sgadmin opens 14 TCP sessions within 50 ms. Please help.

Hello,

SG Version: search-guard-6-6.1.1-20.1.zip

ES version: 6.1.1

sgadmin.sh opens like 14 TCP sessions within 50 milliseconds (Sends like 14 consecutive Hellos).

Other than pushing the given below config ymls, is there anything else sg_admin does?

sg_action_groups.yml sg_config.yml sg_internal_users.yml sg_roles.yml sg_roles_mapping.yml

We follow cert-based auth and hence my sg_config.yml looks like this. Is there a way we can push the given below config dynamically? Roles and users, we have the REST API interface. (REST API usage overview | Security for Elasticsearch | Search Guard). If there is a way to dynamically configure the sg_config.yml, I don't have to invoke sgadmin.sh to push the initial config is the idea. We have our own Java implementation and it is having trouble dealing with 14 consecutive Hellos.

cat sg_config.yml

searchguard:
  dynamic:
    authc:
      clientcert_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop

cat /elasticsearch/plugins/search-guard-6/tools/sgadmin.sh

#!/bin/bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
BIN_PATH="java"
if [ -z "$JAVA_HOME" ]; then
    echo "WARNING: JAVA_HOME not set, will use $(which $BIN_PATH)"
else
    BIN_PATH="$JAVA_HOME/bin/java"
fi
"$BIN_PATH" $JAVA_OPTS -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "$DIR/../*:$DIR/../../../lib/*:$DIR/../deps/*" com.floragunn.searchguard.tools.SearchGuardAdmin "$@"

thanks.

Jalaja

# netstat -atn | grep 9300 | grep TIME_WAIT
tcp6 0 0 10.0.0.1:52212 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52224 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52210 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52218 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52204 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52214 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52202 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52216 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52222 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52206 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52220 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52194 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52200 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52208 10.0.0.1:9300 TIME_WAIT
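Added example, not part of the original post: a way to count the client-side sessions to the transport port per TCP state from `netstat -atn` output, so that the listener, the server-side half of each socket and unrelated ports do not inflate the figure. The function names and the sample rows other than the four TIME_WAIT lines taken from the post are constructed for illustration.

```python
# Constructed sample: four TIME_WAIT rows copied from the post's netstat
# output, plus constructed rows (listener, HTTP port, live session) as noise.
SAMPLE = """\
tcp6 0 0 :::9300 :::* LISTEN
tcp6 0 0 10.0.0.1:52212 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52224 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52210 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:52218 10.0.0.1:9300 TIME_WAIT
tcp6 0 0 10.0.0.1:9300 10.0.0.1:52300 ESTABLISHED
tcp6 0 0 10.0.0.1:52300 10.0.0.1:9300 ESTABLISHED
tcp 0 0 10.0.0.1:40112 10.0.0.1:9200 TIME_WAIT
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 forms like ':::9300' work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def transport_sessions(netstat_text, port=9300):
    """Return {state: set of client source ports} for sockets whose foreign
    port is `port`, i.e. the client side of each transport connection."""
    sessions = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected columns: proto recv-q send-q local foreign state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        _, local_port = split_endpoint(fields[3])
        _, foreign_port = split_endpoint(fields[4])
        if foreign_port != str(port):
            continue  # listener, server-side half, or another service
        sessions.setdefault(fields[5], set()).add(local_port)
    return sessions


def session_counts(netstat_text, port=9300):
    """Number of distinct client-side sessions per TCP state."""
    return {state: len(ports)
            for state, ports in transport_sessions(netstat_text, port).items()}


if __name__ == "__main__":
    for state, count in sorted(session_counts(SAMPLE).items()):
        print(f"{state:12} {count}")
```

Feeding it the full output shown in the post yields 14 sessions in TIME_WAIT, matching the number of Hellos reported.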
