Am getting error while running sgadmin.
Elasticsearch version: 7.17
Server OS version: centos
Describe the issue:
WARNING: JAVA_HOME not set, will use /bin/java
Search Guard Admin v7
Will connect to localhost:9300 … done
Connected as CN=admin,OU=IT,O=xxxxx,L=Palo Alto,ST=California,C=US
ERR: CN=admin,OU=IT,O=xxxxx,L=xxxx,ST=California,C=US is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure elasticsearch.yml on all nodes contains:
searchguard.authcz.admin_dn:
- "CN=admin,OU=IT,O=xxx,L=Palo Alto,ST=California,C=US"
Steps to reproduce:
1.sh sgadmin.sh -cd …/sgconfig/ -key /elastic/software/elasticsearch-7.17.7/config//certificate/admin-key.pem -cert /elastic/software/elasticsearch-7.17.7/config//certificate/admin.pem -cacert /elastic/software/elasticsearch-7.17.7/config//certificate/root-ca.pem -nhnv -icl
2.
3.
Provide configuration:
searchguard.ssl.transport.pemkey_filepath: /elastic/software/elasticsearch-7.17.7/config/certificate/node1-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: /elastic/software/elasticsearch-7.17.7/config/certificate/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: /elastic/software/elasticsearch-7.17.7/config/certificate/node1.pem
searchguard.ssl.http.pemkey_filepath: /elastic/software/elasticsearch-7.17.7/config/certificate/node1-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: /elastic/software/elasticsearch-7.17.7/config/certificate/root-ca.pem
searchguard.allow_unsafe_democertificates: false
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
- CN=admin,OU=IT,O=xxxxx,L=Palo Alto,C=US
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]
searchguard.nodes_dn:
- 'CN=bldafinsgt-stg-es1.xxxxx.com,OU=IT,O=xxxx,L=Palo Alto,C=US'
- 'CN=*.vmware.com,OU=IT,O=xxxx,L=Palo Alto,C=US'
- 'CN=bldafinsgt-stg-es1*'
- '/CN=.*regex/'