Enabling authentication for a live cluster

security

(Chris Blackwell) #1

We have a live cluster with platinum level license, but it's running with no authentication. I'd like to enable xpack security, and take advantage of the user/roles & spaces features of kibana to segment access.

Are there any docs setting out this processes, everything i've seen seems to be concerned with setting up a new cluster.


(Albert Zaharovits) #2

Hi Chris,

It is not possible to toggle authentication on a live ES cluster. Nodes need to be restarted for the authentication settings to be picked up. Specifically xpack.security.enabled: true cannot be configured dynamically because secured nodes cannot communicate with non-secured nodes. If you have xpack.security.enabled: true enabled, and you need to configure the authentication realms, then a full cluster restart can be avoided, by changing realm settings on one node at a time and then restarting it.

Let me know if you need more specific details.


(Chris Blackwell) #3

Hi Albert,

I understand that we would need a full cluster restart to apply the setting xpack.security.enabled: true. So some downtime for that would be ok.

I guess what i was hoping to get a better understanding of was what pitfalls we might encounter when migrating to an authenticated setup, and whether there was a correct (or best practice) order to approach such a migration.