Authentication fails on a new node in a secure cluster

Hello,

I have an Elasticsearch cluster with 2 nodes, on which I enabled xpack security a while ago (TLS on both transport and HTTP + local authentication).
I want to add a new node to the cluster, I configured the node with the transport and HTTP settings, I added the node in the discovery list on all the nodes.
The node starts correctly but I cannot authenticate on it:

curl https://SOC-V-DEV-ESNODE03:9200/_xpack/security/_authenticate?pretty -u elastic -k
Enter host password for user 'elastic':
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "failed to authenticate user [elastic]",
        "header" : {
          "WWW-Authenticate" : [
            "Bearer realm=\"security\"",
            "ApiKey",
            "Basic realm=\"security\" charset=\"UTF-8\""
          ]
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "failed to authenticate user [elastic]",
    "header" : {
      "WWW-Authenticate" : [
        "Bearer realm=\"security\"",
        "ApiKey",
        "Basic realm=\"security\" charset=\"UTF-8\""
      ]
    }
  },
  "status" : 401
} 

While running the same query on another node works fine :

curl https://SOC-V-DEV-ESNODE01:9201/_xpack/security/_authenticate?pretty -u elastic -k
Enter host password for user 'elastic':
{
  "username" : "elastic",
  "roles" : [
    "superuser"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "_reserved" : true
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  },
  "lookup_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  }
}

Before you ask, the password I type both time is correct :wink:

Do I have to run the bin/elasticsearch-setup-passwords interactive command on the new node ? The documentation is unclear on this, from my understanding we only have to run it once per cluster.

Antoine

So I found the solution by myself, I share it in case anyone run into the same issue:

  • The first two nodes are running on Docker and have a bootstrap password set with the ELASTIC_PASSWORD variable
  • My new node is not a Docker container (I plan to remove them) and I had not defined the bootstrap password
  • I added the bootstrap password on the new node using the following command bin/elasticsearch-keystore add bootstrap.password
  • After restarting the new node, the authentication is working correctly !
1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.