My current version of elasticsearch is 1.5.2. I recently installed search-guard with the following command - bin/plugin -i com.floragunn/search-guard/0.5 . Before that I created an index with the following configuration -
curl -XPUT 'http://localhost:9200/searchguard/ac/ac' -d '{
"acl": [
{
"__Comment__": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.",
"filters_bypass": [],
"filters_execute": []
},
{
"__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
"roles": [
"admin"
],
"filters_bypass": ["*"],
"filters_execute": []
}
]
}'
``
Then I made some changes in elasticsearch.yml file and below is it configuration -
##################### Elasticsearch Configuration Example #####################
This file contains an overview of various configuration settings,
targeted at operations staff. Application developers should
consult the guide at http://elasticsearch.org/guide.
···
The installation procedure is covered at
http://elasticsearch.org/guide/en/elasticsearch/reference/current/setup.html.
Elasticsearch comes with reasonable defaults for most settings,
so you can try it out without bothering with configuration.
Most of the time, these defaults are just fine for running a production
cluster. If you’re fine-tuning your cluster, or wondering about the
effect of certain configuration option, please do ask on the
mailing list or IRC channel [Free and Open Search: The Creators of Elasticsearch, ELK & Kibana | Elastic].
Any element in the configuration can be replaced with environment variables
by placing them in ${…} notation. For example:
#node.rack: ${RACK_ENV_VAR}
For information on supported formats and syntax for the config file, see
http://elasticsearch.org/guide/en/elasticsearch/reference/current/setup-configuration.html
################################### Cluster ###################################
Cluster name identifies your cluster for auto-discovery. If you’re running
multiple clusters on the same network, make sure you’re using unique names.
cluster.name: pavan
#################################### Node #####################################
Node names are generated dynamically on startup, so you’re relieved
from configuring them manually. You can tie this node to a specific name:
#node.name: “Franz Kafka”
Every node can be configured to allow or deny being eligible as the master,
and to allow or deny to store the data.
Allow this node to be eligible as a master node (enabled by default):
#node.master: true
Allow this node to store data (enabled by default):
#node.data: true
You can exploit these settings to design advanced cluster topologies.
1. You want this node to never become a master node, only to hold data.
This will be the “workhorse” of your cluster.
#node.master: false
#node.data: true
2. You want this node to only serve as a master: to not store any data and
to have free resources. This will be the “coordinator” of your cluster.
#node.master: true
#node.data: false
3. You want this node to be neither master nor data node, but
to act as a “search load balancer” (fetching data from nodes,
aggregating results, etc.)
#node.master: false
#node.data: false
Use the Cluster Health API [http://localhost:9200/_cluster/health], the
Node Info API [http://localhost:9200/_nodes] or GUI tools
such as http://www.elasticsearch.org/overview/marvel/,
http://github.com/karmi/elasticsearch-paramedic,
http://github.com/lukas-vlcek/bigdesk and
http://mobz.github.com/elasticsearch-head to inspect the cluster state.
A node can have generic attributes associated with it, which can later be used
for customized shard allocation filtering, or allocation awareness. An attribute
is a simple key value pair, similar to node.key: value, here is an example:
#node.rack: rack314
By default, multiple nodes are allowed to start from the same installation location
to disable it, set the following:
#node.max_local_storage_nodes: 1
#################################### Index ####################################
You can set a number of options (such as shard/replica options, mapping
or analyzer definitions, translog settings, …) for indices globally,
in this file.
Note, that it makes more sense to configure index settings specifically for
a certain index, either when creating it or by using the index templates API.
See http://elasticsearch.org/guide/en/elasticsearch/reference/current/index-modules.html and
http://elasticsearch.org/guide/en/elasticsearch/reference/current/indices-create-index.html
for more information.
Set the number of shards (splits) of an index (5 by default):
#index.number_of_shards: 5
Set the number of replicas (additional copies) of an index (1 by default):
#index.number_of_replicas: 1
Note, that for development on a local machine, with small indices, it usually
makes sense to “disable” the distributed features:
#index.number_of_shards: 1
#index.number_of_replicas: 0
These settings directly affect the performance of index and search operations
in your cluster. Assuming you have enough machines to hold shards and
replicas, the rule of thumb is:
1. Having more shards enhances the indexing performance and allows to
distribute a big index across machines.
2. Having more replicas enhances the search performance and improves the
cluster availability.
The “number_of_shards” is a one-time setting for an index.
The “number_of_replicas” can be increased or decreased anytime,
by using the Index Update Settings API.
Elasticsearch takes care about load balancing, relocating, gathering the
results from nodes, etc. Experiment with different settings to fine-tune
your setup.
Use the Index Status API (http://localhost:9200/A/_status) to inspect
the index status.
#################################### Paths ####################################
Path to directory containing configuration (this file and logging.yml):
#path.conf: /path/to/conf
Path to directory where to store index data allocated for this node.
#path.data: /path/to/data
Can optionally include more than one location, causing data to be striped across
the locations (a la RAID 0) on a file level, favouring locations with most free
space on creation. For example:
#path.data: /path/to/data1,/path/to/data2
Path to temporary files:
#path.work: /path/to/work
Path to log files:
#path.logs: /path/to/logs
Path to where plugins are installed:
#path.plugins: /path/to/plugins
#################################### Plugin ###################################
If a plugin listed here is not installed for current node, the node will not start.
#plugin.mandatory: mapper-attachments,lang-groovy
################################### Memory ####################################
Elasticsearch performs poorly when JVM starts swapping: you should ensure that
it never swaps.
Set this property to true to lock the memory:
#bootstrap.mlockall: true
Make sure that the ES_MIN_MEM and ES_MAX_MEM environment variables are set
to the same value, and that the machine has enough memory to allocate
for Elasticsearch, leaving enough memory for the operating system itself.
You should also make sure that the Elasticsearch process is allowed to lock
the memory, eg. by using ulimit -l unlimited.
############################## Network And HTTP ###############################
Elasticsearch, by default, binds itself to the 0.0.0.0 address, and listens
on port [9200-9300] for HTTP traffic and on port [9300-9400] for node-to-node
communication. (the range means that if the port is busy, it will automatically
try the next port).
Set the bind address specifically (IPv4 or IPv6):
#network.bind_host: 192.168.0.1
Set the address other nodes will use to communicate with this node. If not
set, it is automatically derived. It must point to an actual IP address.
#network.publish_host: 192.168.0.1
Set both ‘bind_host’ and ‘publish_host’:
#network.host: 192.168.0.1
Set a custom port for the node to node communication (9300 by default):
#transport.tcp.port: 9300
Enable compression for all communication between nodes (disabled by default):
#transport.tcp.compress: true
Set a custom port to listen for HTTP traffic:
#http.port: 9200
Set a custom allowed content length:
#http.max_content_length: 100mb
Disable HTTP completely:
#http.enabled: false
################################### Gateway ###################################
The gateway allows for persisting the cluster state between full cluster
restarts. Every change to the state (such as adding an index) will be stored
in the gateway, and when the cluster starts up for the first time,
it will read its state from the gateway.
There are several types of gateway implementations. For more information, see
http://elasticsearch.org/guide/en/elasticsearch/reference/current/modules-gateway.html.
The default gateway type is the “local” gateway (recommended):
#gateway.type: local
Settings below control how and when to start the initial recovery process on
a full cluster restart (to reuse as much local data as possible when using shared
gateway).
Allow recovery process after N nodes in a cluster are up:
#gateway.recover_after_nodes: 1
Set the timeout to initiate the recovery process, once the N nodes
from previous setting are up (accepts time value):
#gateway.recover_after_time: 5m
Set how many nodes are expected in this cluster. Once these N nodes
are up (and recover_after_nodes is met), begin recovery process immediately
(without waiting for recover_after_time to expire):
#gateway.expected_nodes: 2
############################# Recovery Throttling #############################
These settings allow to control the process of shards allocation between
nodes during initial recovery, replica allocation, rebalancing,
or when adding and removing nodes.
Set the number of concurrent recoveries happening on a node:
1. During the initial recovery
#cluster.routing.allocation.node_initial_primaries_recoveries: 4
2. During adding/removing nodes, rebalancing, etc
#cluster.routing.allocation.node_concurrent_recoveries: 2
Set to throttle throughput when recovering (eg. 100mb, by default 20mb):
#indices.recovery.max_bytes_per_sec: 20mb
Set to limit the number of open concurrent streams when
recovering a shard from a peer:
#indices.recovery.concurrent_streams: 5
################################## Discovery ##################################
Discovery infrastructure ensures nodes can be found within a cluster
and master node is elected. Multicast discovery is the default.
Set to ensure a node sees N other master eligible nodes to be considered
operational within the cluster. This should be set to a quorum/majority of
the master-eligible nodes in the cluster.
#discovery.zen.minimum_master_nodes: 1
Set the time to wait for ping responses from other nodes when discovering.
Set this option to a higher value on a slow or congested network
to minimize discovery failures:
#discovery.zen.ping.timeout: 3s
For more information, see
http://elasticsearch.org/guide/en/elasticsearch/reference/current/modules-discovery-zen.html
Unicast discovery allows to explicitly control which nodes will be used
to discover the cluster. It can be used when multicast is not present,
or to restrict the cluster communication-wise.
1. Disable multicast discovery (enabled by default):
discovery.zen.ping.multicast.enabled: false
2. Configure an initial list of master nodes in the cluster
to perform discovery when new nodes (master or data) are started:
#discovery.zen.ping.unicast.hosts: [“host1”, “host2:port”]
EC2 discovery allows to use AWS EC2 API in order to perform discovery.
You have to install the cloud-aws plugin for enabling the EC2 discovery.
For more information, see
http://elasticsearch.org/guide/en/elasticsearch/reference/current/modules-discovery-ec2.html
See http://elasticsearch.org/tutorials/elasticsearch-on-ec2/
for a step-by-step tutorial.
GCE discovery allows to use Google Compute Engine API in order to perform discovery.
You have to install the cloud-gce plugin for enabling the GCE discovery.
For more information, see https://github.com/elasticsearch/elasticsearch-cloud-gce.
Azure discovery allows to use Azure API in order to perform discovery.
You have to install the cloud-azure plugin for enabling the Azure discovery.
For more information, see https://github.com/elasticsearch/elasticsearch-cloud-azure.
################################## Slow Log ##################################
Shard level query and fetch threshold logging.
#index.search.slowlog.threshold.query.warn: 10s
#index.search.slowlog.threshold.query.info: 5s
#index.search.slowlog.threshold.query.debug: 2s
#index.search.slowlog.threshold.query.trace: 500ms
#index.search.slowlog.threshold.fetch.warn: 1s
#index.search.slowlog.threshold.fetch.info: 800ms
#index.search.slowlog.threshold.fetch.debug: 500ms
#index.search.slowlog.threshold.fetch.trace: 200ms
#index.indexing.slowlog.threshold.index.warn: 10s
#index.indexing.slowlog.threshold.index.info: 5s
#index.indexing.slowlog.threshold.index.debug: 2s
#index.indexing.slowlog.threshold.index.trace: 500ms
################################## GC Logging ################################
#monitor.jvm.gc.young.warn: 1000ms
#monitor.jvm.gc.young.info: 700ms
#monitor.jvm.gc.young.debug: 400ms
#monitor.jvm.gc.old.warn: 10s
#monitor.jvm.gc.old.debug: 2s
################################## Security ################################
Uncomment if you want to enable JSONP as a valid return transport on the
http server. With this enabled, it may pose a security risk, so disabling
it unless you need it is recommended (it is disabled by default).
#http.jsonp.enable: true
#############################################################################################
SEARCH GUARD
Configuration
#############################################################################################
Note: All waffle related options are only valid if your ES node is running on windows OS
Enable or disable the complete Searchguard plugin functionality
#searchguard.enabled: true
Path where to write/read the searchguard master key file
searchguard.key_path: /home/pavan/Documents/interns2015/elasticsearch-1.5.2
When using DLS or FLS and a get or mget is performed then rewrite it as search request
searchguard.rewrite_get_as_search: true
The index name where Searchguard will store its configuration and various other informations related to Searchguard itself
This index can only be access from localhost
#searchguard.config_index_name: searchguard
Enable or disable HTTP session which caches the authentication and authorization informations in a cookie
#searchguard.http.enable_sessions: false
Enable or disable audit logging
#searchguard.auditlog.enabled: true
If this is true (default is false) then Searchguard will check if elasticsearch is running as root/windows admin and if so then abort.
#searchguard.check_for_root: false
If this is true (default is false) then allow all HTTP REST requests from nodes loopback (e.g. localhost)
#searchguard.allow_all_from_loopback: false
If this is true (default: false) then enable authenticated transports requests (e.g. TransportClient authentication)
This can be done in that way (for example):
TransportClient.get(new GetRequest(“marketing”, “customer”, “tp_3”).putHeader(“searchguard_transport_creds”, “c2FseWg6c2VjcmV0”))
Add a header “searchguard_transport_creds”
base64(username":"password) is the credentials string
base64(spock:secret) → c3BvY2s6c2VjcmV0
#searchguard.transport_auth.enabled: false
#############################################################################################
Transport layer SSL
#############################################################################################
Enable or disable node-to-node ssl encryption
#searchguard.ssl.transport.node.enabled: false
JKS or PKCS12
#searchguard.ssl.transport.node.keystore_type: JKS
Absolute path to the keystore file (this stores the server certificates)
#searchguard.ssl.transport.node.keystore_filepath: null
Keystore password
#searchguard.ssl.transport.node.keystore_password: changeit
Do other nodes have to authenticate themself to the cluster, default is true
#searchguard.ssl.transport.node.enforce_clientauth: true
JKS or PKCS12
#searchguard.ssl.transport.node.truststore_type: JKS
Absolute path to the truststore file (this stores the client certificates)
#searchguard.ssl.transport.node.truststore_filepath: null
Truststore password
#searchguard.ssl.transport.node.truststore_password: changeit
Enforce hostname verification
#searchguard.ssl.transport.node.encforce_hostname_verification: true
If hostname verification specify if hostname should be resolved
#searchguard.ssl.transport.node.encforce_hostname_verification.resolve_host_name: true
#############################################################################################
REST layer SSL
#############################################################################################
Enable or disable rest layer security (https)
#searchguard.ssl.transport.http.enabled: false
JKS or PKCS12
#searchguard.ssl.transport.http.keystore_type: JKS
Absolute path to the keystore file (this stores the server certificates)
#searchguard.ssl.transport.http.keystore_filepath: null
Keystore password
#searchguard.ssl.transport.http.keystore_password: changeit
Do the clients (typically the browser or the proxy) have to authenticate themself to the http server, default is false
#searchguard.ssl.transport.http.enforce_clientauth: false
JKS or PKCS12
#searchguard.ssl.transport.http.truststore_type: JKS
Absolute path to the truststore file (this stores the client certificates)
#searchguard.ssl.transport.http.truststore_filepath: null
Truststore password
#searchguard.ssl.transport.http.truststore_password: changeit
#############################################################################################
X-Forwarded-For (XFF) header
#############################################################################################
X-Forwarded-For (XFF) header
If you have a http proxy in front of elasticsearch you have to configure this options to handle XFF properly
#searchguard.http.xforwardedfor.header: X-Forwarded-For
#searchguard.http.xforwardedfor.trustedproxies: null
#searchguard.http.xforwardedfor.enforce: false
#############################################################################################
Authentication backend
#############################################################################################
Validates the username and credentials
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
#searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.ldap.LDAPAuthenticationBackend
#searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend
#searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.waffle.WaffleAuthenticationBackend
If caching is enabled then the authentication succeed for 24 h since the first successful login without hitting the backend again and again
searchguard.authentication.authentication_backend.cache.enable: false
#############################################################################################
Authorization backend (authorizer)
#############################################################################################
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
#searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.ldap.LDAPAuthorizator
#searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.waffle.WaffleAuthorizator
If caching is enabled then the role informations will be cached for 24 h without hitting the backend again and again
searchguard.authentication.authorizer.cache.enable: false
#############################################################################################
HTTP authentication method
#############################################################################################
Define HTTP authentication method. In future we will here have more like NTLM, SPNEGO/Kerberos and Digest.
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator
HTTPProxyAuthenticator assume there is kind of proxy in front of elasticsearch which handles the authentication and stores the
username of the authenticated user in a http header
#searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.proxy.HTTPProxyAuthenticator
SSL mutual authentication (works only if searchguard.ssl.transport.http.enabled is ‘true’ with client auth enabled)
#searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.clientcert.HTTPSClientCertAuthenticator
SPNEGO
#searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator
Absolute file path to jaas login config file
#searchguard.authentication.spnego.login_config_filepath: null
Absolute file path to krb5 config file
#searchguard.authentication.spnego.krb5_config_filepath: null
Name of the login entry in jaas login config file which represents the acceptor (server)
#searchguard.authentication.spnego.login_config_name: com.sun.security.jgss.krb5.accept
Strip the realmname from username (hnelson@EXAMPLE.COM → hnelson)
#searchguard.authentication.spnego.strip_realm: true
Authenticates always a user with username ‘searchguard_unauthenticated_user’
#searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.HTTPUnauthenticatedAuthenticator
Waffle (Windows only, must be used with WaffleAuthorizator)
#searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.waffle.HTTPWaffleAuthenticator
Strip domain name from user (COMPANY\spock → spock)
#searchguard.authentication.waffle.strip_domain: true
#####################################################
Settings based authentication (define users and password directly here in the settings. Note: this is per node)
#searchguard.authentication.settingsdb.user.: password
searchguard.authentication.settingsdb.user.pavan: password
If plain text password should be hashed use this. Supported digests are: SHA1 SHA256 SHA384 SHA512 MD5
#searchguard.authentication.settingsdb.digest: SHA1
#searchguard.authentication.settingsdb.user.michaeljackson: 824d55e7a62b7ca8751dff346ffab845a8f26d08
#####################################################
#####################################################
Settings based authorization (define users and their roles directly here in the settings. Note: this is per node)
#searchguard.authentication.authorization.settingsdb.roles.:
searchguard.authentication.authorization.settingsdb.roles.pavan: [“admin”]
#####################################################
#####################################################
LDAP authentication backend (authenticate users against a LDAP or Active Directory)
The defaults are sufficient for Active Directory
#searchguard.authentication.ldap.host: [“localhost:389”]
#searchguard.authentication.ldap.ldaps.ssl.enabled: false
#searchguard.authentication.ldap.ldaps.starttls.enabled: false
JKS or PKCS12
#searchguard.authentication.ldap.ldaps.truststore_type: JKS
#searchguard.authentication.ldap.ldaps.truststore_filepath: null
#searchguard.authentication.ldap.ldaps.truststore_password: null
#searchguard.authentication.ldap.bind_dn: null
#searchguard.authentication.ldap.password: null
Default is root dse (“”)
#searchguard.authentication.ldap.userbase: “”
Filter to search for users (currently in the whole subtree beneath userbase)
{0} is substituted with the username
#searchguard.authentication.ldap.usersearch: (sAMAccountName={0})
Use this attribute from the user as username (if not set then DN is used)
#searchguard.authentication.ldap.username_attribute: null
#####################################################
#####################################################
LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
The defaults are sufficient for Active Directory
Default is root dse (“”)
#searchguard.authentication.authorization.ldap.rolebase: “”
Filter to search for roles (currently in the whole subtree beneath rolebase)
{0} is substituted with the DN of the user
{1} is substituted with the username
{2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
#searchguard.authentication.authorization.ldap.rolesearch: (member={0})
Specify the name of the attribute which value should be substituted with {2} above
#searchguard.authentication.authorization.ldap.userroleattribute: null
Roles as an attribute of the user entry
#searchguard.authentication.authorization.ldap.userrolename: memberOf
The attribute in a role entry containing the name of that role
#searchguard.authentication.authorization.ldap.rolename: name
Resolve nested roles transitive (roles which are members of other roles and so on …)
#searchguard.authentication.authorization.ldap.resolve_nested_roles: false
#####################################################
#####################################################
HTTP proxy authenticator configuration
Header name which contains the username
#searchguard.authentication.proxy.header:X-Authenticated-User
Array of trusted IP addresses (this are typically your proxy server(s))
#searchguard.authentication.proxy.trusted_ips: null
#####################################################
#####################################################
HTTP SSL mutual authentication configuration
Attribute of that attribute in the certificate dn which holds the username
#searchguard.authentication.https.clientcert.attributename: cn
#####################################################
##############################################################################################
Below here you configure what authenticated and authorized users are allowed to do (or not)#
This maps to the acl defined in the searchguard configuration index
#############################################################################################
Configure the restactionfilter to allow or forbid action
#searchguard.restactionfilter.names: [“readonly”]
#searchguard.restactionfilter.readonly.allowed_actions: [“*SearchAction”, “RestSearchScrollAction”, “RestClearScrollAction”, “RestGetAction”, “RestGetSourceAction”, “*MainAction”, “RestValidateQueryAction”, “RestMoreLikeThisAction”, “RestPercolateAction”]
#searchguard.restactionfilter.readonly.forbidden_actions: […]
Configure the actionrequestfilter to allow or forbid action
searchguard.actionrequestfilter.names: [“readonly”]
searchguard.actionrequestfilter.readonly.allowed_actions: [“indices:data/read/*”, “monitor”]
searchguard.actionrequestfilter.readonly.forbidden_actions: [“cluster:admin*”, “indices:admin*”, “indices:data/write*”]
Configure document level security (dls) filter
Warning: All this (with the exception of “exists”) only works with not_analyzed fields because a term filter is used internally
Free and Open Search: The Creators of Elasticsearch, ELK & Kibana | Elastic
#searchguard.dlsfilter.names: [“a”, “b”, “c”, “d”, “e”, “f”, “g”]
#searchguard.dlsfilter.a: [“exists”,“field”, “false”] # if field exists (or not) match → false means field must exist
#searchguard.dlsfilter.b: [“term”, “field”,“value”, “false”] # if field==value (or not) match
#searchguard.dlsfilter.d: [“user_name”,“field”, “false”] # if field==username (or not) match
#searchguard.dlsfilter.e: [“user_roles”,“field”, “false”] # if field contaions a user role (or not) match
#searchguard.dlsfilter.f: [“ldap_user_attribute”,“field”, “attribute”, “false”] # if field==userldapattribute(attribute) (or not) match
#searchguard.dlsfilter.g: [“ldap_user_roles”,“field”, “attribute”, “false”] # if field contains ldaprole(attribute) (or not) match
Configure the field level security (fls) filter to filter _source
#searchguard.flsfilter.names: [“stripsensitive”]
#searchguard.flsfilter.stripsensitive.source_includes:
#searchguard.flsfilter.stripsensitive.source_excludes: [“sensitive*”, “public.sensitive*.sub”]
NO CHANGES BELOW THIS LINE !
#############################################################################################
Below there is list of all actionsrequests in elasticsearch 1.4 (for reference) .
Do not uncomment them here, they are configured above: searchguard.actionrequestfilter
#############################################################################################
#cluster:monitor/health
#cluster:admin/nodes/restart
#cluster:admin/nodes/shutdown
#cluster:admin/repository/delete
#cluster:admin/repository/get
#cluster:admin/repository/put
#cluster:admin/repository/verify
#cluster:admin/reroute
#cluster:admin/settings/update
#cluster:admin/snapshot/create
#cluster:admin/snapshot/delete
#cluster:admin/snapshot/get
#cluster:admin/snapshot/restore
#cluster:admin/snapshot/status
#cluster:monitor/nodes/hot_threads
#cluster:monitor/nodes/info
#cluster:monitor/nodes/liveness
#cluster:monitor/nodes/stats
#cluster:monitor/state
#cluster:monitor/stats
#cluster:monitor/task
#indices:admin/aliases
#indices:admin/aliases/exists
#indices:admin/aliases/get
#indices:admin/analyze
#indices:admin/cache/clear
#indices:admin/close
#indices:admin/create
#indices:admin/delete
#indices:admin/exists
#indices:admin/flush
#indices:admin/get
#indices:admin/mapping/delete
#indices:admin/mapping/put
#indices:admin/mappings/fields/get
#indices:admin/mappings/get
#indices:admin/open
#indices:admin/optimize
#indices:admin/refresh
#indices:admin/settings/update
#indices:admin/shards/search_shards
#indices:admin/template/delete
#indices:admin/template/get
#indices:admin/template/put
#indices:admin/types/exists
#indices:admin/validate/query
#indices:admin/warmers/delete
#indices:admin/warmers/get
#indices:admin/warmers/put
#indices:data/benchmark/abort
#indices:data/benchmark/start
#indices:data/benchmark/status
#indices:data/read/count
#indices:data/read/exists
#indices:data/read/explain
#indices:data/read/get
#indices:data/read/mget
#indices:data/read/mlt
#indices:data/read/mpercolate
#indices:data/read/msearch
#indices:data/read/mtv
#indices:data/read/percolate
#indices:data/read/script/get
#indices:data/read/scroll
#indices:data/read/scroll/clear
#indices:data/read/search
#indices:data/read/suggest
#indices:data/read/tv
#indices:data/write/bulk
#indices:data/write/delete
#indices:data/write/delete/by_query
#indices:data/write/index
#indices:data/write/script/delete
#indices:data/write/script/put
#indices:data/write/update
#indices:monitor/recovery
#indices:monitor/segments
#indices:monitor/settings/get
#indices:monitor/stats
#############################################################################################
Below there is list of all restactions in elasticsearch 1.4 (for reference) .
Do not uncomment them here, they are configured above: searchguard.restactionfilter
#############################################################################################
#RestMainAction
#RestNodesInfoAction
#RestNodesStatsAction
#RestNodesHotThreadsAction
#RestNodesShutdownAction
#RestNodesRestartAction
#RestClusterStatsAction
#RestClusterStateAction
#RestClusterHealthAction
#RestClusterUpdateSettingsAction
#RestClusterGetSettingsAction
#RestClusterRerouteAction
#RestClusterSearchShardsAction
#RestPendingClusterTasksAction
#RestPutRepositoryAction
#RestGetRepositoriesAction
#RestDeleteRepositoryAction
#RestVerifyRepositoryAction
#RestGetSnapshotsAction
#RestCreateSnapshotAction
#RestRestoreSnapshotAction
#RestDeleteSnapshotAction
#RestSnapshotsStatusAction
#RestIndicesExistsAction
#RestTypesExistsAction
#RestGetIndicesAction
#RestIndicesStatsAction
#RestIndicesStatusAction
#RestIndicesSegmentsAction
#RestGetAliasesAction
#RestAliasesExistAction
#RestIndexDeleteAliasesAction
#RestIndexPutAliasAction
#RestIndicesAliasesAction
#RestGetIndicesAliasesAction
#RestCreateIndexAction
#RestDeleteIndexAction
#RestCloseIndexAction
#RestOpenIndexAction
#RestUpdateSettingsAction
#RestGetSettingsAction
#RestAnalyzeAction
#RestGetIndexTemplateAction
#RestPutIndexTemplateAction
#RestDeleteIndexTemplateAction
#RestHeadIndexTemplateAction
#RestPutWarmerAction
#RestDeleteWarmerAction
#RestGetWarmerAction
#RestPutMappingAction
#RestDeleteMappingAction
#RestGetMappingAction
#RestGetFieldMappingAction
#RestRefreshAction
#RestFlushAction
#RestOptimizeAction
#RestUpgradeAction
#RestClearIndicesCacheAction
#RestIndexAction
#RestGetAction
#RestGetSourceAction
#RestHeadAction
#RestMultiGetAction
#RestDeleteAction
#RestDeleteByQueryAction
#org.elasticsearch.rest.action.count.RestCountAction
#RestSuggestAction
#RestTermVectorAction
#RestMultiTermVectorsAction
#RestBulkAction
#RestUpdateAction
#RestPercolateAction
#RestMultiPercolateAction
#RestSearchAction
#RestSearchScrollAction
#RestClearScrollAction
#RestMultiSearchAction
#RestValidateQueryAction
#RestMoreLikeThisAction
#RestExplainAction
#RestRecoveryAction
Templates API
#RestGetSearchTemplateAction
#RestPutSearchTemplateAction
#RestDeleteSearchTemplateAction
Scripts API
#RestGetIndexedScriptAction
#RestPutIndexedScriptAction
#RestDeleteIndexedScriptAction
Cat API
#RestAllocationAction
#RestShardsAction
#RestMasterAction
#RestNodesAction
#RestIndicesAction
#RestSegmentsAction
Fully qualified to prevent interference with rest.action.count.RestCountAction
#org.elasticsearch.rest.action.cat.RestCountAction
Fully qualified to prevent interference with rest.action.indices.RestRecoveryAction
#org.elasticsearch.rest.action.cat.RestRecoveryAction
#RestHealthAction
#org.elasticsearch.rest.action.cat.RestPendingClusterTasksAction
#RestAliasAction
#RestThreadPoolAction
#RestPluginsAction
#RestFielddataAction
#RestCatAction
``
When I start elasticsearch, I get the following response -
[2015-07-12 14:10:27,828][INFO ][node ] [Typeface] version[1.5.2], pid[4567], build[62ff986/2015-04-27T09:21:06Z]
[2015-07-12 14:10:27,829][INFO ][node ] [Typeface] initializing …
[2015-07-12 14:10:27,989][INFO ][com.floragunn.searchguard.SearchGuardPlugin] Class enhancements for DLS/FLS successful
[2015-07-12 14:10:27,990][INFO ][plugins ] [Typeface] loaded [searchguard, jdbc-1.5.0.5-da4ba96, river-csv], sites
[2015-07-12 14:10:30,146][WARN ][com.floragunn.searchguard.util.SecurityUtil] AES 256 not supported, max key length for AES is 128. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’
[2015-07-12 14:10:30,392][WARN ][com.floragunn.searchguard.service.SearchGuardService] script.disable_dynamic has the default value sandbox, consider setting it to false if not needed
[2015-07-12 14:10:30,549][INFO ][node ] [Typeface] initialized
[2015-07-12 14:10:30,550][INFO ][node ] [Typeface] starting …
[2015-07-12 14:10:30,623][INFO ][transport ] [Typeface] bound_address {inet[/0:0:0:0:0:0:0:0:9300]}, publish_address {inet[/192.168.1.7:9300]}
[2015-07-12 14:10:30,636][INFO ][discovery ] [Typeface] pavan/UdgVgXLWQ72XuJGhxdFTHA
[2015-07-12 14:10:33,670][INFO ][cluster.service ] [Typeface] new_master [Typeface][UdgVgXLWQ72XuJGhxdFTHA][pavan-Inspiron-7537][inet[/192.168.1.7:9300]], reason: zen-disco-join (elected_as_master)
[2015-07-12 14:10:33,695][INFO ][http ] [Typeface] bound_address {inet[/0:0:0:0:0:0:0:0:9200]}, publish_address {inet[/192.168.1.7:9200]}
[2015-07-12 14:10:33,697][INFO ][node ] [Typeface] started
[2015-07-12 14:10:34,168][INFO ][gateway ] [Typeface] recovered [2] indices into cluster_state
[2015-07-12 14:10:35,568][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:36,561][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:37,561][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:38,561][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:39,561][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:40,561][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:41,562][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:42,562][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:43,563][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:44,564][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:45,564][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:46,564][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:47,565][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:48,566][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:49,566][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:50,568][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:51,568][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:52,569][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:53,569][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:54,570][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:55,571][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:56,571][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:57,571][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
``
Later when I try to query elasticsearch indices through POSTMAN, it asks for Authentication. Even though I enter the correct credentials I get the following error in POSTMAN -
{
“error”: "RuntimeException[java.lang.NullPointerException]; nested: NullPointerException; ",
“status”: 500
}
``
Below will be the response in terminal -
[2015-07-12 14:10:58,403][INFO ][com.floragunn.searchguard.rest.DefaultRestFilter] Authenticated user is User [name=pavan, roles=[role2, role3, admin]]
[2015-07-12 14:10:58,563][WARN ][com.floragunn.searchguard.filter.SearchGuardActionFilter] Cannot determine types for indices:monitor/stats (class org.elasticsearch.action.admin.indices.stats.IndicesStatsRequest) due to types method not found
[2015-07-12 14:10:58,564][ERROR][com.floragunn.searchguard.filter.SearchGuardActionFilter] Error while apply() due to java.lang.NullPointerException for action indices:monitor/stats
java.lang.NullPointerException
at java.util.Objects.requireNonNull(Objects.java:203)
at java.util.Arrays$ArrayList.<init>(Arrays.java:3813)
at java.util.Arrays.asList(Arrays.java:3800)
at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply0(SearchGuardActionFilter.java:187)
at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply(SearchGuardActionFilter.java:89)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
at com.floragunn.searchguard.filter.FLSActionFilter.applySecure(FLSActionFilter.java:76)
at com.floragunn.searchguard.filter.AbstractActionFilter.apply(AbstractActionFilter.java:97)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
at com.floragunn.searchguard.filter.DLSActionFilter.applySecure(DLSActionFilter.java:73)
at com.floragunn.searchguard.filter.AbstractActionFilter.apply(AbstractActionFilter.java:97)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
at com.floragunn.searchguard.filter.RequestActionFilter.applySecure(RequestActionFilter.java:94)
at com.floragunn.searchguard.filter.AbstractActionFilter.apply(AbstractActionFilter.java:97)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:82)
at org.elasticsearch.client.node.NodeIndicesAdminClient.execute(NodeIndicesAdminClient.java:77)
at org.elasticsearch.client.FilterClient$IndicesAdmin.execute(FilterClient.java:120)
at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient$IndicesAdmin.execute(BaseRestHandler.java:149)
at org.elasticsearch.client.support.AbstractIndicesAdminClient.stats(AbstractIndicesAdminClient.java:524)
at org.elasticsearch.rest.action.cat.RestIndicesAction$1$1.processResponse(RestIndicesAction.java:83)
at org.elasticsearch.rest.action.cat.RestIndicesAction$1$1.processResponse(RestIndicesAction.java:78)
at org.elasticsearch.rest.action.support.RestActionListener.onResponse(RestActionListener.java:49)
at org.elasticsearch.action.support.TransportAction$ThreadedActionListener$1.run(TransportAction.java:113)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
[2015-07-12 14:10:58,572][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:10:59,572][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:11:00,573][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:11:01,573][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:11:02,574][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:11:03,574][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:11:04,575][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
^X[2015-07-12 14:11:05,575][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
[2015-07-12 14:11:06,576][INFO ][com.floragunn.searchguard.service.SearchGuardConfigService] [Typeface] Security configuration reloaded
^C[2015-07-12 14:11:07,249][INFO ][node ] [Typeface] stopping …
[2015-07-12 14:11:07,301][INFO ][node ] [Typeface] stopped
[2015-07-12 14:11:07,301][INFO ][node ] [Typeface] closing …
[2015-07-12 14:11:07,318][INFO ][node ] [Typeface] closed
``
Can anyone please help me overcome this?