Enabling Authentication and Licensing

Hi Guys from Elastic.
Could you help me to understand

Objective:
Use the security (X-pack) to connect Kibana with our G-SUITE users and inherit groups

We did a test using elastic and kibana ketstore and works fine [basic license without TLS], but as I read, this only will works in cluster mode if we use TLS implementation because we need elastic in production mode (and cluster mode, I think, enable the production mode).

The use of TLS between fluentd -> Elastic -> Kibana is not our idea as this flow will use internal transport. From Kibana to outside, yes SSL is mandatory.

Just 3 simple questions will help me to clarify my mind :slight_smile:

  1. Do I need a Platinum or Enterprise Licence if I want to integrate with Google Accounts, right?
  2. If we still using a basic license, TSL must be enabled?
  3. Is possible to turn off the TLS If we buy a Premium license?

I've found an answer from Marius Dragomir [Security must be explicitly enabled when using a [basic] license](Issue 222602) but not all topics were covered.
@Marius_Dragomir maybe you can help me!

Thanks in advance!

Cheers

Antonio Marques

Hi Antonio,
I can help, of course.

  1. If you're using SSO(like SAML) for Google Accounts, you will need platinum license. I am not aware of an LDAP like offering from Google. That would let you use the Gold license.
  2. You can do this without TLS. We've recently created this doc, which shows some scenarios and how to set them up.
    Configure security for the Elastic Stack | Elasticsearch Guide [7.12] | Elastic
  3. For this one I am not sure 100%, there have been some changes recently here, I'm reaching out to the team to get a definitive answer for it.
1 Like

I got an update to #3.

The requirement for TLS:
- You have a multi node cluster where nodes do not reside on the same host ( transport layer of elasticsearch is not bound on localhost )
- Security features are enabled ( xpack.security.enabled: true)
- You have any license other than trial
then
Transport layer TLS for elasticsearch needs to be enabled and configured, otherwise elasticsearch nodes will fail to start

So you need all 3 to be forced to use TLS for the ES nodes connections.

@Marius_Dragomir Thanks a lot for your answer and time.
Awesome!

Just to get 100%
I'll need to configure TLS certificates between Elastic nodes and also for Kibana to Elastic and Fluent (in my case) to Elastic too, right ?

Kibana to elastic is http, afaik. The only enforced one is between ES nodes, for the transport layer.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.