Skip to content

Instantly share code, notes, and snippets.

@pweil-
Last active September 26, 2017 15:05
Show Gist options
  • Save pweil-/4448bbffd0a155d274ec8f50bac6d09c to your computer and use it in GitHub Desktop.
Save pweil-/4448bbffd0a155d274ec8f50bac6d09c to your computer and use it in GitHub Desktop.
---
tOp45vCI:
hash: 1de7B0FRafWkVGOgGLFJ
---
prometheus:
hash: $2a$12$EZGiozL9dmZL0c5UU9yGm.OfhdrVnr1Vv5fmhx8nKWKNT4QxDAkoO
roles:
- sg_role_prometheus
sg_role_kibana:
cluster:
- cluster:monitor/nodes/info
- cluster:monitor/health
indices:
'?kibana':
'*':
- ALL
sg_role_prometheus:
cluster:
- METRICS
# - "*"
# - cluster:monitor/_prometheus/metrics
sg_role_prometheus:
users:
- 'prometheus'
sg_role_kibana:
users:
- 'CN=system.logging.kibana,OU=OpenShift,O=Logging'
sg_role_prometheus:
users:
- 'prometheus'
# ?? - 'system:serviceaccount:{{ openshift_logging_elasticsearch_namespace }}:aggregated-logging-elasticsearch'
sg_role_fluentd:
users:
- 'CN=system.logging.fluentd,OU=OpenShift,O=Logging'
sg_role_curator:
users:
- 'CN=system.logging.curator,OU=OpenShift,O=Logging'
sg_role_admin:
users:
- 'CN=system.admin,OU=OpenShift,O=Logging'
~
~
~
searchguard:
dynamic:
http:
xff:
enabled: true
remoteIpHeader: 'x-forwarded-for'
trustedProxies: '.*'
internalProxies: '.*'
authc:
authentication_domain_proxy:
enabled: true
order: 0
http_authenticator:
challenge: false
type: proxy
config:
user_header: 'x-proxy-remote-user'
authentication_backend:
type: noop
authentication_domain_basic_internal:
enabled: true
order: 1
http_authenticator:
type: clientcert
challenge: false
authentication_backend:
type: noop
prometheus_domain:
enabled: true
order: 2
http_authenticator:
type: basic
challange: true
authentication_backend:
type: intern
$ es_seed_acl
[2017-09-26 15:04:47,607][INFO ][container.run ] Seeding the searchguard ACL index. Will wait up to 604800 seconds.
/usr/share/java/elasticsearch/config
Will connect to localhost:9300 ... done
2017-09-26 15:04:49 INFO SearchGuardSSLPlugin:84 - Search Guard 2 plugin not available
2017-09-26 15:04:49 INFO SearchGuardPlugin:58 - Clustername: elasticsearch
2017-09-26 15:04:49 INFO SearchGuardPlugin:70 - Node [null] is a transportClient: true/tribeNode: false/tribeNodeClient: false
2017-09-26 15:04:49 INFO plugins:180 - [Golden Girl] modules [], plugins [search-guard-ssl, search-guard2], sites []
2017-09-26 15:04:50 INFO DefaultSearchGuardKeyStore:423 - Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: org.apache.tomcat.jni.SSL
2017-09-26 15:04:50 INFO DefaultSearchGuardKeyStore:173 - Config directory is /usr/share/java/elasticsearch/config/, from there the key- and truststore files are resolved relatively
2017-09-26 15:04:50 INFO DefaultSearchGuardKeyStore:142 - sslTransportClientProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
2017-09-26 15:04:50 INFO DefaultSearchGuardKeyStore:144 - sslTransportServerProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
2017-09-26 15:04:50 INFO DefaultSearchGuardKeyStore:146 - sslHTTPProvider:null with ciphers []
2017-09-26 15:04:50 INFO DefaultSearchGuardKeyStore:148 - sslTransport protocols [TLSv1.2, TLSv1.1]
2017-09-26 15:04:50 INFO DefaultSearchGuardKeyStore:149 - sslHTTP protocols [TLSv1.2, TLSv1.1]
2017-09-26 15:04:51 INFO transport:99 - [Golden Girl] Using [com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] as transport, overridden by [search-guard-ssl]
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: logging-es
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.searchguard.logging-es-data-master-rjg1okpn index already exists, so we do not need to create one.
Populate config from /opt/app-root/src/sgconfig/
Will update 'config' with /opt/app-root/src/sgconfig/sg_config.yml
SUCC: Configuration for 'config' created or updated
Will update 'roles' with /opt/app-root/src/sgconfig/sg_roles.yml
SUCC: Configuration for 'roles' created or updated
Will update 'rolesmapping' with /opt/app-root/src/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update 'internalusers' with /opt/app-root/src/sgconfig/sg_internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update 'actiongroups' with /opt/app-root/src/sgconfig/sg_action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Done with success
[2017-09-26 15:05:01,501][INFO ][container.run ] Seeded the searchguard ACL index
bash-4.2$
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment