I really don't know where the problem is.

Search Guard and Elasticsearch version: 6.3.0

  • JVM version and operating system version: 1.8_144

Search Guard Admin v6

Will connect to 172.16.194.239:9300 … done

Unable to check whether cluster is sane: No user found for cluster:monitor/nodes/info

Connected as CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE

ERR: CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE is not an admin user

Seems you use a node certificate. This is not permitted, you have to use a client certificate and register it as admin_dn in elasticsearch.yml

My profile is

cluster.name: ops-elasticsearch-Alarm

node.name: ops-elasticsearch-Alarm-node04

node.master: false

node.data: true

path.data: /data/servers/elasticsearch-data

path.logs: /data/servers/elasticsearch-log

bootstrap.memory_lock: true

bootstrap.system_call_filter: false

indices.fielddata.cache.size: 50mb

network.host: 172.16.194.239

http.port: 9200

discovery.zen.minimum_master_nodes: 2

discovery.zen.fd.ping_timeout: 60s

discovery.zen.fd.ping_interval: 30s

discovery.zen.fd.ping_retries: 6

discovery.zen.ping.unicast.hosts: ["ops-elasticsearch-Alarm-master01","ops-elasticsearch-Alarm-master02","ops-elasticsearch-Alarm-master03"]

cluster.routing.allocation.node_initial_primaries_recoveries: 50

cluster.routing.allocation.node_concurrent_recoveries: 50

cluster.routing.allocation.cluster_concurrent_rebalance: 50

xpack.monitoring.collection.enabled: true

xpack.monitoring.enabled: true

xpack.graph.enabled: true

action.auto_create_index: "*"

searchguard.ssl.transport.keystore_type: JKS

searchguard.ssl.transport.keystore_filepath: node-ops-elasticsearch-Alarm-node04-keystore.jks

searchguard.ssl.transport.keystore_password: KtdzbtbwBKUo70Ze1u3X

searchguard.ssl.transport.truststore_type: JKS

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: KtdzbtbwBKUo70Ze1u3X

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: false

searchguard.ssl.http.keystore_filepath: node-ops-elasticsearch-Alarm-node04-keystore.jks

searchguard.ssl.http.keystore_password: KtdzbtbwBKUo70Ze1u3X

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: KtdzbtbwBKUo70Ze1u3X

http.compression: true

http.compression_level: 5

xpack.security.enabled: false

searchguard.authcz.admin_dn:

  - "CN=node-ops-elasticsearch-Alarm-node04,OU=client,O=client,L=test,C=DE"

Request help

The error message and the configuration in the configuration file do not match; I have no clue.

“Seems you use a node certificate. This is not permitted, you have to use a client certificate and register it as admin_dn in elasticsearch.yml”

You are trying to use a certificate that is configured/used as a node certificate when using sgadmin. This is not permitted; you need a separate client certificate.

Most likely the certificate in this JKS file here that is used on the node:

searchguard.ssl.transport.keystore_filepath: node-ops-elasticsearch-Alarm-node04-keystore.jks

contains this certificate here that you use when using sgadmin:

CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE

You need a separate certificate that is not used as node cert.

For the types of certificates please see here:

https://docs.search-guard.com/latest/tls-in-production#types-of-certificates
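The mismatch behind this error, as an added example that is not part of the original thread and not Search Guard's own code: it takes the DN from the "Connected as" line of the sgadmin output and diffs it, attribute by attribute, against the `searchguard.authcz.admin_dn` entry in the posted elasticsearch.yml. The function names and the line-based YAML reading are assumptions made for illustration, and the script does not reproduce how Search Guard itself compares DNs.

```python
import re

# Excerpts copied from the post above (YAML list dash and straight quotes restored).
SGADMIN_OUTPUT = """\
Connected as CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE
ERR: CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE is not an admin user
"""
ELASTICSEARCH_YML = """\
xpack.security.enabled: false
searchguard.authcz.admin_dn:
  - "CN=node-ops-elasticsearch-Alarm-node04,OU=client,O=client,L=test,C=DE"
"""

def parse_dn(dn):
    """Split a DN into {ATTR: value}; assumes each attribute type occurs once."""
    pairs = (rdn.partition("=") for rdn in re.split(r"(?<!\\),", dn.strip()))
    return {attr.strip().upper(): value.strip() for attr, _, value in pairs}

def presented_dn(sgadmin_output):
    """DN of the certificate sgadmin authenticated with ('Connected as ...')."""
    match = re.search(r"^Connected as (.+)$", sgadmin_output, re.MULTILINE)
    return match.group(1).strip() if match else None

def admin_dns(yml_text):
    """Entries listed under searchguard.authcz.admin_dn (line-based, no YAML library)."""
    entries, in_list = [], False
    for line in yml_text.splitlines():
        if line.startswith("searchguard.authcz.admin_dn:"):
            in_list = True
        elif in_list and line.strip().startswith("- "):
            entries.append(line.strip()[2:].strip().strip("\"'"))
        elif in_list and line.strip():
            in_list = False  # the next top-level key ends the list
    return entries

def diff_dn(presented, configured):
    """Attributes that differ, marked 'case' when only letter case differs."""
    a, b = parse_dn(presented), parse_dn(configured)
    out = {}
    for attr in sorted(set(a) | set(b)):
        left, right = a.get(attr), b.get(attr)
        if left != right:
            same_ci = left is not None and right is not None and left.lower() == right.lower()
            out[attr] = (left, right, "case" if same_ci else "value")
    return out

if __name__ == "__main__":
    dn = presented_dn(SGADMIN_OUTPUT)
    for entry in admin_dns(ELASTICSEARCH_YML):
        for attr, (got, want, kind) in diff_dn(dn, entry).items():
            print(f"{attr}: presented={got!r} admin_dn={want!r} ({kind})")
```

On the posted values the diff lists CN, OU and O as different values and L as a case-only difference, so the certificate sgadmin presented is not the one named in `admin_dn`.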


On Monday, July 23, 2018 at 4:07:59 AM UTC+2, 付浩 wrote:
