Enabling TTL & RBAC on an existing cluster with Indexes

gsahu25 · January 17, 2020, 5:37am

Hi,

Below is the scenario.

I have a multi-node Elasticsearch cluster with indices. I want to enable the TTL,RBAC security on it.

If I follow the steps given in the documentation, would that work?
As there are indices already on it, I want to know if any precaution I need to take while working through the steps to enable TTL, RBAC.

Regards,
Gopal

ikakavas · January 17, 2020, 5:58am

Yes

Just keep in mind that now, all your users have access to all the indices. When you enable security, the users that will be authenticating will not by default have access to any indices as you will need to create and assign them roles that give them the required access to indices ( This is what RBAC is ).

gsahu25 · January 20, 2020, 11:22am

Thanks @ikakavas.

After setting up the TLS & RBAC, I am trying with below curl command. But is it giving me error.

curl -X GET --cacert -/etc/elasticsearch/cert/HOST_IP.p12 --user user:pass "https://HOST_IP:9200/_cat/indices?v"

Response:

curl: (77) Problem with the SSL CA cert (path? access rights?)

I even tried with elastic-ca-cert.p12 file, but same error.
I have given full permission to the .p12 files.

I could get response using -k option but I want to use --cacert option.

Regards,
Gopal

ikakavas · January 20, 2020, 11:35am

This is a curl question rather than an Elasticsearch one.

curl can't read CA certificates from PKCS#12 stores so you need to export the CA certificate in PEM format. Try

openssl pkcs12 -in elastic-ca-cert.p12 -cacerts -nokeys | sed '/-----BEGIN CERTIFICATE-----/,$!d' > cacert.crt

and

curl -X GET --cacert <changethis/to/the/path/to/cacert.crt> --user user:pass "https://HOST_IP:9200/_cat/indices?v"

gsahu25 · January 20, 2020, 11:53am

@ikakavas: Should I be generating .cert file from elastic-stack-ca.p12 (generated from elasticsearch-certutil ca - this would mean same .cert file across cluster) or the node specific .p12 files (.cert file for each node)?

Regards,
Gopal

ikakavas · January 20, 2020, 12:02pm

You should be using the same CA for all your nodes in your cluster, so you should have one elastic-ca-cert.p12 file, and it should be enough that curl trusts this CA certificate.

I'm using should as you haven't shared anything with us about your setup, so all we can do is guess

gsahu25 · January 20, 2020, 12:30pm

@ikakavas: I have followed the default steps given in the documentation:

generated CA
generated multiple certificates using IP, moved them to other nodes and placed them on /etc/elasticsearch/certs directory. Given permissions.
added required configurations for TSL and HTTP in elasticsearch.yml file
Generated passwords for built-in users.

With elasticsearch-certutil ca, it generated elastic-stack-ca.p12 file and with elasticsearch-certutil cert, I generated multiple HOST_IP.p12 files for nodes which i moved in step 2 above.

As you have already said there should be one elastic-ca-cert.p12, I believe you are referring to the file generated by elasticsearch-certutil ca.

Correct me if I am wrong here.

I tried with elastic-stack-ca.p12 and it works for me.

Thanks again.

Regards,
Gopal

system · February 17, 2020, 12:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.