Vanilla install 5.5.1-14 seems to not work for me

Hello,
I’ve been working with 5.2.2 and that’s going well. Now, I am testing out 5.5.1 and am having some trouble. So, I went back to basics with a vanilla install on my local machine (OSX). With my first attempts with 5.5.1 (before vanilla install), I could not run sgadmin. It would give a timeout exception on the ES log, and something about indices:admin/exists (I lost those logs, but I remember it was not “no permissions”. It was something about being not allowed for “a regular user”). Back to vanilla install. My goal was to successfully run a vanilla sgadmin. I can describe my steps easily, because they are in a script. Please have a look at it.

```
#!/bin/bash

ELASTIC_HOME="$(pwd)/elasticsearch-5.5.1"

killall java
rm -rf "$ELASTIC_HOME"

echo "OINK extracting ES"
tar xf ~/Downloads/elasticsearch-5.5.1*

echo "OINK installing SG plugin"
cd "$ELASTIC_HOME"
./bin/elasticsearch-plugin install -vb com.floragunn:search-guard-5:5.5.1-14
cd -

echo "OINK running 'install demo config'"
cd "$ELASTIC_HOME/plugins/search-guard-5/tools"
chmod +x install_demo_configuration.sh
# the following line is required for base on osx
sed -i 's/-D/-d/' install_demo_configuration.sh
./install_demo_configuration.sh -y
cd -

echo "OINK edit config file"
cd "$ELASTIC_HOME/config"
sed -i 's/http.enabled: true/http.enabled: false/' elasticsearch.yml
cd -

echo "OINK running ES in BG"
cd "$ELASTIC_HOME"
exec ./bin/elasticsearch &
cd -

# wait until es started
echo "OINK waiting until ES starts"
RET=1
while [[ $RET -ne 0 ]]; do
    echo "Stalling for Elasticsearch..."
    curl -XGET -k "http://localhost:9200/" >/dev/null 2>&1
    RET=$?
    sleep 5
done

echo "OINK attempting to run sgadmin"
cd "$ELASTIC_HOME/plugins/search-guard-5/tools"
./sgadmin_demo.sh
cd -
```

After that is done, I try sgadmin:

```
#./sgadmin.sh -cd $ELASTIC_HOME/plugins/search-guard/sgconfig -ks $ELASTIC_HOME/config/keystore.jks -ts $ELASTIC_HOME/config/truststore.jks -kspass changeit -tspass changeit -icl -nhnv
```

However, I get:

```
In case of any doubt mail to sales@floragunn.com
###################################
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: searchguard_demo
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
[2017-08-04T17:36:14,636][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=_sg_internal, roles=] [IndexType [index=searchguard, type=*]] [Action [indices:admin/exists]] [RolesChecked [sg_own_index, sg_public]]
[2017-08-04T17:36:14,640][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_public=[IndexType [index=searchguard, type=]], sg_own_index=[IndexType [index=searchguard, type=]]}
ERR: An unexpected ElasticsearchSecurityException occured: no permissions for indices:admin/exists
Trace:
ElasticsearchSecurityException[no permissions for indices:admin/exists]
    at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:147)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:168)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:142)
```

Please help. I would greatly appreciate it.

The problem here is that you use a node certificate when running sgadmin, not an admin certificate.

Although that was possible in 5.2.2, it was never officially supported nor documented. Node and admin certificates should be kept separate. If you use the demo installer, the admin certificate is in the kirk.jks keystore. You can also have a look at the generated sgadmin_demo.sh script that is generated when executing install_demo_configuration.
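A way to check which kind of certificate a keystore holds before handing it to sgadmin, given as an added example that is not part of the original posts or of Search Guard's own tooling: Search Guard treats a client certificate as an admin certificate when its subject DN is listed under `searchguard.authcz.admin_dn` in elasticsearch.yml. The DNs, the sample `keytool -list -v` output and the file paths below are constructed assumptions.

```bash
#!/bin/bash
# Added example: decide whether a keystore's certificate is an admin certificate,
# i.e. whether its subject DN is listed under searchguard.authcz.admin_dn.
# All DNs and file contents below are constructed samples.

SAMPLE_YML='searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,L=test,C=de"
searchguard.ssl.transport.keystore_filepath: keystore.jks'
SAMPLE_ADMIN_KEYTOOL='Alias name: kirk
Owner: CN=kirk, OU=client, O=client, L=test, C=de'
SAMPLE_NODE_KEYTOOL='Alias name: node-0
Owner: CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE'

# Strip quotes and the whitespace keytool prints after each comma.
normalize_dn() {
  tr -d "\"'" | sed -e 's/[[:space:]]*,[[:space:]]*/,/g' \
                    -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Print every list entry under searchguard.authcz.admin_dn (YAML on stdin).
admin_dns_from_yml() {
  awk '
    /^searchguard\.authcz\.admin_dn:/ { inlist = 1; next }
    inlist && /^[ \t]*-/ { sub(/^[ \t]*-[ \t]*/, ""); print; next }
    { inlist = 0 }
  '
}

# First "Owner:" line of `keytool -list -v` output is the leaf certificate.
owner_from_keytool() { sed -n 's/^Owner: //p' | head -n 1; }

# $1 = keytool output, $2 = elasticsearch.yml text.
# Returns 0 = admin cert, 1 = not listed in admin_dn, 2 = no Owner line found.
is_admin_cert() {
  owner=$(printf '%s\n' "$1" | owner_from_keytool | normalize_dn)
  [ -n "$owner" ] || return 2
  printf '%s\n' "$2" | admin_dns_from_yml | normalize_dn | grep -Fxq -- "$owner"
}

for sample in "$SAMPLE_NODE_KEYTOOL" "$SAMPLE_ADMIN_KEYTOOL"; do
  if is_admin_cert "$sample" "$SAMPLE_YML"; then
    echo "listed in admin_dn: admin certificate"
  else
    echo "not listed in admin_dn: not an admin certificate"
  fi
done

# Against a real install (paths are assumptions; changeit is the password used above):
#   is_admin_cert "$(keytool -list -v -keystore "$ELASTIC_HOME/config/kirk.jks" \
#     -storepass changeit)" "$(cat "$ELASTIC_HOME/config/elasticsearch.yml")"
```

The comparison is an exact string match after whitespace normalization, so a DN that differs only in letter case is reported as not listed.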


Once again, many thanks and good thinking.
