Initializing Search Guard with ACLs

I am trying to map a process to install a new ElasticSearch cluster with SearchGuard already installed and configured with an admin user.

First, I believe I need to make sure to generate the search_guard.key and distribute it to all the nodes.

Second, I believe I need to have the searchguard/ac/ac document with the ACLs already loaded somehow into ElasticSearch before SearchGuard is enabled. Is there a way to do this without having to start up ElasticSearch with SearchGuard disabled, loading the document, and restarting with it enabled?

Is there anything else I would need to think about?

Roshan

Hello,

I’m interested to know as well, as I’m trying to deploy search-guard with Chef. At the moment we just start a single node, create the index and start the automatized process.

On Wednesday, July 8, 2015 at 7:49:20 PM UTC+2, Roshan Punnoose wrote:

> I am trying to map a process to install a new ElasticSearch cluster with SearchGuard already installed and configured with an admin user.
>
> First, I believe I need to make sure to generate the search_guard.key and distribute it to all the nodes.
>
> Second, I believe I need to have the searchguard/ac/ac document with the ACLs already loaded somehow into ElasticSearch before SearchGuard is enabled. Is there a way to do this without having to start up ElasticSearch with SearchGuard disabled, loading the document, and restarting with it enabled?
>
> Is there anything else I would need to think about?
>
> Roshan

> I am trying to map a process to install a new ElasticSearch cluster with SearchGuard already installed and configured with an admin user.
>
> First, I believe I need to make sure to generate the search_guard.key and distribute it to all the nodes.

Yes.

> Second, I believe I need to have the searchguard/ac/ac document with the ACLs already loaded somehow into ElasticSearch before SearchGuard is enabled. Is there a way to do this without having to start up ElasticSearch with SearchGuard disabled, loading the document, and restarting with it enabled?

You can start with sg enabled and then install the ACL from one's node machine using "localhost:<port>".
See also the following config property:
#searchguard.allow_all_from_loopback: false

> Is there anything else I would need to think about?

I am sure about that :)

On 08.07.2015 at 19:49, Roshan Punnoose <roshanp@gmail.com> wrote:

> Roshan
