No, and that’s on purpose. If you could initialize it with, say, a regular “root user” or something like that, then we would need to ship Search Guard with default passwords. Default passwords are, in our opinion, a no-go when it comes to security. Hence, you need to initialize the index with a client certificate that has admin privileges configured in elasticsearch.yml.
For SG6, you will be able to use the REST management API with a regular user that has sufficient privileges, but also in this case, the index needs to be initialized at least once with a client certificate.
We always put security first, over convenience, because we think your data deserves it. That’s kind of our philosophy for Search Guard.
On Thursday, September 28, 2017 at 5:53:41 PM UTC+2, ihjaz Mohamed wrote:
I do have one more question. Is it possible to initialize SearchGuard without a client certificate?
On Thursday, September 28, 2017 at 8:31:08 PM UTC+5:30, ihjaz Mohamed wrote:
Thanks a lot Jochen.
I configured curator.yml with admin:admin and everything is good now.
On Thursday, September 28, 2017 at 7:40:14 PM UTC+5:30, Jochen Kressin wrote:
No, you don’t need a client certificate, you can use curl like:
curl -Ss --insecure -u admin:admin -XGET 'https://localhost:9200/_cat/indices'
But of course the user here needs to have sufficient privileges to perform cluster-level operations. You can have a look at the CLUSTER_COMPOSITE_OPS_RO and CLUSTER_COMPOSITE_OPS action groups for reference.
For curator it depends on whether you want to use HTTPS or not. In the former case, be aware that the Python SSL implementation is, well, sometimes tricky.
At least you need to specify username and password as HTTP Basic Auth credentials. Maybe this (somewhat old) thread will help:
On Thursday, September 28, 2017 at 12:01:23 PM UTC+2, ihjaz Mohamed wrote:
Thanks again for the quick reply.
So with the configurations that you have mentioned below, can I check the indices over curl with just a username and password? Or do I need to provide a client certificate as well?
I’m also using curator for roll over and deletion of old indices. What do I need to do to get the curator to connect to elasticsearch?
On Thursday, September 28, 2017 at 2:50:48 PM UTC+5:30, Jochen Kressin wrote:
The Kibana Plugin authenticates against Search Guard, it’s not a standalone plugin. So at a bare minimum you will need:
- One authenticator enabled
- One source of user/password/role information
- That would be HTTP Basic Auth + Internal user database
- The Kibana server user: This is a requirement from Kibana itself. The server user is a Kibana service user and is used under the hood for management purposes
- Both users should go in internal_users.yml
- Two roles, one for Kibana server user, one for the real user
- You can use the template roles that we ship
- Two role mappings which map the Kibana server user and the real user to their respective roles
Please have a look at the SG Kibana documentation for more details on the Kibana server user role etc.
On Thursday, September 28, 2017 at 11:02:39 AM UTC+2, ihjaz Mohamed wrote:
Thanks for the quick reply.
Actually I also need user authentication for Kibana access. I believe I will be needing SearchGuard for that, right?
If I need to use SearchGuard, what all can I disable?
On Thursday, September 28, 2017 at 2:10:15 PM UTC+5:30, Jochen Kressin wrote:
The purpose of Search Guard is authentication and authorization. So if you don’t have any auth/auth configured, naturally you won’t have access to your data.
In your case, if you just need TLS, this means you need to install the Search Guard SSL plugin (only), without the auth/auth part. Please see this post on this group:
On Thursday, September 28, 2017 at 10:05:58 AM UTC+2, ihjaz Mohamed wrote:
I’ve got the Searchguard initialized successfully. But when I try to check the index over http, I get “Unauthorized” back.
[root@vf-zr125 elasticsearch]# curl -XGET '10.129.179.39:9200/_cat/indices?v&pretty'
I would like to disable all the authorization and authentication on SearchGuard. I only need TLS on transport layer between the nodes.
What do I need to do to disable everything else?
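Added example, not part of the original thread: a curator.yml client section for the Curator setup discussed above (HTTPS plus HTTP Basic Auth against Search Guard), with certificate validation kept on instead of the `--insecure` shortcut used in the curl test. The host, CA path, user name and password are placeholders chosen for illustration.

```yaml
# curator.yml (added example; host, path and credentials are placeholders)
client:
  hosts:
    - localhost
  port: 9200
  use_ssl: True
  # CA that signed the node's HTTP certificate, so Curator can verify the
  # server. This is the counterpart of curl --cacert, not curl --insecure.
  certificate: /path/to/root-ca.pem
  # Keep validation on. Setting this to True accepts any certificate,
  # which is what curl --insecure does.
  ssl_no_validate: False
  # HTTP Basic Auth credentials in user:password form. The user needs
  # sufficient cluster-level privileges (see the CLUSTER_COMPOSITE_OPS
  # action groups mentioned in the thread). "curator_user" is hypothetical.
  http_auth: curator_user:CHANGE_ME
  timeout: 30

logging:
  loglevel: INFO
```

Because the file holds a password in clear text, restrict its permissions to the account that runs Curator.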