Question about basic setup

I’ve used the sample config from the readme,

```
#####################################################
# Settings based authorization (define users and their roles directly here in the settings. Note: this is per node)
searchguard.authentication.authorization.settingsdb.roles.spock: ["kolinahr","starfleet","command"]
searchguard.authentication.authorization.settingsdb.roles.admin: ["root"]
searchguard.authentication.authorization.settingsdb.roles.michaeljackson: ["kingofpop","superstar"]
#####################################################

#############################################################################################
#Below here you configure what authenticated and authorized users are allowed to do (or not)#
#This maps to the acl defined in the searchguard configuration index #
#############################################################################################

# Configure the actionrequestfilter to allow or forbid action
searchguard.actionrequestfilter.names: ["readonly"]
searchguard.actionrequestfilter.readonly.allowed_actions: ["indices:data/read/*", "*monitor*"]
searchguard.actionrequestfilter.readonly.forbidden_actions: ["cluster:*", "indices:admin*"]
```

and I’ve added the user roles in the sample acl under the searchguard index

```
curl -XPUT 'http://localhost:9200/searchguard/ac/ac?pretty' -d '
{"acl": [
    {
      "__Comment__": "Default is to execute all filters",
      "filters_bypass": [],
      "filters_execute": ["*"]
    },
    {
      "__Comment__": "Any authenticated user do anything on the 'public' index - no filter will be executed",
      "indices": ["public"],
      "filters_bypass": ["*"],
      "filters_execute": []
    },
    {
      "__Comment__": "This means any user with the role starfleet or command can do anything with the starfleetinfos index",
      "roles" : ["starfleet", "command"],
      "indices": ["starfleetinfos"],
      "filters_bypass": ["*"],
      "filters_execute": []
    },
    {
      "__Comment__": "This means that every requestor (regardless of the requestors hostname and username) which has the root role can do anything",
      "roles": [
        "root"
      ],
      "filters_bypass": ["*"],
      "filters_execute": []
    },
    {
      "__Comment__": "This means that the user michaeljackson can do anything on index popstuff.",
      "users": ["michaeljackson"],
      "indices": ["popstuff"],
      "filters_bypass": ["*"],
      "filters_execute": []
    },
    {
      "__Comment__": "This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other",
      "users": ["spock"],
      "indices": ["popstuff"],
      "filters_bypass": [],
      "filters_execute": ["actionrequestfilter.readonly"]
    }
  ]}'
```

I’ve also had to add

```
searchguard.check_for_root: false
```

since I’m running on a Windows machine as an admin user. Now when I start up my nodes, it doesn’t seem like there’s any security in place - I can curl anything and update docs/indexes without any prompts for authentication, which is probably related to the fact that my elasticsearch.bat files keep reloading their status every second with

```
[com.floragunn.searchguard.service.SearchGuardConfigService] Security configuration reloaded
```

Does anyone know what the problem might be? Thanks!
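A pre-flight check for the ACL body before it is PUT into the searchguard index, as an added example that is not part of the original post and not Search Guard code. `lint_acl` and the sample strings are constructed; it assumes, following the sample above, that every rule carries both filter lists, that filter names take the form `actionrequestfilter.<name>`, and that settingsdb is the only source of roles.

```python
import json

ROLE_PREFIX = "searchguard.authentication.authorization.settingsdb.roles."
# Constructed node settings, reduced from the elasticsearch.yml quoted in the post.
SETTINGS = {
    "searchguard.actionrequestfilter.names": ["readonly"],
    ROLE_PREFIX + "spock": ["kolinahr", "starfleet", "command"],
    ROLE_PREFIX + "admin": ["root"],
}
# Constructed ACL bodies: a clean one, one with an empty value, one with typos.
GOOD_ACL = """{"acl": [
  {"filters_bypass": [], "filters_execute": ["*"]},
  {"roles": ["root"], "filters_bypass": ["*"], "filters_execute": []},
  {"users": ["spock"], "indices": ["popstuff"],
   "filters_bypass": [], "filters_execute": ["actionrequestfilter.readonly"]}]}"""
BROKEN_ACL = '{"acl": [{"filters_bypass": , "filters_execute": ["*"]}]}'
TYPO_ACL = """{"acl": [
  {"roles": ["startfleet"], "filters_bypass": ["*"]},
  {"filters_bypass": [], "filters_execute": ["actionrequestfilter.readonyl"]}]}"""


def lint_acl(acl_text, settings):
    """Return a list of problems in an ACL document; an empty list means none found."""
    try:
        doc = json.loads(acl_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno} col {exc.colno}: {exc.msg}"]
    rules = doc.get("acl") if isinstance(doc, dict) else None
    if not isinstance(rules, list):
        return ['top-level "acl" must be a list of rules']
    names = settings.get("searchguard.actionrequestfilter.names", [])
    known_filters = {"actionrequestfilter." + n for n in names}
    known_roles = {r for k, v in settings.items() if k.startswith(ROLE_PREFIX) for r in v}
    problems = []
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            problems.append(f"rule {i}: not a JSON object")
            continue
        for key in ("filters_bypass", "filters_execute"):
            if not isinstance(rule.get(key), list):
                problems.append(f"rule {i}: {key} must be a list, [] for none")
                continue
            for name in rule[key]:
                if name != "*" and name not in known_filters:
                    problems.append(f"rule {i}: {key} names unknown filter {name!r}")
        for role in rule.get("roles", []):
            if role not in known_roles:
                problems.append(f"rule {i}: role {role!r} is held by no settingsdb user")
    return problems
```

A rule that names a misspelled role or filter still parses as JSON, so it is only caught by the cross-check against the node settings.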

It seems like there is an error here:

```
[2015-06-23 17:18:00,530][ERROR][com.floragunn.searchguard.service.SearchGuardConfigService] [Optimize Node] Try to refresh security configuration but it failed due to org.elasticsearch.action.NoShardAvailableActionException: [searchguard][4] null
```

The NoShardAvailableException appears whenever I run the .bat file - even for the first time.


Does this problem still occur? Because in your other post it seems you have SG up and running.

On 23.06.2015 at 23:19, Nathan Miranda <nate845@gmail.com> wrote:

It seems like there is an error here:

[2015-06-23 17:18:00,530][ERROR][com.floragunn.searchguard.service.SearchGuardConfigService] [Optimize Node] Try to refresh security configuration but it failed due to org.elasticsearch.action.NoShardAvailableActionException: [searchguard][4] null

The NoShardAvailableException appears whenever I run the .bat file - even for the first time.

On Tuesday, June 23, 2015 at 5:07:39 PM UTC-4, Nathan Miranda wrote:
I've used the sample config from the readme,

#####################################################
# Settings based authorization (define users and their roles directly here in the settings. Note: this is per node)
searchguard.authentication.authorization.settingsdb.roles.spock: ["kolinahr","starfleet","command"]
searchguard.authentication.authorization.settingsdb.roles.admin: ["root"]
searchguard.authentication.authorization.settingsdb.roles.michaeljackson: ["kingofpop","superstar"]
#####################################################

#############################################################################################
#Below here you configure what authenticated and authorized users are allowed to do (or not)#
#This maps to the acl defined in the searchguard configuration index #
#############################################################################################

# Configure the actionrequestfilter to allow or forbid action
searchguard.actionrequestfilter.names: ["readonly"]
searchguard.actionrequestfilter.readonly.allowed_actions: ["indices:data/read/*", "*monitor*"]
searchguard.actionrequestfilter.readonly.forbidden_actions: ["cluster:*", "indices:admin*"]

and I've added the user roles in the sample acl under the searchguard index

curl -XPUT 'http://localhost:9200/searchguard/ac/ac?pretty' -d '

{"acl": [
    {
      "__Comment__": "Default is to execute all filters",
      "filters_bypass": [],
      "filters_execute": ["*"]
    },
    {
      "__Comment__": "Any authenticated user do anything on the 'public' index - no filter will be executed",
      "indices": ["public"],
      "filters_bypass": ["*"],
      "filters_execute": []
    },
    {
      "__Comment__": "This means any user with the role starfleet or command can do anything with the starfleetinfos index",
      "roles" : ["starfleet", "command"],
      "indices": ["starfleetinfos"],
      "filters_bypass": ["*"],
      "filters_execute": []
    },
    {
      "__Comment__": "This means that every requestor (regardless of the requestors hostname and username) which has the root role can do anything",
      "roles": [
        "root"
      ],
      "filters_bypass": ["*"],
      "filters_execute": []
    },
    {
      "__Comment__": "This means that the user michaeljackson can do anything on index popstuff.",
      "users": ["michaeljackson"],
      "indices": ["popstuff"],
      "filters_bypass": ["*"],
      "filters_execute": []
    },
    {
      "__Comment__": "This means that for the user spock on index popstuff only the actionrequestfilter.readonly will be executed, no other",
      "users": ["spock"],
      "indices": ["popstuff"],
      "filters_bypass": [],
      "filters_execute": ["actionrequestfilter.readonly"]
    }
  ]}'

I've also had to add
searchguard.check_for_root: false

since I'm running on a Windows machine as an admin user. Now when I start up my nodes, it doesn't seem like there's any security in place - I can curl anything and update docs/indexes without any prompts for authentication, which is probably related to the fact that my elasticsearch.bat files keep reloading their status every second with

[com.floragunn.searchguard.service.SearchGuardConfigService] Security configuration reloaded

Does anyone know what the problem might be? Thanks!
