Severe performance problems caused by SearchGuard

Search Guard
23

Good news.

with hotfix the max indexing was around 290k/s and the cluster remained fast and usable during this.

For reference:
17k/s max before hotfix
310k/s max with searchguard disabled

There was zero performance difference inbetween the Logstash user with 26 individual index permissions and the Logstash user with a single * index permission.

1 Like
24

@nils Hi, which version of SG has already this patch please ? We have same performance issue and I have tried version 53.1 but seems like it wasn’t released there.

11:27:10 ERR: Seems deva/sg_config.yml is not in SG 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field “support_aliases_in_index_privileges” (class com.floragunn.searchguard.sgconf.impl.v7.ConfigV7$Dynamic), not marked as ignorable (17 known properties: “license”, “disable_intertransport_auth”, “http”, “auth_token_provider”, “kibana”, “authz”, “auth_failure_listeners”, “transport_userrname_attribute”, “filtered_alias_mode”, “authc”, “disable_rest_auth”, “respect_request_indices_options”, “multi_rolespan_enabled”, “do_not_fail_on_forbidden”, “field_anonymization_salt2”, “hosts_resolver_mode”, “do_not_fail_on_forbidden_empty”])
11:27:10 at [Source: (String)“{”_sg_meta":{“type”:“config”,“config_version”:2},“sg_config”:{“dynamic”:{“do_not_fail_on_forbidden”:true,“support_aliases_in_index_privileges”:false,“kibana”:{“multitenancy_enabled”:true,“server_username”:“kibana_system”,“index”:“.kibana”},“http”:{“anonymous_auth_enabled”:false},“authc”:{“basic_internal_auth_domain”:{“http_enabled”:true,“transport_enabled”:true,“order”:0,“http_authenticator”:{“type”:“basic”,“challenge”:false},“authentication_backend”:{“type”:“internal”}},“openid_auth_domain”:{“h”[truncated 2957 chars]; line: 1, column: 149] (through reference chain: com.floragunn.searchguard.sgconf.impl.SgDynamicConfiguration[“sg_config”]->com.floragunn.searchguard.sgconf.impl.v7.ConfigV7[“dynamic”]->com.floragunn.searchguard.sgconf.impl.v7.ConfigV7$Dynamic[“support_aliases_in_index_privileges”])

25

Hi Peter,

so far the change has been already released for SG FLX, which is available as beta right now:

For FLX; there is also no configuration option. It is just the new way of handling permissions. A GA version is expected within a couple of weeks.