- Search Guard and Elasticsearch version
Elastic Search, Kibana : 6.4.2
Search Guard: equivalent version for Elastic and Kibana
- JVM version and operating system version
Java version 10.0.2 with MacOS
======
My personal goal is creating a new account for practice, but I couldn’t log in to Kibana with the created account.
The given default accounts (e.g. admin, readall and logstash) work well with my setting.
I tried uncountable times to log in, but it says “account or password is wrong”.
Please, I need your help.
The following steps are what I did for my personal setup.
- Installed search-guard to elastic-search and kibana
- extracted demo certificates to elastic-search config folder.
- added extra lines to elasticsearch.yml as follows
    # ------------------ X-pack (Jin's Code) ------------------------
    xpack.security.enabled: false
    xpack.monitoring.enabled: false
    xpack.graph.enabled: false
    xpack.watcher.enabled: false
    # -------------- Search Guard (Jin's Code) ---------------
    searchguard.ssl.transport.pemcert_filepath: esnode.pem
    searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
    searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    searchguard.ssl.transport.enforce_hostname_verification: false
    searchguard.ssl.http.enabled: true
    searchguard.ssl.http.pemcert_filepath: esnode.pem
    searchguard.ssl.http.pemkey_filepath: esnode-key.pem
    searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
    searchguard.allow_unsafe_democertificates: true
    searchguard.allow_default_init_sgindex: true
    searchguard.authcz.admin_dn:
      - CN=kirk,OU=client,O=client,L=test,C=de
- added extra lines to kibana.yml (for Kibana) as follows
    #===================Search Guard (Jin's Code)===================
    xpack.security.enabled: false
    searchguard.auth.type: "basicauth"
    elasticsearch.url: "https://localhost:9200"
    elasticsearch.ssl.verificationMode: none
    elasticsearch.username: "admin"
    elasticsearch.password: "admin"
- created an account in sg_internal_users.yml (…/plugins/search-guard-6/sgconfig/) as follows
    jin:
      hash: $2y$12$T0EYKXLrUNhAFzjacQmIj.SOQw6Jl5kH2yvVwtbZFmynrKBDpF/vO
      roles:
        - readall
- added extra line to sg_roles_mapping.yml as follows
    sg_readall:
      readonly: true
      backendroles:
        - readall
        - jin #new account
- restarted elastic-search and kibana
The Search Guard configuration is stored in an Elasticsearch index, so all nodes in the cluster have the same security settings (roles, users, permissions etc.). In order to apply configuration changes it is not sufficient to just change the files. You have to apply the changes by using sgadmin. Please refer to the “Applying configuration changes” chapter in the docs:
https://docs.search-guard.com/latest/sgadmin
If you use the demo installer, you will find a sgadmin_demo.sh script in the tools folder which contains a pre-configured sgadmin call.
Thank you for your useful reply, Mr. Kressin. I just got closer to the solution I’m looking for.
But it seems like I got another problem. I couldn’t find anything about sgadmin_demo.sh, so I executed sgadmin.sh instead.
I need more help.
My Command :
    bash sgadmin.sh -p 9200 -cd ../sgconfig/ -icl -nhnv --diagnose -cacert ../../../config/root-ca.pem -cert ../../../config/kirk.pem -key ../../../config/kirk-key.pem
I got this :
    WARNING: JAVA_HOME not set, will use /usr/bin/java
    Search Guard Admin v6
    WARNING: Seems you want connect to the Elasticsearch HTTP port.
    sgadmin connects on the transport port which is normally 9300.
    Will connect to localhost:9200 ... done
    Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{07V7_n7uQoGY6v8Zkt99EQ}{localhost}{127.0.0.1:9200}]
    ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
    Trace:
You need to execute sgadmin on the transport port (default: 9300), not on the HTTP port (default: 9200)
Wonderful, now it’s working. Thank you.
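
An added example, not part of the thread and not Search Guard's own tooling: a pre-flight check for the two points made in the replies above (edited files only take effect once sgadmin uploads them, and sgadmin must use the transport port), followed by the corrected call and a login check. The helper names, the `apply` argument and the `CONF` variable are hypothetical; paths assume the script is run from the plugin's tools folder, as in the command above.

```shell
#!/bin/sh
# Added example, not Search Guard tooling. Run from plugins/search-guard-6/tools.
# Helper names, "apply" and CONF are hypothetical.
CONF=${CONF:-../../../config}   # holds elasticsearch.yml and the demo admin certs

# Print a port setting from elasticsearch.yml, or the default if it is not set.
es_port() {  # es_port <elasticsearch.yml> <key> <default>
  key=$(printf '%s' "$2" | sed 's/\./\\./g')
  val=$(sed -n "s/^[[:space:]]*${key}:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1)
  echo "${val:-$3}"
}

# Return 0 if <port> is usable for sgadmin, 2 if it is the HTTP port,
# 3 if an admin certificate file is missing.
sgadmin_preflight() {  # sgadmin_preflight <config-dir> <port>
  http=$(es_port "$1/elasticsearch.yml" http.port 9200)
  transport=$(es_port "$1/elasticsearch.yml" transport.tcp.port 9300)
  if [ "$2" = "$http" ]; then
    echo "port $2 is the HTTP port; sgadmin needs the transport port ($transport)" >&2
    return 2
  fi
  for f in root-ca.pem kirk.pem kirk-key.pem; do
    [ -r "$1/$f" ] || { echo "cannot read $1/$f" >&2; return 3; }
  done
}

if [ "${1:-}" = "apply" ]; then
  port=${2:-$(es_port "$CONF/elasticsearch.yml" transport.tcp.port 9300)}
  sgadmin_preflight "$CONF" "$port" || exit $?
  # Upload sgconfig/ (sg_internal_users.yml, sg_roles_mapping.yml, ...) to the cluster.
  bash sgadmin.sh -p "$port" -cd ../sgconfig/ -icl -nhnv \
    -cacert "$CONF/root-ca.pem" -cert "$CONF/kirk.pem" -key "$CONF/kirk-key.pem" || exit $?
  # Confirm the new user now authenticates (curl prompts for the password).
  curl --cacert "$CONF/root-ca.pem" -u jin "https://localhost:9200/_searchguard/authinfo"
fi
```

Restarting Elasticsearch and Kibana is not a substitute for the upload step: the files in sgconfig/ are only read when sgadmin pushes them into the cluster.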