I have v7.2 of Elasticsearch installed on 3 nodes for years working fine, however creating a new install of v7.2 (swapping server hardware) I am now getting the following issue, but using same configuration. Getting:
Authentication failed using realms [reserved/reserved,file/default_file,native/default_native]. Realms [pki/pki1] were skipped because they are not permitted on the current license
Q1 - Whilst now latest versions of ES seem to have PKI requiring a subscription, does the older v7.2 actually require a subscription? I'm assuming no as it was not required a few years back when our v7.2 Elasticsearch was installed on 3 nodes, and is still running fine...
Q2 - If it is required now, why would installing it now (i.e. version 7.2) be triggering this? Is there a "call home" check? [I do note on these servers we did start by installing v8 before realising we needed to match the versions to version v7.2]
Thanks @TimV - ok if I ask if you/someone knows answers to these:
Q1 - Based on the config/usage I have there, is that considered PKI?
Q2 - wondering why 4-5 years ago the cluster did run up fine, and still runs? To me this implies it must have been allowable for clusters created at this point in time.
Note: The weird thing is I built the new cluster on the new hardware using the same v7.2 install zip file and config, so trying to understand what is different.
Q3 - I do see the new hardware install has a recent "issue_date" in the license (after doing a GET _license - had to turn off security to let elastic be able to start up so I could run this). I tried a "PUT /_license" from our working test cluster (which is on old hardware) but got "Installing basic licenses is no longer allowed". Is there another approach I could use to "clone" the current cluster across to new hardware? Copy file directories across?
Yes, this is the basic configuration as mentioned in the documentation.
Were you authenticating users using certificates? Is your old cluster still up or can you get some log or evidence that a user can make a request using the pki realm and with a basic license? Like a curl to your elasticsearch using a certificate.
The error you shared is not exactly related to the pki realm, it just says that the authentication failed with all realms and it skipped the configured pki realm because of the license.
It's highly likely the new cluster also starts up fine and runs fine. That warning is not telling you that anything is broken, per se.
It looks like you are entering an incorrect password for one of your users and that is triggering a warning message that a user failed to authenticate, and a possible cause is that you have an unlicensed realm.
If you never entered an incorrect password on your old cluster then you would never see that error.
The most likely explanation is that you have never successfully used PKI authentication (except perhaps when you had a trial license enabled).
Just to confirm you're implying my configuration aligns with the fact that the "basic" license does not cover this?
In fact besides Kibana for admin, the connections are via the NEST library in .NET (using Nest;), however I do note in the config there is DNS/URL to Elastic Search, a Username & Password, and the parameter "IgnoreCertificateValidation": true.
Actually excellent point, I've probably read this as just a PKI issue... I do note that if I comment out all of the "xpack.xxx" lines in the Elasticsearch config the nodes do come up. Also let me add (should have put it in before) the first few lines leading up to this log entry:
master node changed....
license [xxxxxxxxxxxxxxxxxxxxxxxxxx] mode [basic] - valid
security index is unavailable. short circuiting retrieval of user [ServiceMonitor]
Authentication to realm default_file failed - Password authentication failed for ServiceMonitor
Authentication failed using realms [reserved/reserved,file/default_file,native/default_native]. Realms [pki/pki1] were skipped because they are not permitted on the current license
No, the setting you had is the basic configuration you need to make PKI authentication work, but for it to really work you would need a paid license, platinum or enterprise.
On a cluster with basic license this setting will just be ignored.
Kibana does not use PKI for authentication, and if when using a client you are using username and password, then you also are not using PKI for authentication.
To use the PKI realm you need a client making requests directly to elasticsearch passing a key and a certificate, if you are passing a username and password, you are using the native realm.
If you never had any client authenticating using just a certificate, then you never used the PKI realm, which is expected since this does not work without a paid license.
This may just be some issue with the configuration or some steps still missing, like the one to set up passwords.
If you just remove the pki line you would probably have the same errors, except the last one would not mention the pki realm anymore.
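An added example, not part of any post in this thread: a small triage script that reads the log messages quoted above and separates the realm that actually rejected the credentials from the realms that were only skipped for licensing. The sample log is constructed from the message texts in the thread (real lines also carry timestamp, level and node prefixes), and the function and field names are hypothetical.

```python
import re

# Constructed sample: message texts as quoted in the thread, without the
# timestamp/level/node prefixes that real Elasticsearch log lines carry.
SAMPLE_LOG = """\
license [xxxxxxxxxxxxxxxxxxxxxxxxxx] mode [basic] - valid
security index is unavailable. short circuiting retrieval of user [ServiceMonitor]
Authentication to realm default_file failed - Password authentication failed for ServiceMonitor
Authentication failed using realms [reserved/reserved,file/default_file,native/default_native]. Realms [pki/pki1] were skipped because they are not permitted on the current license
"""

LICENSE = re.compile(r"license \[[^\]]*\] mode \[(\w+)\]")
NO_INDEX = re.compile(r"security index is unavailable.*user \[([^\]]+)\]")
REALM_FAIL = re.compile(r"Authentication to realm (\S+) failed - (.+) for (\S+)")
SUMMARY = re.compile(r"Authentication failed using realms \[([^\]]*)\]"
                     r"(?:\. Realms \[([^\]]*)\] were skipped)?")

def triage(log_text):
    """Return one finding per 'Authentication failed using realms' summary."""
    findings, mode = [], None
    pending = {"user": None, "failed": [], "no_index": False}
    for line in log_text.splitlines():
        if m := LICENSE.search(line):
            mode = m.group(1)
        elif m := NO_INDEX.search(line):
            # Native realm cannot look the user up while the index is unavailable.
            pending["user"], pending["no_index"] = m.group(1), True
        elif m := REALM_FAIL.search(line):
            pending["user"] = m.group(3)
            pending["failed"].append((m.group(1), m.group(2)))
        elif m := SUMMARY.search(line):
            findings.append({
                "user": pending["user"],
                "license_mode": mode,
                "realms_tried": m.group(1).split(","),
                # Skipped realms were not consulted; they are context, not the cause.
                "realms_skipped": m.group(2).split(",") if m.group(2) else [],
                "rejected_by": pending["failed"],
                "native_realm_unavailable": pending["no_index"],
            })
            pending = {"user": None, "failed": [], "no_index": False}
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
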