Problems with GET/PUT internalusers

I have ES6.4. I am using basic auth and I can use the SG secured cluster to collect data and view it in Kibana.
I am trying to use the REST API to add more users to internalusers so I can have customer specific logins to Kibana.

Following these docs, as admin in the Kibana console or using CURL I submit the following:

```
GET /_searchguard/api/internalusers/
```

but I get the error:

```json
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "Unexpected exception indices:data/read/get"
      }
    ],
    "type": "security_exception",
    "reason": "Unexpected exception indices:data/read/get"
  },
  "status": 500
}
```

I have also tried single users e.g.:

```
GET /_searchguard/api/internalusers/kibanaro
```

but get:

```json
{
  "error": "no handler found for uri [/_searchguard/api/internalusers/kibanaro] and method [GET]"
}
```

I also tried to simply view the content of the searchguard index with this:

```sh
curl -sku admin:<password> https://localhost:9200/_search/searchguard?pretty -H 'Content-Type: application/json' -d '{ "query" :{"match_all":{}}}'
```

but got a similar error to the internalusers call:

```json
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "Unexpected exception indices:data/write/index"
      }
    ],
    "type" : "security_exception",
    "reason" : "Unexpected exception indices:data/write/index"
  },
  "status" : 500
}
```

Can you point me in the right direction.

Regards,

Martin

···

Initialise SG with:

```sh
./sgadmin.sh -cd ../sgconfig/ -nhnv -icl -arc -cacert root-ca.pem -cert admin.pem -key admin.key
```

SG reports everything is up, status green.

sgconfig folder (sg_action_groups.yml, sg_roles_mapping.yml & sg_roles.yml are unchanged).

sg_config.yml

```yaml
searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        internalProxies: '.*'
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
        trustedProxies: '.*'
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
```

sg_internal_users.yml

```yaml
admin:
  readonly: true
  hash: <hashed password>
  roles:
    - admin

logstash:
  readonly: true
  hash: <hashed password>
  roles:
    - logstash

kibanaserver:
  readonly: true
  hash: <hashed password>

kibanaro:
  readonly: true
  hash: <hashed password>
  roles:
    - kibanauser
    - readall

readall:
  readonly: true
  hash: <hashed password>
  roles:
    - readall

snapshotrestore:
  readonly: true
  hash: <hashed password>
  roles:
    - snapshotrestore
```

Can you post your elasticsearch.yml pls?

···

On 17.10.2018 at 11:56, Martin <martin.lester@vualto.com> wrote:

I have ES6.4. I am using basic auth and I can use the SG secured cluster to collect data and view it in Kibana.
I am trying to use the REST API to add more users to internalusers so I can have customer specific logins to Kibana.

Following these docs, as admin in the Kibana console or using CURL I submit the following:

GET /_searchguard/api/internalusers/

but I get the error:
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "Unexpected exception indices:data/read/get"
      }
    ],
    "type": "security_exception",
    "reason": "Unexpected exception indices:data/read/get"
  },
  "status": 500
}

I have also tried single users e.g.:

GET /_searchguard/api/internalusers/kibanaro

but get:
{
  "error": "no handler found for uri [/_searchguard/api/internalusers/kibanaro] and method [GET]"
}

I also tried to simply view the content of the searchguard index with this:

curl -sku admin:<password> https://localhost:9200/_search/searchguard?pretty -H 'Content-Type: application/json' -d '{ "query" :{"match_all":{}}}'

but got a similar error to the internalusers call:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "Unexpected exception indices:data/write/index"
      }
    ],
    "type" : "security_exception",
    "reason" : "Unexpected exception indices:data/write/index"
  },
  "status" : 500
}

Can you point me in the right direction.

Regards,
  Martin

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Initialise SG with:

./sgadmin.sh -cd ../sgconfig/ -nhnv -icl -arc -cacert root-ca.pem -cert admin.pem -key admin.key

SG reports everything is up, status green.

sgconfig folder (sg_action_groups.yml, sg_roles_mapping.yml & sg_roles.yml are unchanged).

# sg_config.yml
searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        internalProxies: '.*'
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
        trustedProxies: '.*'
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern

# sg_internal_users.yml
admin:
  readonly: true
  hash: <hashed password>
  roles:
    - admin

logstash:
  readonly: true
  hash: <hashed password>
  roles:
    - logstash

kibanaserver:
  readonly: true
  hash: <hashed password>

kibanaro:
  readonly: true
  hash: <hashed password>
  roles:
    - kibanauser
    - readall

readall:
  readonly: true
  hash: <hashed password>
  roles:
    - readall

snapshotrestore:
  readonly: true
  hash: <hashed password>
  roles:
    - snapshotrestore

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d6566674-87d5-43b6-af70-add0c80ed730%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

elasticsearch.yml

```yaml
xpack.security.enabled: false
searchguard.enterprise_modules_enabled: false
searchguard.ssl.transport.pemcert_filepath: config/node.pem
searchguard.ssl.transport.pemkey_filepath: config/node.key
searchguard.ssl.transport.pemtrustedcas_filepath: config/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.ssl.http.pemcert_filepath: config/node.pem
searchguard.ssl.http.pemkey_filepath: config/node.key
searchguard.ssl.http.pemtrustedcas_filepath: config/root-ca.pem
searchguard.nodes_dn:
  - CN=*.vudrm.tech
  - CN=node.ca.vudrm.tech,OU=CA,O=VUDRM,DC=vurdm,DC=tech
searchguard.authcz.admin_dn:
  - CN=admin.ca.vudrm.tech,OU=CA,O=VUDRM,DC=vurdm,DC=tech

cluster.name: "elasticsearch-aws-live"
bootstrap.memory_lock: true
node.attr.rack_id: SPOT
node.master: true
node.data: false
discovery.zen.minimum_master_nodes: 2
gateway.recover_after_nodes: 5
discovery.zen.ping.unicast.hosts: ["192.168.1.11", "192.168.1.12", "192.168.1.13", "192.168.2.11", "192.168.2.12", "192.168.2.13", "192.168.3.11", "192.168.3.12", "192.168.3.13"]
network.host: ["127.0.0.1","192.168.1.11"]
```

You need to set "searchguard.enterprise_modules_enabled: true" because REST api is an enterprise feature.
For production usage you also need to obtain a license. Pls contact us here https://search-guard.com/contacts/

Pls see "Feature comparison" https://search-guard.com/product/ for more details about free and commercial/enterprise features

···

On 17.10.2018 at 16:03, Martin <martin.lester@vualto.com> wrote:

# elasticsearch.yml

xpack.security.enabled: false
searchguard.enterprise_modules_enabled: false
searchguard.ssl.transport.pemcert_filepath: config/node.pem
searchguard.ssl.transport.pemkey_filepath: config/node.key
searchguard.ssl.transport.pemtrustedcas_filepath: config/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.ssl.http.pemcert_filepath: config/node.pem
searchguard.ssl.http.pemkey_filepath: config/node.key
searchguard.ssl.http.pemtrustedcas_filepath: config/root-ca.pem
searchguard.nodes_dn:
  - CN=*.vudrm.tech
  - CN=node.ca.vudrm.tech,OU=CA,O=VUDRM,DC=vurdm,DC=tech
searchguard.authcz.admin_dn:
  - CN=admin.ca.vudrm.tech,OU=CA,O=VUDRM,DC=vurdm,DC=tech

cluster.name: "elasticsearch-aws-live"
bootstrap.memory_lock: true
node.attr.rack_id: SPOT
node.master: true
node.data: false
discovery.zen.minimum_master_nodes: 2
gateway.recover_after_nodes: 5
discovery.zen.ping.unicast.hosts: ["192.168.1.11", "192.168.1.12", "192.168.1.13", "192.168.2.11", "192.168.2.12", "192.168.2.13", "192.168.3.11", "192.168.3.12", "192.168.3.13"]
network.host: ["127.0.0.1","192.168.1.11"]


Thanks, I missed that. I read it as the Kibana integration was an enterprise feature whereas REST was community … not sure why.

I have a few questions about using sgadmin to achieve defining new users on the running system. i.e. if I use:

```sh
./sgadmin.sh -f ../sgconfig/sg_internal_users.yml -t internalusers \
  -ts ... -tspass ... -ks ... -kspass ...
```

Does this take immediate effect? i.e. without node/cluster restart

Will sg_internal_users.yml overwrite or extend the currently loaded set of internal users? Could I have a 2nd file? e.g. customer_users.yml that only contained the more volatile list of customers and their user config.

As a suggestion for your docs, I think the reason I missed that the feature was enterprise was because it is just shown at the top of the page and I was linked to the page from another doc. Either it skipped me to a particular section or I simply scrolled past the intro as I had read it before. One solution could be to add a faint watermark as your page background stating the edition to which the page applies, or you could make the edition button position absolute so it is always visible at the top right of the page.

···

You need to set “searchguard.enterprise_modules_enabled: true” because REST api is an enterprise feature.

I have got in contact with regards to getting a license and I have answered my own previous 2 questions, but I am unable to add users.

Can you give an example of how I should update the roles/roles_mapping/internalusers so I can restrict a user so that they can only see indices with their name in it.

i.e. I am trying to add something like this in sg_roles.yml but with little success so far.

```yaml
sg_userA:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'logstash-${user_name}-*':
      '*':
        - READ
        - INDEX
    '*':
      '*':
        - indices:data/read/field_caps
```

Can you post all sg_*.yml files please?

···

On 18.10.2018 at 18:26, Martin <martin.lester@vualto.com> wrote:

I have got in contact with regards to getting a license and I have answered my own previous 2 questions, but I am unable to add users.

Can you give an example of how I should update the roles/roles_mapping/internalusers so I can restrict a user so that they can only see indices with their name in it.

i.e. I am trying to add something like this in sg_roles.yml but with little success so far.

sg_userA:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'logstash-${user_name}-*':
      '*':
        - READ
        - INDEX
    '*':
      '*':
        - indices:data/read/field_caps


Sorry for the delay I was on holiday.

My plan was to add similar entries for each customer (probably using Ansible). customer here is just a test name but there is data in ES for logstash-customer-*. The aim is to have a Kibana login that allows a customer to view only the data we have stored for them in logstash--

Added this to sg_internal_users.yml

```yaml
customer:
  readonly: false
  hash: $2y$12$hashed.password
  roles:
    - kibanauser
    - customer
```

Added to sg_roles.yml:

```yaml
sg_customer:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    'logstash-customer-*':
      '*':
        - READ
        - INDEX
```

Added to sg_roles_mapping.yml:

```yaml
sg_customer:
  backendroles:
    - customer
```
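As an added example, not part of this thread or of Search Guard's own tooling, a small Python script that renders per-customer entries in the shape of the sg_internal_users.yml / sg_roles.yml / sg_roles_mapping.yml snippets above (the templating the Ansible plan implies) and checks that customer names cannot make one tenant's logstash-<name>-* pattern match another tenant's indices. The name rule, the sample index names, and the use of fnmatch as a stand-in for Search Guard's wildcard matching are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed example: render per-customer entries shaped like the
# sg_internal_users.yml / sg_roles.yml / sg_roles_mapping.yml snippets in this
# thread, and check that no customer's index pattern reaches another customer's
# indices. fnmatchcase stands in for Search Guard's wildcard matching (assumption).
NAME_RE = re.compile(r"^[a-z0-9]+$")  # assumption: no '-', '*' or '?' in names


def validate_customer_name(customer):
    """Reject names that could make logstash-<name>-* overlap another customer."""
    if not NAME_RE.match(customer):
        raise ValueError(f"customer name {customer!r} must match {NAME_RE.pattern}")
    return customer


def render_customer(customer, password_hash):
    """Return (internal_users, roles, roles_mapping) YAML fragments for one customer."""
    name = validate_customer_name(customer)
    users = (f"{name}:\n  readonly: false\n  hash: {password_hash}\n"
             f"  roles:\n    - kibanauser\n    - {name}\n")
    kibana = "      '*':\n        - MANAGE\n        - INDEX\n        - READ\n        - DELETE\n"
    roles = (f"sg_{name}:\n  readonly: true\n  cluster:\n    - INDICES_MONITOR\n"
             f"    - CLUSTER_COMPOSITE_OPS\n  indices:\n"
             f"    '?kibana':\n{kibana}    '?kibana-6':\n{kibana}"
             f"    'logstash-{name}-*':\n      '*':\n        - READ\n        - INDEX\n")
    mapping = f"sg_{name}:\n  backendroles:\n    - {name}\n"
    return users, roles, mapping


def overlapping_grants(customers, indices):
    """indices maps index name -> owning customer. Returns (customer, index) pairs
    where a customer's pattern would also match an index belonging to someone else."""
    leaks = []
    for customer in customers:
        pattern = f"logstash-{customer}-*"
        for index, owner in indices.items():
            if owner != customer and fnmatchcase(index, pattern):
                leaks.append((customer, index))
    return leaks


if __name__ == "__main__":
    for fragment in render_customer("customer", "$2y$12$hashed.password"):
        print(fragment)
    # Constructed index names: a hyphenated customer name lets "acme" read "acme-eu" data.
    print(overlapping_grants(["acme", "acme-eu"],
                             {"logstash-acme-2018.10.24": "acme",
                              "logstash-acme-eu-2018.10.24": "acme-eu"}))
```

The hash placeholder comes from the thread; real hashes are produced with the Search Guard hash tool and should not be committed to a repository alongside the generated files.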

Hi Martin,

is this resolved?

···

On Wednesday, 24 October 2018 12:31:26 UTC+2, Martin wrote:

Sorry for the delay I was on holiday.

My plan was to add similar entries for each customer (probably using Ansible). customer here is just a test name but there is data in ES for logstash-customer-*. The aim is to have a Kibana login that allows a customer to view only the data we have stored for them in logstash--

Added this to sg_internal_users.yml

```yaml
customer:
  readonly: false
  hash: $2y$12$hashed.password
  roles:
    - kibanauser
    - customer
```

Added to sg_roles.yml:

```yaml
sg_customer:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    'logstash-customer-*':
      '*':
        - READ
        - INDEX
```

Added to sg_roles_mapping.yml:

```yaml
sg_customer:
  backendroles:
    - customer
```