I have an Elastic Stack.
I need to configure basic security.
When I add xpack.security.enabled: true in elasticsearch.yml, it fails to start with the message: bootstrap check failure [1] of [1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
When I add xpack.security.transport.ssl.enabled: true, it writes to me: Failed to determine the health of the cluster running at http://172.29.39.145:9200 Unexpected response code [503] from calling GET http://172.29.39.145:9200/_cluster/health?pretty Cause: master_not_discovered_exception
It covers setting up SSL. There are a few minor tweaks to the configs regarding syntax since it was released, but it should get you where you need to be.
As documented, minimal security is not suitable for production. You should only use it if your cluster is for development purposes, e.g. a single-node cluster running locally, or all nodes running locally and bound to localhost.
If your cluster is not suitable for minimal security, you need at least basic security, which involves setting up TLS at the transport level. This includes configuring xpack.security.transport.ssl.enabled: true as well as generating and configuring the relevant CA and certificates, for which you can follow the instructions for setting up basic security.
No. The documentation is laid out in a way that stronger security configuration is built on top of the previous lesser ones. So if you want basic security, you'd follow the relevant instructions for minimal security first, then move on to basic.
Start Elasticsearch again; this will result in each node shutting down again with the error message: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
So I add the mentioned setting: xpack.security.transport.ssl.enabled: true
Start Elasticsearch again; this will throw this error message:
exception caught on transport layer [Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/10.58.66.139:52938}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: No available authentication scheme etc.
If I ignore this error message and go forward with the instructions by calling elasticsearch-setup-passwords interactive, I get an error message saying: Failed to determine the health of the cluster running at http://localhost:9203 Unexpected response code [503] from calling GET http://localhost:9203/_cluster/health?pretty Cause: master_not_discovered_exception
Something must be missing in this workflow, or did you manage to move forward with this problem, @Manol27?
Maybe I should mention that we're currently running version 7.4.2 of Elasticsearch. We wanted to enable minimal and basic security before moving forward with upgrading to the current version (7.15.1).
Here is also the config on the server where I'm trying to set up passwords:
@Martin_Emanuelsson Since your cluster has multiple nodes running on different hosts, minimal security alone is not going to work for you. Please note the documentation says:
What you need is to follow both "minimal security" and "basic security" (in that order) and only restart your cluster at the end of configuring "basic security" (because minimal security alone does not work, as you have discovered already).
What your cluster is currently missing is TLS-related configuration, i.e. TLS certificate, key and CA. You can follow the relevant section in Basic Security. I believe they should work for 7.4.2 as well.
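The three configuration stages described in this thread, checked before a restart. This is an added example, not part of any post above; it assumes a flat "dotted.key: value" elasticsearch.yml, 7.x defaults, and a placeholder keystore file name, and it treats the handshake error as the missing certificate/key case named in the reply above.

```python
# Added example (not from the thread). Assumes elasticsearch.yml uses flat
# "dotted.key: value" lines and 7.x defaults (security off unless enabled).
SSL = "xpack.security.transport.ssl."

def parse_flat_yml(text):
    """Parse flat 'key: value' lines; skip blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)  # split once: values may contain ':'
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def check_security(settings):
    """Return findings for one node; an empty list means neither failure applies."""
    if settings.get("xpack.security.enabled", "false") != "true":
        return []
    if settings.get(SSL + "enabled", "false") != "true":
        return ["bootstrap check: security enabled but transport SSL is not"]
    has_keystore = SSL + "keystore.path" in settings
    has_pem = SSL + "key" in settings and SSL + "certificate" in settings
    if not (has_keystore or has_pem):
        return ["handshake: transport SSL enabled but no node key/certificate set"]
    return []

# Constructed sample configs following the three stages described in the thread.
STAGES = {
    "security only": "xpack.security.enabled: true\n",
    "ssl flag added": "xpack.security.enabled: true\n"
                      "xpack.security.transport.ssl.enabled: true\n",
    "certs configured": "xpack.security.enabled: true\n"
                        "xpack.security.transport.ssl.enabled: true\n"
                        "xpack.security.transport.ssl.verification_mode: certificate\n"
                        "xpack.security.transport.ssl.keystore.path: elastic-certificates.p12  # placeholder\n"
                        "xpack.security.transport.ssl.truststore.path: elastic-certificates.p12\n",
}

def audit(stages=STAGES):
    """Map each stage name to its findings."""
    return {name: check_security(parse_flat_yml(text)) for name, text in stages.items()}

if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "->", findings or "ok")
```

Run it against every node's file before restarting the cluster; the same settings have to be present on all nodes.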
I solved it by removing the data folder on each node and running again with only minimal security.
You shouldn't run your cluster before minimal security is on.
You can't generate certificates without minimal security.
OK, the part of not starting the nodes in the cluster before finalizing both minimal and basic security has not been very clear to me, thanks for mentioning that, will give that a try.
But, just to be perfectly clear here: I need to take down all nodes in the cluster, set the xpack.security.enabled setting to true, and set up TLS between the nodes. Then start the nodes to be able to create passwords (part of the minimal security settings)?
Can I generate certificates (call elasticsearch-certutil) without having Elasticsearch running?