How to add password authorization

Hi, I've set up ELK stack version 8.6.0. I've disabled authorization initially because I installed it using an Ansible playbook. Is there any way I can set up authorization from the front end after I access Kibana from the front end?

Hi @Neelam_Zanvar you need to enable security (xpack.security.enabled: true) on ES and configure a suitable realm for authorization. Refer: Realms | Elasticsearch Guide [8.6] | Elastic

The above two configurations must be done in elasticsearch.yml, and the cluster must be restarted for them to take effect.

Hi, I didn't really understand anything in it. I'm new to ELK. I did the installation without any authentication. Now I want password-based authentication. Can I do it from the front end, like set a password or something? If I make these changes in elasticsearch.yml:

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: false
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
#cluster.initial_master_nodes: ["ip-172-31-28-233.ec2.internal"]
discovery.type: single-node
# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0
xpack.security.http.ssl.client_authentication: none

The Kibana service status is active, but it's giving an error like this:

,"message":"Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: missing authentication credentials for REST request

I used the reset password tool in /usr/share/elasticsearch/bin to set a password for Elasticsearch. How do I set it up for Kibana? The Kibana front end isn't coming up after setting all security options to true in elasticsearch.yml. It says "Kibana server is not ready yet".

First off, have you reset the built-in or system user passwords for all users? I believe there are around 6 or probably more. Have you configured Kibana to use the new password to authenticate itself to ES for the connection?
xpack.security.http.ssl settings are only required if you want to enable HTTPS connections to ES, in which case you also need to provide a PEM certificate to Kibana for the SSL handshake.
Since you have a single-node cluster, you don't need transport SSL settings, since no other ES node is communicating over the transport layer.

Once you have your cluster running, only then can you opt for credential-based login into Kibana, either using Kibana UI's User Management or by configuring some realm like PKI/LDAP/etc. in ES to authenticate the users.

I installed it and then set all the security settings in elasticsearch.yml to false.

xpack.security.enabled: false

xpack.security.enrollment.enabled: false

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: false
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: false
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

I am able to access Kibana and ES.
But when I set

xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: false
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

I am getting the error in the Kibana status that it's unable to retrieve version information from ES. Kibana is active and running. On the front end I am getting "Kibana not ready".
What changes need to be made on the Kibana side? I ran elasticsearch-reset-password and it is taking the new password for ES. But when I try to change the password for the other users using

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

I am getting this error:

Failed to authenticate user 'elastic' against http://:9200/_security/_authenticate?pretty
Possible causes include:
 * The password for the 'elastic' user has already been changed on this cluster
 * Your elasticsearch node is running against a different keystore
   This tool used the keystore at /etc/elasticsearch/elasticsearch.keystore

You can use the `elasticsearch-reset-password` CLI tool to reset the password of the 'elastic' user

I have disabled http.ssl in elastic.yml and enabled transport.ssl, because if I set it to false, ES fails, saying in the logs that transport SSL has to be true if xpack.security is true.

As I read in the documentation, elasticsearch-setup-passwords is deprecated, so I set up the passwords using elasticsearch-reset-password for all the users you said.

Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

I am still missing some config on the Kibana side.
Here is the error in the log:

"message":"Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip

Fixed it! I set the passwords for all the users, disabled all security settings in elasticsearch.yml except xpack.security, and in kibana.yml I had to uncomment the elasticsearch_user and password and set them to the correct values! Thank you.

2 Likes
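The failure resolved above ("missing authentication credentials for REST request" until the Kibana credentials were uncommented) can be checked for directly. This is an added example, not part of the thread; the function names and both sample configurations are constructed, and the checks use the kibana.yml keys `elasticsearch.username`, `elasticsearch.password` and `elasticsearch.serviceAccountToken`.

```shell
#!/bin/sh
# Added example: audit the Elasticsearch credentials in a kibana.yml read from stdin.

# Print the value of an uncommented top-level key (surrounding double quotes stripped).
yaml_value() {  # usage: yaml_value <key> < config
    awk -v key="$1" '
        index($0, key ":") == 1 {
            v = substr($0, length(key) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            print v
            exit
        }'
}

# Print one finding; return 0 when Kibana has usable credentials, 1 otherwise.
audit_kibana_es_auth() {
    conf=$(cat)
    user=$(printf '%s\n' "$conf" | yaml_value elasticsearch.username)
    pass=$(printf '%s\n' "$conf" | yaml_value elasticsearch.password)
    token=$(printf '%s\n' "$conf" | yaml_value elasticsearch.serviceAccountToken)
    if [ -n "$token" ] && [ -n "$user" ]; then
        echo "conflict: serviceAccountToken cannot be combined with username"; return 1
    elif [ -n "$token" ]; then
        echo "ok: service account token configured"; return 0
    elif [ -z "$user" ] || [ -z "$pass" ]; then
        echo "missing: elasticsearch.username/password unset or commented out"; return 1
    elif [ "$user" = "elastic" ]; then
        echo "rejected: Kibana 8.x refuses the elastic superuser, use kibana_system"; return 1
    fi
    echo "ok: Kibana authenticates as $user"
}

# Constructed samples: kibana.yml before and after the fix described in the thread.
SAMPLE_BEFORE='elasticsearch.hosts: ["http://localhost:9200"]
#elasticsearch.username: "kibana_system"
#elasticsearch.password: "pass"'
SAMPLE_AFTER='elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "constructed-password"'
```

On a real host, run it as `audit_kibana_es_auth < /etc/kibana/kibana.yml` before restarting Kibana.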

Well done. In general, for password authentication there is no need for HTTPS, which you can set up later, or just set HTTPS for the Kibana interface.
The least painful approach is to increase security step by step.

1 Like

I am doing the ELK installation using an Ansible playbook, so I will be setting the password through that as well. Can you please help me with the command where I can specify the password on the command line? I have used the following command to reset the password for all users. I want to do it in a non-interactive way and specify the password in the command itself.

/usr/share/elasticsearch/bin/elasticsearch-reset-password --interactive -u elastic

Hi @Neelam_Zanvar, if your built-in user passwords have already been set up, you can just use the Change Password API: Change passwords API | Elasticsearch Guide [8.6] | Elastic
If you want to reset the built-in user password from Ansible, maybe try using a step to execute shell (I had this in Jenkins, probably similar for Ansible) and invoke reset-password and supply the value using

# -i prompts for the new password (entered twice); -b skips the confirmation prompt
./bin/elasticsearch-reset-password -i -b -u elastic <<API
${NEW_PASSWORD}
${NEW_PASSWORD}
API

where NEW_PASSWORD can either be a variable defined in Ansible or injected somehow.

So I need to do this for all the users? Like first reset the password for every user and then change it?

Generally you set up an ES cluster and reset the default password for all built-in users (either interactively or by script), and then other components of the stack are added once you have SSL configured, if required.
The initial password reset is only required for all system/built-in users, and you don't generally have to change it, unless you follow some password management policy (which is mostly the case in development/production).

Other users, if the license permits, can be managed by other realms like LDAP, Kerberos, etc. If you are using the basic license, then the only option is to create roles, role mappings and users from the Kibana -> User Management option.

It seems that for resetting the passwords using Ansible, you have raised another topic: Reset password api
And as @Yang_Wang has mentioned, you will require either the default generated password or the CLI.
However, there is another option I'd like to add here (which I used during a Jenkins-based deployment): add a new superuser using the file realm (enabled by default) and use that user to reset the passwords of the built-in users.
To add a new user, please refer here: elasticsearch-users | Elasticsearch Guide [8.6] | Elastic

I was able to figure it out. Thank you for the quick response! I first reset the password with elasticsearch-reset-password using the -b flag, saved the generated password, and then used the Change passwords API through the uri module of Ansible.

1 Like
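The flow from the last post (reset with `-b`, save the generated password, then call the Change passwords API) can be sketched in shell. This is an added example, not code from the thread: `ES_URL`, `KIBANA_PASSWORD`, the function names and the sample tool output are assumptions or constructed values.

```shell
#!/bin/sh
# Added example: reset with -b, capture the generated password, then call the
# Change passwords API. ES_URL is an assumption (HTTP, as in the thread's setup).
ES_URL=${ES_URL:-http://localhost:9200}

# Pull the generated password out of `elasticsearch-reset-password -b` output,
# which reports it on a line of the form "New value: <password>".
extract_new_password() {
    sed -n 's/^New value: //p' | head -n 1
}

# Escape backslashes and double quotes for use inside a double-quoted string.
escape_dq() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# JSON body for POST /_security/user/<name>/_password.
password_body() {
    printf '{"password":"%s"}' "$(escape_dq "$1")"
}

# change_password <user> <new_password> <elastic_password>
# Credentials go to curl on stdin and the body through a 0600 temp file,
# so neither password appears in the process list.
change_password() {
    body_file=$(mktemp) || return 1
    password_body "$2" > "$body_file"
    printf 'user = "elastic:%s"\n' "$(escape_dq "$3")" |
        curl -sS --fail -K - -X POST -H 'Content-Type: application/json' \
            --data-binary "@$body_file" "$ES_URL/_security/user/$1/_password"
    rc=$?
    rm -f "$body_file"
    return "$rc"
}

# Constructed sample of the tool's output (not captured from a real cluster).
SAMPLE_OUTPUT='Password for the [elastic] user successfully reset.
New value: c0nStruct3d-Pw_1'

# Typical use on the Elasticsearch host:
#   gen=$(/usr/share/elasticsearch/bin/elasticsearch-reset-password -b -u elastic | extract_new_password)
#   change_password kibana_system "$KIBANA_PASSWORD" "$gen"
```

In an Ansible play, mark the tasks that handle these values with `no_log: true` so the passwords stay out of the run output.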
