Hello,
We are using Searchguard-SSL 2.4.1.19 for the transport client, Searchguard-SSL 2.4.1.16 and Searchguard-2 2.4.1.7 for elasticsearch 2.4.1.
Below is the configuration which is related to our issue:
···
sg_internal_users.yml:
…
'EMAILADDRESS=our-dept@swift?com, CN=our-app, OU=Our Dept, O=OurCompany, L=A City, C=BE':
  hash: "transport_only"
…
sg_roles_mapping.yml:
…
read_write:
  users:
    - 'EMAILADDRESS=our-dept@swift.com, CN=our-app, OU=Our Dept, O=OurCompany, L=A City, C=BE'
…
sg_config.yml:
…
transport_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
  authentication_backend:
    type: internal
…
And this is the error we obtain:
org.elasticsearch.transport.RemoteTransportException: [Martha Johansson][172.18.0.3:9300][cluster:monitor/nodes/liveness]
Caused by: org.elasticsearch.ElasticsearchSecurityException: java.util.concurrent.ExecutionException: java.lang.Exception: no such user 1.2.840.113549.1.9.1=#161e6f617369732d61646d696e2d73797367726f75704073776966742e636f6d,CN=our-app, OU=Our Dept, O=OurCompany, L=A City, C=BE
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:303) ~[na:na]
at com.floragunn.searchguard.transport.SearchGuardTransportService.messageReceivedDecorate(SearchGuardTransportService.java:254) ~[na:na]
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService$Interceptor.messageReceived(SearchGuardSSLTransportService.java:138) ~[search-guard-ssl-2.4.1.19.jar:2.4.1.19]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:77) ~[elasticsearch-2.4.1.jar:2.4.1]
at org.elasticsearch.transport.netty.MessageChannelHandler.handleRequest(MessageChannelHandler.java:227) ~[elasticsearch-2.4.1.jar:2.4.1]
at com.floragunn.searchguard.ssl.transport.SearchGuardMessageChannelHandler.handleRequest(SearchGuardMessageChannelHandler.java:62) ~[search-guard-ssl-2.4.1.19.jar:2.4.1.19]
at org.elasticsearch.transport.netty.MessageChannelHandler.messageReceived(MessageChannelHandler.java:116) ~[elasticsearch-2.4.1.jar:2.4.1]
at com.floragunn.searchguard.ssl.transport.SearchGuardMessageChannelHandler.messageReceived(SearchGuardMessageChannelHandler.java:50) ~[search-guard-ssl-2.4.1.19.jar:2.4.1.19]
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) ~[netty-3.10.6.Final.jar:na]
at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:75) ~[elasticsearch-2.4.1.jar:2.4.1]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) ~[netty-3.10.6.Final.jar:na]
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) ~[netty-3.10.6.Final.jar:na]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[na:1.8.0_45]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[na:1.8.0_45]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]
Caused by: org.elasticsearch.common.io.stream.NotSerializableExceptionWrapper: execution_exception: java.lang.Exception: no such user 1.2.840.113549.1.9.1=#161e6f617369732d61646d696e2d73797367726f75704073776966742e636f6d,CN=our-app, OU=Our Dept, O=OurCompany, L=A City, C=BE
at com.google.common.util.concurrent.AbstractFuture$Sync.getValue(AbstractFuture.java:299) ~[na:na]
at com.google.common.util.concurrent.AbstractFuture$Sync.get(AbstractFuture.java:286) ~[na:na]
at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:116) ~[guava-19.0.jar:na]
at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:137) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2348) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2320) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2282) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2197) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache.get(LocalCache.java:3937) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4739) ~[guava-19.0.jar:na]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:277) ~[na:na]
… 39 common frames omitted
Caused by: org.elasticsearch.common.io.stream.NotSerializableExceptionWrapper: exception: no such user 1.2.840.113549.1.9.1=#161e6f617369732d61646d696e2d73797367726f75704073776966742e636f6d,CN=our-app, OU=Our Dept, O=OurCompany, L=A City, C=BE
at com.floragunn.searchguard.auth.BackendRegistry$4.call(BackendRegistry.java:298) ~[na:na]
at com.floragunn.searchguard.auth.BackendRegistry$4.call(BackendRegistry.java:277) ~[na:na]
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4742) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3527) ~[guava-19.0.jar:na]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2319) ~[guava-19.0.jar:na]
… 44 common frames omitted
My guess is that Searchguard-2 doesn't accept the dot in the email address. Is there a way to tackle this issue apart from removing the email address?
Thank you very much,
William.
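
Added example (not part of the original post and not Search Guard's code): the user name in the error above is a subject DN in RFC 2253 string form, where an attribute type with no short name is written as its dotted OID and its value as `#` followed by the hex of its BER encoding; 1.2.840.113549.1.9.1 is the PKCS #9 emailAddress type. The sketch decodes that form and compares it with a configured key; the sample DNs, the address dept@example.com and all function names are constructed for illustration.

```python
import re

# PKCS #9 emailAddress has no short name in RFC 2253 output (subset map).
OID_NAMES = {"1.2.840.113549.1.9.1": "EMAILADDRESS"}
# ASN.1 string tags handled here: UTF8String, PrintableString, IA5String.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}

# Constructed sample values (assumptions, not taken from the post).
CONFIGURED = ("EMAILADDRESS=dept@example.com, CN=our-app, OU=Our Dept, "
              "O=OurCompany, L=A City, C=BE")
PRESENTED = ("1.2.840.113549.1.9.1=#161064657074406578616d706c652e636f6d,"
             "CN=our-app, OU=Our Dept, O=OurCompany, L=A City, C=BE")


def decode_hex_value(hexstr):
    """Decode the hex after '#': one BER string TLV with a short-form length."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2 or raw[0] not in STRING_TAGS:
        raise ValueError("unsupported ASN.1 type")
    if raw[1] & 0x80 or raw[1] != len(raw) - 2:
        raise ValueError("long-form or inconsistent length")
    return raw[2:].decode(STRING_TAGS[raw[0]])


def split_rdns(dn):
    """Split on unescaped commas (multi-valued RDNs with '+' are not handled)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def readable_dn(dn):
    """Rewrite OID=#hex components as NAME=value; leave other components alone."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = (s.strip() for s in rdn.partition("="))
        if value.startswith("#"):
            value = decode_hex_value(value[1:])
        out.append(f"{OID_NAMES.get(attr, attr)}={value}")
    return ", ".join(out)


def canonical(dn):
    """Decoded (TYPE, value) pairs, so spacing and name case do not matter."""
    pairs = (r.partition("=") for r in split_rdns(readable_dn(dn)))
    return [(a.strip().upper(), v.strip()) for a, _, v in pairs]


if __name__ == "__main__":
    print("exact match: ", CONFIGURED == PRESENTED)
    print("decoded form:", readable_dn(PRESENTED))
    print("same subject:", canonical(CONFIGURED) == canonical(PRESENTED))
```

The two strings name the same subject yet differ character for character, which is what an exact-match lookup of the configured key would see.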