You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
New to KubeDB? Please start here.
Search Guard(®) is an Elasticsearch plugin that offers encryption, authentication, and authorization. It supports fine grained role-based access control to clusters, indices, documents and fields.
Search Guard relies heavily on the use of TLS, both for the REST and the transport layer of Elasticsearch. TLS is configured in the elasticsearch.yml
file of Elasticsearch installation.
Following keys are used to configure location of keystore and truststore files.
Transport layer TLS
Name | Description |
---|---|
searchguard.ssl.transport.keystore_filepath | Path to the keystore file, relative to the config/ directory (mandatory) |
searchguard.ssl.transport.keystore_password | Keystore password |
searchguard.ssl.transport.truststore_filepath | Path to the truststore file, relative to the config/ directory (mandatory) |
searchguard.ssl.transport.truststore_password | Truststore password |
REST layer TLS
Name | Description |
---|---|
searchguard.ssl.http.enabled | Whether to enable TLS on the REST layer or not |
searchguard.ssl.http.keystore_filepath | Path to the keystore file, relative to the config/ directory (mandatory) |
searchguard.ssl.http.keystore_password | Keystore password |
searchguard.ssl.http.truststore_filepath | Path to the truststore file, relative to the config/ directory (mandatory) |
searchguard.ssl.http.truststore_password | Truststore password |
Note: KubeDB Elasticsearch is configured with keystore and truststore files in JKS format
Admin certificates are regular client certificates that have elevated rights to perform administrative tasks. You need an admin certificate to
change the Search Guard configuration via the sgadmin command line tool. Admin certificates are configured in elasticsearch.yml
by simply stating their DN(s).
searchguard.authcz.admin_dn:
- CN=sgadmin, O=Elasticsearch Operator
With TLS client authentication enabled, REST clients can send a TLS certificate with the HTTP request to provide identity information to Search Guard.
Note: Search Guard accepts TLS client certificates if they are sent, but does not enforce them.