Why can Search Guard not get the Authorization user & password?

ES version : 5.6.3

Search Guard version: search-guard-5-5.6.3-18

My application uses the transport client Java API to search ES. According to this URL: https://floragunn.com/searchguard-elasicsearch-transport-clients/ (Security for Elasticsearch | Using Transport Clients | Search Guard), it works fine.

However, according to the article "Transport client authentication and authorization" (https://floragunn.com/transport-client-authentication-authorization/), ES only reads the client user that is assigned in the client certificate; it cannot read the Authorization header's user and password.

My code demo:

    try {
        String cur_path = System.getProperty("user.dir");
        System.out.print(cur_path);

        // TLS settings for the transport client; the keystore holds the hkz123 client certificate
        Settings.Builder settingsBuilder = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, cur_path + "\\src\\test\\java\\es_login\\es_login\\hkz123-keystore.jks")
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, cur_path + "\\src\\test\\java\\es_login\\es_login\\truststore.jks")
                //.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "changeit")
                //.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "changeit")
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("client.transport.sniff", true)
                .put("cluster.name", "elasticsearch")
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("path.home", ".");
        Settings settings = settingsBuilder.build();

        TransportClient client = new PreBuiltTransportClient(settings, SearchGuardPlugin.class)
                .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("192.168.2.102"), 9300));

        // encodeBasicHeader(...) is the poster's own helper (not shown)
        System.out.println("Basic " + encodeBasicHeader("tca", "tca"));
        client.threadPool().getThreadContext().putHeader("Authorization", "Basic " + encodeBasicHeader("tca", "tca"));

        SearchResponse response = client.prepareSearch("get-together")
                .setQuery(boolQuery()
                        .must(matchQuery("tags.keyword", "elasticsearch")))
                .setFrom(0).setSize(60).execute().actionGet();

        SearchHits hits = response.getHits();
        // Print at most two hits; guard against a result with fewer than two
        for (int i = 0; i < Math.min(2, hits.getHits().length); i++) {
            System.out.println(hits.getAt(i).getSource().get("organizer"));
        }
    } catch (UnknownHostException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }

ES log:

[2018-02-06T11:44:27,351][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=CN=hkz123,OU=client,O=client,L=Test,C=DE, roles=] [IndexType [index=index, type=*], IndexType [index=get-together, type=*], IndexType [index=horse, type=*], IndexType [index=test-index, type=*], IndexType [index=myindex, type=*], IndexType [index=dangerdata, type=*], IndexType [index=new-index, type=*], IndexType [index=searchguard, type=*], IndexType [index=.kibana, type=*]] [Action [[cluster:monitor/state]]] [RolesChecked [sg_own_index, sg_public]]

[2018-02-06T11:44:27,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {}

According to the log, Search Guard uses hkz123, which is the client certificate, to access ES, not tca:tca. Why?

elasticsearch.yml:

    ######## Start Search Guard Demo Configuration ########
    #searchguard.disabled: true
    searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks
    searchguard.ssl.transport.truststore_filepath: truststore_1.jks
    searchguard.ssl.transport.enforce_hostname_verification: false
    searchguard.ssl.http.enabled: true
    searchguard.ssl.http.keystore_filepath: node-1-keystore.jks
    searchguard.ssl.http.truststore_filepath: truststore_1.jks
    searchguard.ssl.http.clientauth_mode: NONE
    searchguard.authcz.admin_dn:
       - CN=hkz,OU=client,O=client,L=test, C=de
    #searchguard.authcz.impersonation_dn:
    # "CN=hkz123,OU=client,O=client,L=Test,C=DE":
    # - '*'

    node.max_local_storage_nodes: 3
    ######## End Search Guard Demo Configuration ########

sg_internal_users.yml:

    tca:
      hash: $2a$12$G1./WsW7s0dPoJZCH9Bxqe08CgOHtrdZej7yN6iv02bTIRf5UITYG
      #password is: admin

    CN=hkz123,OU=client,O=client,L=Test,C=DE:
      hash: "_transport_only"

sg_roles_mapping.yml:

    sg_readall:
      users:
        - readall
        - tca
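One way to confirm from the node log which identity Search Guard actually evaluated, as an added example that is not part of the original posts or of Search Guard itself: it parses the PrivilegesEvaluator denial line quoted above and reports whether the evaluated user is a certificate DN rather than the expected Basic-auth user. The function names, record fields and the DN heuristic are assumptions made for this illustration.

```python
import re

# Denial line written by Search Guard's PrivilegesEvaluator (format as shown in the post).
DENIAL = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?No (?P<level>\w+)-level perm match for "
    r"User \[name=(?P<name>.+?), roles=(?P<roles>[^\]]*)\]"
    r".*?\[Action \[\[(?P<action>[^\]]+)\]\]\]"
    r"\s*\[RolesChecked \[(?P<checked>[^\]]*)\]\]"
)
# Heuristic (assumption): a name made only of comma-separated KEY=value pairs is an X.509 DN.
DN = re.compile(r"^[A-Za-z]+=[^,=]+(?:,\s*[A-Za-z]+=[^,=]+)+$")

# The two log lines from the post above.
SAMPLE_LOG = (
    "[2018-02-06T11:44:27,351][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm "
    "match for User [name=CN=hkz123,OU=client,O=client,L=Test,C=DE, roles=] "
    "[IndexType [index=index, type=*], IndexType [index=get-together, type=*], "
    "IndexType [index=horse, type=*], IndexType [index=test-index, type=*], "
    "IndexType [index=myindex, type=*], IndexType [index=dangerdata, type=*], "
    "IndexType [index=new-index, type=*], IndexType [index=searchguard, type=*], "
    "IndexType [index=.kibana, type=*]] [Action [[cluster:monitor/state]]] "
    "[RolesChecked [sg_own_index, sg_public]]\n"
    "[2018-02-06T11:44:27,351][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {}\n"
)


def split_list(text):
    """Split a comma-separated log field into a list, dropping empty entries."""
    return [item.strip() for item in text.split(",") if item.strip()]


def evaluated_identities(log_text, expected_user):
    """Return one record per denial line, naming the user Search Guard evaluated."""
    findings = []
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m is None:
            continue  # e.g. the "No permissions for {}" follow-up line
        name = m.group("name")
        findings.append({
            "timestamp": m.group("ts"),
            "user": name,
            "backend_roles": split_list(m.group("roles")),
            "action": m.group("action"),
            "roles_checked": split_list(m.group("checked")),
            "is_cert_dn": bool(DN.match(name)),          # identity came from the TLS certificate
            "matches_expected": name == expected_user,   # False: the header user was not used
        })
    return findings


if __name__ == "__main__":
    for f in evaluated_identities(SAMPLE_LOG, expected_user="tca"):
        print(f["timestamp"], f["user"], "cert DN" if f["is_cert_dn"] else "named user",
              "roles checked:", f["roles_checked"])
```
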

Have a look here https://groups.google.com/d/msgid/search-guard/5e2d6f6e-b77a-494a-88d4-4884255bbd2b%40googlegroups.com?utm_medium=email&utm_source=footer and mind the

            StoredContext ctx = client.threadPool().getThreadContext().stashContext();
            try {
                client.threadPool().getThreadContext().putHeader("Authorization", "basic "+encodeBasicHeader("user", "pass"));
                //use tc in context of "user"...

            } finally {
                ctx.close(); //restore original context
            }

pattern

On 06.02.2018 at 07:41, Huang Angle <angle1b336@gmail.com> wrote:

···


I use the pattern to access Elasticsearch, but the user accessing ES is still the client user that is stored in keystore.jks.
After reading the code in "https://github.com/floragunncom/search-guard/blob/5.6.0/src/test/java/com/floragunn/searchguard/SGTests.java#L1992", I added

.put("request.headers.sg_impersonate_as", "admin") to the settings and it works. However, I don't understand. Can anyone explain?

    try {
        String cur_path = System.getProperty("user.dir");
        System.out.print(cur_path);

        // Same client setup as before, now with the hkz keystore and the impersonation header
        Settings.Builder settingsBuilder = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, cur_path + "\\src\\test\\java\\es_login\\es_login\\hkz-keystore.jks")
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, cur_path + "\\src\\test\\java\\es_login\\es_login\\truststore.jks")
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "tca")
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "tca")
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("client.transport.sniff", true)
                .put("cluster.name", "elasticsearch")
                .put("request.headers.sg_impersonate_as", "admin")
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("path.home", ".");
        Settings settings = settingsBuilder.build();

        TransportClient client = new PreBuiltTransportClient(settings, SearchGuardPlugin.class)
                .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName("192.168.2.102"), 9300));

        StoredContext ctx = client.threadPool().getThreadContext().stashContext();
        try {
            client.threadPool().getThreadContext().putHeader("Authorization", "Basic " + encodeBasicHeader("admin", "admin"));
        } finally {
            ctx.close(); //restore original context
        }
    } catch (UnknownHostException e) {
        // getByName can throw this checked exception, as in the first snippet
        e.printStackTrace();
    }

On Tuesday, February 6, 2018 at 6:35:14 PM UTC+8, Search Guard wrote:

···
