Errors from the client node

Here is my version:
elasticsearch2.2.0
search-guard-2-2.2.0.0-alpha2
search-guard-ssl-2.2.0.6

Before I installed sg2, Elasticsearch was green.
I have installed the sg2 in the 3 data nodes. 1 data node is used as the client node.

The client node's elasticsearch.yml is:

searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=tEst, C=De"
#SSL
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: kirk-keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: kirk-keystore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.enable_openssl_if_available: true
searchguard.ssl.transport.enable_openssl_if_available: true
security.manager.enabled: false

The other two nodes' elasticsearch.yml is:

#SSL
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node-1-keystore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.enable_openssl_if_available: true
searchguard.ssl.transport.enable_openssl_if_available: true
security.manager.enabled: false

When I finished the configuration, I ran Elasticsearch. There were some errors on the client node:
[internal:discovery/zen/unicast]]; nested: ElasticsearchSecurityException[Internal or shard requests not allowed from a client node];
Caused by: ElasticsearchSecurityException[Internal or shard requests not allowed from a client node]
at com.floragunn.searchguard.transport.SearchGuardTransportService.messageReceivedDecorate(SearchGuardTransportService.java:183)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor.messageReceived(SearchGuardSSLTransportService.java:107)
at org.elasticsearch.transport.netty.MessageChannelHandler.handleRequest(MessageChannelHandler.java:244)
at com.floragunn.searchguard.ssl.transport.SearchGuardMessageChannelHandler.handleRequest(SearchGuardMessageChannelHandler.java:57)
at org.elasticsearch.transport.netty.MessageChannelHandler.messageReceived(MessageChannelHandler.java:114)
at com.floragunn.searchguard.ssl.transport.SearchGuardMessageChannelHandler.messageReceived(SearchGuardMessageChannelHandler.java:45)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:75)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at

Here, I have some questions:

  1. In my cluster, I have 3 data nodes which can be elected as the master node. I regard one data node as the client node. Is the try right?

  2. Is the entry "searchguard.authcz.admin_dn:"CN=kirk,OU=client,O=client,l=tEst, C=De" " only put in the client node's elasticsearch.yml? There is no need in the other data nodes?

  3. What does the error above mean?

Thanks very much!

Please upgrade to ES 2.3.3 with SG 2.3.3.0-rc1 and SG SSL 2.3.3.11

1. In my cluster, I have 3 data nodes which can be elected as the master node. I regard one data node as the client node. Is the try right?

No, a #sgsn can never be a #sgnsnc (you have to use server certificates with the OID for all your nodes!)
See GitHub - floragunncom/search-guard: Search Guard Plugin - Security for Elasticsearch for terminology

2. Is the entry "searchguard.authcz.admin_dn:"CN=kirk,OU=client,O=client,l=tEst, C=De" " only put in the client node's elasticsearch.yml? There is no need in the other data nodes?

elasticsearch.yml needs to be identical for all nodes

3. What does the error above mean?

That you try to join the cluster with a client certificate (without OID) instead of a server certificate

Meanwhile we have good documentation for all this, pls. refer to https://github.com/floragunncom/search-guard-ssl-docs
You can also inspect the vagrant demos to see how it works:
- https://github.com/floragunncom/search-guard-ssl/blob/master/Vagrantfile
- https://github.com/floragunncom/search-guard/blob/master/Vagrantfile
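
The difference the answer draws between a server (node) certificate "with the OID" and a client certificate can be checked before a node is started. The following is an added example, not code from this thread or from the Search Guard project: it parses `keytool -list -v` output and reports whether a keystore entry carries the node OID in its Subject Alternative Name. It assumes the OID is `1.2.3.4.5.5` (the value used in Search Guard SSL's example scripts, not stated in this thread); the function names and both keystore listings are constructed for illustration.

```python
import re

# Assumption: OID that Search Guard SSL's example scripts place in node
# certificates as a SAN registered ID; the thread itself does not state it.
NODE_OID = "1.2.3.4.5.5"

# Constructed samples shaped like `keytool -list -v -keystore <file>` output.
NODE_KEYSTORE = """\
Alias name: node-1
Owner: CN=node-1.example.com, OU=SSL, O=Test, L=Test, C=DE
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node-1.example.com
  IPAddress: 127.0.0.1
  OIDName: 1.2.3.4.5.5
]
"""
CLIENT_KEYSTORE = """\
Alias name: kirk
Owner: CN=kirk, OU=client, O=client, L=Test, C=DE
#1: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
  clientAuth
]
"""

def audit_keystore(listing, node_oid=NODE_OID):
    """Return {alias: bool}: does the entry's SAN carry node_oid?"""
    result = {}
    alias, in_san = None, False
    for line in listing.splitlines():
        text = line.strip()
        m = re.match(r"Alias name:\s*(.+)", text)
        if m:
            alias, in_san = m.group(1), False
            result[alias] = False
        elif text.startswith("SubjectAlternativeName ["):
            in_san = True
        elif text == "]":
            in_san = False          # end of any extension block
        elif in_san and alias and text == f"OIDName: {node_oid}":
            result[alias] = True
    return result

def usable_as_node(listing):
    """True if at least one keystore entry carries the node OID."""
    return any(audit_keystore(listing).values())

if __name__ == "__main__":
    for name, listing in (("node-1", NODE_KEYSTORE), ("kirk", CLIENT_KEYSTORE)):
        print(name, "usable as node keystore:", usable_as_node(listing))
```

Run against the real output of `keytool -list -v` for each keystore named in `searchguard.ssl.transport.keystore_filepath`; a keystore like `kirk-keystore.jks` that reports no OID is a client certificate and will be rejected for internal transport requests as in the trace above.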

On 15.06.2016 at 07:22, Wei Hong <fzuerhw@gmail.com> wrote:

Really appreciate your great help.

On Wednesday, June 15, 2016 at 1:22:59 PM UTC+8, Wei Hong wrote:
