Hi Guys from Elastic.
Could you help me to understand
Objective:
Use the security (X-pack) to connect Kibana with our G-SUITE users and inherit groups
We did a test using elastic and kibana keystore and it works fine [basic license without TLS], but as I read, this will only work in cluster mode if we use a TLS implementation because we need elastic in production mode (and cluster mode, I think, enables the production mode).
The use of TLS between fluentd -> Elastic -> Kibana is not our idea as this flow will use internal transport. From Kibana to outside, yes SSL is mandatory.
Just 3 simple questions will help me to clarify my mind 
- Do I need a Platinum or Enterprise Licence if I want to integrate with Google Accounts, right?
- If we are still using a basic license, must TLS be enabled?
- Is it possible to turn off TLS if we buy a Premium license?
I've found an answer from Marius Dragomir [Security must be explicitly enabled when using a [basic] license](Issue 222602) but not all topics were covered.
@Marius_Dragomir maybe you can help me!
Thanks in advance!
Cheers
Antonio Marques
Hi Antonio,
I can help, of course.
- If you're using SSO (like SAML) for Google Accounts, you will need a Platinum license. I am not aware of an LDAP-like offering from Google. That would let you use the Gold license.
- You can do this without TLS. We've recently created this doc, which shows some scenarios and how to set them up.
Configure security for the Elastic Stack | Elasticsearch Guide [7.12] | Elastic
- For this one I am not sure 100%, there have been some changes recently here, I'm reaching out to the team to get a definitive answer for it.
I got an update to #3.
The requirement for TLS:
- You have a multi-node cluster where nodes do not reside on the same host (transport layer of elasticsearch is not bound on localhost)
- Security features are enabled (xpack.security.enabled: true)
- You have any license other than trial
then
Transport layer TLS for elasticsearch needs to be enabled and configured, otherwise elasticsearch nodes will fail to start.
So you need all 3 to be forced to use TLS for the ES nodes connections.
@Marius_Dragomir Thanks a lot for your answer and time.
Awesome!
Just to get 100%
I'll need to configure TLS certificates between Elastic nodes and also for Kibana to Elastic and Fluent (in my case) to Elastic too, right?
Kibana to elastic is http, afaik. The only enforced one is between ES nodes, for the transport layer.
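The transport-layer TLS requirement discussed in this thread, written out as an `elasticsearch.yml` fragment for one node of a multi-host cluster. This is an added example, not part of the original posts; the cluster name, node names, IP addresses and certificate file name are constructed placeholders.

```yaml
# elasticsearch.yml for node es-node-1 (all names and addresses are constructed)
cluster.name: logging-cluster
node.name: es-node-1

# Condition 1 from the thread: transport is bound to a non-localhost address
# because the other nodes live on different hosts.
network.host: 10.0.0.11
discovery.seed_hosts: ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
cluster.initial_master_nodes: ["es-node-1", "es-node-2", "es-node-3"]

# Condition 2 from the thread: security features are enabled.
xpack.security.enabled: true

# Condition 3 (any license other than trial) is not set in this file.
# With all three conditions met, the thread states that nodes fail to start
# unless transport TLS is enabled and configured, as below.
xpack.security.transport.ssl.enabled: true
# "certificate" checks that the peer certificate is signed by a trusted CA
# without hostname verification; "full" also verifies the hostname.
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
# Assumed file name: a PKCS#12 bundle placed in the Elasticsearch config
# directory on every node, containing the node certificate and the CA.
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

# HTTP-layer TLS (the connections from Kibana and Fluentd) is a separate
# group of settings and is not part of the enforced transport requirement
# described in the thread. Set to true and configure a certificate to
# encrypt client traffic as well.
xpack.security.http.ssl.enabled: false
```

Keystore and truststore passwords, if the bundle has one, belong in the Elasticsearch keystore rather than in this file.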