- Search Guard and Elasticsearch version
SearchGuard 6 - 6.2.2-21
Elasticsearch - 6.2.2
- Installed and used enterprise modules, if any
- JVM version and operating system version
OpenJDK Runtime Environment (build 1.8.0_161-b14)
OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)
Red Hat Enterprise Linux Server release 7.4 (Maipo)
- Search Guard configuration files
- Elasticsearch log messages on debug level
- Other installed Elasticsearch or Kibana plugins, if any
Kibana Searchguard plugin.
I have an Elasticsearch cluster with two nodes. I use different admin certificates on different nodes of the cluster, and only the admin DN of the respective node is mentioned in the elasticsearch.yml.
When I initialize the cluster for the first time, it completes successfully. After that, if I try initializing it from the other node of the cluster, it fails with the error below.
ERR: Cannot retrieve cluster state due to: no permissions for [cluster:monitor/health] and User [name=C=US,O=Avaya,CN=Breeze44-sm100.inblrlab.avaya.com, roles=, requestedTenant=null].
Root cause: ElasticsearchSecurityException[no permissions for [cluster:monitor/health] and User [name=C=US,O=Avaya,CN=Breeze44-sm100.inblrlab.avaya.com, roles=, requestedTenant=null]] (org.elasticsearch.ElasticsearchSecurityException/org.elasticsearch.ElasticsearchSecurityException)
This used to work on Searchguard 5 without any issues.
After some trial and error, I was able to get around this by adding the admin DN of the other node in the elasticsearch.yml file. But I don’t want to do this, as there is no way for one node to find the admin DN of the other node.
Is this some new security check added in Searchguard 6? Is there a way to disable this check so that it can work the way it used to on Searchguard 5?