New to Elasticsearch & Shield. Required to work with version 2.4.6, and cannot currently upgrade to a newer version.
Installed Shield, started a SINGLE NODE Elasticsearch 'cluster' with basic authentication, added a user (via bin/shield/esusers) with 'admin' privileges and attempted to execute a number of cluster-based queries.
The queries produce errors along with the message "cannot poll for user changes since security index [.security] does not exist" in the log output. I believe these issues should not be ignored. I say this because I believe those errors and the missing .security index condition are preventing authorization from occurring when role-based PKI authentication (PKI User Authentication | Shield [2.4] | Elastic) is employed rather than basic auth.
The basic auth details are shown below (configuration changes, command lines executed, & log output). I'm hoping someone can help identify why the .security index is not created and how to correct the situation.
Elasticsearch version 2.4.6, Shield version: 2.4.6
./elasticsearch-2.4.6/config/elasticsearch.yml
action.auto_create_index: ".security,.security*,.monitoring*,.waches,.triggered_watches,.watcher-history*,.ml*"
./elasticsearch-2.4.6/config/logging.yml
shield.authc: TRACE
shield.authz: TRACE
shield.transport.tracer: TRACE
./elasticsearch-2.4.6/config/shield/logging.yml
logger:
  shield.audit.logfile: TRACE, access_log
additivity:
  shield.audit.logfile: true
Start up Elasticsearch with Shield
/scratch/es/elasticsearch/bin/elasticsearch -Dnetwork.host=myHost.xx.xxxx.com --cluster.name kv-es-cluster --node.name myHost
....
[2019-02-19 07:51:48,396][INFO ][node ] [myHost] initialized
[2019-02-19 07:51:48,399][INFO ][node ] [myHost] starting ...
[2019-02-19 07:51:48,721][TRACE][shield.authz.store ] [myHost] attempting to read roles file located at [/scratch/es/elasticsearch/config/shield/roles.yml]
[2019-02-19 07:51:48,761][TRACE][shield.authc.esusers ] [myHost] reading users file [/scratch/es/elasticsearch/config/shield/users]...
[2019-02-19 07:51:48,761][WARN ][shield.authc.esusers ] [myHost] no users found in users file [/scratch/es/elasticsearch/config/shield/users]. use bin/shield/esusers to add users and role mappings
[2019-02-19 07:51:48,762][DEBUG][shield.authc.esusers ] [myHost] realm [esusers] has no users
[2019-02-19 07:51:48,764][TRACE][shield.authc.esusers ] [myHost] reading users_roles file [/scratch/es/elasticsearch/config/shield/users_roles]...
[2019-02-19 07:51:48,765][WARN ][shield.authc.esusers ] [myHost] no entries found in users_roles file [/scratch/es/elasticsearch/config/shield/users_roles]. use bin/shield/esusers to add users and role mappings
....
[2019-02-19 07:51:51,956][DEBUG][shield.authc.esnative ] [myHost] native users store waiting until gateway has recovered from disk
[2019-02-19 07:51:51,957][DEBUG][shield.authz.store ] [myHost] native roles store waiting until gateway has recovered from disk
....
[2019-02-19 07:51:52,034][DEBUG][shield.authc.esnative ] [myHost] security index [.security] does not exist, so service can start
[2019-02-19 07:51:52,034][DEBUG][shield.authz.store ] [myHost] security index [.security] does not exist, so service can start
[2019-02-19 07:51:52,037][TRACE][shield.authc.esnative ] [myHost] cannot poll for user changes since security index [.security] does not exist
....
After a minute or two, the log output repeatedly displays
....
[2019-02-19 07:52:22,041][TRACE][shield.authc.esnative ] [myHost] cannot poll for user changes since security index [.security] does not exist
[2019-02-19 07:52:22,043][TRACE][shield.authz.store ] [myHost] cannot poll for role changes since security index [.security] does not exist
....
Add root user
elasticsearch/bin/shield/esusers useradd root -r admin -p myPasswd
elasticsearch/bin/shield/esusers list
root : admin
....
[2019-02-19 07:54:43,847][INFO ][shield.authc.esusers ] [myHost] users file [/scratch/es/elasticsearch/config/shield/users] changed. updating users... )
[2019-02-19 07:54:43,848][TRACE][shield.authc.esusers ] [myHost] reading users file [/scratch/es/elasticsearch/config/shield/users]...
[2019-02-19 07:54:43,849][TRACE][shield.authc.esusers ] [myHost] invalidating cache for all users in realm [default_file]
[2019-02-19 07:54:43,849][INFO ][shield.authc.esusers ] [myHost] users_roles file [/scratch/es/elasticsearch/config/shield/users_roles] changed. updating users roles...
[2019-02-19 07:54:43,849][TRACE][shield.authc.esusers ] [myHost] reading users_roles file [/scratch/es/elasticsearch/config/shield/users_roles]...
[2019-02-19 07:54:43,850][TRACE][shield.authc.esusers ] [myHost] invalidating cache for all users in realm [default_file]
....
Query the cluster
curl -u root:myPasswd -X GET 'http://myHost:9200/_cat'
Although the query produces expected output, the log shows a stack trace, along with the message indicating 'could not retrieve user [root] because of non-existent .security index'
....
[2019-02-19 07:57:15,509][DEBUG][shield.authc.esnative ] [myHost] user not found in cache, proceeding with normal authentication
[2019-02-19 07:57:15,516][TRACE][shield.authc.esnative ] [myHost] could not retrieve user [root] because security index does not exist
[.security] IndexNotFoundException[no such index]
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:151)
....
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
[2019-02-19 07:57:15,531][DEBUG][shield.authc.esusers ] [myHost] user not found in cache, proceeding with normal authentication
[2019-02-19 07:57:15,631][DEBUG][shield.authc.esusers ] [myHost] authenticated user [root], with roles [[admin]]
....
[2019-02-19 07:57:22,045][TRACE][shield.authc.esnative ] [myHost] cannot poll for user changes since security index [.security] does not exist
[2019-02-19 07:57:22,046][TRACE][shield.authz.store ] [myHost] cannot poll for role changes since security index [.security] does not exist
....
Other queries produce similar results (correct output but stack trace in the log because the .security index does not exist).
Any thoughts on what I'm doing wrong in the configuration? Or why the .security index is not created and how to fix this issue?
Thanks,
Brian
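
Added example, not part of the original post: a short Python script that parses Shield log lines in the format shown above and reports which realm logger recorded the missing-index lookup and which one authenticated the user. The sample lines are copied from the log excerpts in the post; the function and pattern names are illustrative.

```python
import re

# Log lines copied from the excerpts in the post (stack trace shortened).
SAMPLE_LOG = """\
[2019-02-19 07:57:15,509][DEBUG][shield.authc.esnative ] [myHost] user not found in cache, proceeding with normal authentication
[2019-02-19 07:57:15,516][TRACE][shield.authc.esnative ] [myHost] could not retrieve user [root] because security index does not exist
[.security] IndexNotFoundException[no such index]
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:151)
[2019-02-19 07:57:15,531][DEBUG][shield.authc.esusers ] [myHost] user not found in cache, proceeding with normal authentication
[2019-02-19 07:57:15,631][DEBUG][shield.authc.esusers ] [myHost] authenticated user [root], with roles [[admin]]
[2019-02-19 07:57:22,045][TRACE][shield.authc.esnative ] [myHost] cannot poll for user changes since security index [.security] does not exist
[2019-02-19 07:57:22,046][TRACE][shield.authz.store ] [myHost] cannot poll for role changes since security index [.security] does not exist
"""

# [timestamp][LEVEL][logger ] [node] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+?)\s*\]"
    r"\s+\[(?P<node>[^\]]+)\]\s+(?P<msg>.*)$"
)
AUTH_OK = re.compile(
    r"authenticated user \[(?P<user>[^\]]+)\], with roles \[\[(?P<roles>[^\]]*)\]\]"
)
LOOKUP_MISS = re.compile(
    r"could not retrieve user \[(?P<user>[^\]]+)\] because security index does not exist"
)
POLL_SKIP = re.compile(r"cannot poll for (?:user|role) changes since security index")


def parse(text):
    """Yield (timestamp, level, logger, message); stack-trace lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["level"], m["logger"], m["msg"]


def summarize(text):
    """Group authentication outcomes by the last component of the logger name."""
    out = {"authenticated": [], "lookup_miss": [], "poll_skipped": 0}
    for _ts, level, logger, msg in parse(text):
        realm = logger.rsplit(".", 1)[-1]  # e.g. esnative, esusers
        if (m := AUTH_OK.search(msg)):
            roles = [r.strip() for r in m["roles"].split(",")]
            out["authenticated"].append((m["user"], realm, roles))
        elif (m := LOOKUP_MISS.search(msg)):
            out["lookup_miss"].append((m["user"], realm, level))
        elif POLL_SKIP.search(msg):
            out["poll_skipped"] += 1
    return out
```
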