Searchguard index says it has zero documents

We run the newest version of the elastic stack with Search Guard (6.7.1), and it works. I found that the searchguard index appears to be empty, i.e., searchguard/_count returns zero, even to the user with sg_all_access privileges. I guess this is not true but only appears to be zero?

Correct. The SG configuration index is protected by our plugin, so no regular user can view or change its content. A regular user is also not allowed to perform any index operations like closing or freezing the index. Making it invisible completely is not really possible, but the index will appear empty.

The sg_all_access role grants the user access to all indices and data in the cluster, but does not give the user any elevated privileges to view or change the SG index.

For that we have the concept of the TLS admin certificate:

When using an admin certificate you are basically acting as a root user, bypassing any SG security checks. In other words, the only way to view the contents of the SG configuration index is to use the TLS admin certificate.
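As an added example (not from the original thread or from the Search Guard project), the two checks described in this answer as a small shell script: the same `searchguard/_count` query issued once with a regular user's credentials and once with the TLS admin certificate. The cluster URL, user, password and certificate paths are assumed placeholders; `extract_count` pulls the `count` field out of the JSON reply so the two results can be compared, and is exercised here on a constructed sample reply so the script also runs without a cluster.

```shell
#!/bin/sh
# Added example: compare what a regular user and the TLS admin certificate
# see in the Search Guard configuration index. All hosts, users, passwords
# and certificate paths below are assumed placeholders, not values from the thread.
ES_URL="${ES_URL:-https://localhost:9200}"
CA_CERT="${CA_CERT:-/path/to/root-ca.pem}"        # assumed: cluster CA certificate
ADMIN_CERT="${ADMIN_CERT:-/path/to/admin.pem}"    # assumed: admin client certificate
ADMIN_KEY="${ADMIN_KEY:-/path/to/admin-key.pem}"  # assumed: its private key
SG_USER="${SG_USER:-admin}"                       # assumed: a user holding sg_all_access
SG_PASS="${SG_PASS:-changeme}"                    # assumed: that user's password
SG_INDEX="searchguard"

# Pull the integer out of a _count reply such as {"count":0,"_shards":{...}}.
# Prints the number, or "unknown" when no count field is present (e.g. an error reply).
extract_count() {
  n=$(printf '%s' "$1" | sed -n 's/.*"count"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$n" ] && printf '%s\n' "$n" || printf 'unknown\n'
}

# Count via HTTP basic auth: SG applies its normal checks, so the protected
# index reports 0 documents even for a user with sg_all_access.
count_as_user() {
  curl -s --cacert "$CA_CERT" -u "$SG_USER:$SG_PASS" "$ES_URL/$SG_INDEX/_count"
}

# Count via the admin certificate: SG treats the caller as root and bypasses
# its checks, so the real document count of the configuration index is returned.
count_as_admin() {
  curl -s --cacert "$CA_CERT" --cert "$ADMIN_CERT" --key "$ADMIN_KEY" \
    "$ES_URL/$SG_INDEX/_count"
}

# Constructed sample reply (what a regular user sees), so the parser can be
# exercised without a running cluster.
SAMPLE_REPLY='{"count":0,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0}}'

if [ "${1:-}" = "live" ]; then
  echo "regular user: $(extract_count "$(count_as_user)")"
  echo "admin cert:   $(extract_count "$(count_as_admin)")"
else
  echo "sample reply parses to: $(extract_count "$SAMPLE_REPLY")"
fi
```

Run it with `live` as the first argument (and the placeholders replaced) to query a real cluster; with no argument it only parses the constructed sample. A count of 0 from the basic-auth call next to a non-zero count from the admin-certificate call is the expected picture for a healthy installation, and is a quick way to confirm that the configuration index is being protected as intended.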

