Shield is not working!

security

(Sukesh) #1

I installed Shield, restarted ES and followed every step of the procedure described in this link: https://www.elastic.co/guide/en/shield/current/getting-started.html. But if anybody points Kibana at my ES using my IP address, they are able to view my indices. It is not restricting access, even though I created an admin user for that. I enabled message authentication, auditing, etc. How do I overcome this problem? Is it really a problem, or am I making some mistake??


(Sukesh) #2

When I start Elasticsearch after installing the Shield plugin, it throws an error like this:

```text
[2016-07-19 13:09:46,667][WARN ][bootstrap ] jvm uses the client vm, make sure to run java with the server vm for best performance by adding -server to the command line
[2016-07-19 13:09:46,851][INFO ][node ] [Shellshock] version[2.3.1], pid[45724], build[bd98092/2016-04-04T12:25:05Z]
[2016-07-19 13:09:46,851][INFO ][node ] [Shellshock] initializing ...
[2016-07-19 13:09:47,286][INFO ][plugins ] [Shellshock] modules [reindex, lang-expression, lang-groovy], plugins [license, shield], sites []
[2016-07-19 13:09:47,305][INFO ][env ] [Shellshock] using [1] data paths, mounts [[Data Disk (D:)]], net usable_space [147.3gb], net total_space [154.2gb], spins? [unknown], types [NTFS]
[2016-07-19 13:09:47,306][INFO ][env ] [Shellshock] heap size [989.8mb], compressed ordinary object pointers [unknown]
[2016-07-19 13:09:47,569][INFO ][http ] [Shellshock] Using [org.elasticsearch.http.netty.NettyHttpServerTransport] as http transport, overridden by [shield]
[2016-07-19 13:09:47,697][INFO ][transport ] [Shellshock] Using [org.elasticsearch.shield.transport.ShieldServerTransportService] as transport service, overridden by [shield]
[2016-07-19 13:09:47,698][INFO ][transport ] [Shellshock] Using [org.elasticsearch.shield.transport.netty.ShieldNettyTransport] as transport, overridden by [shield]
[2016-07-19 13:09:50,587][INFO ][node ] [Shellshock] initialized
[2016-07-19 13:09:50,588][INFO ][node ] [Shellshock] starting ...
[2016-07-19 13:09:50,804][INFO ][shield.transport ] [Shellshock] publish_address {10.211.225.237:9301}, bound_addresses {[::]:9301}
[2016-07-19 13:09:50,808][INFO ][discovery ] [Shellshock] elasticsearch/elqVLxk9Q2KrBQzXad6kXw
[2016-07-19 13:09:54,911][INFO ][discovery.zen ] [Shellshock] failed to send join request to master [{Water Wizard}{pPTh_MXiQlO9ugVNGpJKvA}{10.211.225.237}{10.211.225.237:9300}], reason [RemoteTransportException[[Water Wizard][10.211.225.237:9300][internal:discovery/zen/join]]; nested: IllegalStateException[failure when sending a validation request to node]; nested: RemoteTransportException[[Shellshock][10.211.225.237:9301][internal:discovery/zen/join/validate]]; nested: ElasticsearchSecurityException[missing authentication token for action [internal:discovery/zen/join/validate]]; ]
[2016-07-19 13:09:58,968][INFO ][discovery.zen ] [Shellshock] failed to send join request to master [{Water Wizard}{pPTh_MXiQlO9ugVNGpJKvA}{10.211.225.237}{10.211.225.237:9300}], reason [RemoteTransportException[[Water Wizard][10.211.225.237:9300][internal:discovery/zen/join]]; nested: IllegalStateException[failure when sending a validation request to node]; nested: RemoteTransportException[[Shellshock][10.211.225.237:9301][internal:discovery/zen/join/validate]]; nested: ElasticsearchSecurityException[missing authentication token for action [internal:discovery/zen/join/validate]]; ]
[2016-07-19 13:10:03,033][INFO ][discovery.zen ] [Shellshock] failed to send join request to master [{Water Wizard}{pPTh_MXiQlO9ugVNGpJKvA}{10.211.225.237}{10.211.225.237:9300}], reason [RemoteTransportException[[Water Wizard][10.211.225.237:9300][internal:discovery/zen/join]]; nested: IllegalStateException[failure when sending a validation request to node]; nested: RemoteTransportException[[Shellshock][10.211.225.237:9301][internal:discovery/zen/join/validate]]; nested: ElasticsearchSecurityException[missing authentication token for action [internal:discovery/zen/join/validate]]; ]
[2016-07-19 13:10:14,261][INFO ][discovery.zen ] [Shellshock] failed
```
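The decisive message in the log above is buried at the end of each discovery.zen line: this node (Shellshock, published on port 9301, with the shield plugin loaded) rejected the master's join-validation request because it carried no Shield authentication token. The Python script below is an added example, not code from the thread or from Shield itself; it re-joins the three relevant log lines as a constructed sample and extracts the facts a defender wants from such a log: whether shield was loaded, which address the node published, and which master addressed it without credentials. The interpretation printed by explain(), that the master at port 9300 is an Elasticsearch instance not running Shield (for example an older process still bound to that port), is the usual cause of this exception and is stated here as an assumption, not as a fact established in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the wrapped log lines from the post above, re-joined.
SAMPLE_LOG = """\
[2016-07-19 13:09:47,286][INFO ][plugins ] [Shellshock] modules [reindex, lang-expression, lang-groovy], plugins [license, shield], sites []
[2016-07-19 13:09:50,804][INFO ][shield.transport ] [Shellshock] publish_address {10.211.225.237:9301}, bound_addresses {[::]:9301}
[2016-07-19 13:09:54,911][INFO ][discovery.zen ] [Shellshock] failed to send join request to master [{Water Wizard}{pPTh_MXiQlO9ugVNGpJKvA}{10.211.225.237}{10.211.225.237:9300}], reason [RemoteTransportException[[Water Wizard][10.211.225.237:9300][internal:discovery/zen/join]]; nested: IllegalStateException[failure when sending a validation request to node]; nested: RemoteTransportException[[Shellshock][10.211.225.237:9301][internal:discovery/zen/join/validate]]; nested: ElasticsearchSecurityException[missing authentication token for action [internal:discovery/zen/join/validate]]; ]
"""

# ES 2.x startup line listing loaded plugins, e.g. "plugins [license, shield]".
PLUGINS_RE = re.compile(r"\]\[plugins\s*\] \[(?P<node>[^\]]+)\] .*plugins \[(?P<plugins>[^\]]*)\]")
# Address this node advertises to the cluster.
PUBLISH_RE = re.compile(r"publish_address \{(?P<addr>[^}]+)\}")
# Join failure whose innermost cause is Shield refusing an unauthenticated request.
JOIN_FAIL_RE = re.compile(
    r"failed to send join request to master \[\{(?P<master>[^}]+)\}\{[^}]*\}\{[^}]*\}\{(?P<maddr>[^}]+)\}\]"
    r".*missing authentication token for action \[(?P<action>[^\]]+)\]"
)


@dataclass
class Diagnosis:
    node: Optional[str] = None
    shield_loaded: bool = False
    publish_address: Optional[str] = None
    # (master node name, master transport address, rejected action)
    join_failures: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_log(text: str) -> Diagnosis:
    """Collect the Shield-relevant facts from an ES 2.x startup log."""
    d = Diagnosis()
    for line in text.splitlines():
        m = PLUGINS_RE.search(line)
        if m:
            d.node = m.group("node")
            plugins = [p.strip() for p in m.group("plugins").split(",")]
            d.shield_loaded = "shield" in plugins
            continue
        m = PUBLISH_RE.search(line)
        if m:
            d.publish_address = m.group("addr")
            continue
        m = JOIN_FAIL_RE.search(line)
        if m:
            d.join_failures.append((m.group("master"), m.group("maddr"), m.group("action")))
    return d


def explain(d: Diagnosis) -> List[str]:
    """Turn the parsed facts into findings. The reading of the join failure is
    an assumption (the usual cause), not something the log proves by itself."""
    findings: List[str] = []
    if not d.shield_loaded:
        findings.append("shield plugin is not loaded on this node; every request is served unauthenticated")
    for master, maddr, action in d.join_failures:
        findings.append(
            f"this node rejected master {master} ({maddr}) for action {action}: the request carried "
            "no Shield credentials, so that master is most likely an instance not running Shield "
            "(for example an older process still bound to its port)"
        )
    if d.join_failures:
        findings.append("while the join keeps failing, clients may be reaching the unsecured master "
                        "rather than this node, which would explain indices being readable without a login")
    return findings


if __name__ == "__main__":
    for finding in explain(parse_log(SAMPLE_LOG)):
        print("-", finding)
```

To use it on a real file, read the node's log into parse_log(); a node whose plugins line lacks shield, or whose join keeps failing with this exception, is consistent with the symptom in post #1, where anyone pointing Kibana at the address can read the indices.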


(Mark Walkom) #3

Providing your configs would be helpful.


(Sukesh) #4

```yaml
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please see the documentation for further information on configuration options:
# http://www.elastic.co/guide/en/elasticsearch/reference/current/setup-configuration.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: node-1
#
# Add custom attributes to the node:
#
node.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /path/to/data
#
# Path to log files:
#
path.logs: /path/to/logs
path.repo: ["D:/elasticsearch-2.3.1/repo/my_backup"]
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
bootstrap.mlockall: true
#
# Make sure that the ES_HEAP_SIZE environment variable is set to about half the memory
# available on the system and that the owner of the process is allowed to use this limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 0.0.0.0
#
# Set a custom port for HTTP:
#
http.port: 9200
#
# For more information, see the documentation at:
# http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.zen.ping.unicast.hosts: ["host1", "host2"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of nodes / 2 + 1):
#
discovery.zen.minimum_master_nodes: 3
#
# For more information, see the documentation at:
# http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-discovery.html
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
gateway.recover_after_nodes: 3
#
# For more information, see the documentation at:
# http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-gateway.html
#
# ---------------------------------- Various -----------------------------------
#
# Disable starting multiple nodes on a single system:
#
node.max_local_storage_nodes: 1
#
# Require explicit names when deleting indices:
#
action.auto_create_index: .security
shield.audit.enabled: true

action.destructive_requires_name: true
```


(Mark Walkom) #5

Please format that with the code button! It's impossible to read.


(Sukesh) #6

Hey, I don't know how to do it with the code button. I just tried it like this; is this okay?

```yaml
# http://www.elastic.co/guide/en/elasticsearch/reference/current/setup-configuration.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: node-1
#
# Add custom attributes to the node:
#
node.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /path/to/data
#
# Path to log files:
path.logs: /path/to/logs
path.repo: ["D:/elasticsearch-2.3.1/repo/my_backup"]
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
bootstrap.mlockall: true
#
# Make sure that the ES_HEAP_SIZE environment variable is set to about half the memory
# available on the system and that the owner of the process is allowed to use this limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 0.0.0.0
#
# Set a custom port for HTTP:
#
http.port: 9200
#
# For more information, see the documentation at:
# http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.zen.ping.unicast.hosts: ["host1", "host2"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of nodes / 2 + 1):
#
discovery.zen.minimum_master_nodes: 3
#
# For more information, see the documentation at:
# http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-discovery.html
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
gateway.recover_after_nodes: 3
#
# For more information, see the documentation at:
# http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-gateway.html
#
# ---------------------------------- Various -----------------------------------
#
# Disable starting multiple nodes on a single system:
#
node.max_local_storage_nodes: 1
#
# Require explicit names when deleting indices:
#
action.auto_create_index: .security
shield.audit.enabled: true

action.destructive_requires_name: true
```


(Mark Walkom) #7

It's the </> button.


(Sukesh) #9

I am sorry Mark, we should not share the config file, as per my superior's order! Is there any way to solve this?


(Anna) #10

I know this is probably too late. But I do not see this property in your elasticsearch.yml:

```yaml
shield.enabled: true
```
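Reply #10 spots one missing setting by eye; the same check, plus the two others that the elasticsearch.yml posted in #4 invites, can be scripted so it runs against every node's config before the node goes on the network. The Python below is an added example, not code from the thread or from Elastic. It assumes a flat `key: value` elasticsearch.yml (enough for the file shown above), treats `shield.enabled` absent or not `true` as a finding exactly as the reply does, flags `network.host: 0.0.0.0` because it exposes the ports on every interface, and compares the configured `node.name` with the name the running process printed in its log (the log in #2 says Shellshock while the config says node-1), on the assumption that a mismatch means the process is not reading the file being edited. The probe_auth() helper relies on Shield answering an unauthenticated request with HTTP 401; it is not exercised by the sample run.

```python
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (code, severity, message)

# Constructed sample: the settings visible in the elasticsearch.yml posted in #4,
# with the template comments dropped.
POSTED_YML = """\
cluster.name: my-application
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
action.auto_create_index: .security
shield.audit.enabled: true
action.destructive_requires_name: true
"""

# Constructed sample: the same file with the setting from reply #10 added.
FIXED_YML = POSTED_YML + "shield.enabled: true\n"


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for the flat `key: value` lines elasticsearch.yml uses.
    Comments and blank lines are skipped; nested YAML is out of scope (assumption)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings: Dict[str, str], running_node_name: Optional[str] = None) -> List[Finding]:
    """Return the findings a reviewer would raise on this config."""
    findings: List[Finding] = []
    if settings.get("shield.enabled", "").lower() != "true":
        findings.append(("shield-disabled", "high",
                         "shield.enabled is absent or not 'true'; set `shield.enabled: true` so the "
                         "plugin enforces authentication on every request (reply #10)"))
    host = settings.get("network.host")
    if host in ("0.0.0.0", "::", "_global_"):
        findings.append(("bind-all-interfaces", "medium",
                         f"network.host={host} exposes the HTTP and transport ports on every interface; "
                         "acceptable only once authentication is verified to be enforced"))
    if settings.get("shield.audit.enabled", "").lower() != "true":
        findings.append(("audit-off", "low",
                         "shield.audit.enabled is not true; without the audit log, failed and "
                         "anonymous access attempts leave no trace"))
    configured = settings.get("node.name")
    if running_node_name and configured and configured != running_node_name:
        findings.append(("config-not-loaded", "high",
                         f"config sets node.name={configured} but the running node calls itself "
                         f"{running_node_name}; the process is not reading this file (assumed cause)"))
    return findings


def probe_auth(base_url: str, timeout: float = 5.0) -> str:
    """Ask the cluster for its index list without credentials.
    'enforced' means Shield answered 401; 'open' means the listing came back."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/_cat/indices", timeout=timeout) as resp:
            return "open" if resp.status == 200 else f"http-{resp.status}"
    except urllib.error.HTTPError as err:
        return "enforced" if err.code == 401 else f"http-{err.code}"


if __name__ == "__main__":
    # Sample run: the posted config checked against the node name seen in the #2 log.
    for code, severity, message in audit(parse_flat_yaml(POSTED_YML), running_node_name="Shellshock"):
        print(f"[{severity}] {code}: {message}")
```

After editing the file and restarting the node, `probe_auth("http://<node>:9200")` returning "enforced" is the end-to-end confirmation the original poster was missing; "open" means the indices are still readable without a login regardless of what the config says.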
