Connection error to a secured Elasticsearch: unable to authenticate user

oferbar00 · February 19, 2021, 10:46pm

Hello,

I am trying to create a track from an Elasticsearch node (v7.5.2) that is running on a Windows server 2019 VM and using TLS with basic authentication.

From the rally (v2.0.4) machine I am able to curl to it just fine:

curl -k -H "Authorization:Basic ###############" https://elastic_vm:9200

However, when trying to create a track:

esrally create-track --track=my_track--target-host=elastic_vm:9200 --client-options="use_ssl:true,verify_certs:false,basic_auth_user:'user',basic_auth_password:'password',http_compress:true"

I get the error:

[ERROR] Cannot create-track. AuthenticationException(401, 'security_exception', 'unable to authenticate user [user] for REST request [/]').

What am I still missing?

Thanks!

Wolfram_Haussig · February 20, 2021, 7:16am

Hi,

I think esrally is trying to ping your elasticsearch host by calling https://elastic_vm:9200 . If you have enabled security accessing / requires monitor privileges ( I had the same problem with the .NET NEST client).

Options:

Grant your user monitor privileges (at least cluster:monitor/main)
check if you can disable the ping for esrally

Best regards
Wolfram

oferbar00 · February 20, 2021, 9:42pm

Hi,

Thanks for responding!

I did check the security of the user and it has the 'superuser' role, which includes all access to the cluster.
Regarding esrally ping, I wasn't able to find any reference to that, maybe they use a different term?

Unfortunately, the logs display the same error that I included in this post, so not much help there, unless there is some debug output that can enabled?

Thank you!

Wolfram_Haussig · February 21, 2021, 5:26am

Hi,

This sounds like there is a problem with the esrally configuration and I have no experience with that. I checked the documentation of esrally and found the following hint:

Avoid the characters ' , , and : in user name and password as Rally’s parsing of these options is currently really simple and there is no possibility to escape characters.

Can you check your user and password for this characters?

If this doesn't help maybe you should create an issue with esrally as it does not seem to be an Elasticsearch problem as you can login using curl.

Best regards
Wolfram

oferbar00 · February 21, 2021, 4:07pm

Hi,
Yes, I already verified those characters and they are not part of the user name or password.
There is also an issue opened with ES support and I'm waiting for a reply.

Thanks