When switching on transport TLS as below, the configuration has the side effect of switching on role based access control on the http frontend, which locks me out of my cluster with a request for a basic authentication password:
What actually triggers the behavior you are seeing is
xpack.security.enabled: true
which is missing from the above configuration and it is what enables authentication for the REST API. Have you looked into whether anonymous access satisfies your use case ?
We don't use "xpack.security.enabled: true" because doing so triggers a license error.
We use "xpack.security.transport.ssl.enabled: true" instead, but it seems that this triggers unintended consequences inside elasticsearch, and we have no idea what has now broken as a result.
Unfortunately the docs at https://www.elastic.co/guide/en/elasticsearch/reference/7.5/anonymous-access.html don't fully explain how to configure anonymous access in such a way that all RBAC is off. The docs refer to "role1" and "role2", implying that you have to explicitly specify every role in the server. "Every role" isn't documented in any place I can see, and the next time we do an elasticsearch upgrade we could see new roles appear that have to be explicitly suppressed lest the server suddenly breaks again.
A further issue is resources. If RBAC is initialised, how much CPU and RAM does it take up? We don't want to allocate additional resources to a thing that remains unused.
What I'm looking for is the equivalent of "xpack.rbac.enabled: false".
Annoyingly I didn't cut and paste the exception into the bug report. The exception went away when I removed the "xpack.security.enabled: true" and won't come back.
I am using v6.8.5.
You basically want all your users to do anything so you could add superuser as the role anonymous users get and all your users are superusers.
Maybe this was due to something else ? Or a misconfiguration that has since been resolved ? It will be hard to look into it if this is not reproducible.
If by "this" you mean a documented way to satisfy your use case, I don't believe we cover this somewhere explicitly - and we can change that - but the way is to use anonymous access and give superuser role to all users.
Yes. You don't even need the authz_exception: true part as this is the default value and there will never be some action that superuser can't do so there will never be an authorization exception eitherway
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
