In this article, we look at the new Search Guard Control command line tool that ships with Search Guard FLX and demonstrate how easy it has become to configure security for Elasticsearch.
The Story so Far: sgadmin
Since the very first release for Elasticsearch 2, Search Guard shipped with a command line tool called sgadmin. You would use sgadmin to upload your security configuration to the cluster and to perform maintenance tasks. The tool hopefully served you well over the course of time, but with the arrival of Search Guard FLX, it was about time to rethink our approach to how security settings should be managed.
TLS Admin Certificates
TLS admin certificates are at the center of the Search Guard security configuration. Whenever you want to make any changes, like changing a role or adding a user, you need to use a TLS admin certificate. Regular users are not allowed to change any security settings at all.
We made the deliberate decision to use TLS certificates instead of a simple root user with a username and password. From a security perspective, this gives a stronger level of protection than shared credentials. However, it also has some practical annoyances.
sgadmin Usage
Nearly all sgadmin calls require you to use a TLS admin certificate. This means that you have to specify the root CA, the admin certificate and key, and information about your cluster location for every call. A typical call might look like this:
If you work with sgadmin a lot, this can become a bit annoying. If, for example, you want to move some configuration from staging to production, you need to remember all these settings for both systems.
Meet sgctl, our new shiny administration tool for Search Guard FLX.
sgctl: Connection Profiles
With sgctl, we took a different approach and separated the connection settings from the actual commands you want to execute.
When you first connect to your cluster, you still need to provide the TLS certificates as before. Note that there is now an explicit connect command: sgctl stores the connection settings for this host in the .searchguard directory inside your home directory.
Any subsequent command will automatically use this connection profile. No need to specify all the connection details anymore. Say you want to fetch the current security configuration of your connected cluster, you just need to:
$ ./sgctl.sh get-config -o sg-config
Where -o specifies the output directory. Likewise, adding a new user to the internal user database is now as simple as:
$ ./sgctl.sh add-user userName --password
This allows you to manage different connection profiles, e.g. one for staging and one for production.
Moving Security Configuration From Staging to Production
Let's say you worked on your security configuration on your staging system. You tested everything and now it's time to move to production.
This can now be accomplished by these four simple commands: