Ansible-elasticsearch es_api_basic_auth_username as 'elastic' user

I am having two issues using this role with es_api_basic_auth_username as 'elastic'. When I run it the first time, it updates the elastic user password but fails to update the reserved user passwords. The Elasticsearch service starts, but the Ansible play fails because of the problem updating the reserved user passwords. Using curl, I can access the cluster as the elastic user. When I run the same play again, I get the same problem, but this time I am not able to access the cluster as the elastic user; I get a security exception.

First time error:

TASK [elastic.elasticsearch : debug message] *******************************************************************************************************
ok: [atltstrao00001.mydomain.com] => {
    "msg": "WARNING: YOU CAN ONLY CHANGE THE PASSWORD FOR RESERVED USERS IN THE NATIVE REALM. ANY ROLE CHANGES WILL BE IGNORED: ['kibana_system', 'logstash_system']"
}

TASK [elastic.elasticsearch : Update Reserved User Passwords] **************************************************************************************
failed: [atltstrao00001.mydomain.com] (item=None) => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
failed: [atltstrao00001.mydomain.com] (item=None) => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
fatal: [atltstrao00001.mydomain.com]: FAILED! => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}

NO MORE HOSTS LEFT *********************************************************************************************************************************

PLAY RECAP *****************************************************************************************************************************************
atltstrao00001.cedardoc.com : ok=54   changed=5    unreachable=0    failed=1    skipped=91   rescued=0    ignored=0   

When I run the same play again, I get the above error and the issue with the elastic user:

curl -k -u elastic https://localhost:9200/_cat/nodes?v

{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/_cat/nodes?v]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}

Here is my playbook, please let me know what is wrong with my config.

--- # elasticsearch test cluster

- hosts: master_node
  roles:
    - role: elastic.elasticsearch
  vars:
    es_heap_size: "1g"
    es_config:
      cluster.name: "test-cluster"
      node.name: "master"
      cluster.initial_master_nodes: ["master"]
      discovery.seed_hosts: ["172.31.120.246:9300"]
      http.port: 9200
      network.host: [_local_,_site_]
      node.data: false
      node.master: true
      bootstrap.memory_lock: false
      xpack.security.authc.realms.file.file1.order: 0
      xpack.security.authc.realms.native.native1.order: 1
    es_api_basic_auth_username: "elastic" # This is the default user created by the installation of elasticsearch
    es_api_basic_auth_password: "XXXXXXX" # This is the default password created by the installation of elasticsearch
    es_enable_http_ssl: true
    es_enable_transport_ssl: true
    es_ssl_keystore: "/home/deployer/elasticsearch/config/certs/master.p12"
    es_ssl_truststore: "/home/deployer/elasticsearch/config/certs/master.p12"
    es_ssl_keystore_password: "XXXXXXX"
    es_ssl_truststore_password: "XXXXXXX"
    es_validate_certs: no
    es_plugins:
      - plugin: ingest-attachment
    es_users:
      native:
        kibana_system:
          password: XXXXXXX_ui
          
        logstash_system:
          password: XXXXXXX_ls

- hosts: data_node_1
  roles:
    - role: elastic.elasticsearch
  vars:
    es_heap_size: "1g"
    es_data_dirs:
      - "/opt/elasticsearch"
    es_config:
      cluster.name: "test-cluster"
      node.name: "node1"
      cluster.initial_master_nodes: ["master"]
      discovery.seed_hosts: ["172.31.120.246:9300"]
      network.host: [_local_,_site_]
      http.port: 9200
      node.data: true
      node.master: false
      bootstrap.memory_lock: false
      xpack.security.authc.realms.file.file1.order: 0
      xpack.security.authc.realms.native.native1.order: 1
    es_api_basic_auth_username: "elastic" # This is the default user created by the installation of elasticsearch
    es_api_basic_auth_password: "XXXXXXX" # This is the default password created by the installation of elasticsearch
    es_enable_http_ssl: true
    es_enable_transport_ssl: true
    es_ssl_keystore: "/home/deployer/elasticsearch/config/certs/node1.p12"
    es_ssl_truststore: "/home/deployer/elasticsearch/config/certs/node1.p12"
    es_ssl_keystore_password: "XXXXXXX"
    es_ssl_truststore_password: "XXXXXXX"
    es_validate_certs: no
    es_plugins:
      - plugin: ingest-attachment
    es_users:
      native:
        kibana_system:
          password: XXXXXXX_ui
          
        logstash_system:
          password: XXXXXXX_ls

I was able to resolve the issue. While building the cluster with xpack enabled, the first node is set to be master only. My settings are:
node.master: true
node.data: false

When the user passwords are being updated, Elasticsearch is not able to create the .security index on the node because node.data is set to false. I changed the setting to node.data: true for the first node, and that resolved both my issues.

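A pre-flight lint for the play-ordering problem described in the resolution above, as an added example that is not part of the original post or of the elastic.elasticsearch role. It assumes plays run in file order and that the input is the list `yaml.safe_load()` would return for the playbook; the function names and the reduced sample are constructed for illustration.

```python
def _as_bool(value, default):
    """Interpret YAML booleans and their quoted string forms."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "yes", "on", "1")


def find_security_index_risks(plays):
    """Return one finding per play that sets native-realm passwords before
    any data-capable node of the same cluster has been deployed, i.e. before
    there is a node that can hold the .security index."""
    clusters_with_data_node = set()
    findings = []
    for play in plays:
        play_vars = play.get("vars") or {}
        es_config = play_vars.get("es_config") or {}
        # Assumption: fall back to Elasticsearch's default cluster name.
        cluster = es_config.get("cluster.name", "elasticsearch")
        # node.data defaults to true when the key is absent.
        if _as_bool(es_config.get("node.data"), default=True):
            clusters_with_data_node.add(cluster)
        native_users = (play_vars.get("es_users") or {}).get("native") or {}
        if native_users and cluster not in clusters_with_data_node:
            findings.append({
                "hosts": play.get("hosts"),
                "cluster": cluster,
                "users": sorted(native_users),
            })
    return findings


# Constructed sample: the two plays from the post, reduced to the relevant keys.
_USERS = {"native": {"kibana_system": {"password": "XXXXXXX_ui"},
                     "logstash_system": {"password": "XXXXXXX_ls"}}}
SAMPLE_PLAYS = [
    {"hosts": "master_node", "vars": {"es_users": _USERS, "es_config": {
        "cluster.name": "test-cluster", "node.master": True, "node.data": False}}},
    {"hosts": "data_node_1", "vars": {"es_users": _USERS, "es_config": {
        "cluster.name": "test-cluster", "node.master": False, "node.data": True}}},
]

if __name__ == "__main__":
    for finding in find_security_index_risks(SAMPLE_PLAYS):
        print("play '{hosts}' sets passwords for {users} before cluster "
              "'{cluster}' has a data node".format(**finding))
```

The lint flags only the first play in the sample; with `node.data: true` on that node, as in the fix above, it reports nothing.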