Am 12.07.2017 um 16:14 schrieb Michael <idiotek@gmail.com>:

OS: Red Hat Enterprise Linux Server release 7.3
JVM: openjdk version "1.8.0_111"
Search Guard: 5.5.0-14
Elasticsearch: 5.5.0-1

Number of nodes in cluster: 3

I upgraded from Search Guard 5.3.0 & Elasticsearch 5.3.0 and found I cannot update my Search Guard configuration using sgadmin.sh anymore. Whenever I run the the sgadmin.sh command, I get the following below error:

> plugins/search-guard-5/tools/sgadmin.sh -h myhost -cd plugins/search-guard-5/sgconfig/ -ks mykeystore.jks -kspass kspass -ts mytruststore.jks -tspass tspass -nhnv -icl

Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: mycluster
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 2
ERR: An unexpected ElasticsearchSecurityException occured: no permissions for indices:admin/exists
Trace:
ElasticsearchSecurityException[no permissions for indices:admin/exists]
at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:147)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:168)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:142)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:64)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:54)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceivedDecorate(SearchGuardSSLRequestHandler.java:177)
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:191)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:139)
at com.floragunn.searchguard.SearchGuardPlugin$2$1.messageReceived(SearchGuardPlugin.java:336)
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69)
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110)
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501)
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385)
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
at java.lang.Thread.run(Thread.java:745)

Using the Search Guard REST Management API, I gotten the relevant current configuration items.

actiongroups
{
  "CLUSTER_ALL" : [
    "cluster:*"
  ],
  "ALL" : [
    "indices:*"
  ],
  "CRUD" : [
    "READ",
    "WRITE"
  ],
  "SEARCH" : [
    "indices:data/read/search*",
    "indices:data/read/msearch*",
    "SUGGEST"
  ],
  "MONITOR" : [
    "indices:monitor/*"
  ],
  "DATA_ACCESS" : [
    "indices:data/*",
    "indices:admin/mapping/put"
  ],
  "CREATE_INDEX" : [
    "indices:admin/create",
    "indices:admin/mapping/put"
  ],
  "WRITE" : [
    "indices:data/write*",
    "indices:admin/mapping/put"
  ],
  "MANAGE_ALIASES" : [
    "indices:admin/aliases*"
  ],
  "READ" : [
    "indices:data/read*"
  ],
  "DELETE" : [
    "indices:data/write/delete*"
  ],
  "CLUSTER_COMPOSITE_OPS" : [
    "indices:data/write/bulk",
    "indices:admin/aliases*",
    "CLUSTER_COMPOSITE_OPS_RO"
  ],
  "CLUSTER_COMPOSITE_OPS_RO" : [
    "indices:data/read/mget",
    "indices:data/read/msearch",
    "indices:data/read/mtv",
    "indices:data/read/coordinate-msearch*",
    "indices:admin/aliases/exists*",
    "indices:admin/aliases/get*"
  ],
  "GET" : [
    "indices:data/read/get*",
    "indices:data/read/mget*"
  ],
  "MANAGE" : [
    "indices:monitor/*",
    "indices:admin/*"
  ],
  "CLUSTER_MONITOR" : [
    "cluster:monitor/*"
  ],
  "INDEX" : [
    "indices:data/write/index*",
    "indices:data/write/update*",
    "indices:admin/mapping/put"
  ],
  "SUGGEST" : [
    "indices:data/read/suggest*"
  ]
}

roles
{

  "sg_all_access" : {
    "cluster" : [
      "*"
    ],
    "indices" : {
      "*" : {
        "*" : [
          "*"
        ]
      }
    }
  },
  "sg_kibana" : {
    "cluster" : [
      "CLUSTER_MONITOR",
      "CLUSTER_COMPOSITE_OPS_RO"
    ],
    "indices" : {
      "*" : {
        "*" : [
          "READ",
          "indices:admin/mappings/fields/get*"
        ]
      },
      "?kibana" : {
        "*" : [
          "ALL"
        ]
      }
    }
  },
  "sg_public" : {
    "cluster" : [
      "cluster:monitor/main",
      "CLUSTER_COMPOSITE_OPS_RO"
    ]
  },
  "sg_own_index" : {
    "cluster" : [
      "CLUSTER_COMPOSITE_OPS"
    ],
    "indices" : {
      "${user_name}" : {
        "*" : [
          "ALL"
        ]
      }
    }
  },
  "sg_logstash" : {
    "cluster" : [
      "indices:admin/template/get",
      "indices:admin/template/put",
      "CLUSTER_MONITOR",
      "CLUSTER_COMPOSITE_OPS"
    ],
    "indices" : {
      "*beat*" : {
        "*" : [
          "CRUD",
          "CREATE_INDEX"
        ]
      },
      "logstash-*" : {
        "*" : [
          "CRUD",
          "CREATE_INDEX"
        ]
      }
    }
  },
  "sg_readall" : {
    "cluster" : [
      "CLUSTER_COMPOSITE_OPS_RO"
    ],
    "indices" : {
      "*" : {
        "*" : [
          "READ"
        ]
      }
    }
  }
}

rolesmapping
{
  "sg_all_access" : {
    "users" : [
      "admin"
    ]
  },
  "sg_kibana" : {
    "users" : [
      "kibana"
    ]
  },
  "sg_logstash" : {
    "users" : [
      "logstash"
    ]
  },
  "sg_readall" : {
    "users" : [
      "ronly1"
    ]
  }
}

Any suggestions for overcoming this issue?

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e643a359-df02-4989-b163-eb3c13b6d460%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node1-keystore.jks
searchguard.ssl.http.keystore_password: node1pass
searchguard.ssl.http.truststore_filepath: mytruststore.jks
searchguard.ssl.http.truststore_password: tspass
searchguard.ssl.transport.keystore_filepath: node1-keystore.jks
searchguard.ssl.transport.keystore_password: node1pass
searchguard.ssl.transport.truststore_filepath: mytruststore.jks
searchguard.ssl.transport.truststore_password: tspass
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.authcz.admin_dn:

• CN=sgadmin
• CN=node1-keystore

``

Here’s the relevant keystores

keytool -list -keystore plugins/search-guard-5/sgconfig/sgadmin-keystore.jks -storepass sgpass

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

cn=sgadmin, Apr 5, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): :::::::::::::::::::

keytool -list -keystore plugins/search-guard-5/sgconfig/node1-keystore.jks -storepass node1pass

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

cn=node1-keystore, Apr 5, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): :::::::::::::::::::

keytool -list -keystore plugins/search-guard-5/sgconfig/mytruststore.jks -storepass tspass

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

root-ca-chain, Apr 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): :::::::::::::::::::

``

The keystores were not changed as part of the upgrade and the same sgadmin command provided was able to run sgadmin.sh in SG 5.3.0 and ES 5.3.0.

On Thursday, 13 July 2017 00:14:25 UTC+10, Michael wrote:

OS: Red Hat Enterprise Linux Server release 7.3

JVM: openjdk version “1.8.0_111”

Search Guard: 5.5.0-14

Elasticsearch: 5.5.0-1

Number of nodes in cluster: 3

I upgraded from Search Guard 5.3.0 & Elasticsearch 5.3.0 and found I cannot update my Search Guard configuration using sgadmin.sh anymore. Whenever I run the the sgadmin.sh command, I get the following below error:

plugins/search-guard-5/tools/sgadmin.sh -h myhost -cd plugins/search-guard-5/sgconfig/ -ks mykeystore.jks -kspass kspass -ts mytruststore.jks -tspass tspass -nhnv -icl

Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: mycluster
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 2
ERR: An unexpected ElasticsearchSecurityException occured: no permissions for indices:admin/exists
Trace:
ElasticsearchSecurityException[no permissions for indices:admin/exists]
at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:147)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:168)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:142)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:64)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:54)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceivedDecorate(SearchGuardSSLRequestHandler.java:177)
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:191)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:139)
at com.floragunn.searchguard.SearchGuardPlugin$2$1.messageReceived(SearchGuardPlugin.java:336)
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69)
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110)
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501)
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385)
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
at java.lang.Thread.run(Thread.java:745)

``

Using the Search Guard REST Management API, I gotten the relevant current configuration items.

actiongroups

{
“CLUSTER_ALL” : [
“cluster:"
],
“ALL” : [
"indices:”
],
“CRUD” : [
“READ”,
“WRITE”
],
“SEARCH” : [
“indices:data/read/search*”,
“indices:data/read/msearch*”,
“SUGGEST”
],
“MONITOR” : [
“indices:monitor/"
],
“DATA_ACCESS” : [
"indices:data/”,
“indices:admin/mapping/put”
],
“CREATE_INDEX” : [
“indices:admin/create”,
“indices:admin/mapping/put”
],
“WRITE” : [
“indices:data/write*”,
“indices:admin/mapping/put”
],
“MANAGE_ALIASES” : [
“indices:admin/aliases*”
],
“READ” : [
“indices:data/read*”
],
“DELETE” : [
“indices:data/write/delete*”
],
“CLUSTER_COMPOSITE_OPS” : [
“indices:data/write/bulk”,
“indices:admin/aliases*”,
“CLUSTER_COMPOSITE_OPS_RO”
],
“CLUSTER_COMPOSITE_OPS_RO” : [
“indices:data/read/mget”,
“indices:data/read/msearch”,
“indices:data/read/mtv”,
“indices:data/read/coordinate-msearch*”,
“indices:admin/aliases/exists*”,
“indices:admin/aliases/get*”
],
“GET” : [
“indices:data/read/get*”,
“indices:data/read/mget*”
],
“MANAGE” : [
“indices:monitor/",
"indices:admin/”
],
“CLUSTER_MONITOR” : [
“cluster:monitor/"
],
“INDEX” : [
"indices:data/write/index”,
“indices:data/write/update*”,
“indices:admin/mapping/put”
],
“SUGGEST” : [
“indices:data/read/suggest*”
]
}

``

roles

{

“sg_all_access” : {
“cluster” : [
“"
],
“indices” : {
"” : {
“" : [
"”
]
}
}
},
“sg_kibana” : {
“cluster” : [
“CLUSTER_MONITOR”,
“CLUSTER_COMPOSITE_OPS_RO”
],
“indices” : {
“" : {
"” : [
“READ”,
“indices:admin/mappings/fields/get*”
]
},
“?kibana” : {
“" : [
“ALL”
]
}
}
},
“sg_public” : {
“cluster” : [
“cluster:monitor/main”,
“CLUSTER_COMPOSITE_OPS_RO”
]
},
“sg_own_index” : {
“cluster” : [
“CLUSTER_COMPOSITE_OPS”
],
“indices” : {
“${user_name}” : {
"” : [
“ALL”
]
}
}
},
“sg_logstash” : {
“cluster” : [
“indices:admin/template/get”,
“indices:admin/template/put”,
“CLUSTER_MONITOR”,
“CLUSTER_COMPOSITE_OPS”
],
“indices” : {
“beat” : {
“" : [
“CRUD”,
“CREATE_INDEX”
]
},
"logstash-” : {
“" : [
“CRUD”,
“CREATE_INDEX”
]
}
}
},
“sg_readall” : {
“cluster” : [
“CLUSTER_COMPOSITE_OPS_RO”
],
“indices” : {
"” : {
“*” : [
“READ”
]
}
}
}
}

``

rolesmapping

{
“sg_all_access” : {
“users” : [
“admin”
]
},
“sg_kibana” : {
“users” : [
“kibana”
]
},
“sg_logstash” : {
“users” : [
“logstash”
]
},
“sg_readall” : {
“users” : [
“ronly1”
]
}
}

``

Any suggestions for overcoming this issue?

On Thursday, 13 July 2017 00:14:25 UTC+10, Michael wrote:

OS: Red Hat Enterprise Linux Server release 7.3

JVM: openjdk version “1.8.0_111”

Search Guard: 5.5.0-14

Elasticsearch: 5.5.0-1

Number of nodes in cluster: 3

I upgraded from Search Guard 5.3.0 & Elasticsearch 5.3.0 and found I cannot update my Search Guard configuration using sgadmin.sh anymore. Whenever I run the the sgadmin.sh command, I get the following below error:

plugins/search-guard-5/tools/sgadmin.sh -h myhost -cd plugins/search-guard-5/sgconfig/ -ks mykeystore.jks -kspass kspass -ts mytruststore.jks -tspass tspass -nhnv -icl

Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: mycluster
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 2
ERR: An unexpected ElasticsearchSecurityException occured: no permissions for indices:admin/exists
Trace:
ElasticsearchSecurityException[no permissions for indices:admin/exists]
at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:147)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:168)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:142)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:64)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:54)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceivedDecorate(SearchGuardSSLRequestHandler.java:177)
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:191)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:139)
at com.floragunn.searchguard.SearchGuardPlugin$2$1.messageReceived(SearchGuardPlugin.java:336)
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69)
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110)
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501)
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385)
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
at java.lang.Thread.run(Thread.java:745)

``

Using the Search Guard REST Management API, I gotten the relevant current configuration items.

actiongroups

{
“CLUSTER_ALL” : [
“cluster:"
],
“ALL” : [
"indices:”
],
“CRUD” : [
“READ”,
“WRITE”
],
“SEARCH” : [
“indices:data/read/search*”,
“indices:data/read/msearch*”,
“SUGGEST”
],
“MONITOR” : [
“indices:monitor/"
],
“DATA_ACCESS” : [
"indices:data/”,
“indices:admin/mapping/put”
],
“CREATE_INDEX” : [
“indices:admin/create”,
“indices:admin/mapping/put”
],
“WRITE” : [
“indices:data/write*”,
“indices:admin/mapping/put”
],
“MANAGE_ALIASES” : [
“indices:admin/aliases*”
],
“READ” : [
“indices:data/read*”
],
“DELETE” : [
“indices:data/write/delete*”
],
“CLUSTER_COMPOSITE_OPS” : [
“indices:data/write/bulk”,
“indices:admin/aliases*”,
“CLUSTER_COMPOSITE_OPS_RO”
],
“CLUSTER_COMPOSITE_OPS_RO” : [
“indices:data/read/mget”,
“indices:data/read/msearch”,
“indices:data/read/mtv”,
“indices:data/read/coordinate-msearch*”,
“indices:admin/aliases/exists*”,
“indices:admin/aliases/get*”
],
“GET” : [
“indices:data/read/get*”,
“indices:data/read/mget*”
],
“MANAGE” : [
“indices:monitor/",
"indices:admin/”
],
“CLUSTER_MONITOR” : [
“cluster:monitor/"
],
“INDEX” : [
"indices:data/write/index”,
“indices:data/write/update*”,
“indices:admin/mapping/put”
],
“SUGGEST” : [
“indices:data/read/suggest*”
]
}

``

roles

{

“sg_all_access” : {
“cluster” : [
“"
],
“indices” : {
"” : {
“" : [
"”
]
}
}
},
“sg_kibana” : {
“cluster” : [
“CLUSTER_MONITOR”,
“CLUSTER_COMPOSITE_OPS_RO”
],
“indices” : {
“" : {
"” : [
“READ”,
“indices:admin/mappings/fields/get*”
]
},
“?kibana” : {
“" : [
“ALL”
]
}
}
},
“sg_public” : {
“cluster” : [
“cluster:monitor/main”,
“CLUSTER_COMPOSITE_OPS_RO”
]
},
“sg_own_index” : {
“cluster” : [
“CLUSTER_COMPOSITE_OPS”
],
“indices” : {
“${user_name}” : {
"” : [
“ALL”
]
}
}
},
“sg_logstash” : {
“cluster” : [
“indices:admin/template/get”,
“indices:admin/template/put”,
“CLUSTER_MONITOR”,
“CLUSTER_COMPOSITE_OPS”
],
“indices” : {
“beat” : {
“" : [
“CRUD”,
“CREATE_INDEX”
]
},
"logstash-” : {
“" : [
“CRUD”,
“CREATE_INDEX”
]
}
}
},
“sg_readall” : {
“cluster” : [
“CLUSTER_COMPOSITE_OPS_RO”
],
“indices” : {
"” : {
“*” : [
“READ”
]
}
}
}
}

``

rolesmapping

{
“sg_all_access” : {
“users” : [
“admin”
]
},
“sg_kibana” : {
“users” : [
“kibana”
]
},
“sg_logstash” : {
“users” : [
“logstash”
]
},
“sg_readall” : {
“users” : [
“ronly1”
]
}
}

``

Any suggestions for overcoming this issue?

Am 13.07.2017 um 06:34 schrieb Michael <idiotek@gmail.com>:

So a bit of a breakthrough / workaround - when I include the keystore and truststore passwords as part of the sgadmin command on the command line, it fails with the reported error.
If I exported the same passwords as environment variables SG_KS_PASS and SG_TS_PASS, then sgadmin works as expected.

On Thursday, 13 July 2017 00:14:25 UTC+10, Michael wrote:
OS: Red Hat Enterprise Linux Server release 7.3
JVM: openjdk version "1.8.0_111"
Search Guard: 5.5.0-14
Elasticsearch: 5.5.0-1

Number of nodes in cluster: 3

I upgraded from Search Guard 5.3.0 & Elasticsearch 5.3.0 and found I cannot update my Search Guard configuration using sgadmin.sh anymore. Whenever I run the the sgadmin.sh command, I get the following below error:

> plugins/search-guard-5/tools/sgadmin.sh -h myhost -cd plugins/search-guard-5/sgconfig/ -ks mykeystore.jks -kspass kspass -ts mytruststore.jks -tspass tspass -nhnv -icl

Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: mycluster
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 2
ERR: An unexpected ElasticsearchSecurityException occured: no permissions for indices:admin/exists
Trace:
ElasticsearchSecurityException[no permissions for indices:admin/exists]
at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:147)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:168)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:142)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:64)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:54)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceivedDecorate(SearchGuardSSLRequestHandler.java:177)
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:191)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:139)
at com.floragunn.searchguard.SearchGuardPlugin$2$1.messageReceived(SearchGuardPlugin.java:336)
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69)
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110)
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501)
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385)
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
at java.lang.Thread.run(Thread.java:745)

Using the Search Guard REST Management API, I gotten the relevant current configuration items.

actiongroups
{
  "CLUSTER_ALL" : [
    "cluster:*"
  ],
  "ALL" : [
    "indices:*"
  ],
  "CRUD" : [
    "READ",
    "WRITE"
  ],
  "SEARCH" : [
    "indices:data/read/search*",
    "indices:data/read/msearch*",
    "SUGGEST"
  ],
  "MONITOR" : [
    "indices:monitor/*"
  ],
  "DATA_ACCESS" : [
    "indices:data/*",
    "indices:admin/mapping/put"
  ],
  "CREATE_INDEX" : [
    "indices:admin/create",
    "indices:admin/mapping/put"
  ],
  "WRITE" : [
    "indices:data/write*",
    "indices:admin/mapping/put"
  ],
  "MANAGE_ALIASES" : [
    "indices:admin/aliases*"
  ],
  "READ" : [
    "indices:data/read*"
  ],
  "DELETE" : [
    "indices:data/write/delete*"
  ],
  "CLUSTER_COMPOSITE_OPS" : [
    "indices:data/write/bulk",
    "indices:admin/aliases*",
    "CLUSTER_COMPOSITE_OPS_RO"
  ],
  "CLUSTER_COMPOSITE_OPS_RO" : [
    "indices:data/read/mget",
    "indices:data/read/msearch",
    "indices:data/read/mtv",
    "indices:data/read/coordinate-msearch*",
    "indices:admin/aliases/exists*",
    "indices:admin/aliases/get*"
  ],
  "GET" : [
    "indices:data/read/get*",
    "indices:data/read/mget*"
  ],
  "MANAGE" : [
    "indices:monitor/*",
    "indices:admin/*"
  ],
  "CLUSTER_MONITOR" : [
    "cluster:monitor/*"
  ],
  "INDEX" : [
    "indices:data/write/index*",
    "indices:data/write/update*",
    "indices:admin/mapping/put"
  ],
  "SUGGEST" : [
    "indices:data/read/suggest*"
  ]
}

roles
{

  "sg_all_access" : {
    "cluster" : [
      "*"
    ],
    "indices" : {
      "*" : {
        "*" : [
          "*"
        ]
      }
    }
  },
  "sg_kibana" : {
    "cluster" : [
      "CLUSTER_MONITOR",
      "CLUSTER_COMPOSITE_OPS_RO"
    ],
    "indices" : {
      "*" : {
        "*" : [
          "READ",
          "indices:admin/mappings/fields/get*"
        ]
      },
      "?kibana" : {
        "*" : [
          "ALL"
        ]
      }
    }
  },
  "sg_public" : {
    "cluster" : [
      "cluster:monitor/main",
      "CLUSTER_COMPOSITE_OPS_RO"
    ]
  },
  "sg_own_index" : {
    "cluster" : [
      "CLUSTER_COMPOSITE_OPS"
    ],
    "indices" : {
      "${user_name}" : {
        "*" : [
          "ALL"
        ]
      }
    }
  },
  "sg_logstash" : {
    "cluster" : [
      "indices:admin/template/get",
      "indices:admin/template/put",
      "CLUSTER_MONITOR",
      "CLUSTER_COMPOSITE_OPS"
    ],
    "indices" : {
      "*beat*" : {
        "*" : [
          "CRUD",
          "CREATE_INDEX"
        ]
      },
      "logstash-*" : {
        "*" : [
          "CRUD",
          "CREATE_INDEX"
        ]
      }
    }
  },
  "sg_readall" : {
    "cluster" : [
      "CLUSTER_COMPOSITE_OPS_RO"
    ],
    "indices" : {
      "*" : {
        "*" : [
          "READ"
        ]
      }
    }
  }
}

rolesmapping
{
  "sg_all_access" : {
    "users" : [
      "admin"
    ]
  },
  "sg_kibana" : {
    "users" : [
      "kibana"
    ]
  },
  "sg_logstash" : {
    "users" : [
      "logstash"
    ]
  },
  "sg_readall" : {
    "users" : [
      "ronly1"
    ]
  }
}

Any suggestions for overcoming this issue?

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/68e68964-b57c-42a0-8998-1e3981875c73%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

On Thursday, 13 July 2017 04:43:04 UTC+2, Michael wrote:

This is a proof of concept, but one of the acceptance criteria is to ensure TLS is implemented. Therefore, the configuration feels like it’s for production. The root, signing CA, client and node certificates were generated using https://floragunn.com/tls-certificate-generator/ and are valid at least until 2019.

Here’s the relevant snippet in elasticsearch.yml

--------------------------------- Search Guard SSL Configuration -------------

searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node1-keystore.jks
searchguard.ssl.http.keystore_password: node1pass
searchguard.ssl.http.truststore_filepath: mytruststore.jks
searchguard.ssl.http.truststore_password: tspass
searchguard.ssl.transport.keystore_filepath: node1-keystore.jks
searchguard.ssl.transport.keystore_password: node1pass
searchguard.ssl.transport.truststore_filepath: mytruststore.jks
searchguard.ssl.transport.truststore_password: tspass
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.authcz.admin_dn:

• CN=sgadmin
• CN=node1-keystore

``

Here’s the relevant keystores

keytool -list -keystore plugins/search-guard-5/sgconfig/sgadmin-keystore.jks -storepass sgpass

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

cn=sgadmin, Apr 5, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): :::::::::::::::::::

keytool -list -keystore plugins/search-guard-5/sgconfig/node1-keystore.jks -storepass node1pass

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

cn=node1-keystore, Apr 5, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): :::::::::::::::::::

keytool -list -keystore plugins/search-guard-5/sgconfig/mytruststore.jks -storepass tspass

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

root-ca-chain, Apr 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): :::::::::::::::::::

``

The keystores were not changed as part of the upgrade and the same sgadmin command provided was able to run sgadmin.sh in SG 5.3.0 and ES 5.3.0.

On Thursday, 13 July 2017 00:14:25 UTC+10, Michael wrote:

OS: Red Hat Enterprise Linux Server release 7.3

JVM: openjdk version “1.8.0_111”

Search Guard: 5.5.0-14

Elasticsearch: 5.5.0-1

Number of nodes in cluster: 3

I upgraded from Search Guard 5.3.0 & Elasticsearch 5.3.0 and found I cannot update my Search Guard configuration using sgadmin.sh anymore. Whenever I run the the sgadmin.sh command, I get the following below error:

plugins/search-guard-5/tools/sgadmin.sh -h myhost -cd plugins/search-guard-5/sgconfig/ -ks mykeystore.jks -kspass kspass -ts mytruststore.jks -tspass tspass -nhnv -icl

Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: mycluster
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 2
ERR: An unexpected ElasticsearchSecurityException occured: no permissions for indices:admin/exists
Trace:
ElasticsearchSecurityException[no permissions for indices:admin/exists]
at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:147)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:168)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:142)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:64)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:54)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceivedDecorate(SearchGuardSSLRequestHandler.java:177)
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:191)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:139)
at com.floragunn.searchguard.SearchGuardPlugin$2$1.messageReceived(SearchGuardPlugin.java:336)
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69)
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110)
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501)
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385)
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
at java.lang.Thread.run(Thread.java:745)

``

Using the Search Guard REST Management API, I gotten the relevant current configuration items.

actiongroups

{
“CLUSTER_ALL” : [
“cluster:"
],
“ALL” : [
"indices:”
],
“CRUD” : [
“READ”,
“WRITE”
],
“SEARCH” : [
“indices:data/read/search*”,
“indices:data/read/msearch*”,
“SUGGEST”
],
“MONITOR” : [
“indices:monitor/"
],
“DATA_ACCESS” : [
"indices:data/”,
“indices:admin/mapping/put”
],
“CREATE_INDEX” : [
“indices:admin/create”,
“indices:admin/mapping/put”
],
“WRITE” : [
“indices:data/write*”,
“indices:admin/mapping/put”
],
“MANAGE_ALIASES” : [
“indices:admin/aliases*”
],
“READ” : [
“indices:data/read*”
],
“DELETE” : [
“indices:data/write/delete*”
],
“CLUSTER_COMPOSITE_OPS” : [
“indices:data/write/bulk”,
“indices:admin/aliases*”,
“CLUSTER_COMPOSITE_OPS_RO”
],
“CLUSTER_COMPOSITE_OPS_RO” : [
“indices:data/read/mget”,
“indices:data/read/msearch”,
“indices:data/read/mtv”,
“indices:data/read/coordinate-msearch*”,
“indices:admin/aliases/exists*”,
“indices:admin/aliases/get*”
],
“GET” : [
“indices:data/read/get*”,
“indices:data/read/mget*”
],
“MANAGE” : [
“indices:monitor/",
"indices:admin/”
],
“CLUSTER_MONITOR” : [
“cluster:monitor/"
],
“INDEX” : [
"indices:data/write/index”,
“indices:data/write/update*”,
“indices:admin/mapping/put”
],
“SUGGEST” : [
“indices:data/read/suggest*”
]
}

``

roles

{

“sg_all_access” : {
“cluster” : [
“"
],
“indices” : {
"” : {
“" : [
"”
]
}
}
},
“sg_kibana” : {
“cluster” : [
“CLUSTER_MONITOR”,
“CLUSTER_COMPOSITE_OPS_RO”
],
“indices” : {
“" : {
"” : [
“READ”,
“indices:admin/mappings/fields/get*”
]
},
“?kibana” : {
“" : [
“ALL”
]
}
}
},
“sg_public” : {
“cluster” : [
“cluster:monitor/main”,
“CLUSTER_COMPOSITE_OPS_RO”
]
},
“sg_own_index” : {
“cluster” : [
“CLUSTER_COMPOSITE_OPS”
],
“indices” : {
“${user_name}” : {
"” : [
“ALL”
]
}
}
},
“sg_logstash” : {
“cluster” : [
“indices:admin/template/get”,
“indices:admin/template/put”,
“CLUSTER_MONITOR”,
“CLUSTER_COMPOSITE_OPS”
],
“indices” : {
“beat” : {
“" : [
“CRUD”,
“CREATE_INDEX”
]
},
"logstash-” : {
“" : [
“CRUD”,
“CREATE_INDEX”
]
}
}
},
“sg_readall” : {
“cluster” : [
“CLUSTER_COMPOSITE_OPS_RO”
],
“indices” : {
"” : {
“*” : [
“READ”
]
}
}
}
}

``

rolesmapping

{
“sg_all_access” : {
“users” : [
“admin”
]
},
“sg_kibana” : {
“users” : [
“kibana”
]
},
“sg_logstash” : {
“users” : [
“logstash”
]
},
“sg_readall” : {
“users” : [
“ronly1”
]
}
}

``

Any suggestions for overcoming this issue?

On Thursday, 13 July 2017 06:34:11 UTC+2, Michael wrote:

So a bit of a breakthrough / workaround - when I include the keystore and truststore passwords as part of the sgadmin command on the command line, it fails with the reported error.
If I exported the same passwords as environment variables SG_KS_PASS and SG_TS_PASS, then sgadmin works as expected.

On Thursday, 13 July 2017 00:14:25 UTC+10, Michael wrote:

OS: Red Hat Enterprise Linux Server release 7.3

JVM: openjdk version “1.8.0_111”

Search Guard: 5.5.0-14

Elasticsearch: 5.5.0-1

Number of nodes in cluster: 3

I upgraded from Search Guard 5.3.0 & Elasticsearch 5.3.0 and found I cannot update my Search Guard configuration using sgadmin.sh anymore. Whenever I run the the sgadmin.sh command, I get the following below error:

plugins/search-guard-5/tools/sgadmin.sh -h myhost -cd plugins/search-guard-5/sgconfig/ -ks mykeystore.jks -kspass kspass -ts mytruststore.jks -tspass tspass -nhnv -icl

Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: mycluster
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 2
ERR: An unexpected ElasticsearchSecurityException occured: no permissions for indices:admin/exists
Trace:
ElasticsearchSecurityException[no permissions for indices:admin/exists]
at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:147)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:168)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:142)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:64)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:54)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceivedDecorate(SearchGuardSSLRequestHandler.java:177)
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:191)
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:139)
at com.floragunn.searchguard.SearchGuardPlugin$2$1.messageReceived(SearchGuardPlugin.java:336)
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69)
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110)
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501)
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385)
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1267)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
at java.lang.Thread.run(Thread.java:745)

``

Using the Search Guard REST Management API, I gotten the relevant current configuration items.

actiongroups

{
“CLUSTER_ALL” : [
“cluster:"
],
“ALL” : [
"indices:”
],
“CRUD” : [
“READ”,
“WRITE”
],
“SEARCH” : [
“indices:data/read/search*”,
“indices:data/read/msearch*”,
“SUGGEST”
],
“MONITOR” : [
“indices:monitor/"
],
“DATA_ACCESS” : [
"indices:data/”,
“indices:admin/mapping/put”
],
“CREATE_INDEX” : [
“indices:admin/create”,
“indices:admin/mapping/put”
],
“WRITE” : [
“indices:data/write*”,
“indices:admin/mapping/put”
],
“MANAGE_ALIASES” : [
“indices:admin/aliases*”
],
“READ” : [
“indices:data/read*”
],
“DELETE” : [
“indices:data/write/delete*”
],
“CLUSTER_COMPOSITE_OPS” : [
“indices:data/write/bulk”,
“indices:admin/aliases*”,
“CLUSTER_COMPOSITE_OPS_RO”
],
“CLUSTER_COMPOSITE_OPS_RO” : [
“indices:data/read/mget”,
“indices:data/read/msearch”,
“indices:data/read/mtv”,
“indices:data/read/coordinate-msearch*”,
“indices:admin/aliases/exists*”,
“indices:admin/aliases/get*”
],
“GET” : [
“indices:data/read/get*”,
“indices:data/read/mget*”
],
“MANAGE” : [
“indices:monitor/",
"indices:admin/”
],
“CLUSTER_MONITOR” : [
“cluster:monitor/"
],
“INDEX” : [
"indices:data/write/index”,
“indices:data/write/update*”,
“indices:admin/mapping/put”
],
“SUGGEST” : [
“indices:data/read/suggest*”
]
}

``

roles

{

“sg_all_access” : {
“cluster” : [
“"
],
“indices” : {
"” : {
“" : [
"”
]
}
}
},
“sg_kibana” : {
“cluster” : [
“CLUSTER_MONITOR”,
“CLUSTER_COMPOSITE_OPS_RO”
],
“indices” : {
“" : {
"” : [
“READ”,
“indices:admin/mappings/fields/get*”
]
},
“?kibana” : {
“" : [
“ALL”
]
}
}
},
“sg_public” : {
“cluster” : [
“cluster:monitor/main”,
“CLUSTER_COMPOSITE_OPS_RO”
]
},
“sg_own_index” : {
“cluster” : [
“CLUSTER_COMPOSITE_OPS”
],
“indices” : {
“${user_name}” : {
"” : [
“ALL”
]
}
}
},
“sg_logstash” : {
“cluster” : [
“indices:admin/template/get”,
“indices:admin/template/put”,
“CLUSTER_MONITOR”,
“CLUSTER_COMPOSITE_OPS”
],
“indices” : {
“beat” : {
“" : [
“CRUD”,
“CREATE_INDEX”
]
},
"logstash-” : {
“" : [
“CRUD”,
“CREATE_INDEX”
]
}
}
},
“sg_readall” : {
“cluster” : [
“CLUSTER_COMPOSITE_OPS_RO”
],
“indices” : {
"” : {
“*” : [
“READ”
]
}
}
}
}

``

rolesmapping

{
“sg_all_access” : {
“users” : [
“admin”
]
},
“sg_kibana” : {
“users” : [
“kibana”
]
},
“sg_logstash” : {
“users” : [
“logstash”
]
},
“sg_readall” : {
“users” : [
“ronly1”
]
}
}

``

Any suggestions for overcoming this issue?