Enable Security with zero downtime

P_Gong · July 17, 2019, 12:09am

We already have an ES cluster running WITHOUT authentication and TLS. We are trying to enable the security feature.
Is it possible to achieve this with zero down time? Two aspects of the problem:

Cluster internal communication. Once xpack.security.transport.ssl.enabled on some nodes are enabled.
Is it still possible for nodes(disabled) to communicate with nodes(enabled)?
If it is not possible, will the cluster be in a consistent state after we rolling upgrade all of the nodes?
Is there way for ES to have one port for http and another port for https? So we can rolling upgrade application to switch to https(from http)?

Thanks a lot!

gabriel_tessier · July 17, 2019, 12:59am

Hi @P_Gong,

According to the documentation you must do a full restart:

Enabling TLS requires a full cluster restart. Nodes that have TLS enabled cannot communicate with nodes that do not have TLS enabled. You must restart all nodes to maintain communication across the cluster.

As the TLS lower version is from version 6.8 I guess that you may upgrade to at least this version...

DavidTurner · July 17, 2019, 7:24am

What @gabriel_tessier says is right, but just to add that this is something we're working on.

P_Gong · July 17, 2019, 4:21pm

Thanks a lot @gabriel_tessier, @DavidTurner

system · August 14, 2019, 4:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.