Appsearch on unsecure cluster

Hi

I am trying to set up an unsecured cluster (without auth and TLS) with Appsearch - I can set up an unsecure ES cluster by turning off security in the elasticsearch.yml file using:

xpack.security.enabled: false
xpack.security.transport.ssl.enabled: false
xpack.security.http.ssl.enabled: false

but I get an error saying I need to set my encryption key in Appsearch, so I updated enterprise-search.yml and added the following line:

secret_management.encryption_keys: [<my key string here>]

Next, I got an error saying:

Elasticsearch API key service must be enabled. It is enabled automatically when you configure Elasticsearch to use TLS on the HTTP interface.
Alternatively, you can explicitly enable the setting within Elasticsearch by opening config/elasticsearch.yml and adding:

xpack.security.authc.api_key.enabled: true

Now, when I go back to elasticsearch.yml and add this line, it starts up fine but Appsearch still keeps throwing the same error.

I am assuming it's because xpack.security is disabled already so this line doesn't work.

I am curious now if it is at all possible to run Appsearch in an unsecure cluster (my cluster is inside a VPC which is secured so I don't need to run it in secure mode).

BR

Hi @samiujan,

This is an interesting intersection of configuration between Enterprise Search and Elasticsearch.

Elasticsearch does need to have xpack.security.enabled=true in order for xpack.security.authc.api_key.enabled=true to be respected. And Enterprise Search does need to be able to use API Keys in order to communicate with Elasticsearch. Typically, this would imply that you need to set up SSL for Elasticsearch, as it doesn't make a lot of sense to have xpack.security.enabled=true and then to ignore what actually makes the cluster secure.

However, you're not alone in this use case. One way to disable this "production" check is to signal to Elasticsearch that this is not a production cluster. If you set discovery.type=single-node and only have a single Elasticsearch node, you effectively tell Elasticsearch to allow you to run with non-production settings without error, which allows you to enable security without configuring SSL.

Another way to signal that this is not a production environment is to use a Trial License. These do expire, so they are not a good long-term workaround.

You can read more about this in "Bootstrap Checks" and "Bootstrap Checks for X-Pack" in the Elasticsearch Guide [8.2].

The final, and best workaround, of course, is to use TLS, regardless of your VPC setup. We recommend always using encryption, and not expecting that one layer of security removes the need for other layers. You can create yourself a self-signed certificate for free. You could also consider using Elastic Cloud to manage your deployment, as it provides TLS out-of-the-box without any extra work needed on your end.

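The settings discussed in the reply above, laid out as an added configuration example (not part of the original thread and not Elastic's own sample). It shows the single-node workaround next to the TLS variant the reply recommends. Keystore and CA paths, the loopback host and the password are placeholders, and using the built-in elastic user for Enterprise Search is an assumption.

```yaml
# ---- config/elasticsearch.yml: single-node, non-production workaround ----
# Signals a non-production cluster, so security can be on without TLS.
discovery.type: single-node
# Must be true, otherwise the API key setting below is not respected.
xpack.security.enabled: true
# Needed explicitly because HTTP TLS (which enables it automatically) is off.
xpack.security.authc.api_key.enabled: true
xpack.security.http.ssl.enabled: false
xpack.security.transport.ssl.enabled: false

# ---- config/elasticsearch.yml: recommended variant with TLS ----
# Replace the two "ssl.enabled: false" lines above with the following.
# Paths are placeholders for a self-signed or CA-issued keystore.
# xpack.security.http.ssl.enabled: true
# xpack.security.http.ssl.keystore.path: <path-to-http-keystore.p12>
# xpack.security.transport.ssl.enabled: true
# xpack.security.transport.ssl.verification_mode: certificate
# xpack.security.transport.ssl.keystore.path: <path-to-transport-keystore.p12>
# xpack.security.transport.ssl.truststore.path: <path-to-transport-keystore.p12>

# ---- config/enterprise-search.yml ----
# With security enabled, Enterprise Search has to authenticate to Elasticsearch.
# Host, user and password are assumptions for illustration.
elasticsearch.host: http://127.0.0.1:9200
elasticsearch.username: elastic
elasticsearch.password: <elastic-user-password>
secret_management.encryption_keys: [<my key string here>]

# With the TLS variant, switch the host to https and verify the certificate:
# elasticsearch.host: https://127.0.0.1:9200
# elasticsearch.ssl.enabled: true
# elasticsearch.ssl.certificate_authority: <path-to-ca.crt>
# elasticsearch.ssl.verify: true
```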
