Issue when using the certificate's EMAILADDRESS field in a transport client.

Hello,

We are using Searchguard-SSL 2.4.1.19 for the transport client, Searchguard-SSL 2.4.1.16 and Searchguard-2 2.4.1.7 for elasticsearch 2.4.1.

Below is the configuration which is related to our issue:


sg_internal_users.yml:

'EMAILADDRESS=our-dept@swift.com, CN=our-app, OU=Our Dept, O=OurCompany, L=A City, C=BE':
  hash: "_transport_only_"

sg_roles_mapping.yml:

read_write:
  users:
    - 'EMAILADDRESS=our-dept@swift.com, CN=our-app, OU=Our Dept, O=OurCompany, L=A City, C=BE'

sg_config.yml:

transport_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
  authentication_backend:
    type: internal


And this is the error we obtain:

org.elasticsearch.transport.RemoteTransportException: [Martha Johansson][172.18.0.3:9300][cluster:monitor/nodes/liveness]
Caused by: org.elasticsearch.ElasticsearchSecurityException: java.util.concurrent.ExecutionException: java.lang.Exception: no such user 1.2.840.113549.1.9.1=#161e6f617369732d61646d696e2d73797367726f75704073776966742e636f6d,CN=our-app, OU=Our Dept, O=OurCompany, L=A City, C=BE

at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:303) ~[na:na]
at com.floragunn.searchguard.transport.SearchGuardTransportService.messageReceivedDecorate(SearchGuardTransportService.java:254) ~[na:na]
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor.messageReceived(SearchGuardSSLTransportService.java:138) ~[search-guard-ssl-2.4.1.19.jar:2.4.1.19]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:77) ~[elasticsearch-2.4.1.jar:2.4.1]
at org.elasticsearch.transport.netty.MessageChannelHandler.handleRequest(MessageChannelHandler.java:227) ~[elasticsearch-2.4.1.jar:2.4.1]
at com.floragunn.searchguard.ssl.transport.SearchGuardMessageChannelHandler.handleRequest(SearchGuardMessageChannelHandler.java:62) ~[search-guard-ssl-2.4.1.19.jar:2.4.1.19]
at org.elasticsearch.transport.netty.MessageChannelHandler.messageReceived(MessageChannelHandler.java:116) ~[elasticsearch-2.4.1.jar:2.4.1]
at com.floragunn.searchguard.ssl.transport.SearchGuardMessageChannelHandler.messageReceived(SearchGuardMessageChannelHandler.java:50) ~[search-guard-ssl-2.4.1.19.jar:2.4.1.19]
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) ~[netty-3.10.6.Final.jar:na]
at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:75) ~[elasticsearch-2.4.1.jar:2.4.1]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) ~[netty-3.10.6.Final.jar:na]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[na:1.8.0_45]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[na:1.8.0_45]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]
Caused by: org.elasticsearch.common.io.stream.NotSerializableExceptionWrapper: execution_exception: java.lang.Exception: no such user 1.2.840.113549.1.9.1=#161e6f617369732d61646d696e2d73797367726f75704073776966742e636f6d,CN=our-app, OU=Our Dept, O=OurCompany, L=A City, C=BE
at com.google.common.util.concurrent.AbstractFuture$Sync.getValue(AbstractFuture.java:299) ~[na:na]
at com.google.common.util.concurrent.AbstractFuture$Sync.get(AbstractFuture.java:286) ~[na:na]
at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:116) ~[guava-19.0.jar:na]
at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:137) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2348) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2320) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2282) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2197) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache.get(LocalCache.java:3937) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4739) ~[guava-19.0.jar:na]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:277) ~[na:na]
… 39 common frames omitted
Caused by: org.elasticsearch.common.io.stream.NotSerializableExceptionWrapper: exception: no such user 1.2.840.113549.1.9.1=#161e6f617369732d61646d696e2d73797367726f75704073776966742e636f6d,CN=our-app, OU=Our Dept, O=OurCompany, L=A City, C=BE
at com.floragunn.searchguard.auth.BackendRegistry$4.call(BackendRegistry.java:298) ~[na:na]
at com.floragunn.searchguard.auth.BackendRegistry$4.call(BackendRegistry.java:277) ~[na:na]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4742) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3527) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2319) ~[guava-19.0.jar:na]
… 44 common frames omitted

My guess is that Searchguard-2 doesn't accept the dot in the email address. Is there a way to tackle this issue apart from removing the email address?

Thank you very much,

William.
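What the error above shows is an RFC 2253 rendering of the certificate subject: attribute types without a registered keyword (emailAddress, OID 1.2.840.113549.1.9.1, is one) are written as the dotted OID followed by a '#'-prefixed hex BER value, so the first RDN is tag 0x16 (IA5String), a length byte, then the bytes of the address, and a plain string lookup against the key in sg_internal_users.yml can never match. The Python below is an added illustration, not code from the thread or from Search Guard; it decodes that form and compares the configured key with the rendered DN after normalising both. The sample DN values are constructed for the example.

```python
import re

# Attribute types that an RFC 2253 renderer writes as a dotted OID plus '#'-hex BER value
# instead of a keyword (assumption: emailAddress is the only one that matters here).
OID_KEYWORDS = {"1.2.840.113549.1.9.1": "EMAILADDRESS"}
# ASN.1 string tags whose payload is plain text: UTF8String, PrintableString, IA5String.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}

def decode_ber_value(hexstr):
    """Decode a '#'-prefixed hex BER TLV such as '#1612...' back to text."""
    raw = bytes.fromhex(hexstr[1:])
    tag, length = raw[0], raw[1]
    if length & 0x80:  # long-form length never occurs for short RDN values; refuse rather than misparse
        raise ValueError("long-form BER length not supported")
    if tag not in STRING_TAGS:
        raise ValueError(f"unsupported ASN.1 tag 0x{tag:02x}")
    payload = raw[2:2 + length]
    if len(payload) != length:
        raise ValueError("truncated BER value")
    return payload.decode(STRING_TAGS[tag])

def encode_ber_ia5(text):
    """Inverse direction: render text as the '#'-prefixed IA5String form a node would log."""
    data = text.encode("ascii")
    if len(data) > 127:
        raise ValueError("long-form BER length not supported")
    return "#" + bytes([0x16, len(data)]).hex() + data.hex()

def normalize_dn(dn):
    """Canonical form: keyword attribute names, decoded values, no padding around separators."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on unescaped commas only
        attr, _, value = rdn.strip().partition("=")
        attr = OID_KEYWORDS.get(attr.strip().upper(), attr.strip().upper())
        value = value.strip()
        if value.startswith("#"):
            value = decode_ber_value(value)
        out.append(f"{attr}={value}")
    return ",".join(out)

def dn_matches(configured, presented):
    """True when the configured user key and the DN the node rendered name the same subject."""
    return normalize_dn(configured) == normalize_dn(presented)

# Constructed sample values: the key as written in sg_internal_users.yml and the same subject
# as the node renders it (tag 0x16, length 0x12 = 18 bytes, then the ASCII of the address).
CONFIGURED = "EMAILADDRESS=our-dept@swift.com, CN=our-app, OU=Our Dept, O=OurCompany, L=A City, C=BE"
PRESENTED = "1.2.840.113549.1.9.1=#16126f75722d646570744073776966742e636f6d,CN=our-app, OU=Our Dept, O=OurCompany, L=A City, C=BE"
```

Comparing CONFIGURED and PRESENTED as raw strings fails, while dn_matches() reports them as the same subject; the encode helper shows how the hex in the log is produced from the address.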

Seems EMAILADDRESS gets somehow decoded into its binary representation, can you open a GitHub issue for that?


On 09.01.2017 at 14:15, William Deveaux <william.deveaux@euranova.eu> wrote:

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ace5b775-c6d9-4ef9-9fb0-17568ae2bb44%40googlegroups.com.