Hi All,
I'm stuck with the Search Guard configuration for a cluster environment. Below is my environment:
- Search Guard and Elasticsearch version: 5.5
- JVM version and operating system version: 1.8
elasticsearch.yml:
cluster.name: log-collector
path.data: /var/lib/elasticsearch/log-collector
path.logs: /var/log/elasticsearch
node.master: true
node.data: false
bootstrap.memory_lock: true # this one added new
indices.fielddata.cache.size: 40%
indices.breaker.fielddata.limit: 60%
indices.breaker.request.limit: 40%
indices.breaker.total.limit: 70%
bootstrap.system_call_filter: false
network.host: 0.0.0.0
network.publish_host: eth0
######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.keystore_password: changeit
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: changeit
searchguard.authcz.admin_dn:
- CN=spock,OU=client,O=client,L=test,C=de
searchguard.nodes_dn:
- CN=node-0-example.com,OU=SSL,O=test,L=test,C=de
######## End Search Guard Demo Configuration ########
I generated a node certificate using gen_node_cert.sh from the PKI scripts… with the updated IP configuration.
I've executed sgadmin:
/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -cn log-collector -kspass changeit -ks /etc/elasticsearch/spock-keystore.jks -tspass changeit -ts /etc/elasticsearch/truststore.jks -nhnv --diagnose
I see the below error on the master node:
[root@LOG-COLLECTOR tools]# ./sgadmin_demo.sh
Search Guard Admin v5
Will connect to 10.207.99.125:9300 … done
LICENSE NOTICE Search Guard
If you use one or more of the following features in production
make sure you have a valid Search Guard license
(See Licensing | Search Guard Community, Enterprise and Compliance Edition)
- Kibana Multitenancy
- LDAP authentication/authorization
- Active Directory authentication/authorization
- REST Management API
- JSON Web Token (JWT) authentication/authorization
- Kerberos authentication/authorization
- Document- and Fieldlevel Security (DLS/FLS)
- Auditlogging
In case of any doubt mail to sales@floragunn.com
###################################
Diagnostic trace written to: /usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin_diag_trace_2017-Oct-30_10-50-35.txt
Contacting elasticsearch cluster 'log-collector' and wait for YELLOW clusterstate ...
Clustername: log-collector
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 0
searchguard index already exists, so we do not need to create one.
INFO: searchguard index state is YELLOW, it seems you miss some replicas
Populate config from /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/
Will update 'config' with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_config.yml
FAIL: Configuration for 'config' failed because of UnavailableShardsException[[searchguard][0] primary shard is not active Timeout: [1m], request: [BulkShardRequest [[searchguard][0]] containing [index {[searchguard][config][0], source[n/a, actual length: [3.1kb], max length: 2kb]}] and a refresh]]
Will update 'roles' with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles.yml
FAIL: Configuration for 'roles' failed because of UnavailableShardsException[[searchguard][0] primary shard is not active Timeout: [1m], request: [BulkShardRequest [[searchguard][0]] containing [index {[searchguard][roles][0], source[n/a, actual length: [3.4kb], max length: 2kb]}] and a refresh]]
Will update 'rolesmapping' with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles_mapping.yml
FAIL: Configuration for 'rolesmapping' failed because of UnavailableShardsException[[searchguard][0] primary shard is not active Timeout: [1m], request: [BulkShardRequest [[searchguard][0]] containing [index {[searchguard][rolesmapping][0], source[{"rolesmapping":"…"}]}] and a refresh]]
Could someone please help me to understand the problem and the certificate generation / configuration?
Thanks in advance
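As an added example (not part of the post above, and not a Search Guard tool), the following Python pre-flight check reads the elasticsearch.yml fragment and the sgadmin transcript quoted in the post, reconstructed inline as constructed samples, and reports two things a reviewer would check before touching certificates: the condition that explains the UnavailableShardsException (the only node is master-only with node.data: false and sgadmin reports 0 data nodes, so the searchguard index has nowhere to place its primary shard, while the TLS connection and admin certificate evidently already worked because the cluster state was read), and the demo-grade settings (changeit passwords, hostname verification disabled) that are fine for a first test but not for a cluster that will hold log data. The setting names come from the post; the severity labels and the "example.com placeholder DN" heuristic are this example's own assumptions.

```python
"""Pre-flight check for a Search Guard 5.x node before running sgadmin.

Added example, not code from the post or from the Search Guard project.
Severity labels and the example.com placeholder heuristic are assumptions.
"""
import re

# Constructed sample: the relevant lines of the elasticsearch.yml from the post.
SAMPLE_YML = """\
cluster.name: log-collector
node.master: true
node.data: false
bootstrap.memory_lock: true # this one added new
network.host: 0.0.0.0
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_password: changeit
searchguard.nodes_dn:
- CN=node-0-example.com,OU=SSL,O=test,L=test,C=de
"""

# Constructed sample: the lines of the sgadmin output that matter here.
SAMPLE_SGADMIN = """\
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 0
FAIL: Configuration for 'config' failed because of UnavailableShardsException[[searchguard][0] primary shard is not active Timeout: [1m]]
"""


def parse_settings(yml_text):
    """Parse the flat 'key: value' subset of YAML that elasticsearch.yml uses.

    '- item' lines are collected as a list under the preceding key. Inline
    '#' comments are stripped, so a password containing '#' would be cut
    (quote such values in a real file).
    """
    settings, current = {}, None
    for raw in yml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^([\w.]+):\s*(.*)$", line)
        if m:
            current, value = m.group(1), m.group(2).strip()
            settings[current] = value if value else []
        elif line.lstrip().startswith("- ") and isinstance(settings.get(current), list):
            settings[current].append(line.lstrip()[2:].strip())
    return settings


def lint_settings(settings):
    """Return (severity, message) findings for one node's elasticsearch.yml."""
    findings = []
    if settings.get("node.data", "true") == "false":
        findings.append(("blocker", "node.data: false, so this node holds no shards; "
                         "the searchguard index needs at least one data node"))
    if settings.get("searchguard.ssl.transport.enforce_hostname_verification") == "false":
        findings.append(("weak", "transport hostname verification is off: any cert "
                         "signed by the trusted CA is accepted for any node name"))
    if settings.get("searchguard.ssl.http.enabled") != "true":
        findings.append(("weak", "searchguard.ssl.http.enabled is not true: REST traffic "
                         "and basic-auth credentials travel in clear"))
    for key, value in settings.items():
        if key.endswith("_password") and value == "changeit":
            findings.append(("weak", f"{key} still uses the demo password"))
    for dn in settings.get("searchguard.nodes_dn", []):
        if "example.com" in dn:  # heuristic: placeholder domain, not a real node name
            findings.append(("weak", f"searchguard.nodes_dn lists a placeholder DN: {dn}"))
    return findings


def lint_sgadmin(transcript):
    """Explain sgadmin failures from its own transcript."""
    findings = []
    m = re.search(r"Number of data nodes:\s*(\d+)", transcript)
    data_nodes = int(m.group(1)) if m else None
    if data_nodes == 0:
        findings.append(("blocker", "cluster reports 0 data nodes: nothing can allocate "
                         "the searchguard primary shard, so every write times out"))
    if "UnavailableShardsException" in transcript and "primary shard is not active" in transcript:
        findings.append(("blocker", "sgadmin bulk writes failed on an unassigned primary shard; "
                         "the connection succeeded, so fix shard allocation before the certs"))
    return findings


def ready_for_sgadmin(yml_text, transcript):
    """(ok, findings): ok only when no blocker is present; weak settings are reported."""
    findings = lint_settings(parse_settings(yml_text)) + lint_sgadmin(transcript)
    return not any(sev == "blocker" for sev, _ in findings), findings


if __name__ == "__main__":
    ok, findings = ready_for_sgadmin(SAMPLE_YML, SAMPLE_SGADMIN)
    for sev, msg in findings:
        print(f"[{sev}] {msg}")
    print("ready:", ok)
```

Run against the post's own fragment it reports one blocker from the config (node.data: false) and two from the transcript (0 data nodes, unassigned primary), plus the weak demo settings; with a data node in the cluster only the weak findings remain, and those are the ones to clean up once the cluster is healthy (real node certificates whose DNs match searchguard.nodes_dn, unique keystore passwords, and hostname verification turned back on).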