Shield not respecting CONF_DIR

security

(Jared Kauppila) #1

So I'm running Elasticsearch on Windows and I am separating the Elasticsearch node configuration from Elasticsearch itself with the following structure:

D:\elasticsearch\elasticsearch-2.3.0\

  • This is where Elasticsearch lives and we utilize the \plugins directory since they're version-specific.

D:\elasticsearch\elasticsearch-node\

  • Within here, we use \config, \data, \logs, and \work

I am configuring the following environment variables on the server:

setx JAVA_HOME "D:\java\jre8"
setx DATA_DIR "D:\elasticsearch-node\data"
setx LOG_DIR "D:\elasticsearch-node\logs"
setx CONF_DIR "D:\elasticsearch-node\config"
setx ES_MIN_MEM "8g"
setx ES_MAX_MEM "8g"

When installing Shield, it is tossing the /shield configuration folder within D:\elasticsearch\elasticsearch-2.3.0\config rather than my defined D:\elasticsearch-node\config as overridden with the environment variable.

It appears that Elasticsearch itself is looking for the Shield configuration within %CONF_DIR%, but when running esusers to add an initial admin, it is getting written to D:\elasticsearch\elasticsearch-2.3.0\config

I believe to correct this, you would just need to check for the environment variable and add an additional value to the ES_PARAMS within .in.bat for Shield.

if "%CONF_DIR%" == "" set CONF_DIR=%ES_HOME%\config
set ES_PARAMS=-Des.path.home="%ES_HOME%" -Des.default.path.conf="%CONF_DIR%"

(Nicolas Seyvet) #2

Hi,

On linux, the user running "esusers" commands seem to matter. When the user has the wrong access right, then the error message points to a faulty directory error like:

ERROR: The configuration directory [/etc/elasticsearch/shield] does not exist. The esusers tool expects Shield configuration files in that location.
The plugin may not have been installed with the correct configuration path. If [/usr/share/elasticsearch/config/shield] exists, please copy the shield directory to [/etc/elasticsearch]

Changing user to an admin level user like root, then the message disappears.

See Shield Authentication Error

But yes it seems shield ignores where the rest of the CONFIG_DIR is and elects its own location, /etc/elasticsearch on linux.


(Jay Modi) #3

Thank you for the feedback on the issues you've found with the esusers tool. I have opened issues for both problems


(Peter Dyson) #4

Hi Jay,

Did you have github links for those issues?

Thanks.


(system) #5