Configuration for 'internalusers' failed because of MapperParsingException

Hello,

I tried to register a new client (who connects to ES with a jks).

The CNAME included in the jks is CN=portail-flotte,OU=Technical team,O=Norauto,L=Lille,C=FR

I succeeded in registering this CNAME on our Qualification Cluster but didn't succeed on the PRODUCTION cluster.

The error encountered when running sg_admin is: "FAIL: Configuration for 'internalusers' failed because of MapperParsingException[failed to parse [CN=portail-flotte,OU=Technical team,O=Norauto,L=Lille,C=FR]]; nested: IllegalArgumentException[unknown property [hash]];"

Here is the execution trace:

Will connect to pp3sbodbrco01:9300 ... done
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch_cluster_rco_prod
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 3
searchguard index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/
Will update 'config' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'roles' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'rolesmapping' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'internalusers' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_internal_users.yml
   FAIL: Configuration for 'internalusers' failed because of MapperParsingException[failed to parse [CN=portail-flotte,OU=Technical team,O=Norauto,L=Lille,C=FR]]; nested: IllegalArgumentException[unknown property [hash]];
Will update 'actiongroups' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with failures

The sg_internalusers.yml file contains:

CN=portail-flotte,OU=Technical team,O=Norauto,L=Lille,C=FR:
  hash: "_transport_only"

When protecting with "", the error disappears, but when connecting, the user CNAME is unknown.

After looking at the searchguard index mapping, I found that there were several definitions for this CNAME.

I think this could be the root cause of the mapperparsing exception:

 "internalusers": {
    "properties": {
      "CN="portail-flotte",OU="Technical team",O=Norauto,L=Lille,C=FR": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "CN="portail-flotte",OU=Technical team,O=Norauto,L=Lille,C=FR": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "CN=admin,OU=Technical team,O=Norauto,L=Lille,C=FR": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "CN=portail-flotte,OU=Client App,O=Norauto,L=Lille,C=FR": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "CN=portail-flotte,OU=Technical team,O=Norauto,L=Lille,C=FR": {
        "type": "string"
      },
      "CN=portailflotte,OU=Technical team,O=Norauto,L=Lille,C=FR": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "CN=rcoapp,OU=CLient App,O=Norauto,L=Lille,C=FR": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "CN=rcoetl,OU=Client ETL,O=Norauto,L=Lille,C=FR": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "CN=rcoreadonly,OU=Client RO,O=Norauto,L=Lille,C=FR": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "CN=rcosupport,OU=Client Support,O=Norauto,L=Lille,C=FR": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "admin": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "hash": {
        "type": "string"
      },
      "portail-flotte": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "rcoapp": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "rcoetl": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "rcoreadonly": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      },
      "rcosupport": {
        "properties": {
          "hash": {
            "type": "string"
          }
        }
      }
    }
  },

In the quality cluster the CNAME is defined as:

CN=portail-flotte,OU=Client App,O=Norauto,L=Lille,C=FR:
  hash: "_transport_only"

AND IT WORKS;

Has anyone already encountered the same issue as mine?

Is there anybody who could help me to diagnose this issue, please ?

PS: the production cluster contains already several users in effective use.

Thanks a lot for your help
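The mapping posted above lists the new DN as a plain string field, while every other user is an object with a hash sub-field. The following check is an added example (not part of the original post and not Search Guard code) that compares a parsed internal-users document against such a mapping and reports fields whose shape differs; the mapping is a trimmed, constructed copy of the one in the post, and the function and variable names are hypothetical.

```python
import json

# Constructed sample: trimmed copy of the "internalusers" mapping from the post.
MAPPING = json.loads("""
{
  "internalusers": {
    "properties": {
      "CN=portail-flotte,OU=Client App,O=Norauto,L=Lille,C=FR": {
        "properties": {"hash": {"type": "string"}}
      },
      "CN=portail-flotte,OU=Technical team,O=Norauto,L=Lille,C=FR": {
        "type": "string"
      },
      "admin": {"properties": {"hash": {"type": "string"}}}
    }
  }
}
""")
PROPS = MAPPING["internalusers"]["properties"]

DN = "CN=portail-flotte,OU=Technical team,O=Norauto,L=Lille,C=FR"
QUALITY_DN = "CN=portail-flotte,OU=Client App,O=Norauto,L=Lille,C=FR"

# The user definitions discussed in the thread, as already-parsed YAML.
AS_POSTED = {DN: {"hash": "_transport_only"}}
AS_ON_QUALITY = {QUALITY_DN: {"hash": "_transport_only"}}
AS_SUGGESTED = {"portailflottetechteam": {"username": DN,
                                          "hash": "_transport_only"}}


def doc_shape(value):
    """A YAML mapping becomes an object field, anything else a leaf value."""
    return "object" if isinstance(value, dict) else "leaf"


def mapped_shape(node):
    """Shape already fixed for a field in the index mapping."""
    if "properties" in node or node.get("type") in ("object", "nested"):
        return "object"
    return "leaf"


def find_conflicts(doc, properties, path=""):
    """Return (field, mapped_shape, document_shape) for each field whose shape
    in the document differs from the shape recorded in the mapping."""
    conflicts = []
    for key, value in doc.items():
        node = properties.get(key)
        if node is None:
            continue  # unmapped key: nothing in the mapping to clash with
        field = path + key
        if mapped_shape(node) != doc_shape(value):
            conflicts.append((field, mapped_shape(node), doc_shape(value)))
        elif isinstance(value, dict):
            conflicts += find_conflicts(value, node.get("properties", {}),
                                        field + " -> ")
    return conflicts


if __name__ == "__main__":
    for name, doc in (("as posted", AS_POSTED), ("quality", AS_ON_QUALITY),
                      ("as suggested", AS_SUGGESTED)):
        print(name, find_conflicts(doc, PROPS))
```

Run against a mapping exported from the real index, an empty result for the file you are about to upload means no existing field definition has a different shape from it.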

Guess you are on ES 2.x?

Seems the '-' sign in "portail-flotte,OU=Technical team,O=Norauto,L=Lille,C=FR" is handled in a strange way here.

Try

portailflottetechteam:
  username: "CN=portail-flotte,OU=Technical team,O=Norauto,L=Lille,C=FR"
  hash: "_transport_only"

If you still get problems with the mapping, I recommend exporting your current configuration with "sgadmin -r". Make sure the files look good.
Change internal users as advised above. Then delete the searchguard index with "sgadmin -dci" and repopulate it as usual.
This rebuilds the searchguard index and should solve mapping problems.

PS: This is fixed in 5.x

[In reply to Nicolas Condette <ncondette@norauto.com>, 20.07.2017 12:43]

Yes I did, but it didn't work either.

I finally decided to run sg_admin to store a good configuration in another searchguard index named searchguard2, then bounced Elasticsearch node by node with this index name in elasticsearch.yml, and that did it!!!

I was able to do that because all nodes contained a primary or replica of each index.

Thanks indeed for your help.

[In reply to SG info@search-guard.com, 2017-07-21 16:20 GMT+02:00]

Regards,

Nicolas CONDETTE

Norauto International

CRT, rue du Fort BP 225 - 59812 LESQUIN CEDEX

Tel: +33 (0)320607422 - Fax: +33 (0)320607555

E-Mail : ncondette@norauto.com