Getting "no permissions for [cluster:monitor/health]" on SearchGuard 6

  • Search Guard and Elasticsearch version

SearchGuard 6 - 6.2.2-21

Elasticsearch - 6.2.2

  • Installed and used enterprise modules, if any

none

  • JVM version and operating system version

OpenJDK Runtime Environment (build 1.8.0_161-b14)

OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)

Red Hat Enterprise Linux Server release 7.4 (Maipo)

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

Kibana Searchguard plugin.

Hi,

I have an Elasticsearch cluster with two nodes. I use different admin certificates on different nodes of the cluster, and only the admin DN of the respective node is mentioned in the elasticsearch.yml.

When I initialize the cluster for the first time, it completes successfully. After that, if I try initializing it from the other node of the cluster, it fails with the below error.

```
ERR: Cannot retrieve cluster state due to: no permissions for [cluster:monitor/health] and User [name=C=US,O=Avaya,CN=Breeze44-sm100.inblrlab.avaya.com, roles=, requestedTenant=null].
Root cause: ElasticsearchSecurityException[no permissions for [cluster:monitor/health] and User [name=C=US,O=Avaya,CN=Breeze44-sm100.inblrlab.avaya.com, roles=, requestedTenant=null]] (org.elasticsearch.ElasticsearchSecurityException/org.elasticsearch.ElasticsearchSecurityException)
```

This used to work on Searchguard 5 without any issues.

After some trial and error I was able to get around this by adding the admin DN of the other node in the elasticsearch yml file. But I don’t want to do this as there is no way for one node to find the admin DN of the other node.

Is this some new security check added in Searchguard 6? Is there a way to disable this check so that it can work the way it used to on Searchguard 5?

This is unsupported and you should not do that. It was also unsupported for 5.x, and I think it was pure luck that it worked.
We need the elasticsearch.yml to be the same on all nodes (there are exceptions, but in general the values of all settings should be equal on all nodes).

Why do you want to have different admin certs for different nodes? What is your use case or your requirement here?

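A check for the condition the reply above describes, admin DN lists that differ between nodes, as an added example that is not part of the original thread or of Search Guard. The file contents, node names and DNs are constructed sample data; `searchguard.authcz.admin_dn` is the elasticsearch.yml setting that lists admin certificate DNs, and the example assumes the YAML block-list form and compares DNs as exact strings.

```python
# Added example: find admin-DN drift between nodes' elasticsearch.yml files.
# All file contents and DNs below are constructed sample data.
KEY = "searchguard.authcz.admin_dn"

NODE_A_YML = """\
cluster.name: demo
searchguard.authcz.admin_dn:
  - "CN=admin-a.example.test,O=Example,C=US"
"""
NODE_B_YML = """\
cluster.name: demo
searchguard.authcz.admin_dn:
  - "CN=admin-b.example.test,O=Example,C=US"
"""

def admin_dns(yml_text):
    """Return the DNs listed under KEY (YAML block-list form only)."""
    dns, in_list = set(), False
    for raw in yml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_list and line.startswith("- "):
            dns.add(line[2:].strip().strip("\"'"))
        else:
            # Any other key ends the list; KEY itself starts it.
            in_list = line.startswith(KEY + ":")
    return dns

def admin_dn_drift(nodes):
    """Map node -> admin DNs accepted elsewhere in the cluster but not on it."""
    per_node = {name: admin_dns(text) for name, text in nodes.items()}
    everywhere = set().union(*per_node.values())
    return {n: sorted(everywhere - d) for n, d in per_node.items() if everywhere - d}

def rejecting_nodes(nodes, client_dn):
    """Nodes whose config does not list client_dn as an admin certificate."""
    return sorted(n for n, text in nodes.items() if client_dn not in admin_dns(text))

if __name__ == "__main__":
    cluster = {"node-a": NODE_A_YML, "node-b": NODE_B_YML}
    for node, missing in admin_dn_drift(cluster).items():
        print(f"{node}: missing admin DN(s) {missing}")
    print(rejecting_nodes(cluster, "CN=admin-b.example.test,O=Example,C=US"))
```

An empty result from `admin_dn_drift` means every node lists the same admin DNs, which is the state the reply asks for.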

Hi,

I have two existing cert stores on my product used for different types of communication like one for HTTP and one for SIP.

So I use one of them as the node certificate and the other one as the admin certificate for each node. So the admin DN on each node will be different.


You may not want to do that.
