How to completely disable SSL in elasticsearch?

How to completely disable SSL in elasticsearch? Is it possible?

I just want to install and try for training purposes.

I don’t need SSL.

Why does the configuration not work? I can not find a working example.

How do I overwrite the properties, and which properties do I need to overwrite to disable SSL?

I set the following properties in the /usr/share/elasticsearch/config/elasticsearch.yml.

```
searchguard.ssl.http.enabled: false
searchguard.ssl.transport.enabled: false
```

But they do not work!

Why is nothing written about this in the official documentation?

Thanks for the help.

Stacktrace:

```
[2019-02-15T17:44:14,194][INFO ][o.e.n.Node ] [U97bnWL] JVM arguments [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.io.tmpdir=/tmp/elasticsearch-3921917390321531832, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.locale.providers=COMPAT, -XX:UseAVX=2, -Des.cgroups.hierarchy.override=/, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/usr/share/elasticsearch/config, -Des.distribution.flavor=default, -Des.distribution.type=tar]
[2019-02-15T17:44:19,529][INFO ][c.f.s.SearchGuardPlugin ] [U97bnWL] ES Config path is /usr/share/elasticsearch/config
[2019-02-15T17:44:19,663][ERROR][c.f.s.SearchGuardPlugin ] [U97bnWL] SSL not activated for http and/or transport.
SSL not activated for http and/or transport.
SSL not activated for http and/or transport.
[2019-02-15T17:44:19,687][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] JVM supports TLSv1.3
[2019-02-15T17:44:19,687][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] Config directory is /usr/share/elasticsearch/config/, from there the key- and truststore files are resolved relatively
[2019-02-15T17:44:19,687][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] TLS Transport Client Provider : null
[2019-02-15T17:44:19,688][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] TLS Transport Server Provider : null
[2019-02-15T17:44:19,689][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] TLS HTTP Provider : null
[2019-02-15T17:44:19,689][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] Enabled TLS protocols for transport layer :
[2019-02-15T17:44:19,689][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] Enabled TLS protocols for HTTP layer :
[2019-02-15T17:44:20,696][INFO ][c.f.s.SearchGuardPlugin ] [U97bnWL] Clustername: docker-cluster
[2019-02-15T17:44:20,710][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [U97bnWL] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.6.0.jar:6.6.0]
    at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:116) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.6.0.jar:6.6.0]
Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:608) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:550) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:465) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:157) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:337) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.0.jar:6.6.0]
    ... 6 more
Caused by: java.lang.reflect.InvocationTargetException
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:599) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:550) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:465) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:157) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:337) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.0.jar:6.6.0]
    ... 6 more
Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’
    at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:281) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:599) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:550) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:465) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:157) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:337) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.0.jar:6.6.0]
    ... 6 more
```

It is not possible to completely disable SSL with Search Guard

See https://search-guard.com/search-guard-ssl-tls/ and https://search-guard.com/search-guard-puts-security-first/


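The fact that TLS is mandatory on the transport layer is mentioned multiple times in the documentation, e.g.:

https://docs.search-guard.com/latest/search-guard-installation

https://docs.search-guard.com/latest/generating-tls-certificates#generating-tls-certificates

https://docs.search-guard.com/latest/configuring-tls#configuring-tls

Where should we place it in the docs to make it more obvious?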

`searchguard.ssl.transport.enabled`

This is not an official configuration key and it is also not mentioned in the docs. Can I ask where you found this option so we can improve the docs here as well? Did you get it from the source code?

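A pre-start check for the misconfiguration discussed in this thread, added here as an example (it is not Search Guard's code and not part of any post): it reads a flat `elasticsearch.yml`, flags the two `enabled: false` lines from the question, and verifies that the transport certificate files resolve against the config directory. The `pem*_filepath` and `keystore_filepath`/`truststore_filepath` key names are assumed to match the installed Search Guard version, and the file names in the sample are constructed.

```python
import re
from pathlib import Path

PREFIX = "searchguard.ssl.transport."
TRANSPORT_ENABLED = PREFIX + "enabled"          # key from the question
HTTP_ENABLED = "searchguard.ssl.http.enabled"   # key from the question

# Assumption: transport certificates are configured either as PEM files or as
# a keystore/truststore pair, using these Search Guard TLS setting names.
PEM_KEYS = [PREFIX + k for k in
            ("pemcert_filepath", "pemkey_filepath", "pemtrustedcas_filepath")]
JKS_KEYS = [PREFIX + k for k in ("keystore_filepath", "truststore_filepath")]

# The two lines posted in the question.
PAGE_CONFIG = """\
searchguard.ssl.http.enabled: false
searchguard.ssl.transport.enabled: false
"""

# Constructed sample: transport TLS configured with PEM files.
SAMPLE_TLS_CONFIG = """\
# constructed file names, resolved relative to the config directory
searchguard.ssl.transport.pemcert_filepath: node.pem
searchguard.ssl.transport.pemkey_filepath: node.key
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
"""


def parse_flat_settings(text):
    """Parse 'dotted.key: value' lines. Nested YAML is not handled."""
    settings = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()  # drop comments
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def check_config(text, config_dir):
    """Return a list of (level, code, message) findings for one config file."""
    s = parse_flat_settings(text)
    findings = []

    if s.get(TRANSPORT_ENABLED, "").lower() == "false":
        findings.append(("ERROR", "transport-tls-disabled",
                         TRANSPORT_ENABLED + " is false; the plugin aborts "
                         "startup with \"must be set to 'true'\""))
    if s.get(HTTP_ENABLED, "").lower() == "false":
        findings.append(("WARN", "http-tls-disabled",
                         HTTP_ENABLED + " is false; REST requests, including "
                         "basic-auth credentials, travel unencrypted"))

    # Transport TLS is mandatory, so certificate material must be configured.
    if all(k in s for k in PEM_KEYS):
        chosen = PEM_KEYS
    elif all(k in s for k in JKS_KEYS):
        chosen = JKS_KEYS
    else:
        chosen = []
        findings.append(("ERROR", "transport-certs-missing",
                         "no complete PEM or keystore/truststore settings "
                         "for the transport layer"))

    # Key and trust files are resolved relative to the config directory.
    for key in chosen:
        path = Path(config_dir) / s[key]
        if not path.is_file():
            findings.append(("ERROR", "file-not-found",
                             f"{key}: {path} does not exist"))
    return findings


if __name__ == "__main__":
    for level, code, message in check_config(
            PAGE_CONFIG, "/usr/share/elasticsearch/config"):
        print(f"{level:5} {code}: {message}")
```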

I understood you. I saw these links.

Too difficult to just set up and work. There is no normal manual and some demo account. I spent the day, even generating temporary keys and certificates - it did not work.

Did not further investigate. Installed nginx proxy with basic auth.

I think that I am not the only one who would love to use your product. But the complexity of the installation for educational purposes - repels.

Good luck.

On Monday, February 18, 2019 at 11:15:35 UTC+1, Jochen Kressin wrote:

The fact that TLS is mandatory on the transport layer is mentioned multiple times in the documentation, e.g.:

https://docs.search-guard.com/latest/search-guard-installation

https://docs.search-guard.com/latest/generating-tls-certificates#generating-tls-certificates

https://docs.search-guard.com/latest/configuring-tls#configuring-tls

Where should we place it in the docs to make it more obvious?

`searchguard.ssl.transport.enabled`

This is not an official configuration key and it is also not mentioned in the docs. Can I ask where you found this option so we can improve the docs here as well? Did you get it from the source code?


Can I ask you if you tried to use the demo installer? We’ve created it exactly for that purpose - install Search Guard, execute the demo installer, and we set everything for you, including certificates, demo user and roles and also the sgadmin command for making configuration changes.

This is of course not safe for production, but using the demo installer would give you exactly that: A secured cluster with basic authentication enabled.

···

On Monday, February 18, 2019 at 2:27:54 PM UTC+1, JWeb Dev wrote:

I understood you. I saw these links.

Too difficult to just set up and work. There is no normal manual and some demo account. I spent the day, even generating temporary keys and certificates - it did not work.

Did not further investigate. Installed nginx proxy with basc auth.

I think that I am not the only one who would love to use your product. But the complexity of the installation for educational purposes - repels.

Good luck.

понедельник, 18 февраля 2019 г., 11:15:35 UTC+1 пользователь Jochen Kressin написал:

The fact that TLS is mandatory on the transport layer is mentioned multiple times in the documentation, e.g.:

https://docs.search-guard.com/latest/search-guard-installation

https://docs.search-guard.com/latest/generating-tls-certificates#generating-tls-certificates

https://docs.search-guard.com/latest/configuring-tls#configuring-tls

Where should we place it in the docs to make it more obvious?

searchguard.ssl.transport.enabled

``

This is not an official configuration key and it is also not mentioned in the docs. Can I ask where you found this option so we can improve the docs here as well? Did you get it from the source code?

Yes, I did all these things. Everything looked successful, but then I simply didn’t have access to the Elasticsearch host. I could not even read the information or state (health). Therefore, my pods on Kubernetes simply did not come up. And I did not have the patience to continue to look for reasons.

Please tell me where the official documentation says, step by step, what should be done. I found it all in some repository, and the documentation there was not the best.

On Monday, February 18, 2019 at 5:48:49 PM UTC+1, Jochen Kressin wrote:

Can I ask you if you tried to use the demo installer? We’ve created it exactly for that purpose - install Search Guard, execute the demo installer, and we set everything for you, including certificates, demo user and roles and also the sgadmin command for making configuration changes.

This is of course not safe for production, but using the demo installer would give you exactly that: A secured cluster with basic authentication enabled.

On Monday, February 18, 2019 at 2:27:54 PM UTC+1, JWeb Dev wrote:

I understood you. I saw these links.

Too difficult to just set up and work. There is no normal manual and some demo account. I spent the day, even generating temporary keys and certificates - it did not work.

Did not further investigate. Installed nginx proxy with basic auth.

I think that I am not the only one who would love to use your product. But the complexity of the installation for educational purposes - repels.

Good luck.

On Monday, February 18, 2019 at 11:15:35 AM UTC+1, Jochen Kressin wrote:

The fact that TLS is mandatory on the transport layer is mentioned multiple times in the documentation, e.g.:

https://docs.search-guard.com/latest/search-guard-installation

https://docs.search-guard.com/latest/generating-tls-certificates#generating-tls-certificates

https://docs.search-guard.com/latest/configuring-tls#configuring-tls

Where should we place it in the docs to make it more obvious?

`searchguard.ssl.transport.enabled`

This is not an official configuration key and it is also not mentioned in the docs. Can I ask where you found this option so we can improve the docs here as well? Did you get it from the source code?

You can find the official docs here:

https://docs.search-guard.com/latest/index

If you are using Kubernetes, we are also providing Helm charts to help you set up a SG secured ES cluster and Kibana:

https://docs.search-guard.com/latest/search-guard-kubernetes-helm

If a cluster is secured by Search Guard, every request to ES has to be authenticated. This also affects the health check. If you want to implement a health check that bypasses auth/auth, you can use this endpoint:

https://docs.search-guard.com/latest/search-guard-installation#search-guard-health-check

This is also helpful when you are running the health check on a system that is not able to speak HTTPS for the health checks, e.g. AWS LBs.
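Added example, not part of the original thread and not Search Guard's own code: a small preflight check that applies the rule behind the startup error in the first post (`searchguard.ssl.transport.enabled must be set to 'true'`) to the posted configuration and to a constructed corrected one. The function names and certificate file names are placeholders, and treating an absent `searchguard.ssl.transport.enabled` as enabled is an assumption about the plugin's default.

```python
# Preflight check for the Search Guard TLS settings in elasticsearch.yml.
# Illustrative code written for this thread; severities are this script's own.

# Settings quoted in the original post: the node refuses to start with these.
POSTED = """\
searchguard.ssl.http.enabled: false
searchguard.ssl.transport.enabled: false
"""

# Constructed corrected settings. File names are placeholders for certificates
# you generate yourself (or that the demo installer generates).
CORRECTED = """\
# TLS on the transport layer is mandatory, so give the node its certificates
searchguard.ssl.transport.pemcert_filepath: node.pem
searchguard.ssl.transport.pemkey_filepath: node-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
# TLS on the REST layer is the part that can be switched off
searchguard.ssl.http.enabled: false
"""

PREFIX = "searchguard.ssl.transport."
PEM_KEYS = ("pemcert_filepath", "pemkey_filepath", "pemtrustedcas_filepath")
JKS_KEYS = ("keystore_filepath", "truststore_filepath")


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines used in elasticsearch.yml."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def check_transport_tls(text):
    """Return a list of (severity, message) findings for one config."""
    cfg = parse_flat_yaml(text)
    findings = []

    # Assumption: an absent key means transport TLS is enabled by default.
    if cfg.get(PREFIX + "enabled", "true").lower() != "true":
        findings.append(
            ("fatal", "searchguard.ssl.transport.enabled must be set to 'true'")
        )

    # Either a PEM triple or a keystore/truststore pair must be configured.
    has_pem = all(cfg.get(PREFIX + k) for k in PEM_KEYS)
    has_jks = all(cfg.get(PREFIX + k) for k in JKS_KEYS)
    if not (has_pem or has_jks):
        findings.append(
            ("fatal", "no certificate material configured for the transport layer")
        )

    if cfg.get("searchguard.ssl.http.enabled", "false").lower() != "true":
        findings.append(
            ("warn", "REST layer is plain HTTP: credentials are sent unencrypted")
        )
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name)
        for severity, message in check_transport_tls(text):
            print(f"  [{severity}] {message}")
```
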

I wanted to install Search Guard as a plugin. And here Search Guard is a wrapper for Kibana and Elasticsearch. I think it should be the other way around. It is strange to pack the main product as a plug-in dependency.

I don’t know, I didn’t get an add-on under Elasticsearch, because the health API was not authorized. Why not make the status and health check public? Why not see the standard Elasticsearch URL? I understand that you have your own arguments. But from the user’s point of view, installation is very difficult. And believe me, after a day of playing over the plugin, there is no desire to return to it.

Official documentation. As for me, a person who just wants to install and to work - it is not at all. I still do not understand how Search Guard drags into the overall architecture. Any visual scheme? How could I know that the URL has changed to check the status? I have a lot of questions from the user’s point of view. But as I wrote above, just a lost day trying to figure it out. Write more visual documentation of what’s going on behind the scenes.

On Monday, February 18, 2019 at 7:37:10 PM UTC+1, Jochen Kressin wrote:

You can find the official docs here:

https://docs.search-guard.com/latest/index

If you are using Kubernetes, we are also providing Helm charts to help you set up a SG secured ES cluster and Kibana:

https://docs.search-guard.com/latest/search-guard-kubernetes-helm

If a cluster is secured by Search Guard, every request to ES has to be authenticated. This also affects the health check. If you want to implement a health check that bypasses auth/auth, you can use this endpoint:

https://docs.search-guard.com/latest/search-guard-installation#search-guard-health-check

This is also helpful when you are running the health check on a system that is not able to speak HTTPS for the health checks, e.g. AWS LBs.

On Monday, February 18, 2019 at 7:23:27 PM UTC+1, JWeb Dev wrote:

Yes, I did all these things. Everything looked successful, but then I simply didn’t have access to the elasticsearch host. Even the information or state(health) could not read. Therefore, my pods on the kubernetes simply did not rise. And I did not have the patience to continue to look for reasons.

Please tell me where in the official documentation, step by step it says what should be done? I found it all in some repository and the documentation there was not the best.

понедельник, 18 февраля 2019 г., 17:48:49 UTC+1 пользователь Jochen Kressin написал:

Can I ask you if you tried to use the demo installer? We’ve created it exactly for that purpose - install Search Guard, execute the demo installer, and we set everything for you, including certificates, demo user and roles and also the sgadmin command for making configuration changes.

This is of course not safe for production, but using the demo installer would give you exactly that: A secured cluster with basic authentication enabled.

On Monday, February 18, 2019 at 2:27:54 PM UTC+1, JWeb Dev wrote:

I understood you. I saw these links.

Too difficult to just set up and work. There is no normal manual and some demo account. I spent the day, even generating temporary keys and certificates - it did not work.

Did not further investigate. Installed nginx proxy with basic auth.

I think that I am not the only one who would love to use your product. But the complexity of the installation for educational purposes - repels.

Good luck.

On Monday, February 18, 2019 at 11:15:35 AM UTC+1, Jochen Kressin wrote:

The fact that TLS is mandatory on the transport layer is mentioned multiple times in the documentation, e.g.:

https://docs.search-guard.com/latest/search-guard-installation

https://docs.search-guard.com/latest/generating-tls-certificates#generating-tls-certificates

https://docs.search-guard.com/latest/configuring-tls#configuring-tls

Where should we place it in the docs to make it more obvious?

searchguard.ssl.transport.enabled

This is not an official configuration key and it is also not mentioned in the docs. Can I ask where you found this option so we can improve the docs here as well? Did you get it from the source code?

On Friday, February 15, 2019 at 7:05:14 PM UTC+1, JWeb Dev wrote:

How to completely disable SSL in elasticsearch? It is possible?

I just want to install and try for training purposes.

I don’t need SSL.

Why does the configuration not work? I can not find a working example.

How to overwrite the properties and what properties need to overwrite to disable the SSL?

I set the following properties in the /usr/share/elasticsearch/config/elasticsearch.yml.

searchguard.ssl.http.enabled: false

searchguard.ssl.transport.enabled: false

But they do not work!

Why is nothing written about this in the official documentation?

Thanks for the help.

Stacktrace:

[2019-02-15T17:44:14,194][INFO ][o.e.n.Node ] [U97bnWL] JVM arguments [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.io.tmpdir=/tmp/elasticsearch-3921917390321531832, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.locale.providers=COMPAT, -XX:UseAVX=2, -Des.cgroups.hierarchy.override=/, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/usr/share/elasticsearch/config, -Des.distribution.flavor=default, -Des.distribution.type=tar]

[2019-02-15T17:44:19,529][INFO ][c.f.s.SearchGuardPlugin ] [U97bnWL] ES Config path is /usr/share/elasticsearch/config

[2019-02-15T17:44:19,663][ERROR][c.f.s.SearchGuardPlugin ] [U97bnWL] SSL not activated for http and/or transport.

SSL not activated for http and/or transport.

SSL not activated for http and/or transport.

[2019-02-15T17:44:19,687][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] JVM supports TLSv1.3

[2019-02-15T17:44:19,687][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] Config directory is /usr/share/elasticsearch/config/, from there the key- and truststore files are resolved relatively

[2019-02-15T17:44:19,687][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] TLS Transport Client Provider : null

[2019-02-15T17:44:19,688][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] TLS Transport Server Provider : null

[2019-02-15T17:44:19,689][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] TLS HTTP Provider : null

[2019-02-15T17:44:19,689][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] Enabled TLS protocols for transport layer :

[2019-02-15T17:44:19,689][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] Enabled TLS protocols for HTTP layer :

[2019-02-15T17:44:20,696][INFO ][c.f.s.SearchGuardPlugin ] [U97bnWL] Clustername: docker-cluster

[2019-02-15T17:44:20,710][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [U97bnWL] uncaught exception in thread [main]

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.6.0.jar:6.6.0]
    at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:116) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.6.0.jar:6.6.0]

Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:608) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:550) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:465) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:157) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:337) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.0.jar:6.6.0]
    ... 6 more

Caused by: java.lang.reflect.InvocationTargetException

    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:599) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:550) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:465) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:157) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:337) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.0.jar:6.6.0]
    ... 6 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

    at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:281) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:599) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:550) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:465) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:157) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:337) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.0.jar:6.6.0]
    ... 6 more

Ok, I can understand that, and we can surely improve the docs by adding more visual guidelines. However, Search Guard is not a wrapper for Kibana or Elasticsearch, it is a regular plugin just like any other ES/KI plugin. We use the official Elasticsearch plugin API to hook in the security features, so I don’t fully understand what you mean by “pack the main product as a plug-in dependency”.

Also, we do have a couple of slide decks which explain the architecture and the request flow with Search Guard:

The decks are linked as additional resources at the end of the corresponding documentation pages.

As for the installation process, yes, if you want to install Search Guard for production usage you need to understand how TLS and RBAC works. We are distributing security software, and in my opinion there is no such thing as one-click security software. For production ready security there is no way around diving a bit deeper into the product. Making the status page publicly available for example would leak information and we would not even get Search Guard certified.

For a PoC, on the other hand, there is the demo installer. This is just one single script you need to execute, and you end up with a fully functional cluster with demo users and roles and all features enabled. I do understand your frustration, but for us, security always comes first, and ease of use second.

To improve on the user experience, may I ask you which other ES security product you find easier to work with, and why? It would be very helpful so we can improve the product and the documentation.

Thanks for your input!

On Tuesday, February 19, 2019 at 8:53:41 AM UTC+1, JWeb Dev wrote:

I wanted to install Search Guard as a plugin. And here Search Guard as a wrapper for kibana and elasticsearch. I think it should be the other way around. It is strange to pack the main product as a plug-in dependency.

I don’t know, I didn’t get an add-on under Elasticsearch, because the health API was not authorized. Why not make the status and health check public. Why not see the standard elasticsearch url. I understand that you have your own arguments. But from the user’s point of view, installation is very difficult. And believe me, after a day of playing over the plugin, there is no desire to return to it.

Official documentation. As for me, a person who just wants to install and to work - it is not at all. I still do not understand how the Search Guard drags into the overall architecture. Any visual scheme? How could I know that the url has changed to check the status? I have a lot of questions from the user’s point of view. But as I wrote above, just a lost day trying to figure it out. Write more visual documentation of what’s going on behind the scenes.

On Monday, February 18, 2019 at 7:37:10 PM UTC+1, Jochen Kressin wrote:

You can find the official docs here:

https://docs.search-guard.com/latest/index

If you are using Kubernetes, we are also providing Helm charts to help you set up a SG secured ES cluster and Kibana:

https://docs.search-guard.com/latest/search-guard-kubernetes-helm

If a cluster is secured by Search Guard, every request to ES has to be authenticated. This also affects the health check. If you want to implement a health check that bypasses auth/auth, you can use this endpoint:

https://docs.search-guard.com/latest/search-guard-installation#search-guard-health-check

This is also helpful when you are running the health check on a system that is not able to speak HTTPS for the health checks, e.g. AWS LBs.

On Monday, February 18, 2019 at 7:23:27 PM UTC+1, JWeb Dev wrote:

Yes, I did all these things. Everything looked successful, but then I simply didn’t have access to the elasticsearch host. Even the information or state(health) could not read. Therefore, my pods on the kubernetes simply did not rise. And I did not have the patience to continue to look for reasons.

Please tell me where in the official documentation, step by step it says what should be done? I found it all in some repository and the documentation there was not the best.

On Monday, February 18, 2019 at 5:48:49 PM UTC+1, Jochen Kressin wrote:

Can I ask you if you tried to use the demo installer? We’ve created it exactly for that purpose - install Search Guard, execute the demo installer, and we set everything for you, including certificates, demo user and roles and also the sgadmin command for making configuration changes.

This is of course not safe for production, but using the demo installer would give you exactly that: A secured cluster with basic authentication enabled.

On Monday, February 18, 2019 at 2:27:54 PM UTC+1, JWeb Dev wrote:

I understood you. I saw these links.

Too difficult to just set up and work. There is no normal manual and some demo account. I spent the day, even generating temporary keys and certificates - it did not work.

Did not further investigate. Installed nginx proxy with basic auth.

I think that I am not the only one who would love to use your product. But the complexity of the installation for educational purposes - repels.

Good luck.

On Monday, February 18, 2019 at 11:15:35 AM UTC+1, Jochen Kressin wrote:

The fact that TLS is mandatory on the transport layer is mentioned multiple times in the documentation, e.g.:

https://docs.search-guard.com/latest/search-guard-installation

https://docs.search-guard.com/latest/generating-tls-certificates#generating-tls-certificates

https://docs.search-guard.com/latest/configuring-tls#configuring-tls

Where should we place it in the docs to make it more obvious?

searchguard.ssl.transport.enabled

This is not an official configuration key and it is also not mentioned in the docs. Can I ask where you found this option so we can improve the docs here as well? Did you get it from the source code?

On Friday, February 15, 2019 at 7:05:14 PM UTC+1, JWeb Dev wrote:

How to completely disable SSL in elasticsearch? It is possible?

I just want to install and try for training purposes.

I don’t need SSL.

Why does the configuration not work? I can not find a working example.

How to overwrite the properties and what properties need to overwrite to disable the SSL?

I set the following properties in the /usr/share/elasticsearch/config/elasticsearch.yml.

searchguard.ssl.http.enabled: false

searchguard.ssl.transport.enabled: false

But they do not work!

Why is nothing written about this in the official documentation?

Thanks for the help.

Stacktrace:

[2019-02-15T17:44:14,194][INFO ][o.e.n.Node ] [U97bnWL] JVM arguments [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.io.tmpdir=/tmp/elasticsearch-3921917390321531832, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.locale.providers=COMPAT, -XX:UseAVX=2, -Des.cgroups.hierarchy.override=/, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/usr/share/elasticsearch/config, -Des.distribution.flavor=default, -Des.distribution.type=tar]

[2019-02-15T17:44:19,529][INFO ][c.f.s.SearchGuardPlugin ] [U97bnWL] ES Config path is /usr/share/elasticsearch/config

[2019-02-15T17:44:19,663][ERROR][c.f.s.SearchGuardPlugin ] [U97bnWL] SSL not activated for http and/or transport.

SSL not activated for http and/or transport.

SSL not activated for http and/or transport.

[2019-02-15T17:44:19,687][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] JVM supports TLSv1.3

[2019-02-15T17:44:19,687][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] Config directory is /usr/share/elasticsearch/config/, from there the key- and truststore files are resolved relatively

[2019-02-15T17:44:19,687][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] TLS Transport Client Provider : null

[2019-02-15T17:44:19,688][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] TLS Transport Server Provider : null

[2019-02-15T17:44:19,689][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] TLS HTTP Provider : null

[2019-02-15T17:44:19,689][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] Enabled TLS protocols for transport layer :

[2019-02-15T17:44:19,689][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] Enabled TLS protocols for HTTP layer :

[2019-02-15T17:44:20,696][INFO ][c.f.s.SearchGuardPlugin ] [U97bnWL] Clustername: docker-cluster

[2019-02-15T17:44:20,710][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [U97bnWL] uncaught exception in thread [main]

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.6.0.jar:6.6.0]
    at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:116) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.6.0.jar:6.6.0]

Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:608) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:550) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:465) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:157) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:337) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.0.jar:6.6.0]
    ... 6 more

Caused by: java.lang.reflect.InvocationTargetException

    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:599) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:550) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:465) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:157) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:337) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.0.jar:6.6.0]
    ... 6 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to ‘true’

    at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:281) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:599) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:550) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:465) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:157) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:337) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.0.jar:6.6.0]
    ... 6 more
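
In the startup log quoted above, the first exception line only says the plugin failed to load; the actionable message is the last "Caused by" entry. The following is an added example, not part of the thread and not Search Guard code: it pulls that innermost cause and the setting it names out of a constructed, abridged copy of the log (the function and class names are hypothetical).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: an abridged copy of the startup log quoted in this thread.
SAMPLE_LOG = """\
[2019-02-15T17:44:19,529][INFO ][c.f.s.SearchGuardPlugin ] [U97bnWL] ES Config path is /usr/share/elasticsearch/config
[2019-02-15T17:44:19,663][ERROR][c.f.s.SearchGuardPlugin ] [U97bnWL] SSL not activated for http and/or transport.
[2019-02-15T17:44:20,710][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [U97bnWL] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-6.6.0.jar:6.6.0]
Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:608) ~[elasticsearch-6.6.0.jar:6.6.0]
    ... 6 more
Caused by: java.lang.reflect.InvocationTargetException
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    ... 6 more
Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to \u2018true\u2019
    at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:281) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    ... 6 more
"""

# "[timestamp][LEVEL][logger] [node] message", the record layout seen in the quoted log.
RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]+?)\s*\]"
    r"\s*\[(?P<node>[^\]]+)\]\s*(?P<msg>.*)$"
)
# Top-level exception line or a "Caused by:" line: dotted class name, optional message.
EXCEPTION = re.compile(
    r"^(?:Caused by: )?(?P<cls>(?:[\w$]+\.)+[\w$]+)(?:: (?P<msg>.*))?$"
)
# Indented stack frame: "    at pkg.Class.method(File.java:123) ...".
FRAME = re.compile(r"^\s+at (?P<frame>\S+\(.*?\))")
# "<key> must be set to '<value>'", accepting straight or typographic quotes.
SETTING = re.compile(
    r"(?P<key>[\w.]+) must be set to ['\u2018\u2019](?P<value>\w+)['\u2018\u2019]"
)


@dataclass
class RootCause:
    exception: str
    message: str
    origin: Optional[str] = None          # first stack frame under the cause
    setting: Optional[str] = None         # configuration key named in the message
    required_value: Optional[str] = None  # value the message demands


def error_records(log_text: str) -> List[str]:
    """Return the messages of all ERROR-level log records, in order."""
    messages = []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m and m.group("level") == "ERROR":
            messages.append(m.group("msg"))
    return messages


def root_cause(log_text: str) -> Optional[RootCause]:
    """Return the innermost exception of the trace, or None if there is none."""
    cause = None
    for line in log_text.splitlines():
        m = EXCEPTION.match(line)
        if m:
            # Each later exception line is nested deeper, so the last one wins.
            cause = RootCause(m.group("cls"), m.group("msg") or "")
            continue
        f = FRAME.match(line)
        if f and cause is not None and cause.origin is None:
            cause.origin = f.group("frame")
    if cause is not None:
        s = SETTING.search(cause.message)
        if s:
            cause.setting = s.group("key")
            cause.required_value = s.group("value")
    return cause


if __name__ == "__main__":
    for msg in error_records(SAMPLE_LOG):
        print("ERROR record:", msg)
    rc = root_cause(SAMPLE_LOG)
    if rc:
        print("Root cause:", rc.exception, "-", rc.message)
        print("Raised at: ", rc.origin)
        if rc.setting:
            print("Setting:   ", rc.setting, "must be", rc.required_value)
```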

I understand that perfectly. I called it a wrapper in conjunction with Helm chart.

I did not find them unfortunately. Yes, and as I said, I did not want to deal with all this.

At the expense of a productive instance, you are right. I agree with you and I will not argue.

As you can see from my case. The demo installer is not well documented. Not everything is collected in one place. No visual image. It is not clear which url (with credentials) to call to check the health status. Give examples of curl commands. In general, the best test will be to install your product to a complete stranger and see what difficulties it will face.

I am not a sysadministrator, I am a developer. I do not have a big deal with Elasticsearch products.

On Tuesday, February 19, 2019 at 6:59:59 PM UTC+1, Jochen Kressin wrote:

Ok, I can understand that, and we can surely improve the docs by adding more visual guidelines. However, Search Guard is not a wrapper for Kibana or Elasticsearch, it is a regular plugin just like any other ES/KI plugin. We use the official Elasticsearch plugin API to hook in the security features, so I don’t fully understand what you mean by “pack the main product as a plug-in dependency”.

Also, we do have a couple of slide decks which explain the architecture and the request flow with Search Guard:

https://docs.search-guard.com/latest/search-guard-presentations

The decks are linked as additional resources at the end of the corresponding documentation pages.

As for the installation process, yes, if you want to install Search Guard for production usage you need to understand how TLS and RBAC works. We are distributing security software, and in my opinion there is no such thing as one-click security software. For production ready security there is no way around diving a bit deeper into the product. Making the status page publicly available for example would leak information and we would not even get Search Guard certified.

For a PoC, on the other hand, there is the demo installer. This is just one single script you need to execute, and you end up with a fully functional cluster with demo users and roles and all features enabled. I do understand your frustration, but for us, security always comes first, and ease of use second.

To improve on the user experience, may I ask you which other ES security product you find easier to work with, and why? It would be very helpful so we can improve the product and the documentation.

Thanks for your input!

On Tuesday, February 19, 2019 at 8:53:41 AM UTC+1, JWeb Dev wrote:

I wanted to install Search Guard as a plugin. And here Search Guard as a wrapper for kibana and elasticsearch. I think it should be the other way around. It is strange to pack the main product as a plug-in dependency.

I don’t know, I didn’t get an add-on under Elasticsearch, because the health API was not authorized. Why not make the status and health check public. Why not see the standard elasticsearch url. I understand that you have your own arguments. But from the user’s point of view, installation is very difficult. And believe me, after a day of playing over the plugin, there is no desire to return to it.

Official documentation. As for me, a person who just wants to install and to work - it is not at all. I still do not understand how the Search Guard drags into the overall architecture. Any visual scheme? How could I know that the url has changed to check the status? I have a lot of questions from the user’s point of view. But as I wrote above, just a lost day trying to figure it out. Write more visual documentation of what’s going on behind the scenes.

On Monday, February 18, 2019 at 7:37:10 PM UTC+1, Jochen Kressin wrote:

You can find the official docs here:

https://docs.search-guard.com/latest/index

If you are using Kubernetes, we are also providing Helm charts to help you set up a SG secured ES cluster and Kibana:

https://docs.search-guard.com/latest/search-guard-kubernetes-helm

If a cluster is secured by Search Guard, every request to ES has to be authenticated. This also affects the health check. If you want to implement a health check that bypasses auth/auth, you can use this endpoint:

https://docs.search-guard.com/latest/search-guard-installation#search-guard-health-check

This is also helpful when you are running the health check on a system that is not able to speak HTTPS for the health checks, e.g. AWS LBs.

On Monday, February 18, 2019 at 7:23:27 PM UTC+1, JWeb Dev wrote:

Yes, I did all these things. Everything looked successful, but then I simply didn’t have access to the elasticsearch host. Even the information or state(health) could not read. Therefore, my pods on the kubernetes simply did not rise. And I did not have the patience to continue to look for reasons.

Please tell me where in the official documentation, step by step it says what should be done? I found it all in some repository and the documentation there was not the best.

On Monday, February 18, 2019 at 5:48:49 PM UTC+1, Jochen Kressin wrote:

Can I ask you if you tried to use the demo installer? We’ve created it exactly for that purpose - install Search Guard, execute the demo installer, and we set everything for you, including certificates, demo user and roles and also the sgadmin command for making configuration changes.

This is of course not safe for production, but using the demo installer would give you exactly that: A secured cluster with basic authentication enabled.

On Monday, February 18, 2019 at 2:27:54 PM UTC+1, JWeb Dev wrote:

I understood you. I saw these links.

Too difficult to just set up and work. There is no normal manual and some demo account. I spent the day, even generating temporary keys and certificates - it did not work.

Did not further investigate. Installed nginx proxy with basic auth.

I think that I am not the only one who would love to use your product. But the complexity of the installation for educational purposes - repels.

Good luck.

On Monday, February 18, 2019 at 11:15:35 AM UTC+1, Jochen Kressin wrote:

The fact that TLS is mandatory on the transport layer is mentioned multiple times in the documentation, e.g.:

https://docs.search-guard.com/latest/search-guard-installation

https://docs.search-guard.com/latest/generating-tls-certificates#generating-tls-certificates

https://docs.search-guard.com/latest/configuring-tls#configuring-tls

Where should we place it in the docs to make it more obvious?

searchguard.ssl.transport.enabled

This is not an official configuration key and it is also not mentioned in the docs. Can I ask where you found this option so we can improve the docs here as well? Did you get it from the source code?

On Friday, February 15, 2019 at 7:05:14 PM UTC+1, JWeb Dev wrote:

How to completely disable SSL in elasticsearch? It is possible?

I just want to install and try for training purposes.

I don’t need SSL.

Why does the configuration not work? I can not find a working example.

How to overwrite the properties and what properties need to overwrite to disable the SSL?

I set the following properties in the /usr/share/elasticsearch/config/elasticsearch.yml.

searchguard.ssl.http.enabled: false

searchguard.ssl.transport.enabled: false

But they do not work!

Why is nothing written about this in the official documentation?

Thanks for the help.

Stacktrace:

[2019-02-15T17:44:14,194][INFO ][o.e.n.Node ] [U97bnWL] JVM arguments [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.io.tmpdir=/tmp/elasticsearch-3921917390321531832, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.locale.providers=COMPAT, -XX:UseAVX=2, -Des.cgroups.hierarchy.override=/, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/usr/share/elasticsearch/config, -Des.distribution.flavor=default, -Des.distribution.type=tar]

[2019-02-15T17:44:19,529][INFO ][c.f.s.SearchGuardPlugin ] [U97bnWL] ES Config path is /usr/share/elasticsearch/config

[2019-02-15T17:44:19,663][ERROR][c.f.s.SearchGuardPlugin ] [U97bnWL] SSL not activated for http and/or transport.

SSL not activated for http and/or transport.

SSL not activated for http and/or transport.

[2019-02-15T17:44:19,687][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] JVM supports TLSv1.3

[2019-02-15T17:44:19,687][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] Config directory is /usr/share/elasticsearch/config/, from there the key- and truststore files are resolved relatively

[2019-02-15T17:44:19,687][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] TLS Transport Client Provider : null

[2019-02-15T17:44:19,688][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] TLS Transport Server Provider : null

[2019-02-15T17:44:19,689][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] TLS HTTP Provider : null

[2019-02-15T17:44:19,689][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] Enabled TLS protocols for transport layer :

[2019-02-15T17:44:19,689][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [U97bnWL] Enabled TLS protocols for HTTP layer :

[2019-02-15T17:44:20,696][INFO ][c.f.s.SearchGuardPlugin ] [U97bnWL] Clustername: docker-cluster

[2019-02-15T17:44:20,710][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [U97bnWL] uncaught exception in thread [main]

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.6.0.jar:6.6.0]
    at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:116) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.6.0.jar:6.6.0]

Caused by: java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]

    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:608) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:550) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:465) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:157) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:337) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.0.jar:6.6.0]
    ... 6 more

Caused by: java.lang.reflect.InvocationTargetException

    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:599) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:550) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:465) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:157) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:337) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.0.jar:6.6.0]
    ... 6 more

Caused by: java.lang.IllegalStateException: searchguard.ssl.transport.enabled must be set to 'true'

    at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:281) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:599) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:550) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:465) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:157) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:337) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.0.jar:6.6.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.0.jar:6.6.0]
    ... 6 more
