Unable to Use REST API

Search Guard
1

Hello,

I started using Search Guard 2 with Elastic Search and configured it. The documentation is pretty well.

However, I am unable to figure out how to make use of the REST API.

Below is my elasticsearch.yml config:

cluster.name: es_test

node.name: node-0

network.host: localhost

http.port: 9200

searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks

searchguard.ssl.transport.keystore_password: changeit

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: changeit

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node-0-keystore.jks

searchguard.ssl.http.keystore_password: changeit

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: changeit

searchguard.ssl.http.clientauth_mode: OPTIONAL

searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=DE

SSL configuration and authentication is working fine:

$ curl -k --cert chain.pem --key kirk.key.pem -XGET ‘https://localhost:9200/_searchguard/sslinfo?pretty

{

“principal” : “CN=kirk,OU=client,O=client,L=Test,C=DE”,

“peer_certificates” : “3”,

“ssl_protocol” : “TLSv1.2”,

“ssl_cipher” : “TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256”,

“ssl_openssl_available” : false,

“ssl_openssl_version” : -1,

“ssl_openssl_version_string” : null,

“ssl_openssl_non_available_cause” : “java.lang.ClassNotFoundException: org.apache.tomcat.jni.SSL”,

“ssl_provider_http” : “JDK”,

“ssl_provider_transport_server” : “JDK”,

“ssl_provider_transport_client” : “JDK”

}

But when I try to use the API, I get the below error:

$ curl -k --cert chain.pem --key kirk.key.pem -XGET ‘https://localhost:9200/_searchguard/api/user/kirk?pretty

No handler found for uri [/_searchguard/api/user/kirk?pretty] and method [GET]

Below are the versions:

OS: Ubuntu 14

ElasticSearch: 2.4.1

SG-SSL: 2.4.1.16

SG: 2.4.1.8

I am unable to solve this. Please assist.

Thanks

2

  • Did you download the jar file for the management API and put it in the directory plugins/search-guard-2)

  • Did you restart the nodes after you have put the plugin the directory mentioned above?

  • Does ES start up without errors? Is there anything suspicious in the logfile?

  • Do you see something like “Management API is not free software…” when starting ES? This means the module is installed correctly.

If this does not help, please post your ES logfile on DEBUG level here.

···

Am Mittwoch, 30. November 2016 13:56:04 UTC+1 schrieb Sonny L:

Hello,

I started using Search Guard 2 with Elastic Search and configured it. The documentation is pretty well.

However, I am unable to figure out how to make use of the REST API.

Below is my elasticsearch.yml config:

cluster.name: es_test

node.name: node-0

network.host: localhost

http.port: 9200

searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks

searchguard.ssl.transport.keystore_password: changeit

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: changeit

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node-0-keystore.jks

searchguard.ssl.http.keystore_password: changeit

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: changeit

searchguard.ssl.http.clientauth_mode: OPTIONAL

searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=DE

SSL configuration and authentication is working fine:

$ curl -k --cert chain.pem --key kirk.key.pem -XGET ‘https://localhost:9200/_searchguard/sslinfo?pretty

{

“principal” : “CN=kirk,OU=client,O=client,L=Test,C=DE”,

“peer_certificates” : “3”,

“ssl_protocol” : “TLSv1.2”,

“ssl_cipher” : “TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256”,

“ssl_openssl_available” : false,

“ssl_openssl_version” : -1,

“ssl_openssl_version_string” : null,

“ssl_openssl_non_available_cause” : “java.lang.ClassNotFoundException: org.apache.tomcat.jni.SSL”,

“ssl_provider_http” : “JDK”,

“ssl_provider_transport_server” : “JDK”,

“ssl_provider_transport_client” : “JDK”

}

But when I try to use the API, I get the below error:

$ curl -k --cert chain.pem --key kirk.key.pem -XGET ‘https://localhost:9200/_searchguard/api/user/kirk?pretty

No handler found for uri [/_searchguard/api/user/kirk?pretty] and method [GET]

Below are the versions:

OS: Ubuntu 14

ElasticSearch: 2.4.1

SG-SSL: 2.4.1.16

SG: 2.4.1.8

I am unable to solve this. Please assist.

Thanks

“No handler found for uri [/_searchguard/api/user/kirk?pretty] and method [GET]” usually means that the REST API module, which provides the respective handlers, is not installed properly.

3

Hi Jochen,

I have the same issue: I checked all the points, but nothing shows up in the log (even in debug mode) regarding management API.

4

Currently I have the following in the search-guard-2 plugin directory:

dlic-search-guard-rest-api-2.4-2-jar-with-dependencies.jar
plugin-descriptor.properties
plugin-security.policy
search-guard-2-2.4.1.7.jar
sgconfig
tools

``

5

Now that I checked, there is a message but not in elasticsearch.log. It only shows up on STDOUT/STDERR:

Searchguard Management API is not free software
for commercial use in production.

``

That’s what confused me.

The API is working fine, thanks and sorry for the noise

6

In my case,

This returns nothing:
$ curl -k https://localhost:9200/_searchguard/api/configuration/roles?pretty --cert chain.pem --key sgadmin.key.pem

This returns expected result:
$ curl -k https://localhost:9200/_searchguard/api/configuration/roles?pretty --cert ./chain.pem --key ./sgadmin.key.pem

7

this likely due to curl is compiled with NSS instead of openssl

···

Am 25.01.2017 um 09:30 schrieb Wataru Takase <wataru.takase@kek.jp>:

In my case,

This returns nothing:
$ curl -k https://localhost:9200/_searchguard/api/configuration/roles?pretty --cert chain.pem --key sgadmin.key.pem

This returns expected result:
$ curl -k https://localhost:9200/_searchguard/api/configuration/roles?pretty --cert ./chain.pem --key ./sgadmin.key.pem

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/c1590119-d707-4c8d-95e2-85e7eddd4716%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

8

Hi 亘!

What curl version is this?

Also, can you add -D- to the curl command so we can see the response headers?

curl-D- -k https://…

``

9

$ curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.19.1 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz

$ curl -D- -k https://localhost:9200/_searchguard/api/configuration/roles?pretty -cert chain.pem --key sgadmin.key.pem
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm=“Search Guard”
Content-Type: text/plain; charset=UTF-8
Content-Length: 0

$ curl -D- -k https://localhost:9200/_searchguard/api/configuration/roles?pretty --cert ./chain.pem --key ./sgadmin.key.pem
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 2741

. . .

10

Happy that it’s working for you now \o/