If you think it is a bug report or you have a technical issue, please answer the following questions. For general questions, you can delete these questions.
Elasticsearch version: 7.17.3
Server OS version: Windows 2019
Kibana version (if relevant): 7.17.3
Browser version (if relevant):
Browser OS version (if relevant):
Describe the issue: [Failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]]
You will see the following warning message when installating Search Guard. Confirm it by pressing ‘y’:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessClassInPackage.sun.misc
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission loadLibrary.*
* java.lang.reflect.ReflectPermission suppressAccessChecks
* java.security.SecurityPermission getProperty.ssl.KeyManagerFactory.algorithm
...
```I do not get the POP UP , To Click on YES for these additional permissions in Windows. How should i go about giving additional permissions
3.
**Expected behavior:**
**Provide configuration:**
elasticsearch/config/elasticsearch.yml
elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml
kibana/config/kibana.yml (if relevant)
**Provide logs:**
Elasticsearch
Kibana (if relevant)
**Screenshots (if relevant):**
**Errors in browser console (if relevant):**
**Additional data:**
@AKCG12 I didn’t, you did in your example.
The Warning message will appear with or without -b (–batch) option. The only difference is that with the -b option you won’t be asked to type Y during installation.
What is your current issue? Is your cluster running after the SG installation?
I have installed the SG Plugin, but my Elastic nodes are not coming up. it throws up an error message :
failed to load plugin class(com.floragunn.searchguard.searchguard plugin)
So, i am thinking is this error related to the java permissions. so trying to give permissions while re-installing the plugin
Please find the files : elasticsearch.yml and the config.yml(from the Search Guard folder)
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
# ---------------------------------- Security ----------------------------------
#
# *** WARNING ***
#
# Elasticsearch security features are not enabled by default.
# These features are free, but require configuration changes to enable them.
# This means that users don’t have to provide credentials and can get full access
# to the cluster. Network connections are also not encrypted.
#
# To protect your data, we strongly encourage you to enable the Elasticsearch security features.
# Refer to the following documentation for instructions.
#
# https://www.elastic.co/guide/en/elasticsearch/reference/7.16/configuring-stack-security.html
cluster.name: HAL-Cluster
node.name: node-1
node.master: true
node.data: true
network.host: 10.xx.xx.xx
#network.host: localhost
http.port: 9200
#discovery.type: single-node
##cluster.initial_master_nodes: ["10.xx.xx.xx", "10.xx.xx.xx", "10.xx.xx.xx"]
discovery.seed_hosts: ["10.xx ", "10.xx", "10.xx"]
cluster.initial_master_nodes: ["node-1", "node-2", "node-3"]
xpack.security.enabled: false
searchguard.ssl.transport.pemcert_filepath: D:\elasticsearch-7.17.3-windows-x86_64\elasticsearch-7.17.3\config\node1.cer
searchguard.ssl.transport.pemkey_filepath: D:\elasticsearch-7.17.3-windows-x86_64\elasticsearch-7.17.3\config\node1.key
searchguard.ssl.transport.pemtrustedcas_filepath: D:\elasticsearch-7.17.3-windows-x86_64\elasticsearch-7.17.3\config\HAL-CA
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.nodes_dn:
- CN=LXX,OU=ID,O=HA,DC=baa,DC=com
- CN=LXX,OU=ID,O=HA,DC=baa,DC=com
- CN=LXX,OU=ID,O=HA,DC=baa,DC=com
searchguard.authcz.admin_dn:
- CN=LXX,OU=ID,O=HA,L=baa, C=com
#xpack.security.transport.ssl.enabled: true
xpack.license.self_generated.type: basic
searchguard.disabled: false
# You need to configure at least one authentication domain in the authc of this file.
# An authentication domain is responsible for extracting the user credentials from
# the request and for validating them against an authentication backend like Active Directory for example.
#
# If more than one authentication domain is configured the first one which succeeds wins.
# If all authentication domains fail then the request is unauthenticated.
# In this case an exception is thrown and/or the HTTP status is set to 401.
#
# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
# the roles from a given backend for the authenticated user.
#
# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both.
# http_enabled: true
# transport_enabled: true
#
# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to
# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated.
# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "sg_anonymous"
# and one role named "sg_anonymous_backendrole".
# If you enable anonymous authentication all HTTP authenticators will not challenge.
#
#
# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
# first and the challenging one last.
# Because it's not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
#
# Default value of the challenge flag is true.
#
#
# HTTP
# basic (challenging)
# proxy (not challenging, needs xff)
# kerberos (challenging) NOT FREE FOR COMMERCIAL
# clientcert (not challenging, needs https)
# jwt (not challenging) NOT FREE FOR COMMERCIAL
# host (not challenging) #DEPRECATED, will be removed in a future version.
# host based authentication is configurable in sg_roles_mapping
# Authc
# internal
# noop
# ldap NOT FREE FOR COMMERCIAL USE
# Authz
# ldap NOT FREE FOR COMMERCIAL USE
# noop
# For more details pls refer to https://docs.search-guard.com/latest/authentication-authorization
_sg_meta:
type: "config"
config_version: 2
sg_config:
dynamic:
# Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#do_not_fail_on_forbidden: false
#kibana:
# Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
# In addition to the config options below you need to set do_not_fail_on_forbidden to true (see above).
# Kibana needs to be configured for multi tenancy as well.
# See https://docs.search-guard.com/latest/kibana-multi-tenancy for details
#multitenancy_enabled: true
#server_username: kibanaserver
#index: '.kibana'
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
#internalProxies: '.*' # trust all internal proxies, regex pattern
#remoteIpHeader: 'x-forwarded-for'
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
auth_token_provider: # NOT FREE FOR COMMERCIAL USE
# To enable using Search Guard auth tokens, you also need to enable the sg_issued_jwt_auth_domain below.
enabled: false
# JWTs produced by Search Guard are signed by default with a symmetric HMAC512 hash. For production systems,
# you must replace the value specified here by your own key. You can generate a new key for example with:
# openssl rand -base64 512 | tr '/+' '_-'
# If you want ot use another signature algorithm, you can specify a complete JWK using the attriubute jwt_signing_key.
# Refer to the documentation for details.
jwt_signing_key_hs512: "eTDZjSqRD9Abhod9iqeGX_7o93a-eElTeXWAF6FmzQshmRIrPD-C9ET3pFjJ_IBrzmWIZDk8ig-X_PIyGmKsxNMsrU-0BNWF5gJq5xOp4rYTl8z66Tw9wr8tHLxLxgJqkLSuUCRBZvlZlQ7jNdhBBxgM-hdSSzsN1T33qdIwhrUeJ-KXI5yKUXHjoWFYb9tETbYQ4NvONowkCsXK_flp-E3F_OcKe_z5iVUszAV8QfCod1zhbya540kDejXCL6N_XMmhWJqum7UJ3hgf6DEtroPSnVpHt4iR5w9ArKK-IBgluPght03gNcoNqwz7p77TFbdOmUKF_PWy1bcdbaUoSg"
# JWTs produced by Search Guard are unencrypted by default. Set a key here to activate encryption using AES Key Wrap.
# If you want ot use another signature algorithm, you can specify a complete JWK using the attriubute jwt_encryption_key.
# Refer to the documentation for details.
#jwt_encryption_key_a256kw: "..."
# Specify the maximum time period an auth token may be valid. Omit max_validity to have keys with unlimited lifetime.
# Note that when creating auth tokens, users can specify an even shorter time period.
max_validity: "1y"
# This specifies the maximum number of valid tokens a user can have at the same time.
max_tokens_per_user: 100
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos # NOT FREE FOR COMMERCIAL USE
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
basic_internal_auth_domain:
description: "Authenticate via HTTP Basic against internal users database"
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
proxy_auth_domain:
description: "Authenticate via proxy"
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: "x-proxy-user"
roles_header: "x-proxy-roles"
authentication_backend:
type: noop
jwt_auth_domain:
description: "Authenticate via Json Web Token"
http_enabled: false
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
jwt_header: "Authorization"
jwt_url_parameter: null
roles_key: null
subject_key: null
authentication_backend:
type: noop
sg_issued_jwt_auth_domain:
description: "Authenticate via Json Web Tokens issued by Search Guard"
http_enabled: false
# This auth domain is only available for HTTP
order: 1
http_authenticator:
type: sg_auth_token
challenge: false
# This auth domain automatically pulls configuration from the auth_token_provider config above
authentication_backend:
type: sg_auth_token
clientcert_auth_domain:
description: "Authenticate via SSL client certificates"
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop
ldap:
description: "Authenticate via LDAP or Active Directory"
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
userbase: 'ou=people,dc=example,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(sAMAccountName={0})'
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: 'ou=groups,dc=example,dc=com'
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: true
userbase: 'ou=people,dc=example,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(uid={0})'
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
description: "Authorize via another Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
type: ldap # NOT FREE FOR COMMERCIAL USE
#config goes here ...
# auth_failure_listeners:
# ip_rate_limiting:
# type: ip
# allowed_tries: 10
# time_window_seconds: 3600
# block_expiry_seconds: 600
# max_blocked_clients: 100000
# max_tracked_clients: 100000
# internal_authentication_backend_limiting:
# type: username
# authentication_backend: intern
# allowed_tries: 10
# time_window_seconds: 3600
# block_expiry_seconds: 600
# max_blocked_clients: 100000
# max_tracked_clients: 100000
it has an extension, i have added and tried it still gives me the same error. I have a 3 node cluster.
Can i try the SG Config in only one Node and see if the node will come up…?
Is the PEM.KEY Password is needed in the yml configuration or will it run without the pem key.
i will get you the logs
@amalk12 If the cert/key were generated with a password then you must include it in elasticsearch.yml .
Also, you don’t have to put the full path to the cert. The cert file is enough as the SG plugin expects all of the certs to be in the config folder.
I am able to start my ELK Nodes, but now it says " Search guard not Initialized "
can you please help me with this and i do have kibana , so if i install Kibana plugin will that be fine and what should i configure in kibana yml to have search guard started
