How to delete or modify settings for searchguard index

Search Guard
1

If you think it is a bug report or you have a technical issue, please answer the following questions. For general questions, you can delete these questions.

Elasticsearch version: 6.8.2
SG version 6-6.8.2-25-5

Describe the issue:
After disk fulfillment all indices went to
“blocks” : {
“read_only_allow_delete” : “true”
},
as well as searchguard index.
I have extended disk space but also I need to remove this block with
‘{ “index.blocks.read_only_allow_delete”: null }’

I tried to make a curl with admin certificate but got

curl -k   --cert certificate.pem   --key mydomain.key    -XPUT "http://localhost:9200/_all/_settings"   -H 'Content-Type: application/json'   -d '{ "index.blocks.read_only_allow_delete": null }'
Unauthorized

Also I tried to use sgadmin.sh to remove searchguard index but

 ${SG_PLUGIN_DIR}/tools/sgadmin.sh -ts ${ES_STORE_DIR}/truststore.jks -tspass changeit   -ks ${ES_STORE_DIR}/broker.jks -kspass changeit   -dci -nhnv
Search Guard Admin v6
Will connect to localhost:9300 ... done
Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{JayJ2ve0RkitYofJmXQXVw}{localhost}{127.0.0.1:9300}]
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{JayJ2ve0RkitYofJmXQXVw}{localhost}{127.0.0.1:9300}]]
        at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:352)
        at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:248)
        at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:60)
        at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:388)
        at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:403)
        at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:391)
        at com.floragunn.searchguard.tools.SearchGuardAdmin.execute(SearchGuardAdmin.java:460)
        at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)

Provide configuration:
elasticsearch/config/elasticsearch.yml

path:
  logs: "/var/vcap/sys/log/elasticsearch"
  data: "/var/vcap/store/elasticsearch"
  repo: "/var/vcap/store/elasticsearch"

bootstrap.memory_lock: true
cluster.name: es_cluster
network.host: 0.0.0.0

xpack.security.enabled: false
searchguard.enterprise_modules_enabled: false
searchguard.enable_snapshot_restore_privilege: true

searchguard:
  authcz:
    admin_dn:
    - CN=broker,OU=client,O=client,L=test, C=DE
  ssl:
    transport:
      keystore_filepath: nodename-keystore.jks
      keystore_password: changeit
      truststore_filepath: truststore.jks
      truststore_password: changeit
      enforce_hostname_verification: false

elasticsearch/plugins/search-guard/sgconfig/sg_config.yml

searchguard:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #kibana:
      # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
      # see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
      # To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
      #multitenancy_enabled: true
      #server_username: kibanaserver
      #index: '.kibana'
      #do_not_fail_on_forbidden: false
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader:  'x-forwarded-for'
        proxiesHeader:   'x-forwarded-by'
        #trustedProxies: '.*' # trust all external proxies, regex pattern
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      basic_internal_auth_domain: 
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
2

Hi. The curl option -k, --insecure makes every TLS connection secure by ignoring the verification phase. You shouldn’t use it if you provide the certificates. And you need to provide the root CA certificate to make it work. Also, execute the curl command in the verbose mode to display the connection details.

For example

curl -v \
  --cert /path/to/certificate.pem  \
  --key /path/to/mydomain.key \
  --cacert /path/to/root-ca.pem  \
  -XPUT "http://localhost:9200/_all/_settings" \
  -H 'Content-Type: application/json' \
  -d '{ "index.blocks.read_only_allow_delete": null }'

P.S. Make sure the certificates can be reached via the specified path.

3

I have extracted certs from broker.jks keystore that I used for cofniguration SG

${SG_PLUGIN_DIR}/tools/sgadmin.sh \
  -ts ${ES_STORE_DIR}/truststore.jks -tspass changeit \
  -ks ${ES_STORE_DIR}/broker.jks -kspass changeit \
  -cd ${SG_CONFIG_DIR}/sgconfig -icl -nhnv

curl -v   --cert certificate.pem    --key mydomain.key   --cacert root.crt    -XPUT "http://localhost:9200/_all/_settings"   -H 'Content-Type: application/json'   -d '{ "index.blocks.read_only_allow_delete": null }'
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9200 (#0)
> PUT /_all/_settings HTTP/1.1
> Host: localhost:9200
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 47
> 
* upload completely sent off: 47 out of 47 bytes
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Search Guard"
< content-type: text/plain; charset=UTF-8
< content-length: 12
< 
* Connection #0 to host localhost left intact
4

Do you see any error in the Elasticsearch log?

5

no. I made tail -f for es_cluster.log and made curl. any new line…

6

I see we both did a typo in the curl command. It should be HTTPS: -XPUT "https://localhost:9200/_all/_settings". I tried the command locally on my machine and got {"acknowledged":true}.

7 
curl -v \
>   --cert certificate.pem  \
>   --key mydomain.key \
>   --cacert root-ca.crt  \
>   -XPUT "https://localhost:9200/_all/_settings" \
>   -H 'Content-Type: application/json' \
>   -d '{ "index.blocks.read_only_allow_delete": null }'
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9200 (#0)
* found 1 certificates in root-ca.crt
* found 516 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: An unexpected TLS packet was received.
* Closing connection 0
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.

how many certs you has in * found 1 certificates in root-ca.crt
8

Please look at the Elasticsearch logs now and paste it here if there is any error.

9

still nothing…

10

It sounds like the root-ca.crt is wrong.

11

I looked at your elasticsearch.yml again and saw no searchguard.ssl.http configuration? Did you cut the config by accident when you paste it or you really don’t have searchguard.ssl.http?

12

I don’t have searchguard.ssl.http at all
Is
searchguard:
authcz:
admin_dn:
- CN=broker,OU=client,O=client,L=test, C=DE
make to sense without Configuring TLS | Elasticsearch Security | Search Guard configuration ?

13

Now it looks like that
xpack.security.enabled: false
searchguard.enterprise_modules_enabled: true #- ----- set this to test REST API access
searchguard.enable_snapshot_restore_privilege: true
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: broker.jks
searchguard.restapi.roles_enabled: [“sg_all_access,admin”]
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard:
authcz:
admin_dn:
- CN=broker,OU=client,O=client,L=test, C=DE

14

Ok, did you try the curl command with this new configuration? What was the result? Check the Elasticsearch log for errors if the result is not {"acknowledged":true}.

15

This works!!! Thank you very much

1 Like
16

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.