Uninstall SearchGuard?

Hi guys,
I will be doing further testing with SearchGuard, but this time on a real cluster. The cluster is not a production cluster, but in any case, I’ve been asked to research the SearchGuard removal procedure. Even in a successful case, I will need to remove SearchGuard. However, I cannot find any docs on this. Is it a simple, manual procedure?

Thanks,

Marco.

At the moment you need to remove Search Guard manually by:

  • Deleting or removing the plugins/search-guard-5 folder
  • Deleting or commenting out the Search Guard configuration in elasticsearch.yml

A full cluster restart is required.

Background: Since transport traffic is TLS encrypted (mandatory), you can’t perform a rolling restart. The nodes running without Search Guard can’t talk TLS anymore, thus you would end up with a split cluster (TLS/Non-TLS).

The configuration entries in elasticsearch.yml need to be removed or commented out, since Elasticsearch refuses to start when configuration entries are present that are not defined by any installed plugin.

We will work on the first issue for SG6; the latter is an Elasticsearch requirement which we can’t do much about.

Once Search Guard is removed and your cluster is not protected anymore, you will also have access to the Search Guard configuration index in case you need to delete it as well. If you want to back up the Search Guard configuration, you can use the -r/--retrieve switch in sgadmin, which dumps the currently active configuration to your file system.

···

On Tuesday, July 25, 2017 at 3:46:58 PM UTC+2, mcostantini@np6.com wrote: […]
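The node-side steps from the answer above (dump the live configuration with sgadmin -r, comment out the Search Guard entries in elasticsearch.yml, drop the plugin folder), put together as an added example script. It is not Search Guard's or the answerer's own tooling. The ES_HOME / ES_CONF / BACKUP_DIR locations, the keystore and truststore file names handed to sgadmin, and the `--apply` switch are assumptions; `elasticsearch-plugin remove` is the standard ES 5.x way to delete a plugin folder, with `rm -rf` as the manual fallback the answer describes. Without `--apply` the script only runs the configuration filter over a constructed sample fragment so you can see what it would change.

```shell
#!/bin/sh
# Added example (not Search Guard's own tooling): remove Search Guard 5
# from ONE node. Run it on every node, then stop and start the whole
# cluster; a rolling restart is not possible (TLS vs. non-TLS transport).
# Assumptions: the paths below and the keystore/truststore names for sgadmin.

set -e

ES_HOME="${ES_HOME:-/usr/share/elasticsearch}"
ES_CONF="${ES_CONF:-/etc/elasticsearch/elasticsearch.yml}"
SG_PLUGIN_DIR="$ES_HOME/plugins/search-guard-5"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/searchguard}"

# 0. Dump the active Search Guard configuration with sgadmin -r/--retrieve
#    while the plugin is still installed; afterwards sgadmin can no longer
#    talk to the node. Keystore/truststore names are assumptions. -icl and
#    -nhnv skip the cluster-name and hostname checks, acceptable on localhost.
backup_sg_config() {
    mkdir -p "$BACKUP_DIR"
    ( cd "$BACKUP_DIR" && \
      "$SG_PLUGIN_DIR/tools/sgadmin.sh" -r -cd "$BACKUP_DIR" \
          -ks "$ES_HOME/config/kirk-keystore.jks" \
          -ts "$ES_HOME/config/truststore.jks" \
          -icl -nhnv -h localhost -p 9300 )
}

# 1. Comment out every Search Guard entry in the file given as $1 and write
#    the result to stdout. Handles the flat dotted form
#    ("searchguard.ssl.transport.enabled: true") and a nested "searchguard:"
#    block together with its indented children.
disable_sg_settings() {
    awk '
        /^searchguard\./             { print "#" $0; next }
        /^searchguard:/              { in_block = 1; print "#" $0; next }
        in_block && /^[[:space:]]*$/ { print; next }
        in_block && /^[[:space:]]/   { print "#" $0; next }
                                     { in_block = 0; print }
    ' "$1"
}

# Apply the filter in place, keeping the original next to it.
comment_out_sg_settings() {
    cp "$ES_CONF" "$ES_CONF.pre-sg-removal"
    disable_sg_settings "$ES_CONF.pre-sg-removal" > "$ES_CONF"
}

# 2. Remove the plugin folder: elasticsearch-plugin does exactly that on
#    ES 5.x; fall back to deleting the directory by hand as in the answer.
remove_sg_plugin() {
    "$ES_HOME/bin/elasticsearch-plugin" remove search-guard-5 \
        || rm -rf "$SG_PLUGIN_DIR"
}

# Constructed sample elasticsearch.yml fragment, used only for the dry run.
sample_config() {
    cat <<'EOF'
cluster.name: lab
network.host: 0.0.0.0
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node-keystore.jks
searchguard:
  authcz:
    admin_dn:
      - "CN=kirk,OU=client,O=client,L=Test,C=DE"
discovery.zen.minimum_master_nodes: 2
EOF
}

if [ "${1:-}" = "--apply" ]; then
    backup_sg_config
    comment_out_sg_settings
    remove_sg_plugin
    echo "Search Guard removed from this node. Stop ALL nodes, then start them again."
else
    # Dry run: show what the filter does to the sample fragment.
    tmp=$(mktemp)
    sample_config > "$tmp"
    disable_sg_settings "$tmp"
    rm -f "$tmp"
fi
```

Take the backup first on one node only; the configuration lives in the cluster, not on the node. Do not start any node until every node has been through the script, otherwise the TLS/non-TLS split described above is exactly what you get.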

Thanks, that is all perfectly sufficient. However, I am curious, aren’t SG indices created in the cluster? If so, should I remove those manually as well?

Marco.

···

On Tuesday, July 25, 2017 at 3:53:16 PM UTC+2, Jochen Kressin wrote: […]

Absolutely correct, that’s why I wrote

“Once Search Guard is removed and your cluster is not protected anymore, you will also have access to the Search Guard configuration index in case you need to delete it as well. If you want to back up the Search Guard configuration, you can use the -r/--retrieve switch in sgadmin, which dumps the currently active configuration to your file system.”

So, you can choose to delete the index to leave no trace of Search Guard on your cluster. If you plan to re-install Search Guard afterwards you can also leave the SG index on your cluster. It’s totally up to you.

The default index name is simply “searchguard”.

···

On Tuesday, July 25, 2017 at 4:29:51 PM UTC+2, mcostantini@np6.com wrote: […]
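The last step of the thread, deleting the "searchguard" index once the cluster is back without the plugin, as an added example; it is not the project's own code. The point it adds is the precondition check: the index may only be deleted after every node has been restarted without Search Guard, so the script first reads `_cat/plugins` and refuses if any node still lists the plugin. ES_URL (plain HTTP, no credentials, which is the state of the cluster after removal), the `--apply` switch and the sample `_cat/plugins` output are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not Search Guard's own tooling): delete the "searchguard"
# configuration index after the full cluster restart without the plugin.
# Assumes the REST API answers on ES_URL without TLS or credentials.

set -e

ES_URL="${ES_URL:-http://localhost:9200}"
SG_INDEX="${SG_INDEX:-searchguard}"

# Reads the output of GET _cat/plugins?h=name,component on stdin and prints
# the names of nodes that still have a search-guard plugin loaded.
nodes_with_sg() {
    awk '$2 ~ /^search-guard/ { print $1 }'
}

# True when no node in the _cat/plugins output on stdin runs Search Guard,
# i.e. the full cluster restart without the plugin really happened.
sg_fully_removed() {
    [ -z "$(nodes_with_sg)" ]
}

# HTTP status of a HEAD request against an index: 200 exists, 404 not.
index_status() {
    curl -s -o /dev/null -w '%{http_code}' -I "$ES_URL/$1"
}

delete_sg_index() {
    plugins=$(curl -sf "$ES_URL/_cat/plugins?h=name,component")
    if ! printf '%s\n' "$plugins" | sg_fully_removed; then
        echo "refusing: Search Guard is still loaded on these nodes:" >&2
        printf '%s\n' "$plugins" | nodes_with_sg >&2
        return 1
    fi
    case "$(index_status "$SG_INDEX")" in
        200) curl -sf -XDELETE "$ES_URL/$SG_INDEX"; echo ;;
        404) echo "index $SG_INDEX not present, nothing to do" ;;
        *)   echo "unexpected response from $ES_URL" >&2; return 1 ;;
    esac
}

# Constructed sample of _cat/plugins output: node-1 was restarted without
# the plugin, node-2 was not.
sample_plugins() {
    cat <<'EOF'
node-1 analysis-icu
node-2 search-guard-5
node-2 analysis-icu
EOF
}

if [ "${1:-}" = "--apply" ]; then
    delete_sg_index
else
    echo "dry run, nodes still running Search Guard in the sample:"
    sample_plugins | nodes_with_sg
fi
```

If you intend to reinstall Search Guard later, skip the delete: the index keeps your roles, users and mappings, and sgadmin will pick them up again.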

!!! Apologies for missing that. Thank you.

···

On Tuesday, July 25, 2017 at 4:33:51 PM UTC+2, Jochen Kressin wrote: […]