With the release of Elasticsearch 6.8 / 7.1 we have some questions on the right approach to enabling the base security features on an existing cluster, which we seem unable to find anywhere. Help appreciated, or someone who can point us in the right direction.
Our cluster setup looks like the following:
3 data nodes
3 dedicated master nodes
1 coordinator node / Kibana
We've been running with the security features explicitly disabled until now. I realise the steps look something like:
Update the config for Elasticsearch / Kibana
Generate certs for the nodes
Doing a restart of each node
Obviously updating any integration to use authentication
What we're not 100% sure about is: can we somehow manage doing only a rolling restart, or do we need a full cluster restart for this operation?
I'm thinking it's impossible without the full restart, since the nodes will start communicating using TLS once it's enabled, and thus it needs to be enabled on all nodes in the cluster - but I'm somehow hoping for someone offering a rolling-restart option I've simply overlooked, to avoid downtime.
Sadly, when enabling TLS it does require a full restart (so the nodes can talk to each other). Do you plan on using self-signed certs, or do you plan on using internally signed certificates? There are a few ways we can go about doing it now. I personally like the certutil with the yaml, and getting it set up that way. It can generate the CSRs or everything. Just remember to be ready for upgrade time.
Thank you for your quick reply, answer, and raising questions I had not yet considered.
After some light reading on the subject, I think the current plan will be using certutil with the yaml configuration option, and having it generate both the CA and the node certificates, since we don't have an organization CA, and the nodes aren't public facing in any way.
Once again thank you - without your questions, our upgrade night would likely have resulted in a few unnecessary hours of reading!
No problem, I'm happy to help. I'm going to send a guide I made a while ago (some of the commands may call a different item, but it should work for the certs just fine: elastic-certutil versus just certutil).
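An added example, not part of the thread or of the guide mentioned above: an instances.yml for the seven-node layout described in the question, as input to certutil's yaml mode, followed by the transport TLS settings each node needs in place before the full restart. Node names, IP addresses and file paths are constructed placeholders.

```yaml
# ---- File 1: instances.yml (input to elasticsearch-certutil) ----
# Names and IPs are constructed (192.0.2.0/24 is a documentation range).
# Run once on one host, then copy each node's own .p12 to that node:
#   bin/elasticsearch-certutil cert --in instances.yml --keep-ca-key --out certs.zip
# With no --ca given, certutil generates its own CA; --keep-ca-key retains
# the CA private key so certificates for nodes added later can be signed
# by the same CA. Keep that key off the cluster nodes.
instances:
  - name: "data-1"
    ip: ["192.0.2.11"]
  - name: "data-2"
    ip: ["192.0.2.12"]
  - name: "data-3"
    ip: ["192.0.2.13"]
  - name: "master-1"
    ip: ["192.0.2.21"]
  - name: "master-2"
    ip: ["192.0.2.22"]
  - name: "master-3"
    ip: ["192.0.2.23"]
  - name: "coord-1"        # coordinator node that also hosts Kibana
    ip: ["192.0.2.31"]
---
# ---- File 2: additions to elasticsearch.yml (data-1 shown) ----
# Each node points at its own .p12; the path is relative to the
# Elasticsearch config directory (assumed layout: config/certs/).
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# "certificate" checks that the peer's cert is signed by the trusted CA
# but does not match hostname/IP; "full" also checks the SAN entries.
xpack.security.transport.ssl.verification_mode: certificate
# The generated PKCS#12 file holds the node key, node cert and CA cert,
# so the same file serves as keystore and truststore.
xpack.security.transport.ssl.keystore.path: certs/data-1.p12
xpack.security.transport.ssl.truststore.path: certs/data-1.p12
```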