Hello,

- Search Guard version: 5
- Elasticsearch version: 5.6.13
- Operating system: Ubuntu 16.04 / CentOS 6
- Search Guard edition: Community
- Java version: 1.8
Issue
- The certificate-based user role can't be changed for the Java transport client (to restrict the Java API from deleting and writing data to Elasticsearch).
- Node, client and admin (.pem and .key) certificates were generated using the Offline TLS tool. "elasticsearch.yml" was updated with the content generated in the snippet during the creation of the certificates.
- New users were added to "sg_internal_users.yml" with hashed passwords. Over HTTPS (`curl -k -u username:password https://localhost:9200`) I'm able to alter the user roles and permissions to access Elasticsearch. Using sgadmin I have pushed the configuration changes to Search Guard.
- In the case of the transport client with Search Guard, using the Java API I'm able to perform indexing, search and delete operations in Elasticsearch with the generated certificates. I'm using the admin certificate for the following transport client settings:

  ```java
  // Transport client settings using the admin certificate (example-admin)
  Settings settings = Settings.builder()
      .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, "/home/user/sg/certs/example-admin.key")
      .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH, "/home/user/sg/certs/example-admin.pem")
      .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, "/home/user/sg/certs/root-ca.pem")
      .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
      .put("cluster.name", "sg_test")
      .build();
  ```

- In order to modify the role of the (example-admin.key) certificate, I have added the certificate DN in "sg_roles_mapping.yml" and provided the permission to only read data from Elasticsearch. Using sgadmin the new configuration changes were pushed to Search Guard.
The roles are not getting updated for the certificate-based user; I'm unable to restrict the Java client from indexing or deleting data in Elasticsearch.
Please help me to modify the Search Guard role and permissions (certificate-based user) for the Java transport client.
Thanks.
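As an added check (not part of the post above and not Search Guard's own code): Search Guard treats any certificate whose DN is listed under `searchguard.authcz.admin_dn` in elasticsearch.yml as a superuser whose requests are not subject to role mapping, so a restrictive entry for that DN in sg_roles_mapping.yml has no effect. The script below, with constructed sample configuration embedded as Python data and placeholder DNs, flags such mappings so the problem is caught before sgadmin is run; the DN normalisation (trimming whitespace, case-insensitive attribute types) is an assumption for illustration.

```python
# Added illustration, not Search Guard code: find role mappings that target an
# admin certificate DN. Every DN under searchguard.authcz.admin_dn has full,
# unmapped access, so mapping it to a restricted role changes nothing.
from typing import Dict, List, Tuple

# Constructed sample of the relevant elasticsearch.yml setting, held as Python
# data so no YAML library is needed. The DN is a placeholder, not one from the post.
ELASTICSEARCH_YML = {
    "searchguard.authcz.admin_dn": [
        "CN=example-admin, OU=client, O=example, L=test, C=de",
    ],
}

# Constructed sample of sg_roles_mapping.yml: the admin DN mapped to a read-only
# role (the situation in the post) plus a separate, non-admin client DN.
SG_ROLES_MAPPING = {
    "sg_readonly": {
        "users": [
            "CN=example-admin,OU=client,O=example,L=test,C=de",
            "CN=example-client,OU=client,O=example,L=test,C=de",
        ],
    },
    "sg_all_access": {"users": ["admin"]},
}


def normalize_dn(dn: str) -> str:
    """Canonicalise a comma-separated DN: strip whitespace around each RDN and
    lower-case the attribute type, so 'CN=a, OU=b' matches 'cn=a,OU=b'.
    Strings without '=' (internal user names) are returned as-is."""
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            return dn.strip()
        attr, value = rdn.split("=", 1)
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


def ineffective_mappings(es_yml: Dict, roles_mapping: Dict) -> List[Tuple[str, str]]:
    """Return (role, user) pairs whose user is an admin DN and so bypasses the role."""
    admin = {normalize_dn(d) for d in es_yml.get("searchguard.authcz.admin_dn", [])}
    return [
        (role, user)
        for role, spec in roles_mapping.items()
        for user in spec.get("users", [])
        if normalize_dn(user) in admin
    ]
```

Running `ineffective_mappings(ELASTICSEARCH_YML, SG_ROLES_MAPPING)` on the samples returns only the example-admin pair; the separate non-admin client DN is the kind of DN a read-only role mapping can actually restrict.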