Trying to make the JWT module work by building locally

Elasticsearch version = “6.2.4”

SearchGuard Version = “6.2.4-22.1” // modified in the .pom file to match ES version

JDK = openjdk version “1.8.0_162”

OS = Linux 4.4.0-119-generic #143~14.04.1-Ubuntu SMP Mon Apr 2 18:04:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I am trying to build the SearchGuard plugin from source it compiles without a problem and I am able to perform a basic auth. Next, I want to test out the JWT auth and I am having issues with that. How do I get the package and install it? I got this JAR from here https://oss.sonatype.org/service/local/repositories/releases/content/com/floragunn/dlic-search-guard-auth-http-jwt/6.0-21.1/dlic-search-guard-auth-http-jwt-6.0-21.1.jar and it still does not work. Everything compiles without a problem and when I send in a JWT it just says Unauthorized.

here is my elasticsearch.yml ( i am just running off of the demo scripts here)

node.name: “elasticsearch”
node.master: true
node.data: true
gateway.recover_after_nodes: 1
gateway.recover_after_time: 10m
gateway.expected_nodes: 1

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: [“sg_all_access”]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
network.host: 0.0.0.0
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

``

General Feedback: Thanks for this excellent plugin :slight_smile: But, its, super-super-super PITA to get it installed and running :frowning:

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

  • Installed and used enterprise modules, if any

  • JVM version and operating system version

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

Pls note that the JWT module is a commercial product and you need to obtain a license for it!
What are the changes you made to the SG plugin? Can you share your code or a diff?

···

Am 01.05.2018 um 23:34 schrieb Saksham Ghimire <gsaxam@gmail.com>:

Elasticsearch version = "6.2.4"
SearchGuard Version = "6.2.4-22.1" // modified in the .pom file to match ES version
JDK = openjdk version "1.8.0_162"
OS = Linux 4.4.0-119-generic #143~14.04.1-Ubuntu SMP Mon Apr 2 18:04:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I am trying to build the SearchGuard plugin from source it compiles without a problem and I am able to perform a basic auth. Next, I want to test out the JWT auth and I am having issues with that. How do I get the package and install it? I got this JAR from here https://oss.sonatype.org/service/local/repositories/releases/content/com/floragunn/dlic-search-guard-auth-http-jwt/6.0-21.1/dlic-search-guard-auth-http-jwt-6.0-21.1.jar and it still does not work. Everything compiles without a problem and when I send in a JWT it just says Unauthorized.

here is my elasticsearch.yml ( i am just running off of the demo scripts here)

node.name: "elasticsearch"
node.master: true
node.data: true
gateway.recover_after_nodes: 1
gateway.recover_after_time: 10m
gateway.expected_nodes: 1

######## Start Search Guard Demo Configuration ########
# WARNING: revise all the lines below before you go into production
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
network.host: 0.0.0.0
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

General Feedback: Thanks for this excellent plugin :slight_smile: But, its, super-super-super PITA to get it installed and running :frowning:

When asking questions, please provide the following information:

* Search Guard and Elasticsearch version
* Installed and used enterprise modules, if any
* JVM version and operating system version
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ddc6339b-cb62-4057-9f7f-44c03621c4a0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.