Does watcher 1.0 support PKI-based authentication like later versions of watcher do? I see "When you use PKI-based authentication instead of HTTP basic auth, you don't need to store any authentication information in the watch itself. To use PKI-based authentication, you configure the SSL keystore path and password for Watcher in elasticsearch.yml. If the watcher.http.ssl.keystore.path and watcher.http.ssl.keystore.password are not set, the Watcher HTTP client falls back to the Shield settings, shield.ssl.keystore.path and shield.ssl.keystore.password." at https://www.elastic.co/guide/en/watcher/current/actions.html if version 2.4 is selected. (And perhaps it's in the info for other versions as well, I didn't check.) But when I switch to 1.0, the PKI/SSL info is not there.
(Yes, we are going to upgrade. Beginning of the year!)
Also, if 1.0 does support PKI-based auth, is it still workable without shield? We are not using shield. If that combination is possible, then... if I have watcher running on the marvel cluster (watching the data sent from the main cluster to the marvel cluster), do I install the cert into the machine store on each marvel node as well as configuring the watcher.http.ssl.truststore.path and watcher.http.ssl.truststore.password values in the .yml on each marvel node?
I just checked, and it looks as if we added the documentation later on, but using those settings should be possible in watcher 1.0 as well.
Also shield was just used as an example to use PKI based auth in the docs. You can use the watcher http client to connect to any PKI based auth as long as the other side is actually checking that cert like shield does.
If you have watcher running on a cluster, those settings and stores need to be configured and available on all of the nodes.
That leads to another question. I've got a cert installed on each of the marvel nodes (which is where watcher is running), and have the watcher.http.ssl.keystore.path and watcher.http.ssl.keystore.password values set. And I've restarted elasticsearch on each node on that cluster. The service started fine on each and the watches are executing fine, we're only seeing errors on the webhook action. In the error we're getting back, elasticsearch is referring to http even though the webhook action.port is 443. Curious about that.
Especially the xxx:9200: part looks broken, it should be http://xxx.xxxx.com:9200/watch_jvmheapusedpercentemail2 or similar. Also that URL is still HTTP, so maybe there are some leftovers?
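An added example (not from either poster or from the Elastic docs) putting the two pieces discussed in this thread side by side: the per-node elasticsearch.yml keystore/truststore settings for the Watcher HTTP client, and a watch whose webhook action explicitly sets the scheme to https alongside port 443, since a webhook action that only sets the port is assumed to keep the default http scheme and produce a URL like http://host:443. The file paths, passwords, host and watch id are constructed placeholders.

```yaml
# elasticsearch.yml -- needed on EVERY node that runs Watcher (constructed paths/passwords)
# Client certificate presented to the webhook endpoint (PKI auth, no credentials in the watch).
watcher.http.ssl.keystore.path: /etc/elasticsearch/certs/watcher-client.jks
watcher.http.ssl.keystore.password: CHANGE-ME-keystore
# CA(s) the Watcher client trusts when validating the endpoint's server certificate.
watcher.http.ssl.truststore.path: /etc/elasticsearch/certs/watcher-truststore.jks
watcher.http.ssl.truststore.password: CHANGE-ME-truststore
---
# Watch body (JSON, which is valid YAML), registered with:
#   PUT _watcher/watch/jvmheapusedpercent_email2
# The "scheme" key is the assumed fix for the http://...:443 symptom above.
{
  "trigger":   { "schedule": { "interval": "5m" } },
  "input":     { "simple": { "cluster": "marvel" } },
  "condition": { "always": {} },
  "actions": {
    "notify_https_webhook": {
      "webhook": {
        "scheme":  "https",
        "host":    "xxx.xxxx.com",
        "port":    443,
        "method":  "post",
        "path":    "/watch_jvmheapusedpercentemail2",
        "headers": { "Content-Type": "application/json" },
        "body":    "{\"watch\": \"{{ctx.watch_id}}\", \"cluster\": \"{{ctx.payload.cluster}}\"}"
      }
    }
  }
}
```

Without "scheme": "https" the client would send plaintext HTTP to port 443, and the keystore above would never be used for that request because no TLS handshake takes place.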