, so we do not need to create one.
Populate config from /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
Will update ‘sg/config’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘sg/roles’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg/rolesmapping’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg/internalusers’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg/actiongroups’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Done with success
And when I restarted the Kibana, it threw me the error saying “An error occurred while checking your credentials, make sure you have an Elasticsearch cluster secured by Search Guard running.”
在 2018年4月15日星期日 UTC-4下午7:56:32,Jochen Kressin写道:
What is the output of the sgadmin tool when you run the command you posted? And what do you see in the Elasticsearch logs when you run sgadmin?
On Sunday, April 15, 2018 at 4:34:56 PM UTC-7, Xiaoyu Wu wrote:
I did not use the demo installer.
I checked the documentation but it is kinda difficult for me to understand the entire implementation. What I did so far is just:
./sgadmin.sh \ -cd /path/to/sgconfig/ \ -cacert /path/to/root-ca.pem \ -cert /path/to/kirk.crt.pem \ -key /path/to/kirk.key.pem \ -keypass changeit -nhnv -iclIt seems it only applies the default configuration. I did remove the readonly flag in the yml file.
Could you give me a simple example in this case?
在 2018年4月15日星期日 UTC-4下午7:17:14,Jochen Kressin写道:
First, remove the readonly flag from the roles definition (sg_roles.yml) and if you like also for the internal users (sg_internalusers.yml).
If you are using the demo installer, execute sgadmin_demo.sh to apply the changed configuration.
If you have installed Search Guard without the demo installer please refer to the documentation on how to use sgadmin on the command line:
https://docs.search-guard.com/latest/sgadmin
On Sunday, April 15, 2018 at 2:16:40 PM UTC-7, Xiaoyu Wu wrote:
I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.
I used to login the kibana page successfully until I customized the login page.
This is the ES config,
#cluster.name: my-application
#node.name: node-1
#node.attr.rack: r1
#path.data: /path/to/data
#path.logs: /path/to/logs
#bootstrap.memory_lock: true
#network.host: 192.168.0.1
#http.port: 9200
#discovery.zen.ping.unicast.hosts: [“host1”, “host2”]
#discovery.zen.minimum_master_nodes:
#gateway.recover_after_nodes: 3
#action.destructive_requires_name: true
searchguard.authcz.admin_dn:
searchguard.ssl.transport.pemkey_filepath: node-0.key.pem
#searchguard.ssl.transport.pemkey_password: “secret”
searchguard.ssl.transport.pemcert_filepath: node-0.crt.pem
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.restapi.roles_enabled: [“sg_all_access”]
This is the Kibana,
#server.port: 5601
#server.host: “localhost”
#server.basePath: “”
#server.maxPayloadBytes: 1048576
#server.name: “your-hostname”
#elasticsearch.url: “http://localhost:9200”
#elasticsearch.preserveHost: true
#kibana.index: “.kibana”
#kibana.defaultAppId: “home”
#elasticsearch.username: “kibana”
#elasticsearch.password: “BioEPQ1o51gAyIsQYaWc”
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
#elasticsearch.ssl.certificateAuthorities: [ “/path/to/your/CA.pem” ]
#elasticsearch.ssl.verificationMode: full
#elasticsearch.pingTimeout: 1500
#elasticsearch.requestTimeout: 30000
#elasticsearch.requestHeadersWhitelist: [ authorization ]
#elasticsearch.customHeaders: {}
#elasticsearch.shardTimeout: 0
#elasticsearch.startupTimeout: 5000
#pid.file: /var/run/kibana.pid
#logging.dest: stdout
#logging.silent: false
#logging.quiet: false
#logging.verbose: false
#ops.interval: 5000
#i18n.defaultLocale: “en”
sentinl:
settings:
email:
active: true
user: ------
password: -------
host: -------
ssl: true
timeout: 10000
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the sg_roles,
#<sg_role_name>:
sg_all_access:
readonly: true
cluster:
indices:
‘*’:
‘*’:
tenants:
admin_tenant: RW
sg_readall:
readonly: true
cluster:
indices:
‘*’:
‘*’:
sg_readall_and_monitor:
cluster:
CLUSTER_MONITOR
CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
sg_kibana_user:
readonly: true
cluster:
MONITOR
CLUSTER_COMPOSITE_OPS_RO
indices:
‘?kibana’:
‘*’:
MANAGE
INDEX
READ
DELETE
‘*’:
‘*’:
sg_kibana_server:
readonly: true
cluster:
CLUSTER_MONITOR
CLUSTER_COMPOSITE_OPS
cluster:admin/xpack/monitoring*
indices:admin/template*
indices:
‘?kibana’:
‘*’:
‘?reporting*’:
‘*’:
‘?monitoring*’:
‘*’:
sg_logstash:
cluster:
CLUSTER_MONITOR
CLUSTER_COMPOSITE_OPS
indices:admin/template/get
indices:admin/template/put
indices:
‘logstash-*’:
‘*’:
CRUD
CREATE_INDEX
‘beat’:
‘*’:
CRUD
CREATE_INDEX
sg_manage_snapshots:
cluster:
indices:
‘*’:
‘*’:
“indices:data/write/index”
“indices:admin/create”
sg_own_index:
cluster:
indices:
‘${user_name}’:
‘*’:
sg_xp_monitoring:
readonly: true
indices:
‘?monitor*’:
‘*’:
sg_xp_alerting:
readonly: true
cluster:
indices:data/read/scroll
cluster:admin/xpack/watcher*
cluster:monitor/xpack/watcher*
indices:
‘?watches*’:
‘*’:
‘?watcher-history-*’:
‘*’:
‘?triggered_watches’:
‘*’:
‘*’:
‘*’:
READ
indices:admin/aliases/get
sg_xp_machine_learning:
readonly: true
cluster:
cluster:admin/persistent*
cluster:internal/xpack/ml*
indices:data/read/scroll*
cluster:admin/xpack/ml*
cluster:monitor/xpack/ml*
indices:
‘*’:
‘*’:
READ
indices:admin/get*
‘?ml-*’:
‘*’:
sg_readonly_and_monitor:
cluster:
CLUSTER_MONITOR
CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
sg_monitor:
cluster:
cluster:admin/xpack/monitoring/*
cluster:admin/ingest/pipeline/put
cluster:admin/ingest/pipeline/get
indices:admin/template/get
indices:admin/template/put
CLUSTER_MONITOR
CLUSTER_COMPOSITE_OPS
indices:
‘?monitor*’:
‘*’:
‘?marvel*’:
‘*’:
‘?kibana*’:
‘*’:
‘*’:
‘*’:
sg_alerting:
cluster:
indices:data/read/scroll
cluster:admin/xpack/watcher/watch/put
cluster:admin/xpack/watcher*
CLUSTER_MONITOR
CLUSTER_COMPOSITE_OPS
indices:
‘?kibana*’:
‘*’:
‘?watches*’:
‘*’:
‘?watcher-history-*’:
‘*’:
‘?triggered_watches’:
‘*’:
‘*’:
‘*’:
在 2018年4月15日星期日 UTC-4下午8:15:42,Jochen Kressin写道:
So it seems you also have installed X-Pack and there is an error with your watcher configuration:
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
Please post at least:
- kibana.yml
- elasticsearch.yml
- sg_roles.yml
Just remove any sensitive information like paths and passwords.
On Sunday, April 15, 2018 at 5:11:26 PM UTC-7, Xiaoyu Wu wrote:
I checked localhost:9200/_authinfo and the elasticsearch looks good.
This is a part of my kibana config (the rest is the default)
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
Login Page
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the output of elasticsearch log,
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Info: SearchGuardLicense [uid=00000000-0000-0000-0000-000000000000, type=TRIAL, issueDate=2018-04-15, expiryDate=2018-06-15, issuedTo=The world, issuer=floragunn GmbH, startDate=2018-04-15, majorVersion=6, clusterName=*, allowedNodeCount=2147483647, msgs=, expiresInDays=60, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@2e500df4, getMsgs()=, getExpiresInDays()=60, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Type: TRIAL, valid
[2018-04-15T20:07:25,114][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Node ‘LhPFJNW’ initialized
[2018-04-15T20:07:25,364][INFO ][o.e.c.r.a.AllocationService] [LhPFJNW] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] …]).
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
在 2018年4月15日星期日 UTC-4下午8:05:10,Jochen Kressin写道:
sgadmin will replace the current configuration in your cluster with the files located in:
/Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
So if you want to make changes to the configuration, the easiest way of doing so is to change these files, and then run sgadmin again. According to the output sgadmin has succeeded with uploading the configuration. So your sgadmin command seems fine.
There seems to be something wrong with your Kibana configuration and/or the Search Guard configuration.
What is the output of the Elasticsearch log file? Do you see any error there?
What is the Kibana configuration your are using? Please post it here.
Did you try to restart Kibana and reload the login page?
On Sunday, April 15, 2018 at 4:59:02 PM UTC-7, Xiaoyu Wu wrote:
This is the output of sgadmin tool,
searchguard index already exists, so we do not need to create one.
Populate config from /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
Will update ‘sg/config’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘sg/roles’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg/rolesmapping’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg/internalusers’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg/actiongroups’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Done with success
And when I restarted the Kibana, it threw me the error saying “An error occurred while checking your credentials, make sure you have an Elasticsearch cluster secured by Search Guard running.”
在 2018年4月15日星期日 UTC-4下午7:56:32,Jochen Kressin写道:
What is the output of the sgadmin tool when you run the command you posted? And what do you see in the Elasticsearch logs when you run sgadmin?
On Sunday, April 15, 2018 at 4:34:56 PM UTC-7, Xiaoyu Wu wrote:
I did not use the demo installer.
I checked the documentation but it is kinda difficult for me to understand the entire implementation. What I did so far is just:
./sgadmin.sh \ -cd /path/to/sgconfig/ \ -cacert /path/to/root-ca.pem \ -cert /path/to/kirk.crt.pem \ -key /path/to/kirk.key.pem \ -keypass changeit -nhnv -iclIt seems it only applies the default configuration. I did remove the readonly flag in the yml file.
Could you give me a simple example in this case?
在 2018年4月15日星期日 UTC-4下午7:17:14,Jochen Kressin写道:
First, remove the readonly flag from the roles definition (sg_roles.yml) and if you like also for the internal users (sg_internalusers.yml).
If you are using the demo installer, execute sgadmin_demo.sh to apply the changed configuration.
If you have installed Search Guard without the demo installer please refer to the documentation on how to use sgadmin on the command line:
https://docs.search-guard.com/latest/sgadmin
On Sunday, April 15, 2018 at 2:16:40 PM UTC-7, Xiaoyu Wu wrote:
I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.
This is the output of Kibana,
log [00:07:55.456] [info][Sentinl][scheduler] scheduled watcher sentinl-watcher:524238a0-345b-11e8-a95a-9954b3f36dde, to run every every 2 minutes
/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:736
throw new Error(msgs.join(' ') || 'Unknown error');
^
Error: Header value cannot contain or convert into non-ascii characters: set-cookie
at Object.exports.assert (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:736:11)
at internals.Response._header (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/response.js:141:22)
at request.connection.states.format (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/transmit.js:507:22)
at Items.serial (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:436:16)
at done (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/items/lib/index.js:31:25)
at exports.prepareValue (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:431:20)
at internals.sign (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:461:20)
at process.nextTick (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:858:22)
at _combinedTickCallback (internal/process/next_tick.js:73:7)
at process._tickDomainCallback (internal/process/next_tick.js:128:9)
在 2018年4月15日星期日 UTC-4下午8:20:39,Xiaoyu Wu写道:
I used to login the kibana page successfully until I customized the login page.
This is the ES config,
======================== Elasticsearch Configuration =========================
NOTE: Elasticsearch comes with reasonable defaults for most settings.
Before you set out to tweak and tune the configuration, make sure you
understand what are you trying to accomplish and the consequences.
The primary way of configuring a node is via this file. This template lists
the most important settings you may want to configure for a production cluster.
Please consult the documentation for further information on configuration options:
https://www.elastic.co/guide/en/elasticsearch/reference/index.html
---------------------------------- Cluster -----------------------------------
Use a descriptive name for your cluster:
#cluster.name: my-application
------------------------------------ Node ------------------------------------
Use a descriptive name for the node:
#node.name: node-1
Add custom attributes to the node:
#node.attr.rack: r1
----------------------------------- Paths ------------------------------------
Path to directory where to store the data (separate multiple locations by comma):
#path.data: /path/to/data
Path to log files:
#path.logs: /path/to/logs
----------------------------------- Memory -----------------------------------
Lock the memory on startup:
#bootstrap.memory_lock: true
Make sure that the heap size is set to about half the memory available
on the system and that the owner of the process is allowed to use this
limit.
Elasticsearch performs poorly when the system is swapping the memory.
---------------------------------- Network -----------------------------------
Set the bind address to a specific IP (IPv4 or IPv6):
#network.host: 192.168.0.1
Set a custom port for HTTP:
#http.port: 9200
For more information, consult the network module documentation.
--------------------------------- Discovery ----------------------------------
Pass an initial list of hosts to perform discovery when new node is started:
The default list of hosts is [“127.0.0.1”, “[::1]”]
#discovery.zen.ping.unicast.hosts: [“host1”, “host2”]
Prevent the “split brain” by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#discovery.zen.minimum_master_nodes:
For more information, consult the zen discovery module documentation.
---------------------------------- Gateway -----------------------------------
Block initial recovery after a full cluster restart until N nodes are started:
#gateway.recover_after_nodes: 3
For more information, consult the gateway module documentation.
---------------------------------- Various -----------------------------------
Require explicit names when deleting indices:
#action.destructive_requires_name: true
---------------------------------- Search Guard ------------------------------
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=Test,C=DE
Relative path to the certificates key file (PKCS #8), must be placed under the config/ dir
searchguard.ssl.transport.pemkey_filepath: node-0.key.pem
Key password (omit this setting if the key has no password)
#searchguard.ssl.transport.pemkey_password: “secret”
X509 node certificate chain in PEM format, must be placed under the config/ dir
searchguard.ssl.transport.pemcert_filepath: node-0.crt.pem
Trusted certificates
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.restapi.roles_enabled: [“sg_all_access”]
This is the Kibana,
Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601
Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
The default is ‘localhost’, which usually means remote machines will not be able to connect.
To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: “localhost”
Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
to Kibana. This setting cannot end in a slash.
#server.basePath: “”
The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576
The Kibana server’s name. This is used for display purposes.
#server.name: “your-hostname”
The URL of the Elasticsearch instance to use for all your queries.
#elasticsearch.url: “http://localhost:9200”
When this setting’s value is true Kibana uses the hostname specified in the server.host
setting. When the value of this setting is false, Kibana uses the hostname of the host
that connects to this Kibana instance.
#elasticsearch.preserveHost: true
Kibana uses an index in Elasticsearch to store saved searches, visualizations and
dashboards. Kibana creates a new index if the index doesn’t already exist.
#kibana.index: “.kibana”
The default application to load.
#kibana.defaultAppId: “home”
If your Elasticsearch is protected with basic authentication, these settings provide
the username and password that the Kibana server uses to perform maintenance on the Kibana
index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
is proxied through the Kibana server.
#elasticsearch.username: “kibana”
#elasticsearch.password: “BioEPQ1o51gAyIsQYaWc”
Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key
Optional settings that provide the paths to the PEM-format SSL certificate and key files.
These files validate that your Elasticsearch backend uses the same key files.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
Optional setting that enables you to specify a path to the PEM file for the certificate
authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ “/path/to/your/CA.pem” ]
To disregard the validity of SSL certificates, change this setting’s value to ‘none’.
#elasticsearch.ssl.verificationMode: full
Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500
Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
must be a positive integer.
#elasticsearch.requestTimeout: 30000
List of Kibana client-side headers to send to Elasticsearch. To send no client-side
headers, set this value to (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}
Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 0
Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000
Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid
Enables you specify a file where Kibana stores log output.
#logging.dest: stdout
Set the value of this setting to true to suppress all logging output.
#logging.silent: false
Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false
Set the value of this setting to true to log all events, including system usage information
and all requests.
#logging.verbose: false
Set the interval in milliseconds to sample system and process performance
metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000
The default locale. This locale can be used in certain circumstances to substitute any missing
translations.
#i18n.defaultLocale: “en”
Config of Sentinl
sentinl:
settings:
email:
active: true
user: ------
password: -------
host: -------
ssl: true
timeout: 10000
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
Login Page
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the sg_roles,
#<sg_role_name>:
cluster:
- ‘’
indices:
‘’:
‘’:
- ‘’
dls: ‘’
fls:
- ‘’
- ‘’
When a user make a request to Elasticsearch then the following roles will be evaluated to see if the user has
permissions for the request. A request is always associated with an action and is executed against and index (or alias)
and a type. If a request is executed against all indices (or all types) then the asterix (‘*’) is needed.
Every role a user has will be examined if it allows the action against an index (or type). At least one role must match
for the request to be successful. If no role match then the request will be denied. Currently a match must happen within
one single role - that means that permissions can not span multiple roles.
For , and simple wildcards and regular expressions are possible.
A asterix (*) will match any character sequence (or an empty sequence)
A question mark (?) will match any single character (but NOT empty character)
Example: ‘myindex’ will match ‘my_first_index’ as well as ‘myindex’ but not ‘myindex1’
Example: ‘?kibana’ will match ‘.kibana’ but not ‘kibana’
To use a full blown regex you have to pre- and apend a ‘/’ to use regex instead of simple wildcards
‘//’
Example: ‘/\S*/’ will match any non whitespace characters
Important:
Index, alias or type names can not contain dots (.) in the or expression.
Reason is that we currently parse the config file into a elasticsearch settings object which cannot cope with dots in keys.
Workaround: Just configure something like ‘?kibana’ instead of ‘.kibana’ or ‘my?index’ instead of ‘my.index’
This limitation will likely removed with Search Guard 6
DLS (Document level security) - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/document-level-security
FLS (Field level security) - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/field-level-security
Kibana multitenancy - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/kibana-multi-tenancy
Allows everything, but no changes to searchguard configuration index
sg_all_access:
readonly: true
cluster:
- UNLIMITED
indices:
‘*’:
‘*’:
- UNLIMITED
tenants:
admin_tenant: RW
Read all, but no write permissions
sg_readall:
readonly: true
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
Read all and monitor, but no write permissions
sg_readall_and_monitor:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
For users which use kibana, access to indices must be granted separately
sg_kibana_user:
readonly: true
cluster:
- MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘?kibana’:
‘*’:
- MANAGE
- INDEX
- READ
- DELETE
‘*’:
‘*’:
- indices:data/read/field_caps*
For the kibana server
sg_kibana_server:
readonly: true
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- cluster:admin/xpack/monitoring*
- indices:admin/template*
indices:
‘?kibana’:
‘*’:
- INDICES_ALL
‘?reporting*’:
‘*’:
- INDICES_ALL
‘?monitoring*’:
‘*’:
- INDICES_ALL
For logstash and beats
sg_logstash:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- indices:admin/template/get
- indices:admin/template/put
indices:
‘logstash-*’:
‘*’:
- CRUD
- CREATE_INDEX
‘beat’:
‘*’:
- CRUD
- CREATE_INDEX
Allows adding and modifying repositories and creating and restoring snapshots
sg_manage_snapshots:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
Allows each user to access own named index
sg_own_index:
cluster:
- CLUSTER_COMPOSITE_OPS
indices:
‘${user_name}’:
‘*’:
- INDICES_ALL
X-Pack COMPATIBILITY
sg_xp_monitoring:
readonly: true
indices:
‘?monitor*’:
‘*’:
- INDICES_ALL
sg_xp_alerting:
readonly: true
cluster:
- indices:data/read/scroll
- cluster:admin/xpack/watcher*
- cluster:monitor/xpack/watcher*
indices:
‘?watches*’:
‘*’:
- INDICES_ALL
‘?watcher-history-*’:
‘*’:
- INDICES_ALL
‘?triggered_watches’:
‘*’:
- INDICES_ALL
‘*’:
‘*’:
- READ
- indices:admin/aliases/get
sg_xp_machine_learning:
readonly: true
cluster:
- cluster:admin/persistent*
- cluster:internal/xpack/ml*
- indices:data/read/scroll*
- cluster:admin/xpack/ml*
- cluster:monitor/xpack/ml*
indices:
‘*’:
‘*’:
- READ
- indices:admin/get*
‘?ml-*’:
‘*’:
- “*”
LEGACY ROLES, FOR COMPATIBILITY ONLY
WILL BE REMOVED IN SG7, DO NOT USE ANYMORE
sg_readonly_and_monitor:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
Make xpack monitoring work
sg_monitor:
cluster:
- cluster:admin/xpack/monitoring/*
- cluster:admin/ingest/pipeline/put
- cluster:admin/ingest/pipeline/get
- indices:admin/template/get
- indices:admin/template/put
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
indices:
‘?monitor*’:
‘*’:
- INDICES_ALL
‘?marvel*’:
‘*’:
- INDICES_ALL
‘?kibana*’:
‘*’:
- READ
‘*’:
‘*’:
- indices:data/read/field_caps
Make xpack alerting work
sg_alerting:
cluster:
- indices:data/read/scroll
- cluster:admin/xpack/watcher/watch/put
- cluster:admin/xpack/watcher*
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
indices:
‘?kibana*’:
‘*’:
- READ
‘?watches*’:
‘*’:
- INDICES_ALL
‘?watcher-history-*’:
‘*’:
- INDICES_ALL
‘?triggered_watches’:
‘*’:
- INDICES_ALL
‘*’:
‘*’:
- READ
在 2018年4月15日星期日 UTC-4下午8:15:42,Jochen Kressin写道:
So it seems you also have installed X-Pack and there is an error with your watcher configuration:
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
Please post at least:
- kibana.yml
- elasticsearch.yml
- sg_roles.yml
Just remove any sensitive information like paths and passwords.
On Sunday, April 15, 2018 at 5:11:26 PM UTC-7, Xiaoyu Wu wrote:
I checked localhost:9200/_authinfo and the elasticsearch looks good.
This is a part of my kibana config (the rest is the default)
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
Login Page
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the output of elasticsearch log,
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Info: SearchGuardLicense [uid=00000000-0000-0000-0000-000000000000, type=TRIAL, issueDate=2018-04-15, expiryDate=2018-06-15, issuedTo=The world, issuer=floragunn GmbH, startDate=2018-04-15, majorVersion=6, clusterName=*, allowedNodeCount=2147483647, msgs=, expiresInDays=60, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@2e500df4, getMsgs()=, getExpiresInDays()=60, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Type: TRIAL, valid
[2018-04-15T20:07:25,114][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Node ‘LhPFJNW’ initialized
[2018-04-15T20:07:25,364][INFO ][o.e.c.r.a.AllocationService] [LhPFJNW] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] …]).
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
在 2018年4月15日星期日 UTC-4下午8:05:10,Jochen Kressin写道:
sgadmin will replace the current configuration in your cluster with the files located in:
/Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
So if you want to make changes to the configuration, the easiest way of doing so is to change these files, and then run sgadmin again. According to the output sgadmin has succeeded with uploading the configuration. So your sgadmin command seems fine.
There seems to be something wrong with your Kibana configuration and/or the Search Guard configuration.
What is the output of the Elasticsearch log file? Do you see any error there?
What is the Kibana configuration your are using? Please post it here.
Did you try to restart Kibana and reload the login page?
On Sunday, April 15, 2018 at 4:59:02 PM UTC-7, Xiaoyu Wu wrote:
This is the output of sgadmin tool,
searchguard index already exists, so we do not need to create one.
Populate config from /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
Will update ‘sg/config’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘sg/roles’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg/rolesmapping’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg/internalusers’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg/actiongroups’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Done with success
And when I restarted the Kibana, it threw me the error saying “An error occurred while checking your credentials, make sure you have an Elasticsearch cluster secured by Search Guard running.”
在 2018年4月15日星期日 UTC-4下午7:56:32,Jochen Kressin写道:
What is the output of the sgadmin tool when you run the command you posted? And what do you see in the Elasticsearch logs when you run sgadmin?
On Sunday, April 15, 2018 at 4:34:56 PM UTC-7, Xiaoyu Wu wrote:
I did not use the demo installer.
I checked the documentation but it is kinda difficult for me to understand the entire implementation. What I did so far is just:
./sgadmin.sh \ -cd /path/to/sgconfig/ \ -cacert /path/to/root-ca.pem \ -cert /path/to/kirk.crt.pem \ -key /path/to/kirk.key.pem \ -keypass changeit -nhnv -iclIt seems it only applies the default configuration. I did remove the readonly flag in the yml file.
Could you give me a simple example in this case?
在 2018年4月15日星期日 UTC-4下午7:17:14,Jochen Kressin写道:
First, remove the readonly flag from the roles definition (sg_roles.yml) and if you like also for the internal users (sg_internalusers.yml).
If you are using the demo installer, execute sgadmin_demo.sh to apply the changed configuration.
If you have installed Search Guard without the demo installer please refer to the documentation on how to use sgadmin on the command line:
https://docs.search-guard.com/latest/sgadmin
On Sunday, April 15, 2018 at 2:16:40 PM UTC-7, Xiaoyu Wu wrote:
I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.
This line in kibana.yml looks suspicious:
searchguard.cookie.name: ‘searchguard_authentication’
And corresponds to the error:
Error: Header value cannot contain or convert into non-ascii characters: set-cookie
Please try to use regular double quotes or comment this line out for the moment.
On Sunday, April 15, 2018 at 5:29:07 PM UTC-7, Xiaoyu Wu wrote:
This is the output of Kibana,
log [00:07:55.456] [info][Sentinl][scheduler] scheduled watcher sentinl-watcher:524238a0-345b-11e8-a95a-9954b3f36dde, to run every every 2 minutes
/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:736
throw new Error(msgs.join(' ') || 'Unknown error');
^
Error: Header value cannot contain or convert into non-ascii characters: set-cookie
at Object.exports.assert (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:736:11)
at internals.Response._header (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/response.js:141:22)
at request.connection.states.format (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/transmit.js:507:22)
at Items.serial (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:436:16)
at done (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/items/lib/index.js:31:25)
at exports.prepareValue (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:431:20)
at internals.sign (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:461:20)
at process.nextTick (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:858:22)
at _combinedTickCallback (internal/process/next_tick.js:73:7)
at process._tickDomainCallback (internal/process/next_tick.js:128:9)
在 2018年4月15日星期日 UTC-4下午8:20:39,Xiaoyu Wu写道:
I used to login the kibana page successfully until I customized the login page.
This is the ES config,
======================== Elasticsearch Configuration =========================
NOTE: Elasticsearch comes with reasonable defaults for most settings.
Before you set out to tweak and tune the configuration, make sure you
understand what are you trying to accomplish and the consequences.
The primary way of configuring a node is via this file. This template lists
the most important settings you may want to configure for a production cluster.
Please consult the documentation for further information on configuration options:
https://www.elastic.co/guide/en/elasticsearch/reference/index.html
---------------------------------- Cluster -----------------------------------
Use a descriptive name for your cluster:
#cluster.name: my-application
------------------------------------ Node ------------------------------------
Use a descriptive name for the node:
#node.name: node-1
Add custom attributes to the node:
#node.attr.rack: r1
----------------------------------- Paths ------------------------------------
Path to directory where to store the data (separate multiple locations by comma):
#path.data: /path/to/data
Path to log files:
#path.logs: /path/to/logs
----------------------------------- Memory -----------------------------------
Lock the memory on startup:
#bootstrap.memory_lock: true
Make sure that the heap size is set to about half the memory available
on the system and that the owner of the process is allowed to use this
limit.
Elasticsearch performs poorly when the system is swapping the memory.
---------------------------------- Network -----------------------------------
Set the bind address to a specific IP (IPv4 or IPv6):
#network.host: 192.168.0.1
Set a custom port for HTTP:
#http.port: 9200
For more information, consult the network module documentation.
--------------------------------- Discovery ----------------------------------
Pass an initial list of hosts to perform discovery when new node is started:
The default list of hosts is [“127.0.0.1”, “[::1]”]
#discovery.zen.ping.unicast.hosts: [“host1”, “host2”]
Prevent the “split brain” by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#discovery.zen.minimum_master_nodes:
For more information, consult the zen discovery module documentation.
---------------------------------- Gateway -----------------------------------
Block initial recovery after a full cluster restart until N nodes are started:
#gateway.recover_after_nodes: 3
For more information, consult the gateway module documentation.
---------------------------------- Various -----------------------------------
Require explicit names when deleting indices:
#action.destructive_requires_name: true
---------------------------------- Search Guard ------------------------------
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=Test,C=DE
Relative path to the certificates key file (PKCS #8), must be placed under the config/ dir
searchguard.ssl.transport.pemkey_filepath: node-0.key.pem
Key password (omit this setting if the key has no password)
#searchguard.ssl.transport.pemkey_password: “secret”
X509 node certificate chain in PEM format, must be placed under the config/ dir
searchguard.ssl.transport.pemcert_filepath: node-0.crt.pem
Trusted certificates
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.restapi.roles_enabled: [“sg_all_access”]
This is the Kibana,
Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601
Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
The default is ‘localhost’, which usually means remote machines will not be able to connect.
To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: “localhost”
Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
to Kibana. This setting cannot end in a slash.
#server.basePath: “”
The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576
The Kibana server’s name. This is used for display purposes.
#server.name: “your-hostname”
The URL of the Elasticsearch instance to use for all your queries.
#elasticsearch.url: “http://localhost:9200”
When this setting’s value is true Kibana uses the hostname specified in the server.host
setting. When the value of this setting is false, Kibana uses the hostname of the host
that connects to this Kibana instance.
#elasticsearch.preserveHost: true
Kibana uses an index in Elasticsearch to store saved searches, visualizations and
dashboards. Kibana creates a new index if the index doesn’t already exist.
#kibana.index: “.kibana”
The default application to load.
#kibana.defaultAppId: “home”
If your Elasticsearch is protected with basic authentication, these settings provide
the username and password that the Kibana server uses to perform maintenance on the Kibana
index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
is proxied through the Kibana server.
#elasticsearch.username: “kibana”
#elasticsearch.password: “BioEPQ1o51gAyIsQYaWc”
Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key
Optional settings that provide the paths to the PEM-format SSL certificate and key files.
These files validate that your Elasticsearch backend uses the same key files.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
Optional setting that enables you to specify a path to the PEM file for the certificate
authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ “/path/to/your/CA.pem” ]
To disregard the validity of SSL certificates, change this setting’s value to ‘none’.
#elasticsearch.ssl.verificationMode: full
Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500
Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
must be a positive integer.
#elasticsearch.requestTimeout: 30000
List of Kibana client-side headers to send to Elasticsearch. To send no client-side
headers, set this value to (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}
Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 0
Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000
Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid
Enables you specify a file where Kibana stores log output.
#logging.dest: stdout
Set the value of this setting to true to suppress all logging output.
#logging.silent: false
Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false
Set the value of this setting to true to log all events, including system usage information
and all requests.
#logging.verbose: false
Set the interval in milliseconds to sample system and process performance
metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000
The default locale. This locale can be used in certain circumstances to substitute any missing
translations.
#i18n.defaultLocale: “en”
Config of Sentinl
sentinl:
settings:
email:
active: true
user: ------
password: -------
host: -------
ssl: true
timeout: 10000
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
Login Page
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the sg_roles,
#<sg_role_name>:
cluster:
- ‘’
indices:
‘’:
‘’:
- ‘’
dls: ‘’
fls:
- ‘’
- ‘’
When a user make a request to Elasticsearch then the following roles will be evaluated to see if the user has
permissions for the request. A request is always associated with an action and is executed against and index (or alias)
and a type. If a request is executed against all indices (or all types) then the asterix (‘*’) is needed.
Every role a user has will be examined if it allows the action against an index (or type). At least one role must match
for the request to be successful. If no role match then the request will be denied. Currently a match must happen within
one single role - that means that permissions can not span multiple roles.
For , and simple wildcards and regular expressions are possible.
A asterix (*) will match any character sequence (or an empty sequence)
A question mark (?) will match any single character (but NOT empty character)
Example: ‘myindex’ will match ‘my_first_index’ as well as ‘myindex’ but not ‘myindex1’
Example: ‘?kibana’ will match ‘.kibana’ but not ‘kibana’
To use a full blown regex you have to pre- and apend a ‘/’ to use regex instead of simple wildcards
‘//’
Example: ‘/\S*/’ will match any non whitespace characters
Important:
Index, alias or type names can not contain dots (.) in the or expression.
Reason is that we currently parse the config file into a elasticsearch settings object which cannot cope with dots in keys.
Workaround: Just configure something like ‘?kibana’ instead of ‘.kibana’ or ‘my?index’ instead of ‘my.index’
This limitation will likely removed with Search Guard 6
DLS (Document level security) - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/document-level-security
FLS (Field level security) - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/field-level-security
Kibana multitenancy - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/kibana-multi-tenancy
Allows everything, but no changes to searchguard configuration index
sg_all_access:
readonly: true
cluster:
- UNLIMITED
indices:
‘*’:
‘*’:
- UNLIMITED
tenants:
admin_tenant: RW
Read all, but no write permissions
sg_readall:
readonly: true
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
Read all and monitor, but no write permissions
sg_readall_and_monitor:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
For users which use kibana, access to indices must be granted separately
sg_kibana_user:
readonly: true
cluster:
- MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘?kibana’:
‘*’:
- MANAGE
- INDEX
- READ
- DELETE
‘*’:
‘*’:
- indices:data/read/field_caps*
For the kibana server
sg_kibana_server:
readonly: true
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- cluster:admin/xpack/monitoring*
- indices:admin/template*
indices:
‘?kibana’:
‘*’:
- INDICES_ALL
‘?reporting*’:
‘*’:
- INDICES_ALL
‘?monitoring*’:
‘*’:
- INDICES_ALL
For logstash and beats
sg_logstash:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- indices:admin/template/get
- indices:admin/template/put
indices:
‘logstash-*’:
‘*’:
- CRUD
- CREATE_INDEX
‘beat’:
‘*’:
- CRUD
- CREATE_INDEX
Allows adding and modifying repositories and creating and restoring snapshots
sg_manage_snapshots:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
Allows each user to access own named index
sg_own_index:
cluster:
- CLUSTER_COMPOSITE_OPS
indices:
‘${user_name}’:
‘*’:
- INDICES_ALL
X-Pack COMPATIBILITY
sg_xp_monitoring:
readonly: true
indices:
‘?monitor*’:
‘*’:
- INDICES_ALL
sg_xp_alerting:
readonly: true
cluster:
- indices:data/read/scroll
- cluster:admin/xpack/watcher*
- cluster:monitor/xpack/watcher*
indices:
‘?watches*’:
‘*’:
- INDICES_ALL
‘?watcher-history-*’:
‘*’:
- INDICES_ALL
‘?triggered_watches’:
‘*’:
- INDICES_ALL
‘*’:
‘*’:
- READ
- indices:admin/aliases/get
sg_xp_machine_learning:
readonly: true
cluster:
- cluster:admin/persistent*
- cluster:internal/xpack/ml*
- indices:data/read/scroll*
- cluster:admin/xpack/ml*
- cluster:monitor/xpack/ml*
indices:
‘*’:
‘*’:
- READ
- indices:admin/get*
‘?ml-*’:
‘*’:
- “*”
LEGACY ROLES, FOR COMPATIBILITY ONLY
WILL BE REMOVED IN SG7, DO NOT USE ANYMORE
sg_readonly_and_monitor:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
Make xpack monitoring work
sg_monitor:
cluster:
- cluster:admin/xpack/monitoring/*
- cluster:admin/ingest/pipeline/put
- cluster:admin/ingest/pipeline/get
- indices:admin/template/get
- indices:admin/template/put
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
indices:
‘?monitor*’:
‘*’:
- INDICES_ALL
‘?marvel*’:
‘*’:
- INDICES_ALL
‘?kibana*’:
‘*’:
- READ
‘*’:
‘*’:
- indices:data/read/field_caps
Make xpack alerting work
sg_alerting:
cluster:
- indices:data/read/scroll
- cluster:admin/xpack/watcher/watch/put
- cluster:admin/xpack/watcher*
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
indices:
‘?kibana*’:
‘*’:
- READ
‘?watches*’:
‘*’:
- INDICES_ALL
‘?watcher-history-*’:
‘*’:
- INDICES_ALL
‘?triggered_watches’:
‘*’:
- INDICES_ALL
‘*’:
‘*’:
- READ
在 2018年4月15日星期日 UTC-4下午8:15:42,Jochen Kressin写道:
So it seems you also have installed X-Pack and there is an error with your watcher configuration:
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
Please post at least:
- kibana.yml
- elasticsearch.yml
- sg_roles.yml
Just remove any sensitive information like paths and passwords.
On Sunday, April 15, 2018 at 5:11:26 PM UTC-7, Xiaoyu Wu wrote:
I checked localhost:9200/_authinfo and the elasticsearch looks good.
This is a part of my kibana config (the rest is the default)
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
Login Page
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the output of elasticsearch log,
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Info: SearchGuardLicense [uid=00000000-0000-0000-0000-000000000000, type=TRIAL, issueDate=2018-04-15, expiryDate=2018-06-15, issuedTo=The world, issuer=floragunn GmbH, startDate=2018-04-15, majorVersion=6, clusterName=*, allowedNodeCount=2147483647, msgs=, expiresInDays=60, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@2e500df4, getMsgs()=, getExpiresInDays()=60, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Type: TRIAL, valid
[2018-04-15T20:07:25,114][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Node ‘LhPFJNW’ initialized
[2018-04-15T20:07:25,364][INFO ][o.e.c.r.a.AllocationService] [LhPFJNW] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] …]).
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
在 2018年4月15日星期日 UTC-4下午8:05:10,Jochen Kressin写道:
sgadmin will replace the current configuration in your cluster with the files located in:
/Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
So if you want to make changes to the configuration, the easiest way of doing so is to change these files, and then run sgadmin again. According to the output sgadmin has succeeded with uploading the configuration. So your sgadmin command seems fine.
There seems to be something wrong with your Kibana configuration and/or the Search Guard configuration.
What is the output of the Elasticsearch log file? Do you see any error there?
What is the Kibana configuration your are using? Please post it here.
Did you try to restart Kibana and reload the login page?
On Sunday, April 15, 2018 at 4:59:02 PM UTC-7, Xiaoyu Wu wrote:
This is the output of sgadmin tool,
searchguard index already exists, so we do not need to create one.
Populate config from /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
Will update ‘sg/config’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘sg/roles’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg/rolesmapping’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg/internalusers’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg/actiongroups’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Done with success
And when I restarted the Kibana, it threw me the error saying “An error occurred while checking your credentials, make sure you have an Elasticsearch cluster secured by Search Guard running.”
在 2018年4月15日星期日 UTC-4下午7:56:32,Jochen Kressin写道:
What is the output of the sgadmin tool when you run the command you posted? And what do you see in the Elasticsearch logs when you run sgadmin?
On Sunday, April 15, 2018 at 4:34:56 PM UTC-7, Xiaoyu Wu wrote:
I did not use the demo installer.
I checked the documentation but it is kinda difficult for me to understand the entire implementation. What I did so far is just:
./sgadmin.sh \ -cd /path/to/sgconfig/ \ -cacert /path/to/root-ca.pem \ -cert /path/to/kirk.crt.pem \ -key /path/to/kirk.key.pem \ -keypass changeit -nhnv -iclIt seems it only applies the default configuration. I did remove the readonly flag in the yml file.
Could you give me a simple example in this case?
在 2018年4月15日星期日 UTC-4下午7:17:14,Jochen Kressin写道:
First, remove the readonly flag from the roles definition (sg_roles.yml) and if you like also for the internal users (sg_internalusers.yml).
If you are using the demo installer, execute sgadmin_demo.sh to apply the changed configuration.
If you have installed Search Guard without the demo installer please refer to the documentation on how to use sgadmin on the command line:
https://docs.search-guard.com/latest/sgadmin
On Sunday, April 15, 2018 at 2:16:40 PM UTC-7, Xiaoyu Wu wrote:
I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.
I just removed that line, and it solved the login issue.
Thank you so much!
But it seems the “admin” user is still reserved.
Here is a part of code in my sg_internal_users.yml,
#password is: admin
admin:
readonly: false
hash: *******************
roles:
attributes:
#no dots allowed in attribute names
attribute1: value1
attribute2: value2
attribute3: value3
在 2018年4月15日星期日 UTC-4下午8:32:22,Jochen Kressin写道:
This line in kibana.yml looks suspicious:
searchguard.cookie.name: ‘searchguard_authentication’
And corresponds to the error:
Error: Header value cannot contain or convert into non-ascii characters: set-cookie
Please try to use regular double quotes or comment this line out for the moment.
On Sunday, April 15, 2018 at 5:29:07 PM UTC-7, Xiaoyu Wu wrote:
This is the output of Kibana,
log [00:07:55.456] [info][Sentinl][scheduler] scheduled watcher sentinl-watcher:524238a0-345b-11e8-a95a-9954b3f36dde, to run every every 2 minutes
/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:736
throw new Error(msgs.join(' ') || 'Unknown error');
^
Error: Header value cannot contain or convert into non-ascii characters: set-cookie
at Object.exports.assert (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:736:11)
at internals.Response._header (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/response.js:141:22)
at request.connection.states.format (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/transmit.js:507:22)
at Items.serial (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:436:16)
at done (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/items/lib/index.js:31:25)
at exports.prepareValue (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:431:20)
at internals.sign (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:461:20)
at process.nextTick (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:858:22)
at _combinedTickCallback (internal/process/next_tick.js:73:7)
at process._tickDomainCallback (internal/process/next_tick.js:128:9)
在 2018年4月15日星期日 UTC-4下午8:20:39,Xiaoyu Wu写道:
I used to login the kibana page successfully until I customized the login page.
This is the ES config,
======================== Elasticsearch Configuration =========================
NOTE: Elasticsearch comes with reasonable defaults for most settings.
Before you set out to tweak and tune the configuration, make sure you
understand what are you trying to accomplish and the consequences.
The primary way of configuring a node is via this file. This template lists
the most important settings you may want to configure for a production cluster.
Please consult the documentation for further information on configuration options:
https://www.elastic.co/guide/en/elasticsearch/reference/index.html
---------------------------------- Cluster -----------------------------------
Use a descriptive name for your cluster:
#cluster.name: my-application
------------------------------------ Node ------------------------------------
Use a descriptive name for the node:
#node.name: node-1
Add custom attributes to the node:
#node.attr.rack: r1
----------------------------------- Paths ------------------------------------
Path to directory where to store the data (separate multiple locations by comma):
#path.data: /path/to/data
Path to log files:
#path.logs: /path/to/logs
----------------------------------- Memory -----------------------------------
Lock the memory on startup:
#bootstrap.memory_lock: true
Make sure that the heap size is set to about half the memory available
on the system and that the owner of the process is allowed to use this
limit.
Elasticsearch performs poorly when the system is swapping the memory.
---------------------------------- Network -----------------------------------
Set the bind address to a specific IP (IPv4 or IPv6):
#network.host: 192.168.0.1
Set a custom port for HTTP:
#http.port: 9200
For more information, consult the network module documentation.
--------------------------------- Discovery ----------------------------------
Pass an initial list of hosts to perform discovery when new node is started:
The default list of hosts is [“127.0.0.1”, “[::1]”]
#discovery.zen.ping.unicast.hosts: [“host1”, “host2”]
Prevent the “split brain” by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#discovery.zen.minimum_master_nodes:
For more information, consult the zen discovery module documentation.
---------------------------------- Gateway -----------------------------------
Block initial recovery after a full cluster restart until N nodes are started:
#gateway.recover_after_nodes: 3
For more information, consult the gateway module documentation.
---------------------------------- Various -----------------------------------
Require explicit names when deleting indices:
#action.destructive_requires_name: true
---------------------------------- Search Guard ------------------------------
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=Test,C=DE
Relative path to the certificates key file (PKCS #8), must be placed under the config/ dir
searchguard.ssl.transport.pemkey_filepath: node-0.key.pem
Key password (omit this setting if the key has no password)
#searchguard.ssl.transport.pemkey_password: “secret”
X509 node certificate chain in PEM format, must be placed under the config/ dir
searchguard.ssl.transport.pemcert_filepath: node-0.crt.pem
Trusted certificates
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.restapi.roles_enabled: [“sg_all_access”]
This is the Kibana,
Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601
Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
The default is ‘localhost’, which usually means remote machines will not be able to connect.
To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: “localhost”
Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
to Kibana. This setting cannot end in a slash.
#server.basePath: “”
The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576
The Kibana server’s name. This is used for display purposes.
#server.name: “your-hostname”
The URL of the Elasticsearch instance to use for all your queries.
#elasticsearch.url: “http://localhost:9200”
When this setting’s value is true Kibana uses the hostname specified in the server.host
setting. When the value of this setting is false, Kibana uses the hostname of the host
that connects to this Kibana instance.
#elasticsearch.preserveHost: true
Kibana uses an index in Elasticsearch to store saved searches, visualizations and
dashboards. Kibana creates a new index if the index doesn’t already exist.
#kibana.index: “.kibana”
The default application to load.
#kibana.defaultAppId: “home”
If your Elasticsearch is protected with basic authentication, these settings provide
the username and password that the Kibana server uses to perform maintenance on the Kibana
index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
is proxied through the Kibana server.
#elasticsearch.username: “kibana”
#elasticsearch.password: “BioEPQ1o51gAyIsQYaWc”
Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key
Optional settings that provide the paths to the PEM-format SSL certificate and key files.
These files validate that your Elasticsearch backend uses the same key files.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
Optional setting that enables you to specify a path to the PEM file for the certificate
authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ “/path/to/your/CA.pem” ]
To disregard the validity of SSL certificates, change this setting’s value to ‘none’.
#elasticsearch.ssl.verificationMode: full
Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500
Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
must be a positive integer.
#elasticsearch.requestTimeout: 30000
List of Kibana client-side headers to send to Elasticsearch. To send no client-side
headers, set this value to (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}
Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 0
Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000
Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid
Enables you specify a file where Kibana stores log output.
#logging.dest: stdout
Set the value of this setting to true to suppress all logging output.
#logging.silent: false
Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false
Set the value of this setting to true to log all events, including system usage information
and all requests.
#logging.verbose: false
Set the interval in milliseconds to sample system and process performance
metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000
The default locale. This locale can be used in certain circumstances to substitute any missing
translations.
#i18n.defaultLocale: “en”
Config of Sentinl
sentinl:
settings:
email:
active: true
user: ------
password: -------
host: -------
ssl: true
timeout: 10000
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
Login Page
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the sg_roles,
#<sg_role_name>:
cluster:
- ‘’
indices:
‘’:
‘’:
- ‘’
dls: ‘’
fls:
- ‘’
- ‘’
When a user make a request to Elasticsearch then the following roles will be evaluated to see if the user has
permissions for the request. A request is always associated with an action and is executed against and index (or alias)
and a type. If a request is executed against all indices (or all types) then the asterix (‘*’) is needed.
Every role a user has will be examined if it allows the action against an index (or type). At least one role must match
for the request to be successful. If no role match then the request will be denied. Currently a match must happen within
one single role - that means that permissions can not span multiple roles.
For , and simple wildcards and regular expressions are possible.
A asterix (*) will match any character sequence (or an empty sequence)
A question mark (?) will match any single character (but NOT empty character)
Example: ‘myindex’ will match ‘my_first_index’ as well as ‘myindex’ but not ‘myindex1’
Example: ‘?kibana’ will match ‘.kibana’ but not ‘kibana’
To use a full blown regex you have to pre- and apend a ‘/’ to use regex instead of simple wildcards
‘//’
Example: ‘/\S*/’ will match any non whitespace characters
Important:
Index, alias or type names can not contain dots (.) in the or expression.
Reason is that we currently parse the config file into a elasticsearch settings object which cannot cope with dots in keys.
Workaround: Just configure something like ‘?kibana’ instead of ‘.kibana’ or ‘my?index’ instead of ‘my.index’
This limitation will likely removed with Search Guard 6
DLS (Document level security) - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/document-level-security
FLS (Field level security) - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/field-level-security
Kibana multitenancy - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/kibana-multi-tenancy
Allows everything, but no changes to searchguard configuration index
sg_all_access:
readonly: true
cluster:
- UNLIMITED
indices:
‘*’:
‘*’:
- UNLIMITED
tenants:
admin_tenant: RW
Read all, but no write permissions
sg_readall:
readonly: true
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
Read all and monitor, but no write permissions
sg_readall_and_monitor:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
For users which use kibana, access to indices must be granted separately
sg_kibana_user:
readonly: true
cluster:
- MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘?kibana’:
‘*’:
- MANAGE
- INDEX
- READ
- DELETE
‘*’:
‘*’:
- indices:data/read/field_caps*
For the kibana server
sg_kibana_server:
readonly: true
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- cluster:admin/xpack/monitoring*
- indices:admin/template*
indices:
‘?kibana’:
‘*’:
- INDICES_ALL
‘?reporting*’:
‘*’:
- INDICES_ALL
‘?monitoring*’:
‘*’:
- INDICES_ALL
For logstash and beats
sg_logstash:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- indices:admin/template/get
- indices:admin/template/put
indices:
‘logstash-*’:
‘*’:
- CRUD
- CREATE_INDEX
‘beat’:
‘*’:
- CRUD
- CREATE_INDEX
Allows adding and modifying repositories and creating and restoring snapshots
sg_manage_snapshots:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
Allows each user to access own named index
sg_own_index:
cluster:
- CLUSTER_COMPOSITE_OPS
indices:
‘${user_name}’:
‘*’:
- INDICES_ALL
X-Pack COMPATIBILITY
sg_xp_monitoring:
readonly: true
indices:
‘?monitor*’:
‘*’:
- INDICES_ALL
sg_xp_alerting:
readonly: true
cluster:
- indices:data/read/scroll
- cluster:admin/xpack/watcher*
- cluster:monitor/xpack/watcher*
indices:
‘?watches*’:
‘*’:
- INDICES_ALL
‘?watcher-history-*’:
‘*’:
- INDICES_ALL
‘?triggered_watches’:
‘*’:
- INDICES_ALL
‘*’:
‘*’:
- READ
- indices:admin/aliases/get
sg_xp_machine_learning:
readonly: true
cluster:
- cluster:admin/persistent*
- cluster:internal/xpack/ml*
- indices:data/read/scroll*
- cluster:admin/xpack/ml*
- cluster:monitor/xpack/ml*
indices:
‘*’:
‘*’:
- READ
- indices:admin/get*
‘?ml-*’:
‘*’:
- “*”
LEGACY ROLES, FOR COMPATIBILITY ONLY
WILL BE REMOVED IN SG7, DO NOT USE ANYMORE
sg_readonly_and_monitor:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
Make xpack monitoring work
sg_monitor:
cluster:
- cluster:admin/xpack/monitoring/*
- cluster:admin/ingest/pipeline/put
- cluster:admin/ingest/pipeline/get
- indices:admin/template/get
- indices:admin/template/put
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
indices:
‘?monitor*’:
‘*’:
- INDICES_ALL
‘?marvel*’:
‘*’:
- INDICES_ALL
‘?kibana*’:
‘*’:
- READ
‘*’:
‘*’:
- indices:data/read/field_caps
Make xpack alerting work
sg_alerting:
cluster:
- indices:data/read/scroll
- cluster:admin/xpack/watcher/watch/put
- cluster:admin/xpack/watcher*
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
indices:
‘?kibana*’:
‘*’:
- READ
‘?watches*’:
‘*’:
- INDICES_ALL
‘?watcher-history-*’:
‘*’:
- INDICES_ALL
‘?triggered_watches’:
‘*’:
- INDICES_ALL
‘*’:
‘*’:
- READ
在 2018年4月15日星期日 UTC-4下午8:15:42,Jochen Kressin写道:
So it seems you also have installed X-Pack and there is an error with your watcher configuration:
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
Please post at least:
- kibana.yml
- elasticsearch.yml
- sg_roles.yml
Just remove any sensitive information like paths and passwords.
On Sunday, April 15, 2018 at 5:11:26 PM UTC-7, Xiaoyu Wu wrote:
I checked localhost:9200/_authinfo and the elasticsearch looks good.
This is a part of my kibana config (the rest is the default)
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
Login Page
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the output of elasticsearch log,
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Info: SearchGuardLicense [uid=00000000-0000-0000-0000-000000000000, type=TRIAL, issueDate=2018-04-15, expiryDate=2018-06-15, issuedTo=The world, issuer=floragunn GmbH, startDate=2018-04-15, majorVersion=6, clusterName=*, allowedNodeCount=2147483647, msgs=, expiresInDays=60, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@2e500df4, getMsgs()=, getExpiresInDays()=60, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Type: TRIAL, valid
[2018-04-15T20:07:25,114][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Node ‘LhPFJNW’ initialized
[2018-04-15T20:07:25,364][INFO ][o.e.c.r.a.AllocationService] [LhPFJNW] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] …]).
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
在 2018年4月15日星期日 UTC-4下午8:05:10,Jochen Kressin写道:
sgadmin will replace the current configuration in your cluster with the files located in:
/Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
So if you want to make changes to the configuration, the easiest way of doing so is to change these files, and then run sgadmin again. According to the output sgadmin has succeeded with uploading the configuration. So your sgadmin command seems fine.
There seems to be something wrong with your Kibana configuration and/or the Search Guard configuration.
What is the output of the Elasticsearch log file? Do you see any error there?
What is the Kibana configuration your are using? Please post it here.
Did you try to restart Kibana and reload the login page?
On Sunday, April 15, 2018 at 4:59:02 PM UTC-7, Xiaoyu Wu wrote:
This is the output of sgadmin tool,
searchguard index already exists, so we do not need to create one.
Populate config from /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
Will update ‘sg/config’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘sg/roles’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg/rolesmapping’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg/internalusers’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg/actiongroups’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Done with success
And when I restarted the Kibana, it threw me the error saying “An error occurred while checking your credentials, make sure you have an Elasticsearch cluster secured by Search Guard running.”
在 2018年4月15日星期日 UTC-4下午7:56:32,Jochen Kressin写道:
What is the output of the sgadmin tool when you run the command you posted? And what do you see in the Elasticsearch logs when you run sgadmin?
On Sunday, April 15, 2018 at 4:34:56 PM UTC-7, Xiaoyu Wu wrote:
I did not use the demo installer.
I checked the documentation but it is kinda difficult for me to understand the entire implementation. What I did so far is just:
./sgadmin.sh \ -cd /path/to/sgconfig/ \ -cacert /path/to/root-ca.pem \ -cert /path/to/kirk.crt.pem \ -key /path/to/kirk.key.pem \ -keypass changeit -nhnv -iclIt seems it only applies the default configuration. I did remove the readonly flag in the yml file.
Could you give me a simple example in this case?
在 2018年4月15日星期日 UTC-4下午7:17:14,Jochen Kressin写道:
First, remove the readonly flag from the roles definition (sg_roles.yml) and if you like also for the internal users (sg_internalusers.yml).
If you are using the demo installer, execute sgadmin_demo.sh to apply the changed configuration.
If you have installed Search Guard without the demo installer please refer to the documentation on how to use sgadmin on the command line:
https://docs.search-guard.com/latest/sgadmin
On Sunday, April 15, 2018 at 2:16:40 PM UTC-7, Xiaoyu Wu wrote:
I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.
For now, the GUI shows that “admin” is not reserved. But when I actually want to change the password for it, it throws the internal server error 500.
This is the output of Kibana,
error [03:29:44.313] Error: Resource not valid
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/backend/searchguard_configuration_backend.js:134:24
at next (native)
at step (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/backend/searchguard_configuration_backend.js:61:191)
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/backend/searchguard_configuration_backend.js:61:437
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/backend/searchguard_configuration_backend.js:61:99
at SearchGuardConfigurationBackend.save (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/backend/searchguard_configuration_backend.js:131:49)
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/routes/routes.js:141:42
at next (native)
at step (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/routes/routes.js:272:191)
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/routes/routes.js:272:437
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/routes/routes.js:272:99
at async (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/routes/routes.js:139:7)
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/node_modules/hapi-async-handler/build/index.js:11:20
at Object.internals.handler (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/handler.js:96:36)
at request._protect.run (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/handler.js:30:23)
at internals.Protect.run (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/protect.js:64:5)
at exports.execute (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/handler.js:24:22)
at each (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/request.js:384:16)
at iterate (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/items/lib/index.js:36:13)
at done (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/items/lib/index.js:28:25)
at Hoek.once (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/protect.js:52:16)
at wrapped (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:875:20)
在 2018年4月15日星期日 UTC-4下午9:02:55,Xiaoyu Wu写道:
I just removed that line, and it solved the login issue.
Thank you so much!
But it seems the “admin” user is still reserved.
Here is a part of code in my sg_internal_users.yml,
#password is: admin
admin:
readonly: false
hash: *******************
roles:
- admin
attributes:
#no dots allowed in attribute names
attribute1: value1
attribute2: value2
attribute3: value3
在 2018年4月15日星期日 UTC-4下午8:32:22,Jochen Kressin写道:
This line in kibana.yml looks suspicious:
searchguard.cookie.name: ‘searchguard_authentication’
And corresponds to the error:
Error: Header value cannot contain or convert into non-ascii characters: set-cookie
Please try to use regular double quotes or comment this line out for the moment.
On Sunday, April 15, 2018 at 5:29:07 PM UTC-7, Xiaoyu Wu wrote:
This is the output of Kibana,
log [00:07:55.456] [info][Sentinl][scheduler] scheduled watcher sentinl-watcher:524238a0-345b-11e8-a95a-9954b3f36dde, to run every every 2 minutes
/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:736
throw new Error(msgs.join(' ') || 'Unknown error');
^
Error: Header value cannot contain or convert into non-ascii characters: set-cookie
at Object.exports.assert (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:736:11)
at internals.Response._header (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/response.js:141:22)
at request.connection.states.format (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/transmit.js:507:22)
at Items.serial (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:436:16)
at done (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/items/lib/index.js:31:25)
at exports.prepareValue (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:431:20)
at internals.sign (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:461:20)
at process.nextTick (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:858:22)
at _combinedTickCallback (internal/process/next_tick.js:73:7)
at process._tickDomainCallback (internal/process/next_tick.js:128:9)
在 2018年4月15日星期日 UTC-4下午8:20:39,Xiaoyu Wu写道:
I used to login the kibana page successfully until I customized the login page.
This is the ES config,
======================== Elasticsearch Configuration =========================
NOTE: Elasticsearch comes with reasonable defaults for most settings.
Before you set out to tweak and tune the configuration, make sure you
understand what are you trying to accomplish and the consequences.
The primary way of configuring a node is via this file. This template lists
the most important settings you may want to configure for a production cluster.
Please consult the documentation for further information on configuration options:
https://www.elastic.co/guide/en/elasticsearch/reference/index.html
---------------------------------- Cluster -----------------------------------
Use a descriptive name for your cluster:
#cluster.name: my-application
------------------------------------ Node ------------------------------------
Use a descriptive name for the node:
#node.name: node-1
Add custom attributes to the node:
#node.attr.rack: r1
----------------------------------- Paths ------------------------------------
Path to directory where to store the data (separate multiple locations by comma):
#path.data: /path/to/data
Path to log files:
#path.logs: /path/to/logs
----------------------------------- Memory -----------------------------------
Lock the memory on startup:
#bootstrap.memory_lock: true
Make sure that the heap size is set to about half the memory available
on the system and that the owner of the process is allowed to use this
limit.
Elasticsearch performs poorly when the system is swapping the memory.
---------------------------------- Network -----------------------------------
Set the bind address to a specific IP (IPv4 or IPv6):
#network.host: 192.168.0.1
Set a custom port for HTTP:
#http.port: 9200
For more information, consult the network module documentation.
--------------------------------- Discovery ----------------------------------
Pass an initial list of hosts to perform discovery when new node is started:
The default list of hosts is [“127.0.0.1”, “[::1]”]
#discovery.zen.ping.unicast.hosts: [“host1”, “host2”]
Prevent the “split brain” by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#discovery.zen.minimum_master_nodes:
For more information, consult the zen discovery module documentation.
---------------------------------- Gateway -----------------------------------
Block initial recovery after a full cluster restart until N nodes are started:
#gateway.recover_after_nodes: 3
For more information, consult the gateway module documentation.
---------------------------------- Various -----------------------------------
Require explicit names when deleting indices:
#action.destructive_requires_name: true
---------------------------------- Search Guard ------------------------------
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=Test,C=DE
Relative path to the certificates key file (PKCS #8), must be placed under the config/ dir
searchguard.ssl.transport.pemkey_filepath: node-0.key.pem
Key password (omit this setting if the key has no password)
#searchguard.ssl.transport.pemkey_password: “secret”
X509 node certificate chain in PEM format, must be placed under the config/ dir
searchguard.ssl.transport.pemcert_filepath: node-0.crt.pem
Trusted certificates
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.restapi.roles_enabled: [“sg_all_access”]
This is the Kibana,
Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601
Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
The default is ‘localhost’, which usually means remote machines will not be able to connect.
To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: “localhost”
Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
to Kibana. This setting cannot end in a slash.
#server.basePath: “”
The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576
The Kibana server’s name. This is used for display purposes.
#server.name: “your-hostname”
The URL of the Elasticsearch instance to use for all your queries.
#elasticsearch.url: “http://localhost:9200”
When this setting’s value is true Kibana uses the hostname specified in the server.host
setting. When the value of this setting is false, Kibana uses the hostname of the host
that connects to this Kibana instance.
#elasticsearch.preserveHost: true
Kibana uses an index in Elasticsearch to store saved searches, visualizations and
dashboards. Kibana creates a new index if the index doesn’t already exist.
#kibana.index: “.kibana”
The default application to load.
#kibana.defaultAppId: “home”
If your Elasticsearch is protected with basic authentication, these settings provide
the username and password that the Kibana server uses to perform maintenance on the Kibana
index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
is proxied through the Kibana server.
#elasticsearch.username: “kibana”
#elasticsearch.password: “BioEPQ1o51gAyIsQYaWc”
Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key
Optional settings that provide the paths to the PEM-format SSL certificate and key files.
These files validate that your Elasticsearch backend uses the same key files.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
Optional setting that enables you to specify a path to the PEM file for the certificate
authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ “/path/to/your/CA.pem” ]
To disregard the validity of SSL certificates, change this setting’s value to ‘none’.
#elasticsearch.ssl.verificationMode: full
Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500
Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
must be a positive integer.
#elasticsearch.requestTimeout: 30000
List of Kibana client-side headers to send to Elasticsearch. To send no client-side
headers, set this value to (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}
Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 0
Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000
Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid
Enables you specify a file where Kibana stores log output.
#logging.dest: stdout
Set the value of this setting to true to suppress all logging output.
#logging.silent: false
Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false
Set the value of this setting to true to log all events, including system usage information
and all requests.
#logging.verbose: false
Set the interval in milliseconds to sample system and process performance
metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000
The default locale. This locale can be used in certain circumstances to substitute any missing
translations.
#i18n.defaultLocale: “en”
Config of Sentinl
sentinl:
settings:
email:
active: true
user: ------
password: -------
host: -------
ssl: true
timeout: 10000
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
Login Page
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the sg_roles,
#<sg_role_name>:
cluster:
- ‘’
indices:
‘’:
‘’:
- ‘’
dls: ‘’
fls:
- ‘’
- ‘’
When a user make a request to Elasticsearch then the following roles will be evaluated to see if the user has
permissions for the request. A request is always associated with an action and is executed against and index (or alias)
and a type. If a request is executed against all indices (or all types) then the asterix (‘*’) is needed.
Every role a user has will be examined if it allows the action against an index (or type). At least one role must match
for the request to be successful. If no role match then the request will be denied. Currently a match must happen within
one single role - that means that permissions can not span multiple roles.
For , and simple wildcards and regular expressions are possible.
A asterix (*) will match any character sequence (or an empty sequence)
A question mark (?) will match any single character (but NOT empty character)
Example: ‘myindex’ will match ‘my_first_index’ as well as ‘myindex’ but not ‘myindex1’
Example: ‘?kibana’ will match ‘.kibana’ but not ‘kibana’
To use a full blown regex you have to pre- and apend a ‘/’ to use regex instead of simple wildcards
‘//’
Example: ‘/\S*/’ will match any non whitespace characters
Important:
Index, alias or type names can not contain dots (.) in the or expression.
Reason is that we currently parse the config file into a elasticsearch settings object which cannot cope with dots in keys.
Workaround: Just configure something like ‘?kibana’ instead of ‘.kibana’ or ‘my?index’ instead of ‘my.index’
This limitation will likely removed with Search Guard 6
DLS (Document level security) - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/document-level-security
FLS (Field level security) - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/field-level-security
Kibana multitenancy - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/kibana-multi-tenancy
Allows everything, but no changes to searchguard configuration index
sg_all_access:
readonly: true
cluster:
- UNLIMITED
indices:
‘*’:
‘*’:
- UNLIMITED
tenants:
admin_tenant: RW
Read all, but no write permissions
sg_readall:
readonly: true
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
Read all and monitor, but no write permissions
sg_readall_and_monitor:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
For users which use kibana, access to indices must be granted separately
sg_kibana_user:
readonly: true
cluster:
- MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘?kibana’:
‘*’:
- MANAGE
- INDEX
- READ
- DELETE
‘*’:
‘*’:
- indices:data/read/field_caps*
For the kibana server
sg_kibana_server:
readonly: true
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- cluster:admin/xpack/monitoring*
- indices:admin/template*
indices:
‘?kibana’:
‘*’:
- INDICES_ALL
‘?reporting*’:
‘*’:
- INDICES_ALL
‘?monitoring*’:
‘*’:
- INDICES_ALL
For logstash and beats
sg_logstash:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- indices:admin/template/get
- indices:admin/template/put
indices:
‘logstash-*’:
‘*’:
- CRUD
- CREATE_INDEX
‘beat’:
‘*’:
- CRUD
- CREATE_INDEX
Allows adding and modifying repositories and creating and restoring snapshots
sg_manage_snapshots:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
Allows each user to access own named index
sg_own_index:
cluster:
- CLUSTER_COMPOSITE_OPS
indices:
‘${user_name}’:
‘*’:
- INDICES_ALL
X-Pack COMPATIBILITY
sg_xp_monitoring:
readonly: true
indices:
‘?monitor*’:
‘*’:
- INDICES_ALL
sg_xp_alerting:
readonly: true
cluster:
- indices:data/read/scroll
- cluster:admin/xpack/watcher*
- cluster:monitor/xpack/watcher*
indices:
‘?watches*’:
‘*’:
- INDICES_ALL
‘?watcher-history-*’:
‘*’:
- INDICES_ALL
‘?triggered_watches’:
‘*’:
- INDICES_ALL
‘*’:
‘*’:
- READ
- indices:admin/aliases/get
sg_xp_machine_learning:
readonly: true
cluster:
- cluster:admin/persistent*
- cluster:internal/xpack/ml*
- indices:data/read/scroll*
- cluster:admin/xpack/ml*
- cluster:monitor/xpack/ml*
indices:
‘*’:
‘*’:
- READ
- indices:admin/get*
‘?ml-*’:
‘*’:
- “*”
LEGACY ROLES, FOR COMPATIBILITY ONLY
WILL BE REMOVED IN SG7, DO NOT USE ANYMORE
sg_readonly_and_monitor:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
Make xpack monitoring work
sg_monitor:
cluster:
- cluster:admin/xpack/monitoring/*
- cluster:admin/ingest/pipeline/put
- cluster:admin/ingest/pipeline/get
- indices:admin/template/get
- indices:admin/template/put
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
indices:
‘?monitor*’:
‘*’:
- INDICES_ALL
‘?marvel*’:
‘*’:
- INDICES_ALL
‘?kibana*’:
‘*’:
- READ
‘*’:
‘*’:
- indices:data/read/field_caps
Make xpack alerting work
sg_alerting:
cluster:
- indices:data/read/scroll
- cluster:admin/xpack/watcher/watch/put
- cluster:admin/xpack/watcher*
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
indices:
‘?kibana*’:
‘*’:
- READ
‘?watches*’:
‘*’:
- INDICES_ALL
‘?watcher-history-*’:
‘*’:
- INDICES_ALL
‘?triggered_watches’:
‘*’:
- INDICES_ALL
‘*’:
‘*’:
- READ
在 2018年4月15日星期日 UTC-4下午8:15:42,Jochen Kressin写道:
So it seems you also have installed X-Pack and there is an error with your watcher configuration:
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
Please post at least:
- kibana.yml
- elasticsearch.yml
- sg_roles.yml
Just remove any sensitive information like paths and passwords.
On Sunday, April 15, 2018 at 5:11:26 PM UTC-7, Xiaoyu Wu wrote:
I checked localhost:9200/_authinfo and the elasticsearch looks good.
This is a part of my kibana config (the rest is the default)
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
Login Page
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the output of elasticsearch log,
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Info: SearchGuardLicense [uid=00000000-0000-0000-0000-000000000000, type=TRIAL, issueDate=2018-04-15, expiryDate=2018-06-15, issuedTo=The world, issuer=floragunn GmbH, startDate=2018-04-15, majorVersion=6, clusterName=*, allowedNodeCount=2147483647, msgs=, expiresInDays=60, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@2e500df4, getMsgs()=, getExpiresInDays()=60, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Type: TRIAL, valid
[2018-04-15T20:07:25,114][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Node ‘LhPFJNW’ initialized
[2018-04-15T20:07:25,364][INFO ][o.e.c.r.a.AllocationService] [LhPFJNW] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] …]).
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
在 2018年4月15日星期日 UTC-4下午8:05:10,Jochen Kressin写道:
sgadmin will replace the current configuration in your cluster with the files located in:
/Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
So if you want to make changes to the configuration, the easiest way of doing so is to change these files, and then run sgadmin again. According to the output sgadmin has succeeded with uploading the configuration. So your sgadmin command seems fine.
There seems to be something wrong with your Kibana configuration and/or the Search Guard configuration.
What is the output of the Elasticsearch log file? Do you see any error there?
What is the Kibana configuration your are using? Please post it here.
Did you try to restart Kibana and reload the login page?
On Sunday, April 15, 2018 at 4:59:02 PM UTC-7, Xiaoyu Wu wrote:
This is the output of sgadmin tool,
searchguard index already exists, so we do not need to create one.
Populate config from /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
Will update ‘sg/config’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘sg/roles’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg/rolesmapping’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg/internalusers’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg/actiongroups’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Done with success
And when I restarted the Kibana, it threw me the error saying “An error occurred while checking your credentials, make sure you have an Elasticsearch cluster secured by Search Guard running.”
在 2018年4月15日星期日 UTC-4下午7:56:32,Jochen Kressin写道:
What is the output of the sgadmin tool when you run the command you posted? And what do you see in the Elasticsearch logs when you run sgadmin?
On Sunday, April 15, 2018 at 4:34:56 PM UTC-7, Xiaoyu Wu wrote:
I did not use the demo installer.
I checked the documentation but it is kinda difficult for me to understand the entire implementation. What I did so far is just:
./sgadmin.sh \ -cd /path/to/sgconfig/ \ -cacert /path/to/root-ca.pem \ -cert /path/to/kirk.crt.pem \ -key /path/to/kirk.key.pem \ -keypass changeit -nhnv -iclIt seems it only applies the default configuration. I did remove the readonly flag in the yml file.
Could you give me a simple example in this case?
在 2018年4月15日星期日 UTC-4下午7:17:14,Jochen Kressin写道:
First, remove the readonly flag from the roles definition (sg_roles.yml) and if you like also for the internal users (sg_internalusers.yml).
If you are using the demo installer, execute sgadmin_demo.sh to apply the changed configuration.
If you have installed Search Guard without the demo installer please refer to the documentation on how to use sgadmin on the command line:
https://docs.search-guard.com/latest/sgadmin
On Sunday, April 15, 2018 at 2:16:40 PM UTC-7, Xiaoyu Wu wrote:
I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.
Maybe you are logged in with the user “admin” and try to change the password for the logged in user? This is not possible since it would break your current session and you can lock yourself out if you mistype the password. That’s why the demo admin user is marked “reserved” in the first place.
What is it that you want to achieve exactly? If I know I can probably help you better.
On Sunday, April 15, 2018 at 8:33:38 PM UTC-7, Xiaoyu Wu wrote:
For now, the GUI shows that “admin” is not reserved. But when I actually want to change the password for it, it throws the internal server error 500.
This is the output of Kibana,
error [03:29:44.313] Error: Resource not valid
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/backend/searchguard_configuration_backend.js:134:24
at next (native)
at step (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/backend/searchguard_configuration_backend.js:61:191)
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/backend/searchguard_configuration_backend.js:61:437
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/backend/searchguard_configuration_backend.js:61:99
at SearchGuardConfigurationBackend.save (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/backend/searchguard_configuration_backend.js:131:49)
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/routes/routes.js:141:42
at next (native)
at step (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/routes/routes.js:272:191)
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/routes/routes.js:272:437
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/routes/routes.js:272:99
at async (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/lib/configuration/routes/routes.js:139:7)
at /Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/plugins/searchguard/node_modules/hapi-async-handler/build/index.js:11:20
at Object.internals.handler (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/handler.js:96:36)
at request._protect.run (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/handler.js:30:23)
at internals.Protect.run (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/protect.js:64:5)
at exports.execute (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/handler.js:24:22)
at each (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/request.js:384:16)
at iterate (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/items/lib/index.js:36:13)
at done (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/items/lib/index.js:28:25)
at Hoek.once (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/protect.js:52:16)
at wrapped (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:875:20)
在 2018年4月15日星期日 UTC-4下午9:02:55,Xiaoyu Wu写道:
I just removed that line, and it solved the login issue.
Thank you so much!
But it seems the “admin” user is still reserved.
Here is a part of code in my sg_internal_users.yml,
#password is: admin
admin:
readonly: false
hash: *******************
roles:
- admin
attributes:
#no dots allowed in attribute names
attribute1: value1
attribute2: value2
attribute3: value3
在 2018年4月15日星期日 UTC-4下午8:32:22,Jochen Kressin写道:
This line in kibana.yml looks suspicious:
searchguard.cookie.name: ‘searchguard_authentication’
And corresponds to the error:
Error: Header value cannot contain or convert into non-ascii characters: set-cookie
Please try to use regular double quotes or comment this line out for the moment.
On Sunday, April 15, 2018 at 5:29:07 PM UTC-7, Xiaoyu Wu wrote:
This is the output of Kibana,
log [00:07:55.456] [info][Sentinl][scheduler] scheduled watcher sentinl-watcher:524238a0-345b-11e8-a95a-9954b3f36dde, to run every every 2 minutes
/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:736
throw new Error(msgs.join(' ') || 'Unknown error');
^
Error: Header value cannot contain or convert into non-ascii characters: set-cookie
at Object.exports.assert (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:736:11)
at internals.Response._header (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/response.js:141:22)
at request.connection.states.format (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hapi/lib/transmit.js:507:22)
at Items.serial (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:436:16)
at done (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/items/lib/index.js:31:25)
at exports.prepareValue (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:431:20)
at internals.sign (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/statehood/lib/index.js:461:20)
at process.nextTick (/Users/apple/Desktop/kibana-6.2.2-darwin-x86_64/node_modules/hoek/lib/index.js:858:22)
at _combinedTickCallback (internal/process/next_tick.js:73:7)
at process._tickDomainCallback (internal/process/next_tick.js:128:9)
在 2018年4月15日星期日 UTC-4下午8:20:39,Xiaoyu Wu写道:
I used to login the kibana page successfully until I customized the login page.
This is the ES config,
======================== Elasticsearch Configuration =========================
NOTE: Elasticsearch comes with reasonable defaults for most settings.
Before you set out to tweak and tune the configuration, make sure you
understand what are you trying to accomplish and the consequences.
The primary way of configuring a node is via this file. This template lists
the most important settings you may want to configure for a production cluster.
Please consult the documentation for further information on configuration options:
https://www.elastic.co/guide/en/elasticsearch/reference/index.html
---------------------------------- Cluster -----------------------------------
Use a descriptive name for your cluster:
#cluster.name: my-application
------------------------------------ Node ------------------------------------
Use a descriptive name for the node:
#node.name: node-1
Add custom attributes to the node:
#node.attr.rack: r1
----------------------------------- Paths ------------------------------------
Path to directory where to store the data (separate multiple locations by comma):
#path.data: /path/to/data
Path to log files:
#path.logs: /path/to/logs
----------------------------------- Memory -----------------------------------
Lock the memory on startup:
#bootstrap.memory_lock: true
Make sure that the heap size is set to about half the memory available
on the system and that the owner of the process is allowed to use this
limit.
Elasticsearch performs poorly when the system is swapping the memory.
---------------------------------- Network -----------------------------------
Set the bind address to a specific IP (IPv4 or IPv6):
#network.host: 192.168.0.1
Set a custom port for HTTP:
#http.port: 9200
For more information, consult the network module documentation.
--------------------------------- Discovery ----------------------------------
Pass an initial list of hosts to perform discovery when new node is started:
The default list of hosts is [“127.0.0.1”, “[::1]”]
#discovery.zen.ping.unicast.hosts: [“host1”, “host2”]
Prevent the “split brain” by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#discovery.zen.minimum_master_nodes:
For more information, consult the zen discovery module documentation.
---------------------------------- Gateway -----------------------------------
Block initial recovery after a full cluster restart until N nodes are started:
#gateway.recover_after_nodes: 3
For more information, consult the gateway module documentation.
---------------------------------- Various -----------------------------------
Require explicit names when deleting indices:
#action.destructive_requires_name: true
---------------------------------- Search Guard ------------------------------
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=Test,C=DE
Relative path to the certificates key file (PKCS #8), must be placed under the config/ dir
searchguard.ssl.transport.pemkey_filepath: node-0.key.pem
Key password (omit this setting if the key has no password)
#searchguard.ssl.transport.pemkey_password: “secret”
X509 node certificate chain in PEM format, must be placed under the config/ dir
searchguard.ssl.transport.pemcert_filepath: node-0.crt.pem
Trusted certificates
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
searchguard.restapi.roles_enabled: [“sg_all_access”]
This is the Kibana,
Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601
Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
The default is ‘localhost’, which usually means remote machines will not be able to connect.
To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: “localhost”
Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
to Kibana. This setting cannot end in a slash.
#server.basePath: “”
The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576
The Kibana server’s name. This is used for display purposes.
#server.name: “your-hostname”
The URL of the Elasticsearch instance to use for all your queries.
#elasticsearch.url: “http://localhost:9200”
When this setting’s value is true Kibana uses the hostname specified in the server.host
setting. When the value of this setting is false, Kibana uses the hostname of the host
that connects to this Kibana instance.
#elasticsearch.preserveHost: true
Kibana uses an index in Elasticsearch to store saved searches, visualizations and
dashboards. Kibana creates a new index if the index doesn’t already exist.
#kibana.index: “.kibana”
The default application to load.
#kibana.defaultAppId: “home”
If your Elasticsearch is protected with basic authentication, these settings provide
the username and password that the Kibana server uses to perform maintenance on the Kibana
index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
is proxied through the Kibana server.
#elasticsearch.username: “kibana”
#elasticsearch.password: “BioEPQ1o51gAyIsQYaWc”
Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key
Optional settings that provide the paths to the PEM-format SSL certificate and key files.
These files validate that your Elasticsearch backend uses the same key files.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
Optional setting that enables you to specify a path to the PEM file for the certificate
authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ “/path/to/your/CA.pem” ]
To disregard the validity of SSL certificates, change this setting’s value to ‘none’.
#elasticsearch.ssl.verificationMode: full
Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500
Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
must be a positive integer.
#elasticsearch.requestTimeout: 30000
List of Kibana client-side headers to send to Elasticsearch. To send no client-side
headers, set this value to (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}
Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 0
Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000
Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid
Enables you specify a file where Kibana stores log output.
#logging.dest: stdout
Set the value of this setting to true to suppress all logging output.
#logging.silent: false
Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false
Set the value of this setting to true to log all events, including system usage information
and all requests.
#logging.verbose: false
Set the interval in milliseconds to sample system and process performance
metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000
The default locale. This locale can be used in certain circumstances to substitute any missing
translations.
#i18n.defaultLocale: “en”
Config of Sentinl
sentinl:
settings:
email:
active: true
user: ------
password: -------
host: -------
ssl: true
timeout: 10000
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
Login Page
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the sg_roles,
#<sg_role_name>:
cluster:
- ‘’
indices:
‘’:
‘’:
- ‘’
dls: ‘’
fls:
- ‘’
- ‘’
When a user make a request to Elasticsearch then the following roles will be evaluated to see if the user has
permissions for the request. A request is always associated with an action and is executed against and index (or alias)
and a type. If a request is executed against all indices (or all types) then the asterix (‘*’) is needed.
Every role a user has will be examined if it allows the action against an index (or type). At least one role must match
for the request to be successful. If no role match then the request will be denied. Currently a match must happen within
one single role - that means that permissions can not span multiple roles.
For , and simple wildcards and regular expressions are possible.
A asterix (*) will match any character sequence (or an empty sequence)
A question mark (?) will match any single character (but NOT empty character)
Example: ‘myindex’ will match ‘my_first_index’ as well as ‘myindex’ but not ‘myindex1’
Example: ‘?kibana’ will match ‘.kibana’ but not ‘kibana’
To use a full blown regex you have to pre- and apend a ‘/’ to use regex instead of simple wildcards
‘//’
Example: ‘/\S*/’ will match any non whitespace characters
Important:
Index, alias or type names can not contain dots (.) in the or expression.
Reason is that we currently parse the config file into a elasticsearch settings object which cannot cope with dots in keys.
Workaround: Just configure something like ‘?kibana’ instead of ‘.kibana’ or ‘my?index’ instead of ‘my.index’
This limitation will likely removed with Search Guard 6
DLS (Document level security) - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/document-level-security
FLS (Field level security) - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/field-level-security
Kibana multitenancy - NOT FREE FOR COMMERCIAL
http://docs.search-guard.com/v6/kibana-multi-tenancy
Allows everything, but no changes to searchguard configuration index
sg_all_access:
readonly: true
cluster:
- UNLIMITED
indices:
‘*’:
‘*’:
- UNLIMITED
tenants:
admin_tenant: RW
Read all, but no write permissions
sg_readall:
readonly: true
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
Read all and monitor, but no write permissions
sg_readall_and_monitor:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
For users which use kibana, access to indices must be granted separately
sg_kibana_user:
readonly: true
cluster:
- MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘?kibana’:
‘*’:
- MANAGE
- INDEX
- READ
- DELETE
‘*’:
‘*’:
- indices:data/read/field_caps*
For the kibana server
sg_kibana_server:
readonly: true
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- cluster:admin/xpack/monitoring*
- indices:admin/template*
indices:
‘?kibana’:
‘*’:
- INDICES_ALL
‘?reporting*’:
‘*’:
- INDICES_ALL
‘?monitoring*’:
‘*’:
- INDICES_ALL
For logstash and beats
sg_logstash:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- indices:admin/template/get
- indices:admin/template/put
indices:
‘logstash-*’:
‘*’:
- CRUD
- CREATE_INDEX
‘beat’:
‘*’:
- CRUD
- CREATE_INDEX
Allows adding and modifying repositories and creating and restoring snapshots
sg_manage_snapshots:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
Allows each user to access own named index
sg_own_index:
cluster:
- CLUSTER_COMPOSITE_OPS
indices:
‘${user_name}’:
‘*’:
- INDICES_ALL
X-Pack COMPATIBILITY
sg_xp_monitoring:
readonly: true
indices:
‘?monitor*’:
‘*’:
- INDICES_ALL
sg_xp_alerting:
readonly: true
cluster:
- indices:data/read/scroll
- cluster:admin/xpack/watcher*
- cluster:monitor/xpack/watcher*
indices:
‘?watches*’:
‘*’:
- INDICES_ALL
‘?watcher-history-*’:
‘*’:
- INDICES_ALL
‘?triggered_watches’:
‘*’:
- INDICES_ALL
‘*’:
‘*’:
- READ
- indices:admin/aliases/get
sg_xp_machine_learning:
readonly: true
cluster:
- cluster:admin/persistent*
- cluster:internal/xpack/ml*
- indices:data/read/scroll*
- cluster:admin/xpack/ml*
- cluster:monitor/xpack/ml*
indices:
‘*’:
‘*’:
- READ
- indices:admin/get*
‘?ml-*’:
‘*’:
- “*”
LEGACY ROLES, FOR COMPATIBILITY ONLY
WILL BE REMOVED IN SG7, DO NOT USE ANYMORE
sg_readonly_and_monitor:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘*’:
‘*’:
- READ
Make xpack monitoring work
sg_monitor:
cluster:
- cluster:admin/xpack/monitoring/*
- cluster:admin/ingest/pipeline/put
- cluster:admin/ingest/pipeline/get
- indices:admin/template/get
- indices:admin/template/put
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
indices:
‘?monitor*’:
‘*’:
- INDICES_ALL
‘?marvel*’:
‘*’:
- INDICES_ALL
‘?kibana*’:
‘*’:
- READ
‘*’:
‘*’:
- indices:data/read/field_caps
Make xpack alerting work
sg_alerting:
cluster:
- indices:data/read/scroll
- cluster:admin/xpack/watcher/watch/put
- cluster:admin/xpack/watcher*
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
indices:
‘?kibana*’:
‘*’:
- READ
‘?watches*’:
‘*’:
- INDICES_ALL
‘?watcher-history-*’:
‘*’:
- INDICES_ALL
‘?triggered_watches’:
‘*’:
- INDICES_ALL
‘*’:
‘*’:
- READ
在 2018年4月15日星期日 UTC-4下午8:15:42,Jochen Kressin写道:
So it seems you also have installed X-Pack and there is an error with your watcher configuration:
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
Please post at least:
- kibana.yml
- elasticsearch.yml
- sg_roles.yml
Just remove any sensitive information like paths and passwords.
On Sunday, April 15, 2018 at 5:11:26 PM UTC-7, Xiaoyu Wu wrote:
I checked localhost:9200/_authinfo and the elasticsearch looks good.
This is a part of my kibana config (the rest is the default)
elasticsearch.username: “kibanaserver”
elasticsearch.password: “kibanaserver”
elasticsearch.ssl.verificationMode: none
Login Page
searchguard.basicauth.login.showbrandimage: true
searchguard.basicauth.login.brandimage: https://www.symantec.com/content/dam/symantec/images/common/symantec-logo-top.png
searchguard.cookie.name: ‘searchguard_authentication’
#searchguard.basicauth.login.title
#searchguard.basicauth.login.subtitle
This is the output of elasticsearch log,
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Info: SearchGuardLicense [uid=00000000-0000-0000-0000-000000000000, type=TRIAL, issueDate=2018-04-15, expiryDate=2018-06-15, issuedTo=The world, issuer=floragunn GmbH, startDate=2018-04-15, majorVersion=6, clusterName=*, allowedNodeCount=2147483647, msgs=, expiresInDays=60, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@2e500df4, getMsgs()=, getExpiresInDays()=60, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]
[2018-04-15T20:07:25,113][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Type: TRIAL, valid
[2018-04-15T20:07:25,114][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Node ‘LhPFJNW’ initialized
[2018-04-15T20:07:25,364][INFO ][o.e.c.r.a.AllocationService] [LhPFJNW] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] …]).
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=watcher_alarms, type=*]] [Action [[indices:admin/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
[2018-04-15T20:07:31,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=watcher_alarms, type=]], sg_kibana_server=[IndexType [index=watcher_alarms, type=]]}
在 2018年4月15日星期日 UTC-4下午8:05:10,Jochen Kressin写道:
sgadmin will replace the current configuration in your cluster with the files located in:
/Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
So if you want to make changes to the configuration, the easiest way of doing so is to change these files, and then run sgadmin again. According to the output sgadmin has succeeded with uploading the configuration. So your sgadmin command seems fine.
There seems to be something wrong with your Kibana configuration and/or the Search Guard configuration.
What is the output of the Elasticsearch log file? Do you see any error there?
What is the Kibana configuration your are using? Please post it here.
Did you try to restart Kibana and reload the login page?
On Sunday, April 15, 2018 at 4:59:02 PM UTC-7, Xiaoyu Wu wrote:
This is the output of sgadmin tool,
searchguard index already exists, so we do not need to create one.
Populate config from /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/
Will update ‘sg/config’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘sg/roles’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg/rolesmapping’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg/internalusers’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg/actiongroups’ with /Users/apple/Desktop/elasticsearch-6.2.2/plugins/search-guard-6/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Done with success
And when I restarted the Kibana, it threw me the error saying “An error occurred while checking your credentials, make sure you have an Elasticsearch cluster secured by Search Guard running.”
在 2018年4月15日星期日 UTC-4下午7:56:32,Jochen Kressin写道:
What is the output of the sgadmin tool when you run the command you posted? And what do you see in the Elasticsearch logs when you run sgadmin?
On Sunday, April 15, 2018 at 4:34:56 PM UTC-7, Xiaoyu Wu wrote:
I did not use the demo installer.
I checked the documentation but it is kinda difficult for me to understand the entire implementation. What I did so far is just:
./sgadmin.sh \ -cd /path/to/sgconfig/ \ -cacert /path/to/root-ca.pem \ -cert /path/to/kirk.crt.pem \ -key /path/to/kirk.key.pem \ -keypass changeit -nhnv -iclIt seems it only applies the default configuration. I did remove the readonly flag in the yml file.
Could you give me a simple example in this case?
在 2018年4月15日星期日 UTC-4下午7:17:14,Jochen Kressin写道:
First, remove the readonly flag from the roles definition (sg_roles.yml) and if you like also for the internal users (sg_internalusers.yml).
If you are using the demo installer, execute sgadmin_demo.sh to apply the changed configuration.
If you have installed Search Guard without the demo installer please refer to the documentation on how to use sgadmin on the command line:
https://docs.search-guard.com/latest/sgadmin
On Sunday, April 15, 2018 at 2:16:40 PM UTC-7, Xiaoyu Wu wrote:
I am currently using elasticsearch 6.2.2 and corresponding search-guard. I have already installed the kibana plugin and got into the GUI.
I am wondering how to change the password for the demo users like admin. The document said set ‘read_only’ to false and apply the sgadmin but I am not sure how to use sgadmin to apply the new changes. What I did before is just to follow the instruction and apply the default configuration.
My purpose is to have my own admin account for the later use case.