Can I use role based authentication for free?

In this link https://www.elastic.co/subscriptions I can see that x-pack basic has role-based access control.

How do I set it up? I have read the documentation but I am very confused.
Can I with the basic license setup users and roles in kibana?

If I set "xpack.security.enabled: true" in ES then I can see that I am using a trial version and not the basic license.

Any help will be much appreciated

Make sure you have at least 6.8.0 or 7.1.0.

I am using version 7.1.1

Setting xpack.security.enabled: true should not change the license.
Most likely you activated a trial already and you are still using it?

In Kibana you can stop the trial and revert to a basic license.

This is from the latest documentation

``
xpack.security.enabled
Set to true to enable Elasticsearch security features on the node.

If set to false , which is the default value for basic and trial licenses, security features are disabled. It also affects all Kibana instances that connect to this Elasticsearch instance; you do not need to disable security features in those kibana.yml files. For more information about disabling security features in specific Kibana instances, seeKibana security settings.

Tip

If you have gold or higher licenses, the default value is true ; we recommend that you explicitly add this setting to avoid confusion.

``

How should I interpret that?

I read it as "By default security is disabled for basic and trial licenses". It does not mean that you can't use it. Just that it's not turned on by default. I'm sure this will change in the future.

I have no wasted some more time trying to get security to work with basic license.
If I use trial mode I can run "bin/elasticsearch-setup-passwords interactive" if I use "basic" license the same commands prompt me to install the correct licens or x-pack.

Unexpected response code [403] from calling GET http://172.27.0.2:9200/_security/_authenticate?pretty
It doesn't look like the X-Pack security feature is available on this Elasticsearch node.
Please check if you have installed a license that allows access to X-Pack Security feature.

What is the output of:

GET /
GET /_cat/nodes?v
GET /_cat/health?v
GET /_cat/plugins?v

Can you try running in verbose mode?

bin/elasticsearch-setup-passwords interactive --verbose

That will tell us exactly what response the tool is receiving from Elasticsearch and why that looks like security is not available.

Testing if bootstrap password is valid for http://172.28.0.2:9200/_security/_authenticate?pretty
{
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "current license is non-compliant for [security]",
"license.expired.feature" : "security"
}
],
"type" : "security_exception",
"reason" : "current license is non-compliant for [security]",
"license.expired.feature" : "security"
},
"status" : 403
}

Unexpected response code [403] from calling GET http://172.28.0.2:9200/_security/_authenticate?pretty
{
"features" : {
"ccr" : {
"available" : false,
"enabled" : true
},
"graph" : {
"available" : false,
"enabled" : true
},
"ilm" : {
"available" : true,
"enabled" : true
},
"logstash" : {
"available" : false,
"enabled" : true
},
"ml" : {
"available" : false,
"enabled" : true
},
"monitoring" : {
"available" : true,
"enabled" : true
},
"rollup" : {
"available" : true,
"enabled" : true
},
"security" : {
"available" : false,
"enabled" : true
},
"sql" : {
"available" : true,
"enabled" : true
},
"watcher" : {
"available" : false,
"enabled" : true
}
}
}

It doesn't look like the X-Pack security feature is available on this Elasticsearch node.
Please check if you have installed a license that allows access to X-Pack Security feature.

ERROR: X-Pack Security is not available.

elasticsearch.yml:

xpack.license.self_generated.type: basic
xpack.security.enabled: true
xpack.security.audit.enabled: false
xpack.monitoring.collection.enabled: false

Dockerfile:

ARG ELK_VERSION
FROM docker.elastic.co/elasticsearch/elasticsearch:${ELK_VERSION}
RUN elasticsearch-plugin install x-pack

That output looks exactly like what you'd get on a version from before security was included in the basic license.

Are you positive that the node listening on 172.28.0.2:9200 is running 7.1.1? It really looks more like 7.0

Can you provide the output of / that @dadoonet requested?

curl "http://172.28.0.2:9200/"
1 Like

You are right! looks like .env are not read
FROM docker.elastic.co/elasticsearch/elasticsearch:${ELK_VERSION}
I then tried with
FROM docker.elastic.co/elasticsearch/elasticsearch:7.1.1

and the output was

[root@9271e2938fa8 elasticsearch]# curl "http://172.29.0.2:9200/"
{
"name" : "9271e2938fa8",
"cluster_name" : "docker-cluster",
"cluster_uuid" : "Z9EG7uCUQtWIbXN0OTB1Hg",
"version" : {
"number" : "7.0.1",
"build_flavor" : "default",
"build_type" : "docker",
"build_hash" : "e4efcb5",
"build_date" : "2019-04-29T12:56:03.145736Z",
"build_snapshot" : false,
"lucene_version" : "8.0.0",
"minimum_wire_compatibility_version" : "6.7.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}

First thanks for helping me out. I am new to docker-compose and I needed to make a clean build after changing version from 7.0 to 7.1.1. It was not enough with up / down

****** SUCCESS *********

Testing if bootstrap password is valid for http://172.30.0.2:9200/_security/_authenticate?pretty
{
  "username" : "elastic",
  "roles" : [
    "superuser"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "_reserved" : true
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  },
  "lookup_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  }
}


Checking cluster health: http://172.30.0.2:9200/_cluster/health?pretty
{
  "cluster_name" : "docker-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 0,
  "active_shards" : 0,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.