kibana cannot connect to elasticsearch when searchguard is on with ArrayIndexOutOfBoundsException[0]

hello i’m sorry for asking so many questions but i couldn’t get searchguard to work with kibana 4.0.2. and i couldn’t figure out what’s the problem…

btw, plain search against elasticsearch works and searchguard seems to be functioning as intended. it just stops working whenever kibana is involved…

kibana goes to the following error page as soon as i verify myself as user ‘marketing’ with role ‘guest’:

```
Fatal Error

Courier Fetch Error: unhandled error Error: ArrayIndexOutOfBoundsException[0]
    at respond (http://127.0.0.1:9548/index.js?_b=6004:81691:15)
    at checkRespForFailure (http://127.0.0.1:9548/index.js?_b=6004:81659:7)
    at http://127.0.0.1:9548/index.js?_b=6004:80322:7
    at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
    at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
    at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
    at http://127.0.0.1:9548/index.js?_b=6004:21030:76
    at Scope.$eval (http://127.0.0.1:9548/index.js?_b=6004:22017:28)
    at Scope.$digest (http://127.0.0.1:9548/index.js?_b=6004:21829:31)
    at Scope.$apply (http://127.0.0.1:9548/index.js?_b=6004:22121:24)

Error: unhandled error Error: ArrayIndexOutOfBoundsException[0]
    at respond (http://127.0.0.1:9548/index.js?_b=6004:81691:15)
    at checkRespForFailure (http://127.0.0.1:9548/index.js?_b=6004:81659:7)
    at http://127.0.0.1:9548/index.js?_b=6004:80322:7
    at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
    at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
    at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
    at http://127.0.0.1:9548/index.js?_b=6004:21030:76
    at Scope.$eval (http://127.0.0.1:9548/index.js?_b=6004:22017:28)
    at Scope.$digest (http://127.0.0.1:9548/index.js?_b=6004:21829:31)
    at Scope.$apply (http://127.0.0.1:9548/index.js?_b=6004:22121:24)
    at handleError (http://127.0.0.1:9548/index.js?_b=6004:42664:22)
    at DocRequest.AbstractReqProvider.AbstractReq.handleFailure (http://127.0.0.1:9548/index.js?_b=6004:42740:14)
    at http://127.0.0.1:9548/index.js?_b=6004:42945:17
    at Array.forEach (native)
    at http://127.0.0.1:9548/index.js?_b=6004:42943:18
    at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
    at http://127.0.0.1:9548/index.js?_b=6004:21030:76
    at Scope.$eval (http://127.0.0.1:9548/index.js?_b=6004:22017:28)
    at Scope.$digest (http://127.0.0.1:9548/index.js?_b=6004:21829:31)
    at Scope.$apply (http://127.0.0.1:9548/index.js?_b=6004:22121:24)
```

here’s my search-guard setting and acl setting (i’m trying to apply minimum security just to get it to work first, i want role ‘admin’ to be able to do everything and role ‘guest’ to have the field ‘user’ filtered out on all search responses):

```yaml
#############################################################################################
# SEARCH GUARD
# Configuration
#############################################################################################

# Enable or disable the complete Searchguard plugin functionality
searchguard.enabled: false

# Path where to write/read the searchguard master key file
searchguard.key_path: /tmp/dldm/elasticsearchConfig

# When using DLS or FLS and a get or mget is performed then rewrite it as search request
searchguard.rewrite_get_as_search: true

# The index name where Searchguard will store its configuration and various other informations related to Searchguard itself
# This index can only be access from localhost
searchguard.config_index_name: searchguard

# Enable or disable HTTP session which caches the authentication and authorization informations in a cookie
searchguard.http.enable_sessions: false

# Enable or disable audit logging
searchguard.auditlog.enabled: true

# If this is true (default is false) then Searchguard will check if elasticsearch is running as root/windows admin and if so then abort.
searchguard.check_for_root: false

# If this is true (default is false) then allow all HTTP REST requests from nodes loopback (e.g. localhost)
searchguard.allow_all_from_loopback: true

#############################################################################################
# X-Forwarded-For (XFF) header
#############################################################################################
# X-Forwarded-For (XFF) header
# If you have a http proxy in front of elasticsearch you have to configure this options to handle XFF properly
searchguard.http.xforwardedfor.header: null
#searchguard.http.xforwardedfor.trustedproxies: null
#searchguard.http.xforwardedfor.enforce: false

#############################################################################################
# Authentication backend
#############################################################################################
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
searchguard.authentication.authentication_backend.cache.enable: true

#############################################################################################
# Authorization backend (authorizer)
#############################################################################################
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
searchguard.authentication.authorizer.cache.enable: true

#############################################################################################
# HTTP authentication method
#############################################################################################
# Define HTTP authentication method. In future we will here have more like NTLM, SPNEGO/Kerberos and Digest.
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator

#####################################################
# Settings based authentication (define users and password directly here in the settings. Note: this is per node)
#searchguard.authentication.settingsdb.user.: password
searchguard.authentication.settingsdb.user.root: ********
searchguard.authentication.settingsdb.user.kibana: ********
searchguard.authentication.settingsdb.user.marketing: ********

#####################################################
# Settings based authorization (define users and their roles directly here in the settings. Note: this is per node)
#searchguard.authentication.authorization.settingsdb.roles.:
searchguard.authentication.authorization.settingsdb.roles.root: ["admin"]
searchguard.authentication.authorization.settingsdb.roles.kibana: ["guest"]
searchguard.authentication.authorization.settingsdb.roles.marketing: ["guest"]
#####################################################

##############################################################################################
# Below here you configure what authenticated and authorized users are allowed to do (or not) #
# This maps to the acl defined in the searchguard configuration index
#############################################################################################

# Configure the field level security (fls) filter to filter _source
searchguard.flsfilter.names: ["guest"]
searchguard.flsfilter.guest.source_excludes: ["user"]
```

  • ACL:

```json
{
  "acl": [
    {
      "__Comment__": "By default no filters are executed and no filters are by-passed. In such a case a exception is thrown and access will be denied.",
      "filters_bypass": [],
      "filters_execute": []
    },
    {
      "__Comment__": "For role 'admin' all filters are bypassed (so none will be executed). This means unrestricted access.",
      "roles": [
        "admin"
      ],
      "filters_bypass": ["*"],
      "filters_execute": []
    },
    {
      "__Comment__": "For role 'guest' all filters will be executed.",
      "roles": [
        "guest"
      ],
      "filters_bypass": [],
      "filters_execute": ["*"]
    }
  ]
}
```

Attached is the elasticsearch log.

data_manager.log (163 KB)

Btw, i get the following error if i refresh the page:

```
Fatal Error

Courier Fetch: Cannot read property 'timed_out' of undefined

TypeError: Cannot read property 'timed_out' of undefined
    at http://127.0.0.1:9548/index.js?_b=6004:42972:17
    at Function.Promise.try (http://127.0.0.1:9548/index.js?_b=6004:46233:26)
    at http://127.0.0.1:9548/index.js?_b=6004:46211:27
    at Array.map (native)
    at Function.Promise.map (http://127.0.0.1:9548/index.js?_b=6004:46210:30)
    at callResponseHandlers (http://127.0.0.1:9548/index.js?_b=6004:42965:22)
    at http://127.0.0.1:9548/index.js?_b=6004:43083:16
    at wrappedCallback (http://127.0.0.1:9548/index.js?_b=6004:20888:81)
    at wrappedCallback (http://127.0.0.1:9548/index.js?_b=6004:20888:81)
    at http://127.0.0.1:9548/index.js?_b=6004:20974:26
```
On Monday, June 8, 2015 at 10:42:43 AM UTC+8, Lingxiao Xia wrote the original post above.

first: why “searchguard.enabled: false” ?

second: seems the “ArrayIndexOutOfBoundsException” is coming from kibana, there is no error in the logfile you provided. Pls. look into the kibana logs

and make sure you configured kibana to use a username/password in kibana.yml

```yaml
# If your Elasticsearch is protected with basic auth, this is the user credentials
# used by the Kibana server to perform maintenance on the kibana_index at startup. Your Kibana
# users will still need to authenticate with Elasticsearch (which is proxied through
# the Kibana server)
kibana_elasticsearch_username: user
kibana_elasticsearch_password: pass
```

On Monday, June 8, 2015 at 04:42:43 UTC+2, Lingxiao Xia wrote the original post above.

Sorry the configuration is for when elasticsearch is starting, i disabled searchguard in the beginning because i had to create the acl entry, i enabled searchguard after that and restarted the cluster.
and yes i did configure kibana_elasticsearch_user and kibana_elasticsearch_pass and actually gave it admin power (which is different from user marketing's privileges, i don’t know if that would cause a problem but i doubt so). so yea… anyone got kibana to work and would like to share a set of working configuration? please?
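An offline check of the settings and ACL posted at the top of this thread, as an added example that is not part of the original posts and is not Search Guard code. It flags the settings the thread turns on (`searchguard.enabled`, `allow_all_from_loopback`, `key_path`) and lists which filters each configured user ends up with. The function names are hypothetical, passwords are replaced by a placeholder, and the rule merging in `effective_filters` is a simplified reading of the ACL comments, not the plugin's own evaluation logic.

```python
import json

# Settings and ACL as posted in the thread; passwords replaced by a placeholder.
SETTINGS = """\
searchguard.enabled: false
searchguard.key_path: /tmp/dldm/elasticsearchConfig
searchguard.allow_all_from_loopback: true
searchguard.authentication.settingsdb.user.root: PLACEHOLDER
searchguard.authentication.settingsdb.user.kibana: PLACEHOLDER
searchguard.authentication.settingsdb.user.marketing: PLACEHOLDER
searchguard.authentication.authorization.settingsdb.roles.root: ["admin"]
searchguard.authentication.authorization.settingsdb.roles.kibana: ["guest"]
searchguard.authentication.authorization.settingsdb.roles.marketing: ["guest"]
searchguard.flsfilter.names: ["guest"]
searchguard.flsfilter.guest.source_excludes: ["user"]
"""
ACL = {"acl": [
    {"filters_bypass": [], "filters_execute": []},
    {"roles": ["admin"], "filters_bypass": ["*"], "filters_execute": []},
    {"roles": ["guest"], "filters_bypass": [], "filters_execute": ["*"]},
]}

USER_PREFIX = "searchguard.authentication.settingsdb.user."
ROLE_PREFIX = "searchguard.authentication.authorization.settingsdb.roles."


def parse_settings(text):
    """Parse flat 'key: value' lines; blank lines and '#' comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, raw = line.partition(":")
        raw = raw.strip()
        try:
            settings[key.strip()] = json.loads(raw)  # true/false/null, lists
        except ValueError:
            settings[key.strip()] = raw              # bare strings such as paths
    return settings


def effective_filters(roles, acl):
    """Simplified reading of the ACL (an assumption): merge the bypass/execute
    lists of every rule naming one of the roles, else use the role-less default."""
    rules = [r for r in acl["acl"] if set(r.get("roles", [])) & set(roles)]
    if not rules:
        rules = [r for r in acl["acl"] if "roles" not in r]
    bypass = sorted({f for r in rules for f in r["filters_bypass"]})
    execute = sorted({f for r in rules for f in r["filters_execute"]})
    return bypass, execute


def audit(settings, acl):
    """Return a list of findings for the settings the thread discusses."""
    findings = []
    if settings.get("searchguard.enabled") is not True:
        findings.append("enabled: the plugin is switched off, nothing is enforced")
    if settings.get("searchguard.allow_all_from_loopback") is True:
        # Follows from the setting's own comment; same-host Kibana is an assumption.
        findings.append("loopback: every REST request from localhost is allowed, "
                        "including one sent by a Kibana server on the same host")
    if str(settings.get("searchguard.key_path", "")).startswith("/tmp"):
        findings.append("key_path: the master key file is kept under /tmp")

    users = {k[len(USER_PREFIX):] for k in settings if k.startswith(USER_PREFIX)}
    roles = {k[len(ROLE_PREFIX):]: v for k, v in settings.items()
             if k.startswith(ROLE_PREFIX)}
    for user in sorted(users - set(roles)):
        findings.append(f"roles: user '{user}' has a password but no roles")
    for user in sorted(set(roles) - users):
        findings.append(f"roles: '{user}' has roles but no password entry")

    acl_roles = {r for rule in acl["acl"] for r in rule.get("roles", [])}
    for user, user_roles in sorted(roles.items()):
        for role in user_roles:
            if role not in acl_roles:
                findings.append(f"acl: role '{role}' of '{user}' is in no ACL rule")

    for name in settings.get("searchguard.flsfilter.names") or []:
        prefix = f"searchguard.flsfilter.{name}."
        if not any(k.startswith(prefix) for k in settings):
            findings.append(f"fls: filter '{name}' is listed but not configured")
    return findings


def user_matrix(settings, acl):
    """Map each user with a role entry to its (bypass, execute) filter lists."""
    return {k[len(ROLE_PREFIX):]: effective_filters(v, acl)
            for k, v in settings.items() if k.startswith(ROLE_PREFIX)}


if __name__ == "__main__":
    parsed = parse_settings(SETTINGS)
    for finding in audit(parsed, ACL):
        print("FINDING", finding)
    for user, (bypass, execute) in sorted(user_matrix(parsed, ACL).items()):
        print(f"{user}: bypass={bypass} execute={execute}")
```

In the posted file the `kibana` account is mapped to `guest`, so under this reading its requests have all filters executed, the same as `marketing`.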

···

On Tuesday, June 9, 2015 at 10:30:16 PM UTC+8, in...@search-guard.com wrote:

first: why “searchguard.enabled: false” ?

second: seems the “ArrayIndexOutOfBoundsException” is coming from kibana, there is no error in the logfile you provided. Pls. look into the kibana logs

and make sure you configured kibana to use a username/password in kibana.yml

If your Elasticsearch is protected with basic auth, this is the user credentials

used by the Kibana server to perform maintence on the kibana_index at statup. Your Kibana

users will still need to authenticate with Elasticsearch (which is proxied thorugh

the Kibana server)

kibana_elasticsearch_username: user

kibana_elasticsearch_password: pass

Am Montag, 8. Juni 2015 04:42:43 UTC+2 schrieb Lingxiao Xia:

hello i’m sorry for asking so many questions but i couldn’t get searchguard to work with kibana 4.0.2. and i couldn’t figure out what’s the problem…

btw, plain search against elasticsearch works and searchguard seems to be functioning as intended. it just stops working whenever kibana is involved…

kibana goes to the following error page as soon as i verify myself as user ‘marketing’ with role ‘guest’:

Fatal Error

Courier Fetch Error: unhandled error Error: ArrayIndexOutOfBoundsException [0]
at respond (http://127.0.0.1:9548/index.js?_b=6004:81691:15 )
at checkRespForFailure (http://127.0.0.1:9548/index.js?_b=6004:81659:7 )
at http://127.0.0.1:9548/index.js?_b=6004:80322:7
at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78 )
at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78 )
at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78 )
at http://127.0.0.1:9548/index.js?_b=6004:21030:76
at Scope.$eval (http://127.0.0.1:9548/index.js?_b=6004:22017:28 )
at Scope.$digest (http://127.0.0.1:9548/index.js?_b=6004:21829:31 )
at Scope.$apply (http://127.0.0.1:9548/index.js?_b=6004:22121:24)

Error: unhandled error Error: ArrayIndexOutOfBoundsException    [0]
at respond ([http://127.0.0.1:9548/index.js?_b=6004:81691:15](http://127.0.0.1:9548/index.js?_b=6004:81691:15)    )
at checkRespForFailure ([http://127.0.0.1:9548/index.js?_b=6004:81659:7](http://127.0.0.1:9548/index.js?_b=6004:81659:7)    )
at [http://127.0.0.1:9548/index.js?_b=6004:80322:7](http://127.0.0.1:9548/index.js?_b=6004:80322:7)
    at wrappedErrback ([http://127.0.0.1:9548/index.js?_b=6004:20897:78](http://127.0.0.1:9548/index.js?_b=6004:20897:78)    )
at wrappedErrback ([http://127.0.0.1:9548/index.js?_b=6004:20897:78](http://127.0.0.1:9548/index.js?_b=6004:20897:78)    )
at wrappedErrback ([http://127.0.0.1:9548/index.js?_b=6004:20897:78](http://127.0.0.1:9548/index.js?_b=6004:20897:78)    )
at [http://127.0.0.1:9548/index.js?_b=6004:21030:76](http://127.0.0.1:9548/index.js?_b=6004:21030:76)
    at Scope.$eval ([http://127.0.0.1:9548/index.js?_b=6004:22017:28](http://127.0.0.1:9548/index.js?_b=6004:22017:28)    )
at Scope.$digest ([http://127.0.0.1:9548/index.js?_b=6004:21829:31](http://127.0.0.1:9548/index.js?_b=6004:21829:31)    )
at Scope.$apply ([http://127.0.0.1:9548/index.js?_b=6004:22121:24](http://127.0.0.1:9548/index.js?_b=6004:22121:24)    )
at handleError ([http://127.0.0.1:9548/index.js?_b=6004:42664:22](http://127.0.0.1:9548/index.js?_b=6004:42664:22)    )
at DocRequest.AbstractReqProvider.AbstractReq.handleFailure ([http://127.0.0.1:9548/index.js?_b=6004:42740:14](http://127.0.0.1:9548/index.js?_b=6004:42740:14)    )
at [http://127.0.0.1:9548/index.js?_b=6004:42945:17](http://127.0.0.1:9548/index.js?_b=6004:42945:17)
    at Array.forEach (native)
at [http://127.0.0.1:9548/index.js?_b=6004:42943:18](http://127.0.0.1:9548/index.js?_b=6004:42943:18)
    at wrappedErrback ([http://127.0.0.1:9548/index.js?_b=6004:20897:78](http://127.0.0.1:9548/index.js?_b=6004:20897:78)    )
at [http://127.0.0.1:9548/index.js?_b=6004:21030:76](http://127.0.0.1:9548/index.js?_b=6004:21030:76)
    at Scope.$eval ([http://127.0.0.1:9548/index.js?_b=6004:22017:28](http://127.0.0.1:9548/index.js?_b=6004:22017:28)    )
at Scope.$digest ([http://127.0.0.1:9548/index.js?_b=6004:21829:31](http://127.0.0.1:9548/index.js?_b=6004:21829:31)    )
at Scope.$apply ([http://127.0.0.1:9548/index.js?_b=6004:22121:24](http://127.0.0.1:9548/index.js?_b=6004:22121:24))

here’s my search-guard setting and acl setting(i’m trying to apply minimum security just to get it work first, i want role ‘admin’ to be able to do everything and role ‘guest’ to have the field ‘user’ filtered out on all search responses):

#############################################################################################
# SEARCH GUARD #
# Configuration #
#############################################################################################

# Enable or disable the complete Searchguard plugin functionality
searchguard.enabled: false

# Path where to write/read the searchguard master key file
searchguard.key_path: /tmp/dldm/elasticsearchConfig

# When using DLS or FLS and a get or mget is performed then rewrite it as search request
searchguard.rewrite_get_as_search: true

# The index name where Searchguard will store its configuration and various other informations related to Searchguard itself
# This index can only be access from localhost
searchguard.config_index_name: searchguard

# Enable or disable HTTP session which caches the authentication and authorization informations in a cookie
searchguard.http.enable_sessions: false

# Enable or disable audit logging
searchguard.auditlog.enabled: true

# If this is true (default is false) then Searchguard will check if elasticsearch is running as root/windows admin and if so then abort.
searchguard.check_for_root: false

# If this is true (default is false) then allow all HTTP REST requests from nodes loopback (e.g. localhost)
searchguard.allow_all_from_loopback: true

#############################################################################################
# X-Forwarded-For (XFF) header #
# #
#############################################################################################
# X-Forwarded-For (XFF) header
# If you have a http proxy in front of elasticsearch you have to configure this options to handle XFF properly
searchguard.http.xforwardedfor.header: null
#searchguard.http.xforwardedfor.trustedproxies: null
#searchguard.http.xforwardedfor.enforce: false

#############################################################################################
# Authentication backend #
# #
#############################################################################################
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
searchguard.authentication.authentication_backend.cache.enable: true

#############################################################################################
# Authorization backend (authorizer) #
# #
#############################################################################################
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
searchguard.authentication.authorizer.cache.enable: true

#############################################################################################
# HTTP authentication method #
# #
#############################################################################################
# Define HTTP authentication method. In future we will here have more like NTLM, SPNEGO/Kerberos and Digest.
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator

#####################################################
# Settings based authentication (define users and password directly here in the settings. Note: this is per node)
#searchguard.authentication.settingsdb.user.<username>: password
searchguard.authentication.settingsdb.user.root: ********
searchguard.authentication.settingsdb.user.kibana: ********
searchguard.authentication.settingsdb.user.marketing: ********

#####################################################
# Settings based authorization (define users and their roles directly here in the settings. Note: this is per node)
#searchguard.authentication.authorization.settingsdb.roles.<username>: <array of roles>
searchguard.authentication.authorization.settingsdb.roles.root: ["admin"]
searchguard.authentication.authorization.settingsdb.roles.kibana: ["guest"]
searchguard.authentication.authorization.settingsdb.roles.marketing: ["guest"]
#####################################################

##############################################################################################
# Below here you configure what authenticated and authorized users are allowed to do (or not)#
# This maps to the acl defined in the searchguard configuration index #
#############################################################################################

# Configure the field level security (fls) filter to filter _source
searchguard.flsfilter.names: ["guest"]
searchguard.flsfilter.guest.source_excludes: ["user"]

  • ACL:

{
    "acl": [
    {
        "__Comment__": "By default no filters are executed and no filters are by-passed. In such a case a exception is thrown and access will be denied.",
        "filters_bypass": [],
        "filters_execute": []
    },
    {
        "__Comment__": "For role 'admin' all filters are bypassed (so none will be executed). This means unrestricted access.",
        "roles": [
            "admin"
        ],
        "filters_bypass": ["*"],
        "filters_execute": []
    },
    {
        "__Comment__": "For role 'guest' all filters will be executed.",
        "roles": [
            "guest"
        ],
        "filters_bypass": [],
        "filters_execute": ["*"]
    }
    ]
}

Attached is the elasticsearch log.
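
An added example (not from the original thread and not Search Guard's own code): a small Python model that takes the role mapping, FLS filter and ACL posted above and resolves, per account, its roles, the filters that run, and what a sample document looks like afterwards. The evaluation rules follow the comment texts in the posted ACL; the `flsfilter.<name>` naming, the top-level-only field removal, the `nobody` account and the sample document are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Constructed input: the role mapping and FLS lines as posted in the thread.
SETTINGS_TEXT = """\
# Settings based authorization
searchguard.authentication.authorization.settingsdb.roles.root: ["admin"]
searchguard.authentication.authorization.settingsdb.roles.kibana: ["guest"]
searchguard.authentication.authorization.settingsdb.roles.marketing: ["guest"]
# Field level security filter
searchguard.flsfilter.names: ["guest"]
searchguard.flsfilter.guest.source_excludes: ["user"]
"""

# The ACL as posted in the thread (comment fields dropped).
ACL = {"acl": [
    {"filters_bypass": [], "filters_execute": []},
    {"roles": ["admin"], "filters_bypass": ["*"], "filters_execute": []},
    {"roles": ["guest"], "filters_bypass": [], "filters_execute": ["*"]},
]}

# Constructed sample document; "user" is the field the FLS filter excludes.
SAMPLE_DOC = {"user": "alice", "message": "constructed sample document"}
ROLES_PREFIX = "searchguard.authentication.authorization.settingsdb.roles."


def parse_settings(text):
    """Parse flat 'key: value' lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        try:
            settings[key.strip()] = json.loads(value.strip())
        except json.JSONDecodeError:
            settings[key.strip()] = value.strip()
    return settings


def configured_filters(settings):
    """Qualified filter names; the 'flsfilter.<name>' form is an assumption."""
    names = settings.get("searchguard.flsfilter.names", [])
    return ["flsfilter." + name for name in names]


def decide(acl, roles, filters):
    """Simplified model of the ACL comments: entries naming one of the
    caller's roles apply, otherwise the role-less default entry applies;
    an entry set that neither executes nor bypasses anything denies access."""
    entries = acl["acl"]
    matched = [e for e in entries if set(e.get("roles", [])) & set(roles)]
    if not matched:
        matched = [e for e in entries if "roles" not in e]
    bypass = [p for e in matched for p in e["filters_bypass"]]
    execute = [p for e in matched for p in e["filters_execute"]]
    if not bypass and not execute:
        return "denied", []
    executed = [f for f in filters
                if any(fnmatchcase(f, p) for p in execute)
                and not any(fnmatchcase(f, p) for p in bypass)]
    return "allowed", executed


def apply_fls(settings, executed, source):
    """Drop the source_excludes fields of every executed FLS filter."""
    doc = dict(source)
    for name in executed:
        kind, _, short = name.partition(".")
        if kind == "flsfilter":
            key = "searchguard.flsfilter.%s.source_excludes" % short
            for field in settings.get(key, []):
                doc.pop(field, None)
    return doc


def report(extra_users=("nobody",)):
    """Resolve every configured account plus any extra (unmapped) ones."""
    settings = parse_settings(SETTINGS_TEXT)
    users = [k[len(ROLES_PREFIX):] for k in settings if k.startswith(ROLES_PREFIX)]
    result = {}
    for user in users + list(extra_users):
        roles = settings.get(ROLES_PREFIX + user, [])
        access, executed = decide(ACL, roles, configured_filters(settings))
        doc = apply_fls(settings, executed, SAMPLE_DOC) if access == "allowed" else None
        result[user] = {"roles": roles, "access": access,
                        "executed": executed, "document": doc}
    return result


if __name__ == "__main__":
    for user, info in report().items():
        print(user, info)
```

Under the posted settings the `kibana` account resolves to role `guest`, so the FLS filter applies to its requests in the same way as to `marketing`.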

we will provide a guide, how to setup and configure search guard with kibana, soon

On 11.06.2015 at 04:19, Lingxiao Xia <lingxiao.xia@dragonlaw.com.hk> wrote:

Sorry the configuration is for when elasticsearch is starting, i disabled searchguard in the beginning because i had to create the acl entry, i enabled searchguard after that and restarted the cluster.
and yes i did configure kibana_elasticsearch_user and kibana_elasticsearch_pass and actually gave it admin power(which is different from user `marketing`'s privileges, i don't know if that would cause a problem but i doubt so). so yea... anyone got kibana to work and would like to share a set of working configuration? please?

On Tuesday, June 9, 2015 at 10:30:16 PM UTC+8, in...@search-guard.com wrote:
first: why "searchguard.enabled: false" ?

second: seems the "ArrayIndexOutOfBoundsException" is coming from kibana, there is no error in the logfile you provided. Pls. look into the kibana logs
and make sure you configured kibana to use a username/password in kibana.yml

# If your Elasticsearch is protected with basic auth, this is the user credentials
# used by the Kibana server to perform maintenance on the kibana_index at startup. Your Kibana
# users will still need to authenticate with Elasticsearch (which is proxied through
# the Kibana server)
# kibana_elasticsearch_username: user
# kibana_elasticsearch_password: pass

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/4e331b3f-efe9-49f5-96c0-ac05235045fe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thank you so much!!!

On Friday, June 12, 2015 at 4:21:13 AM UTC+8, SG wrote:

we will provide a guide, how to setup and configure search guard with kibana, soon

Will a guide be provided?? I am having some issues connecting ES to Searchguard

On Saturday, June 13, 2015 at 8:21:35 AM UTC-4, Lingxiao Xia wrote:

Thank you so much!!!

On Friday, June 12, 2015 at 4:21:13 AM UTC+8, SG wrote:

we will provide a guide, how to setup and configure search guard with kibana, soon

Am 11.06.2015 um 04:19 schrieb Lingxiao Xia lingxi...@dragonlaw.com.hk:

Sorry the configuration is for when elasticsearch is starting, i disabled searchguard in the beginning because i had to create the acl entry, i enabled searchguard after that and restarted the cluster.
and yes i did configure kibana_elasticsearch_user and kibana_elasticsearch_pass and actually gave it admin power(which is different from user marketing's privileges, i don’t know if that would cause a problem but i doubt so). so yea… anyone got kibana to work and would like to share a set of working configuration? please?

On Tuesday, June 9, 2015 at 10:30:16 PM UTC+8, in...@search-guard.com wrote:

first: why “searchguard.enabled: false” ?

second: seems the “ArrayIndexOutOfBoundsException” is coming from kibana, there is no error in the logfile you provided. Pls. look into the kibana logs

and make sure you configured kibana to use a username/password in kibana.yml

If your Elasticsearch is protected with basic auth, this is the user credentials

used by the Kibana server to perform maintence on the kibana_index at statup. Your Kibana

users will still need to authenticate with Elasticsearch (which is proxied thorugh

the Kibana server)

kibana_elasticsearch_username: user

kibana_elasticsearch_password: pass

Am Montag, 8. Juni 2015 04:42:43 UTC+2 schrieb Lingxiao Xia:

hello i’m sorry for asking so many questions but i couldn’t get searchguard to work with kibana 4.0.2. and i couldn’t figure out what’s the problem…

btw, plain search against elasticsearch works and searchguard seems to be functioning as intended. it just stops working whenever kibana is involved…

kibana goes to the following error page as soon as i verify myself as user ‘marketing’ with role ‘guest’:

Fatal Error

Courier Fetch Error: unhandled error Error: ArrayIndexOutOfBoundsException

[0]

at respond (

http://127.0.0.1:9548/index.js?_b=6004:81691:15

)

at checkRespForFailure (

http://127.0.0.1:9548/index.js?_b=6004:81659:7

)

at

http://127.0.0.1:9548/index.js?_b=6004:80322:7

at wrappedErrback (

http://127.0.0.1:9548/index.js?_b=6004:20897:78

)

at wrappedErrback (

http://127.0.0.1:9548/index.js?_b=6004:20897:78

)

at wrappedErrback (

http://127.0.0.1:9548/index.js?_b=6004:20897:78

)

at

http://127.0.0.1:9548/index.js?_b=6004:21030:76

at Scope.$eval (

http://127.0.0.1:9548/index.js?_b=6004:22017:28

)

at Scope.$digest (

http://127.0.0.1:9548/index.js?_b=6004:21829:31

)

at Scope.$apply (

http://127.0.0.1:9548/index.js?_b=6004:22121:24)

Error: unhandled error Error: ArrayIndexOutOfBoundsException

[0]

at respond (

http://127.0.0.1:9548/index.js?_b=6004:81691:15

)

at checkRespForFailure (

http://127.0.0.1:9548/index.js?_b=6004:81659:7

)

at

http://127.0.0.1:9548/index.js?_b=6004:80322:7

at wrappedErrback (

http://127.0.0.1:9548/index.js?_b=6004:20897:78

)

at wrappedErrback (

http://127.0.0.1:9548/index.js?_b=6004:20897:78

)

at wrappedErrback (

http://127.0.0.1:9548/index.js?_b=6004:20897:78

)

at

http://127.0.0.1:9548/index.js?_b=6004:21030:76

at Scope.$eval (

http://127.0.0.1:9548/index.js?_b=6004:22017:28

)

at Scope.$digest (

http://127.0.0.1:9548/index.js?_b=6004:21829:31

)

at Scope.$apply (

http://127.0.0.1:9548/index.js?_b=6004:22121:24

)

at handleError (

http://127.0.0.1:9548/index.js?_b=6004:42664:22

)

at DocRequest.

AbstractReqProvider.AbstractReq.handleFailure (http://127.0.0.1:9548/index.js?_b=6004:42740:14

)

at

http://127.0.0.1:9548/index.js?_b=6004:42945:17

at Array.forEach (native)
at

http://127.0.0.1:9548/index.js?_b=6004:42943:18

at wrappedErrback (

http://127.0.0.1:9548/index.js?_b=6004:20897:78

)

at

http://127.0.0.1:9548/index.js?_b=6004:21030:76

at Scope.$eval (

http://127.0.0.1:9548/index.js?_b=6004:22017:28

)

at Scope.$digest (

http://127.0.0.1:9548/index.js?_b=6004:21829:31

)

at Scope.$apply (

http://127.0.0.1:9548/index.js?_b=6004:22121:24)

here’s my search-guard setting and acl setting(i’m trying to apply minimum security just to get it work first, i want role ‘admin’ to be able to do everything and role ‘guest’ to have the field ‘user’ filtered out on all search responses):

#############################################################################################
# SEARCH GUARD
# Configuration
#############################################################################################

# Enable or disable the complete Searchguard plugin functionality
searchguard.enabled: false

# Path where to write/read the searchguard master key file
searchguard.key_path: /tmp/dldm/elasticsearchConfig

# When using DLS or FLS and a get or mget is performed then rewrite it as search request
searchguard.rewrite_get_as_search: true

# The index name where Searchguard will store its configuration and various other informations related to Searchguard itself
# This index can only be access from localhost
searchguard.config_index_name: searchguard

# Enable or disable HTTP session which caches the authentication and authorization informations in a cookie
searchguard.http.enable_sessions: false

# Enable or disable audit logging
searchguard.auditlog.enabled: true

# If this is true (default is false) then Searchguard will check if elasticsearch is running as root/windows admin and if so then abort.
searchguard.check_for_root: false

# If this is true (default is false) then allow all HTTP REST requests from nodes loopback (e.g. localhost)
searchguard.allow_all_from_loopback: true

#############################################################################################
# X-Forwarded-For (XFF) header
#############################################################################################

# X-Forwarded-For (XFF) header
# If you have a http proxy in front of elasticsearch you have to configure this options to handle XFF properly
searchguard.http.xforwardedfor.header: null
#searchguard.http.xforwardedfor.trustedproxies: null
#searchguard.http.xforwardedfor.enforce: false

#############################################################################################
# Authentication backend
#############################################################################################

searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
searchguard.authentication.authentication_backend.cache.enable: true

#############################################################################################
# Authorization backend (authorizer)
#############################################################################################

searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
searchguard.authentication.authorizer.cache.enable: true

#############################################################################################
# HTTP authentication method
#############################################################################################

# Define HTTP authentication method. In future we will here have more like NTLM, SPNEGO/Kerberos and Digest.
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator

#####################################################
# Settings based authentication (define users and password directly here in the settings. Note: this is per node)
#searchguard.authentication.settingsdb.user.: password
searchguard.authentication.settingsdb.user.root: ********
searchguard.authentication.settingsdb.user.kibana: ********
searchguard.authentication.settingsdb.user.marketing: ********

#####################################################
# Settings based authorization (define users and their roles directly here in the settings. Note: this is per node)
#searchguard.authentication.authorization.settingsdb.roles.:
searchguard.authentication.authorization.settingsdb.roles.root: ["admin"]
searchguard.authentication.authorization.settingsdb.roles.kibana: ["guest"]
searchguard.authentication.authorization.settingsdb.roles.marketing: ["guest"]

#####################################################

##############################################################################################
# Below here you configure what authenticated and authorized users are allowed to do (or not) #
# This maps to the acl defined in the searchguard configuration index
#############################################################################################

# Configure the field level security (fls) filter to filter _source
searchguard.flsfilter.names: ["guest"]
searchguard.flsfilter.guest.source_excludes: ["user"]

    • ACL:

{
    "acl": [
        {
            "__Comment__": "By default no filters are executed and no filters are by-passed. In such a case a exception is thrown and access will be denied.",
            "filters_bypass": [],
            "filters_execute": []
        },
        {
            "__Comment__": "For role 'admin' all filters are bypassed (so none will be executed). This means unrestricted access.",
            "roles": [
                "admin"
            ],
            "filters_bypass": ["*"],
            "filters_execute": []
        },
        {
            "__Comment__": "For role 'guest' all filters will be executed.",
            "roles": [
                "guest"
            ],
            "filters_bypass": [],
            "filters_execute": ["*"]
        }
    ]
}

Attached is the elasticsearch log.
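
What the ACL and FLS settings in the post above are meant to produce, as an added example that is not part of the original post and is not Search Guard's own code: a simplified Python model of the three ACL rules and the `guest` source-exclude filter. The filter key `flsfilter.guest`, the sample hit, and the choice that a bypass pattern wins over an execute pattern are assumptions of this sketch.

```python
import copy
from fnmatch import fnmatch

# Taken from the posted settings; the key "flsfilter.guest" is an assumed naming.
FLS_FILTERS = {"flsfilter.guest": {"source_excludes": ["user"]}}
# The three rules of the posted ACL, without the __Comment__ fields.
ACL = [
    {"filters_bypass": [], "filters_execute": []},
    {"roles": ["admin"], "filters_bypass": ["*"], "filters_execute": []},
    {"roles": ["guest"], "filters_bypass": [], "filters_execute": ["*"]},
]

class AccessDenied(Exception):
    """Raised when a filter is neither executed nor bypassed for the caller."""

def resolve(roles):
    """Return (execute, bypass) patterns from role rules, else from the default rule."""
    matched = [r for r in ACL if set(r.get("roles", [])) & set(roles)]
    if not matched:
        matched = [r for r in ACL if "roles" not in r]
    execute = [p for r in matched for p in r["filters_execute"]]
    bypass = [p for r in matched for p in r["filters_bypass"]]
    return execute, bypass

def filter_source(roles, source):
    """Apply the FLS filters to one hit's _source for a caller with these roles."""
    execute, bypass = resolve(roles)
    out = copy.deepcopy(source)
    for name, cfg in FLS_FILTERS.items():
        if any(fnmatch(name, p) for p in bypass):  # assumption: bypass wins
            continue
        if not any(fnmatch(name, p) for p in execute):
            raise AccessDenied(f"{name} neither executed nor bypassed for {roles}")
        for field in cfg["source_excludes"]:
            out.pop(field, None)
    return out

if __name__ == "__main__":
    hit = {"user": "alice", "message": "login ok"}  # constructed sample _source
    print("admin:", filter_source(["admin"], hit))
    print("guest:", filter_source(["guest"], hit))
    try:
        filter_source(["unlisted"], hit)
    except AccessDenied as exc:
        print("denied:", exc)
```
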

