Catch 22 with creating passwords

Elastic Stack Elasticsearch
1

Running Elastic 7.12 Basic (I assume)

I'm stuck in a Catch 22 - when I enable x-pack security I cannot connect to elastic for setting passwords. When I disable x-pack security, and go to set passwords, it tells me security is not enabled on this system

when I do this:

#xpack.security.enabled: true
#xpack.security.transport.ssl.enabled: true

I can run elastic without authentication
but I want/need to run in secure mode

if I enable or uncomment the above and run bin/elasticsearch-setup-passwords interactive, it says it cannot connect to elastic

can anyone assist me on this? Thanks!

2

Hi
You need to set up built-in users passwords

4

The default username is elastic and password is changeme . You can check if authentication is enabled by running the same command you ran to check if Elasticsearch is working.

5

If I set xpack.security.enabled: true - I cannot use my cluster
If I set xpack.security.enabled: false - I cannot set any passwords
To tell you the truth. I have not even gotten into how to use authenticated users yet
so what's the command for testing if elastic is running while xpack is enabled?

6

enable xpack and login with elastic:changeme.
Did it work?

7

also, In order to successfully start elastic with xpack security enabled, I needed to add xpack.security.transport.ssl.enabled: true

could it be that I MUST have an ssl cert in place in order to connect to elastic?

8

How do I get prompted for a login?

9

I just tried to load the url for Kibana and get:

{"statusCode":401,"error":"Unauthorized","message":"missing authentication credentials for REST request [/.kibana_7.12.0/_search?from=0&rest_total_hits_as_int=true&size=1000]: security_exception"}

with xpack enabled

Thank you for your help BTW!

10

I suggest you start from the beginning.

This is my setting for x-pack (in dev machine)

discovery.type: single-node
xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full 
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/DEV00V01.p12 
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/DEV00V01.p12

Not sure what's going on with your settings.

1 Like
11

I have the second 2 lines of your config and this:
discovery.zen.ping.unicast.hosts: ["192.168.0.4", "192.168.0.2", "192.168.0.3"]

12

ssl enabled if you want secure login to kibana. i.e https

13

yes I have ssl enabled, but no cert yet

14

@ricwhitney

Here is a step by step through that I wrote for a single secured Elasticsearch node with Kibana. It has worked for others.

I am not sure what configuration state you are in, but I would probably start over.

15

I'll take a Look at your guide.
I just started this morning
I had a successful cluster running yesterday (and can again by commenting the xpack stuff)
1 master node and two data nodes

16

Just be carefull as you are not running single node. Don't add this.

# Add the rest of these settings at the bottom of the file
discovery.type: single-node
17

Thanks, I figured I should not

18

Also did you see this? Trouble with the setup-password command. I am not sure which error you were getting.

Yes I would set up all the certs etc before you try to run the setup-passwords command... My walk through should have the correct "Meta Process" you will just need to make sure you do it all correct on all 3 nodes. setup-passwords is only run once though (in case that was not clear)

19

setup-passwords only once - on the master only? or once each on the three servers?

20

Once for the cluster.... Assuming you have a fully formed cluster.

On the master should be fine.

BTW 1 master + 2 Data ... Me I would do 3 Master / Data... more resilient, that is just my perspective.

1 Like
21

Thank you and Thanks for the perspective