Search Guard
menu
securityalertingpricingdownloadblogresourcesaboutcontact us
Home >Resources >Blog >Handling Configuration Variables in Search Guard FLX

Handling Configuration Variables in Search Guard FLX

Jochen Kressin
Tags: Search Guard FLXTechnology

Configuration Variables Handling so Far

The configuration files for Search Guard would in most cases also contain sensitive information. For example passwords, certificates, system user names and so on. So far the only way to avoid having this data in configuration files in plaintext was to use environment variables.
You can replace the plaintext passwords by variables in any configuration file.
ldap:
  http_enabled: true
    ...
    config:
      hosts:
        - ${env.LDAP_HOST:-ldapdev.example.com}
      bind_dn: ${env.LDAP_BIND_DN}
      password: ${env.LDAP_BIND_DN_PASSWORD}
      ...
Here, the sensitive LDAP connection settings have been replaced with variables. The syntax is:
${env.<variable name>}

or

${env.<variable name>:-<default value>}
You can substitute any setting in any Search Guard configuration file with variables.
When uploading the files with sgadmin, the variables can be replaced in two ways:

Substitution by sgadmin

Before uploading the files to your Elasticsearch cluster, sgadmin will scan the files for variables, and then substitute them by environment variables. This means the environment variables need to be set on the machine where sgadmin is executed, e.g.:
export LDAP_HOST="ldapprod.example.com"
export LDAP_BIND_DN="cn=admin,ou=people,dc=example,dc=com"
export LDAP_BIND_DN_PASSWORD="mypassword"
This means you have to configure the variables only on the machine where you run sgadmin. As a downside, if you want to run it from any other machine, you have to make sure the environment variables match. Also, the content of the variables cannot be changed at runtime.

Substitution by Elasticsearch Nodes

You can also configure the environment variables on each Elasticsearch nodes. In this case, sgadmin will upload the configuration files with the variables, and the Search Guard plugin takes care of the substitution before the configuration is applied.
The downside of this approach is that you need to keep the environment variables on all nodes in sync.
For a complete reference please refer to our documentation.

A Better Approach in FLX: Configuration Variables

Search Guard FLX ships with a built-in configuration variables store. With this, you can create, change and delete variables and secrets centrally on your Elasticsearch cluster. The variables are then applied whenever the configuration is modified/reloaded.
Search Guard stores the variables, which can optionally be encrypted, in a protected index. This is much like the Search Guard configuration index. You can only access this index with an admin certificate. Regular users are never able to access this index directly.
Managing secrets is easy, you can use the new sgtcl, a replacement for the older sgadmin, for it.
First, connect to your cluster by specifying the admin TLS certificate:
$ ./sgctl.sh connect localhost 
  --ca-cart /path/to/root-ca.pem 
  --cert /path/to/admin-cert.pem 
  --key /path/to/admin-cert-private-key.pem`
Next, add a new configuation variable. In our case it is the password for connecting to the LDAP server:
./sgctl.sh add-var ldap_bind_dn_password mypassword --encrypt
Since we are adding senstive information here, we chose to encrypt the variable. This way, Search Guard never stores the password in cleartext. Even if you create a backup of the configuration, the variable value will be encrypted.
You can change existing variables like:
/sgctl.sh update-var ldap_bind_dn_password mynewpassword --encrypt
Or, delete a variable completely:
/sgctl.sh dlete-var ldap_bind_dn_password
You can then reference this variable in any configuration file:
auth_domains:
- type: basic/ldap
  ldap.idp.password: '#{var:ldap_bind_dn_password}'
  ...
The variable substitution is executed each time the Search Guard configuration index is reloaded. This is the case
    when a node restarts
    when any Search Guard configuration changes
    when a configuration variable is added, changed or deleted

Creating Backups

If you want to create a backup of all configuration variables, you can use the sgctl get-config command.
$ ./sgctl.sh get-config
The backup of your security configuration also includes the variables in the file sgconfigvars.yml.

Summary

The apporach we used in Search Guard was based on substituting configuration variables with environment variables. This works well, but also had one major drawback: Your security configuration was dependant on your system infrastructure.
With our new Variables Store you can now manage your sensitive configuration variables in a central place: Your Elasticsearch cluster. Search Guard FLX will protect this index from unauthorized access and makes sure any changes are available on all nodes instantly. If you want to rotate any secret or key, just update the configuration variable. Done. Pretty neat, right?
Published: 2022-08-09
share
linkedIn icon
y icon
Questions? Drop us a line!
Country *
your message
newsletter
This form collects your name and email. Please take a look in our privacy policy for a better understanding on how we protect and manage your submitted data.
Other posts you may like
When Single Sign On is not enough: Supporting ...
Jochen Kressin || 2022-08-10
In this post we have a look at how to set up Kibana with multiple authentication types: OIDC and the internal user database. ...
read morearrow icon
Search Guard vs. Search Guard FLX
Jochen Kressin || 2023-04-19
We explore the differences and similarities of Search Guard and Search Guard FLX and outline how to migrate to Search Guard FLX. ...
read morearrow icon
Handling Configuration Variables in Search ...
Jochen Kressin || 2022-08-09
This article will show you how you can use the new configuration variables feature in FLX to separately store secrets and get rid of any sensitive infor ...
read morearrow icon
arrow iconback to blog
follow us
twitter iconfacebook iconlinkedIn iconyoutube icon
Search Guard Newsletter
For the latest product developments, new versions and cybersecurity news, sign up to our newsletter.
security
What it is
How it works
Certifications
Compliance
alerting
What it is
Connectors
Escalation model
license
Standard editions
Feature breakdown
Academic edition
Custom edition
resources
Documentation
Source Code
FAQ
Community forum
TLS certificate generator
Blog
Presentations
White papers
Compliance
company
Who we are
Partners
Integrators
Data protection
Imprint
Public key & security

© 2022 floragunn GmbH - All Rights Reserved

Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries. Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries. Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
Lower your TCOOlder Versions Support