Seems you use a client certificate but this one is not registered as admin_dn

I am getting an error while running sgadmin.

Elasticsearch version: 7.17

Server OS version: centos

Describe the issue:

WARNING: JAVA_HOME not set, will use /bin/java
Search Guard Admin v7
Will connect to localhost:9300 … done
Connected as CN=admin,OU=IT,O=xxxxx,L=Palo Alto,ST=California,C=US
ERR: CN=admin,OU=IT,O=xxxxx,L=xxxx,ST=California,C=US is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure elasticsearch.yml on all nodes contains:

searchguard.authcz.admin_dn:
  - "CN=admin,OU=IT,O=xxx,L=Palo Alto,ST=California,C=US"

Steps to reproduce:
1. sh sgadmin.sh -cd …/sgconfig/ -key /elastic/software/elasticsearch-7.17.7/config//certificate/admin-key.pem -cert /elastic/software/elasticsearch-7.17.7/config//certificate/admin.pem -cacert /elastic/software/elasticsearch-7.17.7/config//certificate/root-ca.pem -nhnv -icl

Provide configuration:

searchguard.ssl.transport.pemkey_filepath: /elastic/software/elasticsearch-7.17.7/config/certificate/node1-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: /elastic/software/elasticsearch-7.17.7/config/certificate/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: /elastic/software/elasticsearch-7.17.7/config/certificate/node1.pem
searchguard.ssl.http.pemkey_filepath: /elastic/software/elasticsearch-7.17.7/config/certificate/node1-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: /elastic/software/elasticsearch-7.17.7/config/certificate/root-ca.pem
searchguard.allow_unsafe_democertificates: false
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=admin,OU=IT,O=xxxxx,L=Palo Alto,C=US
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]
searchguard.nodes_dn:
  - 'CN=bldafinsgt-stg-es1.xxxxx.com,OU=IT,O=xxxx,L=Palo Alto,C=US'
  - 'CN=*.vmware.com,OU=IT,O=xxxx,L=Palo Alto,C=US'
  - 'CN=bldafinsgt-stg-es1*'
  - '/CN=.*regex/'

@hello4usharath How many Elasticsearch nodes do you have in your cluster and what is the version of the SG plugin?

@hello4usharath In the Error message you have

CN=admin,OU=IT,O=xxxxx,L=xxxx,ST=California,C=US 

but in elasticsearch.yml

CN=admin,OU=IT,O=xxxxx,L=Palo Alto,C=US

Is the L in the certificate’s DN the same as in admin_dn? (Palo Alto)
Also as per above, you’re missing ST=California in the admin_dn.

Both admin_dn and certificate’s subject have to be an exact match.
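To make the check in the reply above mechanical, here is an added example (not code from the thread or from Search Guard) that parses the DN sgadmin printed after "Connected as" and the entries under searchguard.authcz.admin_dn, then reports which RDNs are missing, extra, or different. The DN strings are the ones shown in the thread (with the redacted O= value kept as "xxxxx"); the rule it applies, every RDN present with the same value and in the same order, is the "exact match" requirement stated in the reply, not a description of Search Guard's internal comparison code. It also accepts the OpenSSL legacy slash form ("/C=US/ST=.../CN=admin"), which lists RDNs in the reverse order, so a subject copied from openssl output compares the same way.

```python
"""Compare a client certificate subject DN with Search Guard admin_dn entries.

Added example, not part of the forum thread or of Search Guard. The matching
rule (same RDNs, same values, same order) is an assumption taken from the
'exact match' statement in the reply, not Search Guard's own code.
"""
import re

# Split on commas that are not escaped with a backslash (RFC 2253 style).
RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Parse a DN into an ordered list of (TYPE, value) tuples.

    Accepts 'CN=admin,OU=IT,...' (the form sgadmin and elasticsearch.yml use)
    and the OpenSSL legacy form '/C=US/ST=California/.../CN=admin', which is
    reversed so both forms yield the same order. Attribute types are upper-cased;
    values are kept as written, because the thread treats them as exact-match.
    """
    dn = dn.strip()
    if dn.startswith('/'):
        # Legacy OpenSSL output: least-significant RDN first, '/' separated.
        # Assumes no '/' inside a value.
        parts = [p for p in dn.split('/') if p]
        parts.reverse()
    else:
        parts = RDN_SPLIT.split(dn)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError(f'malformed RDN: {part!r}')
        rdns.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return rdns


def diff_dn(cert_subject, admin_dn):
    """Return a list of readable differences; an empty list means a match."""
    cert = parse_dn(cert_subject)
    conf = parse_dn(admin_dn)
    problems = []
    cert_types = [t for t, _ in cert]
    conf_types = [t for t, _ in conf]
    for t, v in cert:
        if t not in conf_types:
            problems.append(f'admin_dn is missing {t}={v}')
    for t, v in conf:
        if t not in cert_types:
            problems.append(f'admin_dn has extra {t}={v} not in the certificate')
    conf_map = dict(conf)  # assumes each attribute type appears once
    for t, v in cert:
        if t in conf_map and conf_map[t] != v:
            problems.append(f'{t} differs: certificate {v!r}, admin_dn {conf_map[t]!r}')
    if not problems and cert != conf:
        problems.append('same RDNs but in a different order')
    return problems


def matches_any_admin_dn(cert_subject, admin_dns):
    """True if the certificate subject exactly matches at least one admin_dn entry."""
    return any(not diff_dn(cert_subject, d) for d in admin_dns)


def dn_from_sgadmin_output(output):
    """Pull the DN that sgadmin printed after 'Connected as' (None if absent)."""
    m = re.search(r'^Connected as (.+)$', output, re.MULTILINE)
    return m.group(1).strip() if m else None


# Constructed sample: the relevant lines from the thread's sgadmin run.
SGADMIN_OUTPUT = """Search Guard Admin v7
Will connect to localhost:9300 ... done
Connected as CN=admin,OU=IT,O=xxxxx,L=Palo Alto,ST=California,C=US
ERR: CN=admin,OU=IT,O=xxxxx,L=Palo Alto,ST=California,C=US is not an admin user
"""

# admin_dn as posted (ST=California missing) and as it should be.
ADMIN_DN_POSTED = ["CN=admin,OU=IT,O=xxxxx,L=Palo Alto,C=US"]
ADMIN_DN_FIXED = ["CN=admin,OU=IT,O=xxxxx,L=Palo Alto,ST=California,C=US"]

if __name__ == '__main__':
    subject = dn_from_sgadmin_output(SGADMIN_OUTPUT)
    print('certificate subject:', subject)
    for label, entries in (('posted', ADMIN_DN_POSTED), ('fixed', ADMIN_DN_FIXED)):
        for entry in entries:
            print(f'{label}: {entry}')
            for p in diff_dn(subject, entry) or ['OK, exact match']:
                print('   ', p)
```

Run it against the real sgadmin output and the real elasticsearch.yml entries on every node: the posted configuration reports that admin_dn is missing ST=California, and the corrected entry reports an exact match. Remember that elasticsearch.yml must carry the corrected entry on all nodes and that a node only picks it up after a restart.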

[alerting][plugins] Error executing alerting apiKey invalidation task: no permissions for [indices:data/read/search] and User sg_anonymous [backend_roles=[sg_anonymous_backendrole]]: security_exception: [security_exception] Reason: no permissions for [indices:data/read/search] and User sg_anonymous [backend_roles=[sg_anonymous_backendrole]]

[elasticsearch@bldafinsgt-stg-es1 bin]$ curl -k https://blda-stg-es1:9200/_searchguard/authinfo?pretty
{
  "user" : "User sg_anonymous [backend_roles=[sg_anonymous_backendrole]]",
  "user_name" : "sg_anonymous",
  "user_requested_tenant" : null,
  "remote_address" : "x.x.x.x:53862",
  "backend_roles" : [
    "sg_anonymous_backendrole"
  ],
  "custom_attribute_names" : [ ],
  "attribute_names" : [ ],
  "sg_roles" : [
    "SGS_OWN_INDEX",
    "sg_anonymous"
  ],
  "sg_tenants" : {
    "sg_anonymous" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

@hello4usharath Have you got securityadmin.sh running? Did you fix admin_dn in elasticsearch.yml?
What’s the other error regards? This looks like a separate issue.
