Elasticsearch 7.2 on Windows security problem

TLDR; it seems the built-in account set is losing credential setup information under certain conditions, maybe due to incorrect config? See config below. Now for story time...

I have a basic license, single node installation of Elasticsearch, being used as a data repository for a Python application. I'm very new to Elastic in general so don't assume I know what I'm doing with server config. I managed to configure SSL and turn on authentication, but the built-in accounts (especially "elastic") aren't holding their passwords. In fact, once they "let go", I can set them again using the "bin\elasticsearch-setup-passwords" utility (subsequent attempts to use the utility fail with the usual error until the event recurs). There are no entries in the log when this happens, other than a failed elastic login from me attempting and failing a call to learn that the problem has recurred. It doesn't coincide with an elastic service restart, and there are no errors in the elasticsearch.log other than the auth failures.

My guess is that I have done something unexpected with config, or there's something that "should" be obvious to me that I've missed that is somehow causing the basic creds to not persist. What's interesting is that every "loss" of built-in creds seems to coincide with a call from Postman that hangs (never returns, isn't logged, interesting...). I have never seen the behavior when making calls from Python (requests library, not the elastic one).

elasticsearch.yml:

bootstrap.memory_lock: true
cluster.name: elasticsearch
network.host: 0
discovery.seed_hosts: 127.0.0.1
http.port: 443
node.data: true
node.ingest: true
node.master: true
node.max_local_storage_nodes: 1
node.name: data
path.data: C:\ProgramData\Elastic\Elasticsearch\data
path.logs: C:\ProgramData\Elastic\Elasticsearch\logs
transport.tcp.port: 9300
xpack.license.self_generated.type: basic
xpack.security.enabled: true
xpack.security.authc.accept_default_password: false
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs\azure-fqdn-redacted.p12
xpack.security.transport.ssl.truststore.path: certs\azure-fqdn-redacted.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs\azure-fqdn-redacted.p12
xpack.security.http.ssl.truststore.path: certs\azure-fqdn-redacted.p12

I am by no means an ES expert, but if I had to guess, something in Postman may be trucking it over your .security index. See: https://www.elastic.co/guide/en/elastic-stack-overview/current/built-in-users.html

Hope that helps!
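One way to test the hypothesis in the reply above, as an added example that is not part of the original thread: snapshot the identity of the index behind the `.security` alias while the passwords still work, take another snapshot after resetting them, and compare. A changed uuid or creation_date means the index was deleted and created again. The function names, the `.security-7` index name and the sample responses are assumptions constructed for illustration.

```python
import base64
import json
import ssl
import urllib.request


def fetch_security_settings(base_url, user, password, cafile=None):
    """GET <base_url>/.security/_settings as a superuser; returns parsed JSON."""
    req = urllib.request.Request(base_url.rstrip("/") + "/.security/_settings")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: CA that signed the node cert
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def index_identity(settings):
    """Map each concrete index behind the alias to (uuid, creation_date in ms)."""
    return {
        name: (body["settings"]["index"]["uuid"],
               int(body["settings"]["index"]["creation_date"]))
        for name, body in settings.items()
    }


def recreated_indices(before, after):
    """Names whose uuid or creation_date changed, or that vanished, between snapshots."""
    old, new = index_identity(before), index_identity(after)
    return sorted(name for name in old if new.get(name) != old[name])


# Constructed sample responses (not captured from the poster's node).
BASELINE = {".security-7": {"settings": {"index": {
    "uuid": "AAAAconstructedUUID0001", "creation_date": "1563000000000"}}}}
AFTER_RESET = {".security-7": {"settings": {"index": {
    "uuid": "BBBBconstructedUUID0002", "creation_date": "1563400000000"}}}}

if __name__ == "__main__":
    print(recreated_indices(BASELINE, BASELINE))
    print(recreated_indices(BASELINE, AFTER_RESET))
```

Saving the output of `fetch_security_settings` to a file right after each password reset gives the baseline for the next comparison, and the new creation_date narrows down when the index was replaced.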
