Rally should target the same nodes that the actual clients would target in a production scenario; we are benchmarking to simulate real-world scenarios and gather performance insights.
Dedicated master-eligible nodes only have the master role, allowing them to focus on managing the cluster. While master nodes can also behave as coordinating nodes and route search and indexing requests from clients to data nodes, it is better not to use dedicated master nodes for this purpose.
So, since you have three dedicated masters, your target-hosts should target the other three nodes.
Depending on the realms you've configured (frequently it's just the native realm), you should attach your user credentials as per your example.
Regarding specifying the certificate itself, this depends on whether the Elasticsearch certificate was generated with a public or private CA. Frequently a private CA is used, in which case you'll need to present the CA certs by specifying ca_certs:<path_to_pem_file>; see the example under "Enable SSL, verify server certificates using private CA" in the Rally docs under TLS/SSL Examples.
I highly recommend reading the TLS/SSL section in the Rally docs.
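The advice above, put together as an added example (not part of the original post and not taken from the Rally docs): a small wrapper that targets only the non-master nodes and keeps certificate verification on with a private CA. The host names, CA path, user name, track and the helper function names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: Rally invocation for a TLS-enabled cluster signed by a private CA.
# Host names, paths, user and track below are placeholders, not values from the post.

# Only the three non-master nodes; the dedicated masters are deliberately left out.
TARGET_HOSTS="data-1.example.internal:9200,data-2.example.internal:9200,data-3.example.internal:9200"

# Fail early if the CA bundle is missing or is not PEM, so a handshake error
# is not "fixed" later by switching verify_certs off.
check_ca_bundle() {
  ca_path="$1"
  [ -r "$ca_path" ] || { echo "CA bundle not readable: $ca_path" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_path" \
    || { echo "no PEM certificate found in: $ca_path" >&2; return 1; }
}

# Print the value for --client-options: TLS on, server certificate verified
# against the private CA, basic-auth credentials attached.
build_client_options() {
  opt_ca="$1"; opt_user="$2"; opt_pass="$3"
  check_ca_bundle "$opt_ca" || return 1
  printf "use_ssl:true,verify_certs:true,ca_certs:'%s',basic_auth_user:'%s',basic_auth_password:'%s'" \
    "$opt_ca" "$opt_user" "$opt_pass"
}

# Run the benchmark against an existing cluster (benchmark-only pipeline).
run_race() {
  race_opts="$(build_client_options "$1" "$2" "$3")" || return 1
  esrally race --track=geonames --pipeline=benchmark-only \
    --target-hosts="$TARGET_HOSTS" \
    --client-options="$race_opts"
}

# Usage (password taken from the environment rather than typed into shell history):
#   run_race /etc/rally/ca.pem rally_user "$ES_PASSWORD"
```

The password still ends up in the esrally process arguments, so run this from a host where other users cannot list your processes, and use a benchmark-only account.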