Elasticsearch will not start with Searchguard plugin

We are using Elasticsearch version 1.5.2 and are working to implement Searchguard. We are only trying to get the plugin working but when we enable it elasticsearch will not start. This is the error that we are getting:

Failed to configure logging…
org.elasticsearch.ElasticsearchException: Failed to load logging configuration
  at org.elasticsearch.common.logging.log4j.LogConfigurator.resolveConfig(LogConfigurator.java:139)
  at org.elasticsearch.common.logging.log4j.LogConfigurator.configure(LogConfigurator.java:89)
  at org.elasticsearch.bootstrap.Bootstrap.setupLogging(Bootstrap.java:100)
  at org.elasticsearch.bootstrap.Bootstrap.main(Bootstrap.java:184)
  at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:32)
Caused by: java.nio.file.NoSuchFileException: /usr/share/elasticsearch/config
  at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
  at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
  at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
  at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:55)
  at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:144)
  at sun.nio.fs.LinuxFileSystemProvider.readAttributes(LinuxFileSystemProvider.java:97)
  at java.nio.file.Files.readAttributes(Files.java:1686)
  at java.nio.file.FileTreeWalker.walk(FileTreeWalker.java:109)
  at java.nio.file.FileTreeWalker.walk(FileTreeWalker.java:69)
  at java.nio.file.Files.walkFileTree(Files.java:2602)
  at org.elasticsearch.common.logging.log4j.LogConfigurator.resolveConfig(LogConfigurator.java:123)
  ... 4 more
log4j:WARN No appenders could be found for logger (node).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
{1.5.2}: Initialization Failed …
- ElasticsearchIllegalStateException[Failed to created node environment]
  AccessDeniedException[/usr/share/elasticsearch/data/elasticsearch/nodes/1]
org.elasticsearch.ElasticsearchIllegalStateException: Failed to created node environment
  at org.elasticsearch.node.internal.InternalNode.<init>(InternalNode.java:162)
  at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:159)
  at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:70)
  at org.elasticsearch.bootstrap.Bootstrap.main(Bootstrap.java:213)
  at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:32)
Caused by: java.nio.file.AccessDeniedException: /usr/share/elasticsearch/data/elasticsearch/nodes/1
  at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84)
  at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
  at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
  at sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:383)
  at java.nio.file.Files.createDirectory(Files.java:630)
  at java.nio.file.Files.createAndCheckIsDirectory(Files.java:734)
  at java.nio.file.Files.createDirectories(Files.java:720)
  at org.elasticsearch.env.NodeEnvironment.<init>(NodeEnvironment.java:105)
  at org.elasticsearch.node.internal.InternalNode.<init>(InternalNode.java:160)
  ... 4 more

The configuration we are using is as follows:

# Enable or disable the complete Searchguard plugin functionality
#searchguard.enabled: false

searchguard.check_for_root: false

# Path where to write/read the searchguard master key file
searchguard.key_path: /etc/searchguard

# When using DLS or FLS and a get or mget is performed then rewrite it as search request
searchguard.rewrite_get_as_search: true

#############################################################################################
# Authentication backend
#############################################################################################
# Validates the username and credentials
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend

#############################################################################################
# Authorization backend (authorizer)
#############################################################################################
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator

#############################################################################################
# HTTP authentication method
#############################################################################################
# Define HTTP authentication method. In future we will here have more like NTLM, SPNEGO/Kerberos and Digest.
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator

# Settings based authentication (define users and password directly here in the settings. Note: this is per node)
searchguard.authentication.settingsdb.user.admin: passwordadmin
searchguard.authentication.settingsdb.user.user1: passworduser1

# Settings based authorization (define users and their roles directly here in the settings. Note: this is per node)
searchguard.authentication.authorization.settingsdb.roles.admin: ["admin"]

# Configure the actionrequestfilter to allow or forbid action
searchguard.actionrequestfilter.names: ["readonly"]
searchguard.actionrequestfilter.readonly.allowed_actions: ["indices:data/read/*", "*monitor*"]
searchguard.actionrequestfilter.readonly.forbidden_actions: ["cluster:admin*", "indices:admin*", "indices:data/write*"]

The only acl that we have input is:

curl -XPUT 'http://localhost:9200/searchguard/ac/ac' -d '{
    "acl": [
    {
        "__Comment__": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.",
        "filters_bypass": [],
        "filters_execute": []
     },
     {
           "__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
           "roles": [
               "admin"
           ],
           "filters_bypass": ["*"],
           "filters_execute": []
     }
     ]
}'

Any help would be appreciated.

Yeah, I am running across the same issue and am interested in a fix.


On Monday, July 6, 2015 at 2:41:33 PM UTC-6, Artemis Black wrote:

We are using Elasticsearch version 1.5.2 and are working to implement Searchguard. We are only trying to get the plugin working but when we enable it elasticsearch will not start. This is the error that we are getting:


Does your node really start if you disable search-guard (setting searchguard.enabled: false)?
Seems like the logging.yml is missing in /usr/share/elasticsearch/config or the directory/file is not readable (wrong fs permissions).
Same for /usr/share/elasticsearch/data/elasticsearch/nodes/1, it seems Elasticsearch cannot create this directory due to an AccessDeniedException (Java Platform SE 7).


On 06.07.2015 at 22:41, Artemis Black <...@gmail.com> wrote:

We are using Elasticsearch version 1.5.2 and are working to implement Searchguard. We are only trying to get the plugin working but when we enable it elasticsearch will not start. This is the error that we are getting:

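The two filesystem checks suggested in the reply above, written out as an added shell example that is not part of the original thread or of Search Guard. The function names are hypothetical and the default paths are the ones shown in the stack traces; run it as the account that starts Elasticsearch (the account name depends on your install), because the `[ -r ]`, `[ -w ]` and `[ -x ]` tests evaluate the calling user's access.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for the two paths
# named in the stack traces. Function names are hypothetical.

# Print the deepest ancestor of $1 that exists (possibly $1 itself).
deepest_existing() {
    p=$1
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# First trace: NoSuchFileException on the config directory.
# Reports whether the directory and its logging.yml exist and are readable.
check_config_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then echo "missing: $dir"; return 1; fi
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then echo "unreadable: $dir"; return 1; fi
    if [ ! -f "$dir/logging.yml" ]; then echo "no-logging.yml: $dir"; return 1; fi
    if [ ! -r "$dir/logging.yml" ]; then echo "unreadable: $dir/logging.yml"; return 1; fi
    echo "ok: $dir/logging.yml"
}

# Second trace: AccessDeniedException while creating the node directory.
# Creation fails at the deepest existing ancestor if it is not writable
# and searchable, so that ancestor is the one to report.
check_data_dir() {
    target=$1
    base=$(deepest_existing "$target")
    if [ ! -d "$base" ]; then echo "not-a-directory: $base"; return 1; fi
    if [ ! -w "$base" ] || [ ! -x "$base" ]; then echo "not-writable: $base"; return 1; fi
    echo "ok: $target"
}

# Run both checks against an Elasticsearch home directory.
preflight() {
    home=${1:-/usr/share/elasticsearch}
    rc=0
    check_config_dir "$home/config" || rc=1
    check_data_dir "$home/data/elasticsearch/nodes/1" || rc=1
    return "$rc"
}

# Only runs when a home directory is passed on the command line.
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

A `not-writable:` line names the directory whose ownership or mode needs fixing, which is not necessarily the path printed in the exception.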