Transport client giving access to all indices.

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version 6.0.0

  • Installed and used enterprise modules, if any No

  • JVM version and operating system version

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

Hi,

I have installed Search Guard 6.0.0 and the GUI is working successfully. From the Java side I am using the transport client; I have used the PKI script and generated certificates.

I am using the spock certificate, but it is giving access to all indices. It is not working according to user-wise roles and permissions.

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH, "C:\\Users\\c-kanchanka\\Desktop\\new_search_guard_file_pki\\spock.crtfull.pem")
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, "C:\\Users\\c-kanchanka\\Desktop\\new_search_guard_file_pki\\spock.key.pem")
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, "C:\\Users\\c-kanchanka\\Desktop\\new_search_guard_file_pki\\root-ca.pem")
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, "false")
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED, "true")
.put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED, "true")
.put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMCERT_FILEPATH, "C:\\Users\\c-kanchanka\\Desktop\\new_search_guard_file_pki\\spock.crtfull.pem")
.put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMKEY_FILEPATH, "C:\\Users\\c-kanchanka\\Desktop\\new_search_guard_file_pki\\spock.key.pem")
.put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, "C:\\Users\\c-kanchanka\\Desktop\\new_search_guard_file_pki\\root-ca.pem")

and in the elasticsearch.yml file I have written the entries below.

searchguard.ssl.transport.pemcert_filepath: spock.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: spock.key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
- CN=spock,OU=client,O=client,L=Test,C=DE

Please provide a solution to restrict access to all indices.

Thanks,

Ajit

spock is registered as an admin certificate

searchguard.authcz.admin_dn:
- CN=spock,OU=client,O=client,L=Test,C=DE

and therefore bypasses all permission checks.

See http://docs.search-guard.com/latest/tls-in-production (Production environments | Security for Elasticsearch | Search Guard)

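A pre-deployment check for the condition described in the reply above, as an added example that is not part of the original thread and not Search Guard's own code: it reads searchguard.authcz.admin_dn from the node configuration and reports whether the transport client's certificate DN is listed there. The function names, the DN normalization rule and the CN=sgadmin-only DN are assumptions made for illustration.

```python
import re

# Constructed from the elasticsearch.yml entries quoted in the thread.
THREAD_YML = """\
searchguard.ssl.transport.pemcert_filepath: spock.crtfull.pem
searchguard.authcz.admin_dn:
  - CN=spock,OU=client,O=client,L=Test,C=DE
"""
# Constructed "after" state: admin_dn names a separate certificate (hypothetical DN)
# held only by the administrator, not the one the application ships with.
SEPARATED_YML = THREAD_YML.replace("CN=spock", "CN=sgadmin-only")

def admin_dns(yml_text):
    """List the entries under searchguard.authcz.admin_dn (minimal reader, not full YAML)."""
    dns, in_list = [], False
    for raw in yml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("searchguard.authcz.admin_dn:"):
            in_list = True
        elif in_list and line.startswith("-"):
            dns.append(line[1:].strip().strip("'\""))
        else:
            in_list = False
    return dns

def normalize_dn(dn):
    """Assumed comparison rule for this audit: ignore case and spacing around RDNs."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return tuple(parts)

def is_admin_cert(client_dn, yml_text):
    """True if the client certificate's subject DN is listed in admin_dn."""
    return normalize_dn(client_dn) in {normalize_dn(d) for d in admin_dns(yml_text)}

def audit(client_dn, yml_text):
    if is_admin_cert(client_dn, yml_text):
        return f"FAIL: {client_dn} is in admin_dn; permission checks are bypassed"
    return f"OK: {client_dn} is not in admin_dn; permission checks apply"

if __name__ == "__main__":
    spock = "CN=spock, OU=client, O=client, L=Test, C=DE"
    print(audit(spock, THREAD_YML))
    print(audit(spock, SEPARATED_YML))
```
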

How can I overcome this problem? Please let me know how I could enable the permission checks on the Java side using the transport client with something other than the admin user.


Thanks, working fine now for me.
