I am having two issues using this role with es_api_basic_auth_username as 'elastic'. When I run it the first time, it updates the elastic user password but fails to update the reserved user passwords. The Elasticsearch service starts, but the Ansible play fails because of the problem updating the reserved user passwords. Using curl, I can access the cluster as the elastic user. When I run the same play again, I get the same problem, but this time I am not able to access the cluster as the elastic user; I get a security exception.
First time error:
TASK [elastic.elasticsearch : debug message] *******************************************************************************************************
ok: [atltstrao00001.mydomain.com] => {
"msg": "WARNING: YOU CAN ONLY CHANGE THE PASSWORD FOR RESERVED USERS IN THE NATIVE REALM. ANY ROLE CHANGES WILL BE IGNORED: ['kibana_system', 'logstash_system']"
}
TASK [elastic.elasticsearch : Update Reserved User Passwords] **************************************************************************************
failed: [atltstrao00001.mydomain.com] (item=None) => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
failed: [atltstrao00001.mydomain.com] (item=None) => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
fatal: [atltstrao00001.mydomain.com]: FAILED! => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
NO MORE HOSTS LEFT *********************************************************************************************************************************
PLAY RECAP *****************************************************************************************************************************************
atltstrao00001.cedardoc.com : ok=54 changed=5 unreachable=0 failed=1 skipped=91 rescued=0 ignored=0
When I run the same play again, I get the above error and the issue with the elastic user:
curl -k -u elastic https://localhost:9200/_cat/nodes?v
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}
Here is my playbook. Please let me know what is wrong with my config.
--- # elasticsearch test cluster
- hosts: master_node
  roles:
    - role: elastic.elasticsearch
  vars:
    es_heap_size: "1g"
    es_config:
      cluster.name: "test-cluster"
      node.name: "master"
      cluster.initial_master_nodes: ["master"]
      discovery.seed_hosts: ["172.31.120.246:9300"]
      http.port: 9200
      network.host: [_local_,_site_]
      node.data: false
      node.master: true
      bootstrap.memory_lock: false
      xpack.security.authc.realms.file.file1.order: 0
      xpack.security.authc.realms.native.native1.order: 1
    es_api_basic_auth_username: "elastic" # This is the default user created by the installation of elasticsearch
    es_api_basic_auth_password: "XXXXXXX" # This is the default password created by the installation of elasticsearch
    es_enable_http_ssl: true
    es_enable_transport_ssl: true
    es_ssl_keystore: "/home/deployer/elasticsearch/config/certs/master.p12"
    es_ssl_truststore: "/home/deployer/elasticsearch/config/certs/master.p12"
    es_ssl_keystore_password: "XXXXXXX"
    es_ssl_truststore_password: "XXXXXXX"
    es_validate_certs: no
    es_plugins:
      - plugin: ingest-attachment
    es_users:
      native:
        kibana_system:
          password: XXXXXXX_ui
        logstash_system:
          password: XXXXXXX_ls
- hosts: data_node_1
  roles:
    - role: elastic.elasticsearch
  vars:
    es_heap_size: "1g"
    es_data_dirs:
      - "/opt/elasticsearch"
    es_config:
      cluster.name: "test-cluster"
      node.name: "node1"
      cluster.initial_master_nodes: ["master"]
      discovery.seed_hosts: ["172.31.120.246:9300"]
      network.host: [_local_,_site_]
      http.port: 9200
      node.data: true
      node.master: false
      bootstrap.memory_lock: false
      xpack.security.authc.realms.file.file1.order: 0
      xpack.security.authc.realms.native.native1.order: 1
    es_api_basic_auth_username: "elastic" # This is the default user created by the installation of elasticsearch
    es_api_basic_auth_password: "XXXXXXX" # This is the default password created by the installation of elasticsearch
    es_enable_http_ssl: true
    es_enable_transport_ssl: true
    es_ssl_keystore: "/home/deployer/elasticsearch/config/certs/node1.p12"
    es_ssl_truststore: "/home/deployer/elasticsearch/config/certs/node1.p12"
    es_ssl_keystore_password: "XXXXXXX"
    es_ssl_truststore_password: "XXXXXXX"
    es_validate_certs: no
    es_plugins:
      - plugin: ingest-attachment
    es_users:
      native:
        kibana_system:
          password: XXXXXXX_ui
        logstash_system:
          password: XXXXXXX_ls