DLS in RC1

On Mon, Jun 13, 2016 at 10:56 AM, djtecha djtecha@gmail.com wrote:

So I’m trying to play with the DLS stuff and I downloaded the jar and try to set up a anonymous user like so:

sg_public:

cluster:

• ‘*’

indices:

‘*’:

‘*’:

• READ

• indices:admin/mappings/fields/get*

‘?kibana’:

‘*’:

• indices:admin/exists*

• indices:admin/mapping/put*

• indices:admin/mappings/fields/get*

• indices:admin/refresh*

• indices:admin/validate/query*

• indices:data/read/get*

• indices:data/read/mget*

• indices:data/read/search*

• indices:data/write/delete*

• indices:data/write/index*

• indices:data/write/update*

dls: ‘{“term” : {“_type” : “courier”}}’

This should all any user to to view documents of type courier. But when I try to navigate in kibana I get the following in the ES logs:

RemoteTransportException[[corp-es-4.test.com][10.0.11.194:9300][indices:data/write/index]]; nested: RemoteTransportException[[corp-es-4.test.com][10.0.11.194:9300][indices:data/write/index[p]]]; nested: DocumentAlreadyExistsException[[config][4.5.0]: document already exists];

Caused by: RemoteTransportException[[corp-es-4.test.com][10.0.11.194:9300][indices:data/write/index[p]]]; nested: DocumentAlreadyExistsException[[config][4.5.0]: document already exists];

Caused by: [.kibana][[.kibana][0]] DocumentAlreadyExistsException[[config][4.5.0]: document already exists]

at org.elasticsearch.index.engine.InternalEngine.innerCreateNoLock(InternalEngine.java:421)

at org.elasticsearch.index.engine.InternalEngine.innerCreate(InternalEngine.java:378)

at org.elasticsearch.index.engine.InternalEngine.create(InternalEngine.java:349)

at org.elasticsearch.index.shard.IndexShard.create(IndexShard.java:545)

at org.elasticsearch.index.engine.Engine$Create.execute(Engine.java:810)

at org.elasticsearch.action.index.TransportIndexAction.executeIndexRequestOnPrimary(TransportIndexAction.java:237)

at org.elasticsearch.action.index.TransportIndexAction.shardOperationOnPrimary(TransportIndexAction.java:158)

at org.elasticsearch.action.index.TransportIndexAction.shardOperationOnPrimary(TransportIndexAction.java:66)

at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryPhase.doRun(TransportReplicationAction.java:639)

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)

at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:279)

at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:271)

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService.messageReceivedDecorate(SearchGuardSSLTransportService.java:161)

at com.floragunn.searchguard.transport.SearchGuardTransportService.messageReceivedDecorate(SearchGuardTransportService.java:232)

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor.messageReceived(SearchGuardSSLTransportService.java:100)

at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:75)

at org.elasticsearch.transport.TransportService$4.doRun(TransportService.java:376)

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

at java.lang.Thread.run(Thread.java:745)

If I comment out the dls stuff it works fine, but obviously the user isn’t restricted. Should I just wait for a later release or am I doing something wrong here?

–

You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/275f97f3-3ede-4a13-b638-2eb0c94af105%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

On Mon, Jun 13, 2016 at 11:15 AM, Daniel Kasen djtecha@gmail.com wrote:

Hmm nvm, I suppose it just took a little bit to work. Although that error still shows up, but the DLS is working correctly.

On Mon, Jun 13, 2016 at 10:56 AM, djtecha djtecha@gmail.com wrote:

So I’m trying to play with the DLS stuff and I downloaded the jar and try to set up a anonymous user like so:

sg_public:

cluster:

• ‘*’

indices:

‘*’:

‘*’:

• READ

• indices:admin/mappings/fields/get*

‘?kibana’:

‘*’:

• indices:admin/exists*

• indices:admin/mapping/put*

• indices:admin/mappings/fields/get*

• indices:admin/refresh*

• indices:admin/validate/query*

• indices:data/read/get*

• indices:data/read/mget*

• indices:data/read/search*

• indices:data/write/delete*

• indices:data/write/index*

• indices:data/write/update*

dls: ‘{“term” : {“_type” : “courier”}}’

This should all any user to to view documents of type courier. But when I try to navigate in kibana I get the following in the ES logs:

RemoteTransportException[[corp-es-4.test.com][10.0.11.194:9300][indices:data/write/index]]; nested: RemoteTransportException[[corp-es-4.test.com][10.0.11.194:9300][indices:data/write/index[p]]]; nested: DocumentAlreadyExistsException[[config][4.5.0]: document already exists];

Caused by: RemoteTransportException[[corp-es-4.test.com][10.0.11.194:9300][indices:data/write/index[p]]]; nested: DocumentAlreadyExistsException[[config][4.5.0]: document already exists];

Caused by: [.kibana][[.kibana][0]] DocumentAlreadyExistsException[[config][4.5.0]: document already exists]

at org.elasticsearch.index.engine.InternalEngine.innerCreateNoLock(InternalEngine.java:421)

at org.elasticsearch.index.engine.InternalEngine.innerCreate(InternalEngine.java:378)

at org.elasticsearch.index.engine.InternalEngine.create(InternalEngine.java:349)

at org.elasticsearch.index.shard.IndexShard.create(IndexShard.java:545)

at org.elasticsearch.index.engine.Engine$Create.execute(Engine.java:810)

at org.elasticsearch.action.index.TransportIndexAction.executeIndexRequestOnPrimary(TransportIndexAction.java:237)

at org.elasticsearch.action.index.TransportIndexAction.shardOperationOnPrimary(TransportIndexAction.java:158)

at org.elasticsearch.action.index.TransportIndexAction.shardOperationOnPrimary(TransportIndexAction.java:66)

at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryPhase.doRun(TransportReplicationAction.java:639)

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)

at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:279)

at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:271)

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService.messageReceivedDecorate(SearchGuardSSLTransportService.java:161)

at com.floragunn.searchguard.transport.SearchGuardTransportService.messageReceivedDecorate(SearchGuardTransportService.java:232)

at com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor.messageReceived(SearchGuardSSLTransportService.java:100)

at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:75)

at org.elasticsearch.transport.TransportService$4.doRun(TransportService.java:376)

at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

at java.lang.Thread.run(Thread.java:745)

If I comment out the dls stuff it works fine, but obviously the user isn’t restricted. Should I just wait for a later release or am I doing something wrong here?

–

You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/275f97f3-3ede-4a13-b638-2eb0c94af105%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Am 13.06.2016 um 22:30 schrieb Daniel Kasen <djtecha@gmail.com>:

Well now i'm not sure, appears to do some weird caching. And if it's a fresh load it gives you the status page with the error: [document_already_exists_exception] [config][4.5.0]: document already exists, with: {"shard":"0","index":".kibana"}

On Mon, Jun 13, 2016 at 11:15 AM, Daniel Kasen <djtecha@gmail.com> wrote:
Hmm nvm, I suppose it just took a little bit to work. Although that error still shows up, but the DLS is working correctly.

On Mon, Jun 13, 2016 at 10:56 AM, djtecha <djtecha@gmail.com> wrote:
So I'm trying to play with the DLS stuff and I downloaded the jar and try to set up a anonymous user like so:

sg_public:
  cluster:
    - '*'
  indices:
    '*':
     '*':
        - READ
        - indices:admin/mappings/fields/get*
    '?kibana':
      '*':
        - indices:admin/exists*
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*
  dls: '{"term" : {"_type" : "courier"}}'

This should all any user to to view documents of type courier. But when I try to navigate in kibana I get the following in the ES logs:

RemoteTransportException[[corp-es-4.test.com][10.0.11.194:9300][indices:data/write/index]]; nested: RemoteTransportException[[corp-es-4.test.com][10.0.11.194:9300][indices:data/write/index[p]]]; nested: DocumentAlreadyExistsException[[config][4.5.0]: document already exists];
Caused by: RemoteTransportException[[corp-es-4.test.com][10.0.11.194:9300][indices:data/write/index[p]]]; nested: DocumentAlreadyExistsException[[config][4.5.0]: document already exists];
Caused by: [.kibana][[.kibana][0]] DocumentAlreadyExistsException[[config][4.5.0]: document already exists]
  at org.elasticsearch.index.engine.InternalEngine.innerCreateNoLock(InternalEngine.java:421)
  at org.elasticsearch.index.engine.InternalEngine.innerCreate(InternalEngine.java:378)
  at org.elasticsearch.index.engine.InternalEngine.create(InternalEngine.java:349)
  at org.elasticsearch.index.shard.IndexShard.create(IndexShard.java:545)
  at org.elasticsearch.index.engine.Engine$Create.execute(Engine.java:810)
  at org.elasticsearch.action.index.TransportIndexAction.executeIndexRequestOnPrimary(TransportIndexAction.java:237)
  at org.elasticsearch.action.index.TransportIndexAction.shardOperationOnPrimary(TransportIndexAction.java:158)
  at org.elasticsearch.action.index.TransportIndexAction.shardOperationOnPrimary(TransportIndexAction.java:66)
  at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryPhase.doRun(TransportReplicationAction.java:639)
  at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
  at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:279)
  at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:271)
  at com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService.messageReceivedDecorate(SearchGuardSSLTransportService.java:161)
  at com.floragunn.searchguard.transport.SearchGuardTransportService.messageReceivedDecorate(SearchGuardTransportService.java:232)
  at com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor.messageReceived(SearchGuardSSLTransportService.java:100)
  at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:75)
  at org.elasticsearch.transport.TransportService$4.doRun(TransportService.java:376)
  at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
  at java.lang.Thread.run(Thread.java:745)

If I comment out the dls stuff it works fine, but obviously the user isn't restricted. Should I just wait for a later release or am I doing something wrong here?

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/275f97f3-3ede-4a13-b638-2eb0c94af105%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/CAArf3736UFf0JypzmOUWMrQip2jS3FUmghVCXa5wm2PurmH37Q%40mail.gmail.com\.
For more options, visit https://groups.google.com/d/optout\.