TransportClient + ActiveDirectory, having some trouble

My transport client (Java) is not being nice to me with SG. Please help.

I want to pass all the info needed to get assistance, but I’m not sure what that is exactly. I’ll start with what I think is relevant.

The error:

```
unauthenticated request indices:data/read/get for user User [name=_sg_internal, roles=]
```

My setup:

  • ES and SG 5.2.2 with Enterprise Extension for LDAP/AD (testing)
  • I have several users from my AD (Active Directory) in my sg_roles_mappings.yml file, but I’m focusing on one. It’s called devtest and its full DN is under the sg_all_access role.
  • devtest is also the authcz.admin in elasticsearch.yml
  • I used the script bundle in SearchGuardSSL to generate keystores. I changed all the example DNs to devtest’s DN.
  • the truststore and keystore files are used both by the ES node and by the TransportClient (which happen to be on the same machine for testing).

If there are any configs that you would like to see, please let me know. This error doesn’t produce anything in the ES logs, it seems.

When reading about this error, Google showed me the issues / docs about using the http exporter. Rest assured, I have seen those a million times, and also have the setup working (aside from the TransportClient) with ES, SG, x-pack monitoring and Kibana. I still may have missed something, but I doubt that it’s any of the basic parts of those docs.

Question: who exactly is sg_internal and why does he/she not have permission to read stuff?

Please and thank you.

Marco.

The _sg_internal user is used on transport layer for inter-node communication.

The issue you are seeing is most likely due to the fact that you use a node certificate for the TransportClient. Because you wrote:

"the truststore and keystore files are used both by the ES node and by the TransportClient "

Node certificates should only be used for “real” nodes, not transport clients. For those you should use a regular client certificate (for example, the “spock” certificate generated by the example PKI scripts).

The transport client needs to identify itself like any other regular user, so you need to set up this user (for example by using the DN of the certificate) and then map it to one or more roles.

There’s a two part article about transport clients on our blog:

https://floragunn.com/searchguard-elasicsearch-transport-clients/

https://floragunn.com/transport-client-authentication-authorization/

The first one describes how to authenticate transport clients by their certificate. The second one describes how to add user credentials on a per-request basis. I think you only need the first one for your use case.

You don’t see any error in the log files because from a SG perspective it’s “just” a user making requests without the proper permissions.

Let me know if this helps.

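The setup described in the reply above, as an added example that is not part of the original thread and not Search Guard's own code: a TransportClient that loads a dedicated client keystore instead of the node keystore, with the client certificate's DN mapped to a role on the server. The file paths, cluster name, environment variable names, DN and index/type/id are placeholders assumed for illustration.

```java
import com.floragunn.searchguard.ssl.SearchGuardSSLPlugin;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.transport.client.PreBuiltTransportClient;

import java.net.InetAddress;
import java.util.Objects;

/*
 * Server side, in the roles mapping file: map the subject DN of the CLIENT
 * certificate to a role. The DN is a constructed placeholder. sg_all_access is
 * the role named in the question; a role limited to what the client needs is
 * the safer choice.
 *
 *   sg_all_access:
 *     users:
 *       - 'CN=transport-client,OU=client,O=Example,C=DE'
 */
public class SgTransportClientExample {

    // Fail early instead of passing a null password into the settings.
    private static String env(String name) {
        return Objects.requireNonNull(System.getenv(name), name + " is not set");
    }

    public static void main(String[] args) throws Exception {
        Settings settings = Settings.builder()
            .put("cluster.name", "my-cluster") // placeholder
            // Keystore holding the client certificate, NOT the node's keystore.
            .put("searchguard.ssl.transport.keystore_filepath", "/path/to/client-keystore.jks")
            .put("searchguard.ssl.transport.keystore_password", env("SG_KEYSTORE_PASSWORD"))
            // The truststore only holds the CA chain, so it can match the node's.
            .put("searchguard.ssl.transport.truststore_filepath", "/path/to/truststore.jks")
            .put("searchguard.ssl.transport.truststore_password", env("SG_TRUSTSTORE_PASSWORD"))
            .build();

        try (TransportClient client =
                 new PreBuiltTransportClient(settings, SearchGuardSSLPlugin.class)) {
            client.addTransportAddress(
                new InetSocketTransportAddress(InetAddress.getByName("localhost"), 9300));
            // Same action as in the error message: indices:data/read/get
            GetResponse response = client.prepareGet("my-index", "my-type", "1").get();
            System.out.println("document found: " + response.isExists());
        }
    }
}
```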

Will try this out very soon. I greatly appreciate the help.


Yup. That was it. Thanks, Jochen, for all of your wonderful help.
