User could see other people's password

It seems to me that a user could access the Search Guard configuration. Suppose the Elasticsearch instance is at 127.0.0.1:9200:

"curl -XGET http://user:name@127.0.0.1:9200/_nodes?pretty" returns all information about Search Guard, including the list of usernames/passwords configured in searchguard.authentication.settingsdb.user.*

It's odd, because then user1 could learn user2's password, or any other user's password. Is this the intended behavior?

You can use searchguard.authentication.settingsdb.digest to avoid plain-text passwords for now.

The next version will separate these usernames and passwords from the elasticsearch.yml file, because it's also odd that you have to restart cluster nodes if a password changes :slight_smile:

On Tuesday, 23 June 2015 11:54:24 UTC+2, Lingxiao Xia wrote:

Hello!
But what about the LDAP connection?

Unfortunately, the LDAP bind password is also shown to every user.

On Tuesday, 23 June 2015 21:34:40 UTC+3, user in...@search-guard.com wrote:

and "truststore_password" is also shown.

On Wednesday, 9 September 2015 18:07:59 UTC+3, user grizz...@gmail.com wrote:
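A quick way to check a cluster for the exposure described in this thread (settingsdb user passwords, the LDAP bind password and truststore_password all readable through /_nodes by any authenticated user) is to fetch /_nodes as a low-privilege user and walk the returned node settings for credential-like keys. The script below is an added example, not code from the thread or from Search Guard. The function names audit_nodes_response, flatten_settings and fetch_nodes, the sample response, and the exact paths searchguard.authentication.ldap.bind_password and searchguard.ssl.transport.truststore_password are assumptions; only searchguard.authentication.settingsdb.user.*, searchguard.authentication.settingsdb.digest and the bare name truststore_password come from the thread. The scanner therefore matches on key names by pattern rather than on exact paths, and it runs offline against the constructed sample.

```python
import base64
import json
import re
import urllib.request

# Key-name fragments that should never be readable via /_nodes by ordinary users.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|passphrase)", re.IGNORECASE)
# Prefix of the per-user password entries named in the thread.
USER_PREFIX = "searchguard.authentication.settingsdb.user."
# If this is set, the reply in the thread says the user.* values are digests, not plain text.
DIGEST_KEY = "searchguard.authentication.settingsdb.digest"


def flatten_settings(obj, prefix=""):
    """Flatten a nested settings object into {"a.b.c": value}.

    Elasticsearch may return node settings nested or already dotted; both end
    up as dotted keys here so the pattern match works the same way."""
    flat = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            flat.update(flatten_settings(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            flat.update(flatten_settings(value, f"{prefix}{index}."))
    else:
        flat[prefix[:-1]] = obj
    return flat


def audit_nodes_response(nodes_doc):
    """Per node, list the settings keys that leak credentials to any caller of /_nodes.

    plaintext_user_passwords is True when user.* entries exist and no digest is
    configured, i.e. the passwords are stored and exposed in clear."""
    report = {}
    for node_id, node in nodes_doc.get("nodes", {}).items():
        flat = flatten_settings(node.get("settings", {}))
        leaked = sorted(
            key for key in flat if SECRET_KEY_RE.search(key) or key.startswith(USER_PREFIX)
        )
        has_users = any(key.startswith(USER_PREFIX) for key in flat)
        report[node_id] = {
            "leaked_keys": leaked,
            "plaintext_user_passwords": has_users and DIGEST_KEY not in flat,
        }
    return report


def fetch_nodes(base_url, username, password, timeout=10):
    """GET /_nodes with HTTP basic auth, mirroring the curl command from the thread."""
    request = urllib.request.Request(f"{base_url.rstrip('/')}/_nodes?pretty")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.loads(response.read().decode())


# Constructed sample shaped like an Elasticsearch 1.x /_nodes response; not captured
# from a real cluster. LDAP and truststore paths are hypothetical (see lead-in).
SAMPLE_NODES = {
    "cluster_name": "elasticsearch",
    "nodes": {
        "node-1": {
            "name": "Node 1",
            "settings": {
                "cluster": {"name": "elasticsearch"},
                "searchguard": {
                    "authentication": {
                        "settingsdb": {"user": {"user1": "s3cret1", "user2": "s3cret2"}},
                        "ldap": {
                            "bind_dn": "cn=svc,dc=example,dc=com",
                            "bind_password": "ldap-pass",
                        },
                    },
                    "ssl": {"transport": {"truststore_password": "changeit"}},
                },
            },
        }
    },
}


if __name__ == "__main__":
    # Against a live cluster: audit_nodes_response(fetch_nodes("http://127.0.0.1:9200", "user", "name"))
    print(json.dumps(audit_nodes_response(SAMPLE_NODES), indent=2))
```

Run it as the least-privileged account you have; anything it lists is readable by every such account. Note that setting the digest only stops the user.* values from being clear text: the hashed values are still returned by /_nodes and can be attacked offline, and it does nothing for the LDAP bind password or truststore_password, which is why the reply points to moving credentials out of elasticsearch.yml altogether.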