Searchguard 36.0.0 actiongroup example fails config-validation in search-guard-7/tools/sgadmin.sh

I am trying out the new -vc,--validate-configs <version> flag of sgadmin, but it doesn’t pass the example of Permissions and action groups of version 7.x-36.0.0 from this page.

I am getting the following error:

ERR: Seems /elasticsearch/my_repo/sg_action_groups.yml is not in SG 7 format: com.fasterxml.jackson.databind.JsonMappingException: No enum constant com.floragunn.searchguard.sgconf.impl.CType.ACTIONSGROUPS
 at [Source: {"_sg_meta":{"type":"actionsgroups","config_version":2},"MY_ACTION_GROUP":{"reserved":false,"allowed_actions":["indices:data/read/search*","indices:data/read/msearch*","MY_OTHER_ACTION_GROUP"]},"MY_OTHER_ACTION_GROUP":{"reserved":true,"description":"my other action group","type":"index","allowed_actions":["indices:data/read/suggest*"]}}; line: 1, column: 21] (through reference chain: com.floragunn.searchguard.sgconf.impl.SgDynamicConfiguration["_sg_meta"]->com.floragunn.searchguard.sgconf.impl.Meta["type"])

The procedure I followed:

  • mkdir -p /elasticsearch/my_repo
  • create a file called sg_action_groups.yml that contains the following YAML:
_sg_meta:
  type: "actionsgroups"
  config_version: 2
  
MY_ACTION_GROUP:
  reserved: false
  allowed_actions:
    - "indices:data/read/search*"
    - "indices:data/read/msearch*"
    - MY_OTHER_ACTION_GROUP
MY_OTHER_ACTION_GROUP:
  reserved: true
  description: "my other action group"
  type: "index"
  allowed_actions:
    - "indices:data/read/suggest*"
  • Run sgadmin config validation
 /elasticsearch/plugins/search-guard-7/tools/sgadmin.sh -vc 7 -cd "/elasticsearch/my_repo"

The full log:

bash-4.4# /elasticsearch/plugins/search-guard-7/tools/sgadmin.sh -vc 7 -cd "/elasticsearch/my_repo"
Search Guard Admin v7
Validate configuration for Version 7
ERR: Seems /elasticsearch/my_repo/sg_action_groups.yml is not in SG 7 format: com.fasterxml.jackson.databind.JsonMappingException: No enum constant com.floragunn.searchguard.sgconf.impl.CType.ACTIONSGROUPS
 at [Source: {"_sg_meta":{"type":"actionsgroups","config_version":2},"MY_ACTION_GROUP":{"reserved":false,"allowed_actions":["indices:data/read/search*","indices:data/read/msearch*","MY_OTHER_ACTION_GROUP"]},"MY_OTHER_ACTION_GROUP":{"reserved":true,"description":"my other action group","type":"index","allowed_actions":["indices:data/read/suggest*"]}}; line: 1, column: 21] (through reference chain: com.floragunn.searchguard.sgconf.impl.SgDynamicConfiguration["_sg_meta"]->com.floragunn.searchguard.sgconf.impl.Meta["type"])
ERR: Seems /elasticsearch/my_repo/sg_internal_users.yml is not in SG 7 format: java.io.FileNotFoundException: /elasticsearch/my_repo/sg_internal_users.yml (No such file or directory)
ERR: Seems /elasticsearch/my_repo/sg_roles.yml is not in SG 7 format: java.io.FileNotFoundException: /elasticsearch/my_repo/sg_roles.yml (No such file or directory)
ERR: Seems /elasticsearch/my_repo/sg_roles_mapping.yml is not in SG 7 format: java.io.FileNotFoundException: /elasticsearch/my_repo/sg_roles_mapping.yml (No such file or directory)
ERR: Seems /elasticsearch/my_repo/sg_config.yml is not in SG 7 format: java.io.FileNotFoundException: /elasticsearch/my_repo/sg_config.yml (No such file or directory)

It seems you have a typo here. It’s:

_sg_meta:
  type: "actiongroups"
  config_version: 2

(“actiongroup”, singular, not “actionsgroups”)

Thanks a lot. :slight_smile: That helped.

I guess this example needs to be updated. Permissions and action groups in Search Guard | Security for Elasticsearch | Search Guard :frowning:

Ah, ok, thanks for pointing this out, this is indeed a typo in the docs then. Will correct this ASAP.


Can you help me with another query please?

I am trying to run validate-config for search-guard-6 but it fails for multiple action groups in one yaml file.

My actiongroups yaml:

UNLIMITED:
  - "*"

READ:
  - "indices:data/read*"
  - "indices:admin/mappings/fields/get*"

CLUSTER_COMPOSITE_OPS_RO:
  - "indices:data/read/mget"
  - "indices:data/read/msearch"
  - "indices:data/read/mtv"
  - "indices:data/read/coordinate-msearch*"
  - "indices:admin/aliases/exists*"
  - "indices:admin/aliases/get*"

CLUSTER_KUBEDB_SNAPSHOT:
  - "indices:data/read/scroll*"
  - "cluster:monitor/main"

INDICES_KUBEDB_SNAPSHOT:
  - "indices:admin/get"
  - "indices:monitor/settings/get"
  - "indices:admin/mappings/get"

Getting the error:

bash-4.4# /elasticsearch/plugins/search-guard-7/tools/sgadmin.sh -vc 6 -cd /elasticsearch/my_repo/
Search Guard Admin v7
Validate configuration for Version 6
ERR: Seems /elasticsearch/my_repo/sg_action_groups.yml is not in SG 6 format: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of com.floragunn.searchguard.sgconf.impl.v6.ActionGroupsV6 out of START_ARRAY token
 at [Source: {"UNLIMITED":["*"],"READ":["indices:data/read*","indices:admin/mappings/fields/get*"],"CLUSTER_COMPOSITE_OPS_RO":["indices:data/read/mget","indices:data/read/msearch","indices:data/read/mtv","indices:data/read/coordinate-msearch*","indices:admin/aliases/exists*","indices:admin/aliases/get*"],"CLUSTER_KUBEDB_SNAPSHOT":["indices:data/read/scroll*","cluster:monitor/main"],"INDICES_KUBEDB_SNAPSHOT":["indices:admin/get","indices:monitor/settings/get","indices:admin/mappings/get"]}; line: 1, column: 14] (through reference chain: com.floragunn.searchguard.sgconf.impl.SgDynamicConfiguration["UNLIMITED"])
...

Any idea how to overcome the error?

Yes, this is unclear from the docs as well. The validation for upgrading 6 → 7 has become more strict. Action groups require the following format:

UNLIMITED:
  permissions:
    - "*"

Sorry for the inconvenience!
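
The rewrite described in the reply above, as an added example that is not part of the thread and not Search Guard code: it converts flat-list action groups into the nested `permissions:` layout and leaves groups that already use it untouched. The function name `to_permissions_form` is hypothetical, and the code assumes every group takes the same shape as the `UNLIMITED` example in the reply.

```python
import re

# Constructed sample: two groups in the flat-list layout from the question
# and one group that already uses the nested layout from the reply.
LEGACY = '''\
UNLIMITED:
  - "*"

READ:
  - "indices:data/read*"
  - "indices:admin/mappings/fields/get*"

ALREADY_OK:
  permissions:
    - "cluster:monitor/main"
'''

TOP_KEY = re.compile(r'^([A-Za-z0-9_.-]+):\s*$')   # e.g. "READ:"
LIST_ITEM = re.compile(r'^(\s+)-\s+\S')            # e.g. '  - "*"'


def to_permissions_form(text):
    """Return (rewritten_text, converted_group_names).

    Assumption: every group takes the shape shown for UNLIMITED in the reply.
    """
    out, converted = [], []
    state, name = None, None   # state: None, "fresh", "bare" or "nested"
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)                 # keep blank lines and comments
            continue
        if not line[0].isspace():            # a new top-level entry starts
            m = TOP_KEY.match(line)
            state, name = ("fresh", m.group(1)) if m else (None, None)
            out.append(line)
            continue
        if state == "fresh":                 # first child decides the layout
            item = LIST_ITEM.match(line)
            state = "bare" if item else "nested"
            if item:
                converted.append(name)
                out.append(item.group(1) + "permissions:")
        out.append("  " + line if state == "bare" else line)
    return "\n".join(out) + "\n", converted


if __name__ == "__main__":
    new_text, changed = to_permissions_form(LEGACY)
    print(new_text, end="")
    print("# converted:", ", ".join(changed))
```

Write the result to a copy of sg_action_groups.yml and re-run `sgadmin.sh -vc 6 -cd <dir>` against that copy; the returned list of converted group names gives a reviewer the exact set of permission definitions that changed shape.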
