Search guard certificate based user role mapping issue

Hello,

  • Search Guard version: 5

  • Elasticsearch version: 5.6.13

  • Operating system: Ubuntu 16.04/ CentOS 6

  • Search guard edition: Community

  • Java version: 1.8

Issue

The certificate-based user role can’t be changed for the Java transport client (to restrict the Java API from deleting and writing data to Elasticsearch).

  • Node, Client and Admin (.pem and .key) certificates were generated using the Offline TLS tool. I updated “elasticsearch.yml” with the content generated in the snippet during the creation of the certificates.

  • New users were added to “sg_internal_users.yml” with hashed passwords. Over HTTPS (curl -k -u username:password https://localhost:9200) I’m able to alter the user roles and permissions to access Elasticsearch. Using sgadmin I have pushed the configuration changes to Search Guard.

  • In the case of the transport client with Search Guard, using the Java API I’m able to perform indexing, search and delete operations in Elasticsearch with the generated certificates. I’m using the admin certificate for the following transport client settings:

    Settings settings = Settings.builder()
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, "/home/user/sg/certs/example-admin.key")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH, "/home/user/sg/certs/example-admin.pem")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, "/home/user/sg/certs/root-ca.pem")
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
        .put("cluster.name", "sg_test").build();

  • In order to modify the role of the (example-admin.key) certificate, I have added the certificate DN in “sg_roles_mapping.yml” and provided the permission to only read data from Elasticsearch. Using sgadmin, the new configuration changes were pushed to Search Guard.

The roles are not getting updated for the certificate-based user; I’m unable to restrict the Java client from indexing or deleting data from Elasticsearch.

Please help me to modify the search guard role and permission (certificate based user) for Java transport client.

Thanks.

Can you post your rolesmapping file?

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/601f5639-f59b-4a6e-b909-9b0427d79fec%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Please find the attached file.

sg_roles_mapping.yml (1.1 KB)


Hello,

We had added the below mapping in the config file to enable just readall. The roles mapping file is also attached. Any help would be greatly appreciated. Thanks.

sg_readall:
  users:
    - readall
    - 'CN=fw.example.com, OU=Ops, O="Example Com\, Inc.", DC=example, DC=com'

sg_roles_mapping.yml (1.1 KB)


Pls post also elasticsearch.yml and sg_config.yml


Thanks for the quick response.

I have attached both the files (elasticsearch.yml and sg_config.yml) with this message, please find the same.

elasticsearch.yml (3.79 KB)

sg_config.yml (9.4 KB)


You should not add the admin_dn (CN=fw.example.com,OU=Ops,O="Example Com, Inc.",DC=Example,DC=com) anywhere in the sg_roles_mapping.yml file.

To connect via transport client, use another (additional, non-admin) client certificate and not the admin certificate (unless you want to deal with the Search Guard index like sgadmin). Put the DN of the other client certificate in the sg_roles_mapping.yml file.

See:

https://search-guard.com/searchguard-elasicsearch-transport-clients/
https://search-guard.com/transport-client-authentication-authorization/

Also make sure you enable the clientcert_auth_domain

clientcert_auth_domain:
        enabled: true
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: null
          challenge: false
        authentication_backend:
          type: noop
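
An added example, not part of the original reply or of Search Guard itself: a small Python check for the reply's first point. It flags sg_roles_mapping.yml user entries that are the same DN as an admin DN even when spacing, case or comma quoting differ, as they do between the two spellings in this thread. The function names and the loose normalization are this example's own assumptions, not Search Guard's matching logic, and the reader.example.com DN is constructed.

```python
"""Flag sg_roles_mapping.yml user entries that are really an admin DN."""


def split_rdns(dn):
    """Split a DN on commas that are neither escaped nor inside quotes."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in dn:
        if ch == "," and not in_quotes and not escaped:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
    parts.append("".join(buf))
    return parts


def unescape(value):
    """Drop surrounding double quotes and backslash escapes (hex escapes not handled)."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    out, escaped = [], False
    for ch in value:
        if escaped or ch != "\\":
            out.append(ch)
            escaped = False
        else:
            escaped = True
    return "".join(out)


def normalize_dn(dn):
    """Return a comparable tuple of (TYPE, value) pairs, or None if not a DN."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            return None  # plain user name such as "readall"
        rdns.append((attr.strip().upper(), unescape(value).casefold()))
    return tuple(rdns)


def admin_dns_in_mapping(admin_dns, roles_mapping):
    """Return sorted (role, entry) pairs whose entry normalizes to an admin DN."""
    admins = {normalize_dn(dn) for dn in admin_dns} - {None}
    return sorted(
        (role, entry)
        for role, mapping in roles_mapping.items()
        for entry in mapping.get("users", [])
        if normalize_dn(entry) in admins
    )


# Admin DN exactly as written in the reply above.
ADMIN_DNS = ['CN=fw.example.com,OU=Ops,O="Example Com, Inc.",DC=Example,DC=com']

# Mirrors the posted sg_readall mapping; the reader.example.com DN is constructed
# to stand in for a separate, non-admin client certificate.
ROLES_MAPPING = {"sg_readall": {"users": [
    "readall",
    'CN=fw.example.com, OU=Ops, O="Example Com\\, Inc.", DC=example, DC=com',
    'CN=reader.example.com, OU=Ops, O="Example Com\\, Inc.", DC=example, DC=com',
]}}

if __name__ == "__main__":
    for role, entry in admin_dns_in_mapping(ADMIN_DNS, ROLES_MAPPING):
        print(f"{role}: admin DN mapped as a role user: {entry}")
```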
