Modify Existing User names in elasticsearch

Am Mittwoch, 29. Juni 2016 09:12:24 UTC+2 schrieb Vin:

Hi,

I want to rename the existing usernames in elasticsearch, Is this possible. if Yes, How?

Thanks.

On Wednesday, 29 June 2016 12:42:24 UTC+5:30, Vin wrote:

Hi,

I want to rename the existing usernames in elasticsearch, Is this possible. if Yes, How?

Thanks.

On Wednesday, 29 June 2016 13:06:35 UTC+5:30, Vin wrote:

Thanks For your replay

there is a default user like .

kibanaro:
hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC

#password is: kibanaro

I want to rename it with another username.

On Wednesday, 29 June 2016 12:42:24 UTC+5:30, Vin wrote:

Hi,

I want to rename the existing usernames in elasticsearch, Is this possible. if Yes, How?

Thanks.

Am Mittwoch, 29. Juni 2016 12:31:59 UTC+2 schrieb Vin:

Hi,

I am new to this search guard could you please explain in detail.about renaming the existing user.

Thankyou.

On Wednesday, 29 June 2016 13:06:35 UTC+5:30, Vin wrote:

Thanks For your replay

there is a default user like .

kibanaro:
hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC

#password is: kibanaro

I want to rename it with another username.

On Wednesday, 29 June 2016 12:42:24 UTC+5:30, Vin wrote:

Hi,

I want to rename the existing usernames in elasticsearch, Is this possible. if Yes, How?

Thanks.

On Wednesday, 29 June 2016 16:17:10 UTC+5:30, Jochen Kressin wrote:

Vinod,

please kindly read the documentation to Search Guard regarding the different authentication methods and how to configure Search Guard in general. You will need to understand some of the basic concepts in order to use Search Guard successfully.

To point you in the right direction:

From your previous post I see that you want to use the internal Search Guard user database (as opposed to advanced authentication backends like LDAP or Kerberos). In this case, all changes regarding usernames and passwords have to be done in “sg_users.yml”. You can change the username here, and also set a new password. The password is hashed, and the hashe can be generated by the hash.sh script that ships with Search Guard.

After you have changed the username in “sg_users.yml”, you will also need to adjust the file “sg_roles_mapping.yml”. This file contains the mapping from users to roles. If in addition you also want to change the roles of the user, this has to be done in “sg_roles.yml”. But this is not relevant if you just want to change username and/or password.

After you changed these files, you need to push the changes to Search Guard. The configuration for Search Guard is kept in a specially secured index, so you can hot reload most of the configuration settings. Config changes have to be pushed to Search Guard by using the sgadmin.sh script that ships with Search Guard.

You can read more about the basic concepts here:

https://github.com/floragunncom/search-guard-docs/blob/master/configuration.md

And I recommend also to kindly read the Kibana chapter, which contains step-by-step instructions on how to set up users, roles and permissions. While this chapter is geared towards Kibana, configuring users and roles is basically always the same:

https://github.com/floragunncom/search-guard-docs/blob/master/kibana.md

Am Mittwoch, 29. Juni 2016 12:31:59 UTC+2 schrieb Vin:

Hi,

I am new to this search guard could you please explain in detail.about renaming the existing user.

Thankyou.

On Wednesday, 29 June 2016 13:06:35 UTC+5:30, Vin wrote:

Thanks For your replay

there is a default user like .

kibanaro:
hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC

#password is: kibanaro

I want to rename it with another username.

On Wednesday, 29 June 2016 12:42:24 UTC+5:30, Vin wrote:

Hi,

I want to rename the existing usernames in elasticsearch, Is this possible. if Yes, How?

Thanks.

Am Mittwoch, 29. Juni 2016 13:54:25 UTC+2 schrieb Vin:

I have added the chnaged the username in sg_internal_users.yml. after that I tried to pushed to Search Guard by using the sgadmin.sh using below command

./tools/sgadmin.sh -h localhost -p 9200 -f /path/sg_internal_users.yml -t internalusers --configdir sgconfig/ --keystore /path/kirk-keystore.jks --keystore-password **** --truststore path/truststore.jks --truststore-password **** -icl –disable-host-name-verification

but i got following error

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)

at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)

at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)

at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)

On Wednesday, 29 June 2016 16:17:10 UTC+5:30, Jochen Kressin wrote:

Vinod,

please kindly read the documentation to Search Guard regarding the different authentication methods and how to configure Search Guard in general. You will need to understand some of the basic concepts in order to use Search Guard successfully.

To point you in the right direction:

From your previous post I see that you want to use the internal Search Guard user database (as opposed to advanced authentication backends like LDAP or Kerberos). In this case, all changes regarding usernames and passwords have to be done in “sg_users.yml”. You can change the username here, and also set a new password. The password is hashed, and the hashe can be generated by the hash.sh script that ships with Search Guard.

After you have changed the username in “sg_users.yml”, you will also need to adjust the file “sg_roles_mapping.yml”. This file contains the mapping from users to roles. If in addition you also want to change the roles of the user, this has to be done in “sg_roles.yml”. But this is not relevant if you just want to change username and/or password.

After you changed these files, you need to push the changes to Search Guard. The configuration for Search Guard is kept in a specially secured index, so you can hot reload most of the configuration settings. Config changes have to be pushed to Search Guard by using the sgadmin.sh script that ships with Search Guard.

You can read more about the basic concepts here:

https://github.com/floragunncom/search-guard-docs/blob/master/configuration.md

And I recommend also to kindly read the Kibana chapter, which contains step-by-step instructions on how to set up users, roles and permissions. While this chapter is geared towards Kibana, configuring users and roles is basically always the same:

https://github.com/floragunncom/search-guard-docs/blob/master/kibana.md

Am Mittwoch, 29. Juni 2016 12:31:59 UTC+2 schrieb Vin:

Hi,

I am new to this search guard could you please explain in detail.about renaming the existing user.

Thankyou.

On Wednesday, 29 June 2016 13:06:35 UTC+5:30, Vin wrote:

Thanks For your replay

there is a default user like .

kibanaro:
hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC

#password is: kibanaro

I want to rename it with another username.

On Wednesday, 29 June 2016 12:42:24 UTC+5:30, Vin wrote:

Hi,

I want to rename the existing usernames in elasticsearch, Is this possible. if Yes, How?

Thanks.

Am Mittwoch, 29. Juni 2016 14:05:35 UTC+2 schrieb Jochen Kressin:

You specified the wrong port, 9200 is the HTTP port. Have a look at the error message:

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

**"**localhost/127.0.0.1:9300"

Use the following setting instead:

-p 9300

Am Mittwoch, 29. Juni 2016 13:54:25 UTC+2 schrieb Vin:

I have added the chnaged the username in sg_internal_users.yml. after that I tried to pushed to Search Guard by using the sgadmin.sh using below command

./tools/sgadmin.sh -h localhost -p 9200 -f /path/sg_internal_users.yml -t internalusers --configdir sgconfig/ --keystore /path/kirk-keystore.jks --keystore-password **** --truststore path/truststore.jks --truststore-password **** -icl –disable-host-name-verification

but i got following error

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)

at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)

at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)

at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)

On Wednesday, 29 June 2016 16:17:10 UTC+5:30, Jochen Kressin wrote:

Vinod,

please kindly read the documentation to Search Guard regarding the different authentication methods and how to configure Search Guard in general. You will need to understand some of the basic concepts in order to use Search Guard successfully.

To point you in the right direction:

From your previous post I see that you want to use the internal Search Guard user database (as opposed to advanced authentication backends like LDAP or Kerberos). In this case, all changes regarding usernames and passwords have to be done in “sg_users.yml”. You can change the username here, and also set a new password. The password is hashed, and the hashe can be generated by the hash.sh script that ships with Search Guard.

After you have changed the username in “sg_users.yml”, you will also need to adjust the file “sg_roles_mapping.yml”. This file contains the mapping from users to roles. If in addition you also want to change the roles of the user, this has to be done in “sg_roles.yml”. But this is not relevant if you just want to change username and/or password.

After you changed these files, you need to push the changes to Search Guard. The configuration for Search Guard is kept in a specially secured index, so you can hot reload most of the configuration settings. Config changes have to be pushed to Search Guard by using the sgadmin.sh script that ships with Search Guard.

You can read more about the basic concepts here:

https://github.com/floragunncom/search-guard-docs/blob/master/configuration.md

And I recommend also to kindly read the Kibana chapter, which contains step-by-step instructions on how to set up users, roles and permissions. While this chapter is geared towards Kibana, configuring users and roles is basically always the same:

https://github.com/floragunncom/search-guard-docs/blob/master/kibana.md

Am Mittwoch, 29. Juni 2016 12:31:59 UTC+2 schrieb Vin:

Hi,

I am new to this search guard could you please explain in detail.about renaming the existing user.

Thankyou.

On Wednesday, 29 June 2016 13:06:35 UTC+5:30, Vin wrote:

Thanks For your replay

there is a default user like .

kibanaro:
hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC

#password is: kibanaro

I want to rename it with another username.

On Wednesday, 29 June 2016 12:42:24 UTC+5:30, Vin wrote:

Hi,

I want to rename the existing usernames in elasticsearch, Is this possible. if Yes, How?

Thanks.

On Wednesday, 29 June 2016 18:43:21 UTC+5:30, Jochen Kressin wrote:

The command line arguments should work. I tested again with the default settings from the Search Guard bundle, and your settings:

plugins/search-guard-2/tools/sgadmin.sh -h localhost -p 9300 -f plugins/search-guard-2/sgconfig/sg_internal_users.yml -t internalusers -ks plugins/search-guard-2/sgconfig/CN=sgadmin-keystore.jks -kspass 09331bbe58aa3104745a -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass a2c5d0e04b62aa275753 -icl –disable-host-name-verification

Are you sure that your Elasticsearch nodes are reachable via localhost on port 9300? For example, can you telnet on localhost and port 9300?

Am Mittwoch, 29. Juni 2016 14:05:35 UTC+2 schrieb Jochen Kressin:

You specified the wrong port, 9200 is the HTTP port. Have a look at the error message:

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

**"**localhost/127.0.0.1:9300"

Use the following setting instead:

-p 9300

Am Mittwoch, 29. Juni 2016 13:54:25 UTC+2 schrieb Vin:

I have added the chnaged the username in sg_internal_users.yml. after that I tried to pushed to Search Guard by using the sgadmin.sh using below command

./tools/sgadmin.sh -h localhost -p 9200 -f /path/sg_internal_users.yml -t internalusers --configdir sgconfig/ --keystore /path/kirk-keystore.jks --keystore-password **** --truststore path/truststore.jks --truststore-password **** -icl –disable-host-name-verification

but i got following error

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)

at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)

at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)

at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)

On Wednesday, 29 June 2016 16:17:10 UTC+5:30, Jochen Kressin wrote:

Vinod,

please kindly read the documentation to Search Guard regarding the different authentication methods and how to configure Search Guard in general. You will need to understand some of the basic concepts in order to use Search Guard successfully.

To point you in the right direction:

From your previous post I see that you want to use the internal Search Guard user database (as opposed to advanced authentication backends like LDAP or Kerberos). In this case, all changes regarding usernames and passwords have to be done in “sg_users.yml”. You can change the username here, and also set a new password. The password is hashed, and the hashe can be generated by the hash.sh script that ships with Search Guard.

After you have changed the username in “sg_users.yml”, you will also need to adjust the file “sg_roles_mapping.yml”. This file contains the mapping from users to roles. If in addition you also want to change the roles of the user, this has to be done in “sg_roles.yml”. But this is not relevant if you just want to change username and/or password.

After you changed these files, you need to push the changes to Search Guard. The configuration for Search Guard is kept in a specially secured index, so you can hot reload most of the configuration settings. Config changes have to be pushed to Search Guard by using the sgadmin.sh script that ships with Search Guard.

You can read more about the basic concepts here:

https://github.com/floragunncom/search-guard-docs/blob/master/configuration.md

And I recommend also to kindly read the Kibana chapter, which contains step-by-step instructions on how to set up users, roles and permissions. While this chapter is geared towards Kibana, configuring users and roles is basically always the same:

https://github.com/floragunncom/search-guard-docs/blob/master/kibana.md

Am Mittwoch, 29. Juni 2016 12:31:59 UTC+2 schrieb Vin:

Hi,

I am new to this search guard could you please explain in detail.about renaming the existing user.

Thankyou.

On Wednesday, 29 June 2016 13:06:35 UTC+5:30, Vin wrote:

Thanks For your replay

there is a default user like .

kibanaro:
hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC

#password is: kibanaro

I want to rename it with another username.

On Wednesday, 29 June 2016 12:42:24 UTC+5:30, Vin wrote:

Hi,

I want to rename the existing usernames in elasticsearch, Is this possible. if Yes, How?

Thanks.

Am Donnerstag, 30. Juni 2016 06:33:09 UTC+2 schrieb Vin:

Yes, elasticsearch is conecting via 9300 port.

Still same issue.

Connect to localhost:9300

[10:01:39,358][WARN ] org.elasticsearch.com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - [Indech] exception caught on transport layer [[id: 0x5194831f, /127.0.0.1:52542 => localhost/127.0.0.1:9300]], closing connection

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

** at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)**

** at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)**

** at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)**

** at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)**

** at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)**

** at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)**

** at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)**

** at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)**

** at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)**

** at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)**

** at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)**

** at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)**

** at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)**

** at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)**

** at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)**

** at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)**

** at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)**

** at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)**

** at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)**

** at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)**

** at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)**

** at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)**

** at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)**

** at java.lang.Thread.run(Thread.java:745)**

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

** at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)**

** at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)**

** at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)**

** at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)**

** at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)**

** at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)**

** at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)**

** at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)**

** at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)**

** at java.security.AccessController.doPrivileged(Native Method)**

** at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)**

** at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)**

** at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)**

** … 18 more**

Caused by: java.security.cert.CertificateException: No name matching localhost found

** at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)**

** at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)**

** at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)**

** at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)**

** at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)**

** at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)**

** at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)**

** … 26 more**

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

** at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)**

** at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)**

** at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)**

** at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)**

** at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)**

** at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)**

** at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)**

** at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)**

** at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)**

On Wednesday, 29 June 2016 18:43:21 UTC+5:30, Jochen Kressin wrote:

The command line arguments should work. I tested again with the default settings from the Search Guard bundle, and your settings:

plugins/search-guard-2/tools/sgadmin.sh -h localhost -p 9300 -f plugins/search-guard-2/sgconfig/sg_internal_users.yml -t internalusers -ks plugins/search-guard-2/sgconfig/CN=sgadmin-keystore.jks -kspass 09331bbe58aa3104745a -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass a2c5d0e04b62aa275753 -icl –disable-host-name-verification

Are you sure that your Elasticsearch nodes are reachable via localhost on port 9300? For example, can you telnet on localhost and port 9300?

Am Mittwoch, 29. Juni 2016 14:05:35 UTC+2 schrieb Jochen Kressin:

You specified the wrong port, 9200 is the HTTP port. Have a look at the error message:

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

**"**localhost/127.0.0.1:9300"

Use the following setting instead:

-p 9300

Am Mittwoch, 29. Juni 2016 13:54:25 UTC+2 schrieb Vin:

I have added the chnaged the username in sg_internal_users.yml. after that I tried to pushed to Search Guard by using the sgadmin.sh using below command

./tools/sgadmin.sh -h localhost -p 9200 -f /path/sg_internal_users.yml -t internalusers --configdir sgconfig/ --keystore /path/kirk-keystore.jks --keystore-password **** --truststore path/truststore.jks --truststore-password **** -icl –disable-host-name-verification

but i got following error

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)

at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)

at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)

at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)

On Wednesday, 29 June 2016 16:17:10 UTC+5:30, Jochen Kressin wrote:

Vinod,

please kindly read the documentation to Search Guard regarding the different authentication methods and how to configure Search Guard in general. You will need to understand some of the basic concepts in order to use Search Guard successfully.

To point you in the right direction:

From your previous post I see that you want to use the internal Search Guard user database (as opposed to advanced authentication backends like LDAP or Kerberos). In this case, all changes regarding usernames and passwords have to be done in “sg_users.yml”. You can change the username here, and also set a new password. The password is hashed, and the hashe can be generated by the hash.sh script that ships with Search Guard.

After you have changed the username in “sg_users.yml”, you will also need to adjust the file “sg_roles_mapping.yml”. This file contains the mapping from users to roles. If in addition you also want to change the roles of the user, this has to be done in “sg_roles.yml”. But this is not relevant if you just want to change username and/or password.

After you changed these files, you need to push the changes to Search Guard. The configuration for Search Guard is kept in a specially secured index, so you can hot reload most of the configuration settings. Config changes have to be pushed to Search Guard by using the sgadmin.sh script that ships with Search Guard.

You can read more about the basic concepts here:

https://github.com/floragunncom/search-guard-docs/blob/master/configuration.md

And I recommend also to kindly read the Kibana chapter, which contains step-by-step instructions on how to set up users, roles and permissions. While this chapter is geared towards Kibana, configuring users and roles is basically always the same:

https://github.com/floragunncom/search-guard-docs/blob/master/kibana.md

Am Mittwoch, 29. Juni 2016 12:31:59 UTC+2 schrieb Vin:

Hi,

I am new to this search guard could you please explain in detail.about renaming the existing user.

Thankyou.

On Wednesday, 29 June 2016 13:06:35 UTC+5:30, Vin wrote:

Thanks For your replay

there is a default user like .

kibanaro:
hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC

#password is: kibanaro

I want to rename it with another username.

On Wednesday, 29 June 2016 12:42:24 UTC+5:30, Vin wrote:

Hi,

I want to rename the existing usernames in elasticsearch, Is this possible. if Yes, How?

Thanks.

On Thursday, 30 June 2016 11:12:28 UTC+5:30, Jochen Kressin wrote:

ok, I have a guess. Could you please post your elasticsearch.yml file so we can see your config settings? Also, what happens if you try to connect via curl or browser to Elasticsearch? Do you get a similar Exception in the logs?

Am Donnerstag, 30. Juni 2016 06:33:09 UTC+2 schrieb Vin:

Yes, elasticsearch is conecting via 9300 port.

Still same issue.

Connect to localhost:9300

[10:01:39,358][WARN ] org.elasticsearch.com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - [Indech] exception caught on transport layer [[id: 0x5194831f, /127.0.0.1:52542 => localhost/127.0.0.1:9300]], closing connection

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

** at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)**

** at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)**

** at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)**

** at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)**

** at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)**

** at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)**

** at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)**

** at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)**

** at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)**

** at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)**

** at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)**

** at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)**

** at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)**

** at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)**

** at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)**

** at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)**

** at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)**

** at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)**

** at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)**

** at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)**

** at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)**

** at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)**

** at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)**

** at java.lang.Thread.run(Thread.java:745)**

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

** at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)**

** at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)**

** at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)**

** at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)**

** at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)**

** at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)**

** at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)**

** at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)**

** at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)**

** at java.security.AccessController.doPrivileged(Native Method)**

** at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)**

** at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)**

** at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)**

** … 18 more**

Caused by: java.security.cert.CertificateException: No name matching localhost found

** at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)**

** at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)**

** at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)**

** at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)**

** at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)**

** at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)**

** at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)**

** … 26 more**

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

** at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)**

** at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)**

** at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)**

** at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)**

** at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)**

** at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)**

** at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)**

** at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)**

** at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)**

On Wednesday, 29 June 2016 18:43:21 UTC+5:30, Jochen Kressin wrote:

The command line arguments should work. I tested again with the default settings from the Search Guard bundle, and your settings:

plugins/search-guard-2/tools/sgadmin.sh -h localhost -p 9300 -f plugins/search-guard-2/sgconfig/sg_internal_users.yml -t internalusers -ks plugins/search-guard-2/sgconfig/CN=sgadmin-keystore.jks -kspass 09331bbe58aa3104745a -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass a2c5d0e04b62aa275753 -icl –disable-host-name-verification

Are you sure that your Elasticsearch nodes are reachable via localhost on port 9300? For example, can you telnet on localhost and port 9300?

Am Mittwoch, 29. Juni 2016 14:05:35 UTC+2 schrieb Jochen Kressin:

You specified the wrong port, 9200 is the HTTP port. Have a look at the error message:

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

**"**localhost/127.0.0.1:9300"

Use the following setting instead:

-p 9300

Am Mittwoch, 29. Juni 2016 13:54:25 UTC+2 schrieb Vin:

I have added the chnaged the username in sg_internal_users.yml. after that I tried to pushed to Search Guard by using the sgadmin.sh using below command

./tools/sgadmin.sh -h localhost -p 9200 -f /path/sg_internal_users.yml -t internalusers --configdir sgconfig/ --keystore /path/kirk-keystore.jks --keystore-password **** --truststore path/truststore.jks --truststore-password **** -icl –disable-host-name-verification

but i got following error

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)

at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)

at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)

at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)

On Wednesday, 29 June 2016 16:17:10 UTC+5:30, Jochen Kressin wrote:

Vinod,

please kindly read the documentation to Search Guard regarding the different authentication methods and how to configure Search Guard in general. You will need to understand some of the basic concepts in order to use Search Guard successfully.

To point you in the right direction:

From your previous post I see that you want to use the internal Search Guard user database (as opposed to advanced authentication backends like LDAP or Kerberos). In this case, all changes regarding usernames and passwords have to be done in “sg_users.yml”. You can change the username here, and also set a new password. The password is hashed, and the hashe can be generated by the hash.sh script that ships with Search Guard.

After you have changed the username in “sg_users.yml”, you will also need to adjust the file “sg_roles_mapping.yml”. This file contains the mapping from users to roles. If in addition you also want to change the roles of the user, this has to be done in “sg_roles.yml”. But this is not relevant if you just want to change username and/or password.

After you changed these files, you need to push the changes to Search Guard. The configuration for Search Guard is kept in a specially secured index, so you can hot reload most of the configuration settings. Config changes have to be pushed to Search Guard by using the sgadmin.sh script that ships with Search Guard.

You can read more about the basic concepts here:

https://github.com/floragunncom/search-guard-docs/blob/master/configuration.md

And I recommend also to kindly read the Kibana chapter, which contains step-by-step instructions on how to set up users, roles and permissions. While this chapter is geared towards Kibana, configuring users and roles is basically always the same:

https://github.com/floragunncom/search-guard-docs/blob/master/kibana.md

Am Mittwoch, 29. Juni 2016 12:31:59 UTC+2 schrieb Vin:

Hi,

I am new to this search guard could you please explain in detail.about renaming the existing user.

Thankyou.

On Wednesday, 29 June 2016 13:06:35 UTC+5:30, Vin wrote:

Thanks For your replay

there is a default user like .

kibanaro:
hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC

#password is: kibanaro

I want to rename it with another username.

On Wednesday, 29 June 2016 12:42:24 UTC+5:30, Vin wrote:

Hi,

I want to rename the existing usernames in elasticsearch, Is this possible. if Yes, How?

Thanks.

Am Donnerstag, 30. Juni 2016 07:55:22 UTC+2 schrieb Vin:

yeah, In browser i am getting
“Search Guard not initialized (SG11)” error.

On Thursday, 30 June 2016 11:12:28 UTC+5:30, Jochen Kressin wrote:

ok, I have a guess. Could you please post your elasticsearch.yml file so we can see your config settings? Also, what happens if you try to connect via curl or browser to Elasticsearch? Do you get a similar Exception in the logs?

Am Donnerstag, 30. Juni 2016 06:33:09 UTC+2 schrieb Vin:

Yes, elasticsearch is conecting via 9300 port.

Still same issue.

Connect to localhost:9300

[10:01:39,358][WARN ] org.elasticsearch.com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - [Indech] exception caught on transport layer [[id: 0x5194831f, /127.0.0.1:52542 => localhost/127.0.0.1:9300]], closing connection

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

** at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)**

** at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)**

** at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)**

** at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)**

** at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)**

** at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)**

** at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)**

** at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)**

** at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)**

** at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)**

** at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)**

** at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)**

** at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)**

** at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)**

** at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)**

** at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)**

** at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)**

** at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)**

** at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)**

** at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)**

** at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)**

** at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)**

** at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)**

** at java.lang.Thread.run(Thread.java:745)**

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

** at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)**

** at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)**

** at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)**

** at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)**

** at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)**

** at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)**

** at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)**

** at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)**

** at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)**

** at java.security.AccessController.doPrivileged(Native Method)**

** at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)**

** at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)**

** at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)**

** … 18 more**

Caused by: java.security.cert.CertificateException: No name matching localhost found

** at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)**

** at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)**

** at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)**

** at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)**

** at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)**

** at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)**

** at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)**

** … 26 more**

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

** at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)**

** at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)**

** at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)**

** at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)**

** at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)**

** at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)**

** at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)**

** at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)**

** at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)**

On Wednesday, 29 June 2016 18:43:21 UTC+5:30, Jochen Kressin wrote:

The command line arguments should work. I tested again with the default settings from the Search Guard bundle, and your settings:

plugins/search-guard-2/tools/sgadmin.sh -h localhost -p 9300 -f plugins/search-guard-2/sgconfig/sg_internal_users.yml -t internalusers -ks plugins/search-guard-2/sgconfig/CN=sgadmin-keystore.jks -kspass 09331bbe58aa3104745a -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass a2c5d0e04b62aa275753 -icl –disable-host-name-verification

Are you sure that your Elasticsearch nodes are reachable via localhost on port 9300? For example, can you telnet on localhost and port 9300?

Am Mittwoch, 29. Juni 2016 14:05:35 UTC+2 schrieb Jochen Kressin:

You specified the wrong port, 9200 is the HTTP port. Have a look at the error message:

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

**"**localhost/127.0.0.1:9300"

Use the following setting instead:

-p 9300

Am Mittwoch, 29. Juni 2016 13:54:25 UTC+2 schrieb Vin:

I have added the chnaged the username in sg_internal_users.yml. after that I tried to pushed to Search Guard by using the sgadmin.sh using below command

./tools/sgadmin.sh -h localhost -p 9200 -f /path/sg_internal_users.yml -t internalusers --configdir sgconfig/ --keystore /path/kirk-keystore.jks --keystore-password **** --truststore path/truststore.jks --truststore-password **** -icl –disable-host-name-verification

but i got following error

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)

at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)

at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)

at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)

On Wednesday, 29 June 2016 16:17:10 UTC+5:30, Jochen Kressin wrote:

Vinod,

please kindly read the documentation to Search Guard regarding the different authentication methods and how to configure Search Guard in general. You will need to understand some of the basic concepts in order to use Search Guard successfully.

To point you in the right direction:

From your previous post I see that you want to use the internal Search Guard user database (as opposed to advanced authentication backends like LDAP or Kerberos). In this case, all changes regarding usernames and passwords have to be done in “sg_users.yml”. You can change the username here, and also set a new password. The password is hashed, and the hashe can be generated by the hash.sh script that ships with Search Guard.

After you have changed the username in “sg_users.yml”, you will also need to adjust the file “sg_roles_mapping.yml”. This file contains the mapping from users to roles. If in addition you also want to change the roles of the user, this has to be done in “sg_roles.yml”. But this is not relevant if you just want to change username and/or password.

After you changed these files, you need to push the changes to Search Guard. The configuration for Search Guard is kept in a specially secured index, so you can hot reload most of the configuration settings. Config changes have to be pushed to Search Guard by using the sgadmin.sh script that ships with Search Guard.

You can read more about the basic concepts here:

https://github.com/floragunncom/search-guard-docs/blob/master/configuration.md

And I recommend also to kindly read the Kibana chapter, which contains step-by-step instructions on how to set up users, roles and permissions. While this chapter is geared towards Kibana, configuring users and roles is basically always the same:

https://github.com/floragunncom/search-guard-docs/blob/master/kibana.md

Am Mittwoch, 29. Juni 2016 12:31:59 UTC+2 schrieb Vin:

Hi,

I am new to this search guard could you please explain in detail.about renaming the existing user.

Thankyou.

On Wednesday, 29 June 2016 13:06:35 UTC+5:30, Vin wrote:

Thanks For your replay

there is a default user like .

kibanaro:
hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC

#password is: kibanaro

I want to rename it with another username.

On Wednesday, 29 June 2016 12:42:24 UTC+5:30, Vin wrote:

Hi,

I want to rename the existing usernames in elasticsearch, Is this possible. if Yes, How?

Thanks.

On Thursday, 30 June 2016 11:37:07 UTC+5:30, Jochen Kressin wrote:

Please try to use 127.0.0.1 instead of localhost. In order for us to reproduce the error: How did you generate the certificates? Did you use the example.sh script?

Am Donnerstag, 30. Juni 2016 07:55:22 UTC+2 schrieb Vin:

yeah, In browser i am getting
“Search Guard not initialized (SG11)” error.

On Thursday, 30 June 2016 11:12:28 UTC+5:30, Jochen Kressin wrote:

ok, I have a guess. Could you please post your elasticsearch.yml file so we can see your config settings? Also, what happens if you try to connect via curl or browser to Elasticsearch? Do you get a similar Exception in the logs?

Am Donnerstag, 30. Juni 2016 06:33:09 UTC+2 schrieb Vin:

Yes, elasticsearch is conecting via 9300 port.

Still same issue.

Connect to localhost:9300

[10:01:39,358][WARN ] org.elasticsearch.com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - [Indech] exception caught on transport layer [[id: 0x5194831f, /127.0.0.1:52542 => localhost/127.0.0.1:9300]], closing connection

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

** at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)**

** at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)**

** at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)**

** at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)**

** at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)**

** at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)**

** at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)**

** at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)**

** at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)**

** at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)**

** at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)**

** at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)**

** at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)**

** at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)**

** at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)**

** at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)**

** at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)**

** at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)**

** at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)**

** at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)**

** at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)**

** at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)**

** at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)**

** at java.lang.Thread.run(Thread.java:745)**

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

** at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)**

** at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)**

** at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)**

** at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)**

** at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)**

** at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)**

** at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)**

** at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)**

** at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)**

** at java.security.AccessController.doPrivileged(Native Method)**

** at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)**

** at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)**

** at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)**

** … 18 more**

Caused by: java.security.cert.CertificateException: No name matching localhost found

** at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)**

** at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)**

** at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)**

** at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)**

** at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)**

** at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)**

** at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)**

** … 26 more**

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

** at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)**

** at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)**

** at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)**

** at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)**

** at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)**

** at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)**

** at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)**

** at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)**

** at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)**

On Wednesday, 29 June 2016 18:43:21 UTC+5:30, Jochen Kressin wrote:

The command line arguments should work. I tested again with the default settings from the Search Guard bundle, and your settings:

plugins/search-guard-2/tools/sgadmin.sh -h localhost -p 9300 -f plugins/search-guard-2/sgconfig/sg_internal_users.yml -t internalusers -ks plugins/search-guard-2/sgconfig/CN=sgadmin-keystore.jks -kspass 09331bbe58aa3104745a -ts plugins/search-guard-2/sgconfig/truststore.jks -tspass a2c5d0e04b62aa275753 -icl –disable-host-name-verification

Are you sure that your Elasticsearch nodes are reachable via localhost on port 9300? For example, can you telnet on localhost and port 9300?

Am Mittwoch, 29. Juni 2016 14:05:35 UTC+2 schrieb Jochen Kressin:

You specified the wrong port, 9200 is the HTTP port. Have a look at the error message:

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

**"**localhost/127.0.0.1:9300"

Use the following setting instead:

-p 9300

Am Mittwoch, 29. Juni 2016 13:54:25 UTC+2 schrieb Vin:

I have added the chnaged the username in sg_internal_users.yml. after that I tried to pushed to Search Guard by using the sgadmin.sh using below command

./tools/sgadmin.sh -h localhost -p 9200 -f /path/sg_internal_users.yml -t internalusers --configdir sgconfig/ --keystore /path/kirk-keystore.jks --keystore-password **** --truststore path/truststore.jks --truststore-password **** -icl –disable-host-name-verification

but i got following error

Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{127.0.0.1}{localhost/127.0.0.1:9300}]]

at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)

at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)

at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)

at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)

at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)

On Wednesday, 29 June 2016 16:17:10 UTC+5:30, Jochen Kressin wrote:

Vinod,

please kindly read the documentation to Search Guard regarding the different authentication methods and how to configure Search Guard in general. You will need to understand some of the basic concepts in order to use Search Guard successfully.

To point you in the right direction:

From your previous post I see that you want to use the internal Search Guard user database (as opposed to advanced authentication backends like LDAP or Kerberos). In this case, all changes regarding usernames and passwords have to be done in “sg_users.yml”. You can change the username here, and also set a new password. The password is hashed, and the hashe can be generated by the hash.sh script that ships with Search Guard.

After you have changed the username in “sg_users.yml”, you will also need to adjust the file “sg_roles_mapping.yml”. This file contains the mapping from users to roles. If in addition you also want to change the roles of the user, this has to be done in “sg_roles.yml”. But this is not relevant if you just want to change username and/or password.

After you changed these files, you need to push the changes to Search Guard. The configuration for Search Guard is kept in a specially secured index, so you can hot reload most of the configuration settings. Config changes have to be pushed to Search Guard by using the sgadmin.sh script that ships with Search Guard.

You can read more about the basic concepts here:

https://github.com/floragunncom/search-guard-docs/blob/master/configuration.md

And I recommend also to kindly read the Kibana chapter, which contains step-by-step instructions on how to set up users, roles and permissions. While this chapter is geared towards Kibana, configuring users and roles is basically always the same:

https://github.com/floragunncom/search-guard-docs/blob/master/kibana.md

Am Mittwoch, 29. Juni 2016 12:31:59 UTC+2 schrieb Vin:

Hi,

I am new to this search guard could you please explain in detail.about renaming the existing user.

Thankyou.

On Wednesday, 29 June 2016 13:06:35 UTC+5:30, Vin wrote:

Thanks For your replay

there is a default user like .

kibanaro:
hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC

#password is: kibanaro

I want to rename it with another username.

On Wednesday, 29 June 2016 12:42:24 UTC+5:30, Vin wrote:

Hi,

I want to rename the existing usernames in elasticsearch, Is this possible. if Yes, How?

Thanks.