Sample config for search-guard-ssl to search-guard transition

Trying to go from search-guard-ssl on 6.2.4 to search-guard with 6.4.2 and my only desire is to get SSL working. I’ve managed to get sgadmin.sh connecting and uploading the config. Looking at the sample config I tried setting in sg_config.yml anonymous_auth_enabled: true but that doesn’t seem to be enough, since I get “no permissions for [cluster:monitor/main] and User [name=sg_anonymous, roles=[sg_anonymous_backendrole], requestedTenant=null]”}".

Does anyone have sample configs that just do SSL and no auth or roles?

Might be useful for those of us having to make the transition from search-guard-ssl to search-guard. (Sorry if I’ve missed some doc.)

Thanks,

Andy

This is what I ended up with. Not sure if correct, but it seems to work.

sg_action_groups.yml =>

```yaml
UNLIMITED:
  readonly: false
  permissions:
    - "*"
```

sg_config.yml =>

```yaml
searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: true
```

sg_internal_users.yml =>

```yaml
sg_anonymous:
  roles:
    - sg_anonymous_backendrole
```

sg_roles_mapping.yml =>

```yaml
sg_anonymous:
  backendroles:
    - sg_anonymous_backendrole
```

sg_roles.yml =>

```yaml
sg_anonymous:
  # all cluster-level actions
  cluster:
    - '*'
  # all index patterns, all document types
  indices:
    '*':
      '*':
        - UNLIMITED
```
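The error in the first post and the fix in this one both come down to how the anonymous user resolves to permissions. The following is an added example, not part of the original post and not Search Guard's own code: a simplified model that walks backend role, role mapping, role and action group for the posted files. The dicts are transcribed from the YAML above, the function names are hypothetical, and glob-style pattern matching is an assumption.

```python
from fnmatch import fnmatchcase

# Transcribed from the sg_*.yml files in the post above (constructed as dicts).
ACTION_GROUPS = {"UNLIMITED": ["*"]}
ROLES_MAPPING = {"sg_anonymous": {"backendroles": ["sg_anonymous_backendrole"]}}
ROLES = {"sg_anonymous": {"cluster": ["*"],
                          "indices": {"*": {"*": ["UNLIMITED"]}}}}
# Backend role of the anonymous user, as shown in the quoted error message.
ANON_BACKEND_ROLES = ["sg_anonymous_backendrole"]


def expand(perms, groups, seen=()):
    """Replace action-group names with their patterns (groups may nest)."""
    out = []
    for p in perms:
        if p in groups and p not in seen:
            out += expand(groups[p], groups, seen + (p,))
        else:
            out.append(p)
    return out


def sg_roles_for(backend_roles, mapping):
    """Roles whose mapping lists at least one of the user's backend roles."""
    return sorted(role for role, m in mapping.items()
                  if set(m.get("backendroles", [])) & set(backend_roles))


def cluster_allowed(action, backend_roles, mapping, roles, groups):
    """True if any mapped role grants the cluster-level action."""
    for name in sg_roles_for(backend_roles, mapping):
        patterns = expand(roles.get(name, {}).get("cluster", []), groups)
        if any(fnmatchcase(action, p) for p in patterns):
            return True
    return False


def index_allowed(index, action, backend_roles, mapping, roles, groups):
    """True if any mapped role grants the action on a matching index."""
    for name in sg_roles_for(backend_roles, mapping):
        for idx_pat, types in roles.get(name, {}).get("indices", {}).items():
            if not fnmatchcase(index, idx_pat):
                continue
            for perms in types.values():
                if any(fnmatchcase(action, p) for p in expand(perms, groups)):
                    return True
    return False
```

With an empty role mapping the check for `cluster:monitor/main` fails, as in the first post; with the posted files every cluster and index action passes for unauthenticated clients, so restrictions on who can reach the HTTP port are the only access control left.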


Why not compile and package search-guard-ssl for 6.4.2 yourself?


I already have enough issues with our own open source project :) We tell folks to use search guard, and I don’t think it would help anyone if we used our own compiled version unless we publish it. See point one.

If it’s easy for anyone to compile search-guard-ssl still, is there a reason you don’t want to anymore? It really made things easy and was great!

Thanks,

Andy


Hi Andy,

Your approach to using the anonymous auth features is the correct one if you just want to use the TLS features and do not care about auth/auth. The reason we don’t publish a separate plugin anymore is simply lack of interest versus build, maintenance and QA efforts on our side. We know that some folks use the SSL plugin (only), but the vast majority is using at least the SG community edition. Keeping SG SSL as a separate plugin basically doubles the maintenance and QA efforts on our end. Given the insane rate of new Elasticsearch releases, and the few people using SG SSL standalone (as opposed to the community edition), it’s not feasible for us to maintain it as a standalone plugin.


Cool, that makes sense. Two follow-ups:

  1. Thoughts about making a new option to searchguard that just makes it work like the searchguard-ssl plugin used to? (or at least “easier”)

  2. I see that there are new branches to searchguard-ssl for new ES versions, and the previous suggestion was for me to build myself. Do you plan to continue to maintain the searchguard-ssl repo with new versions of ES, so if I DO decide to compile myself I won’t get stuck in a few versions? Or will that be going away too?

Thanks,

Andy


Hi Andy,

  1. this seems like a good idea because:

  2. we’re going to merge the SSL repo into the main repository for Search Guard 7

So having an option to turn on SSL only seems like a good compromise. Thanks for suggesting that!
