How can I prevent other elasticsearch nodes from joining my cluster. Let's say I initiate a single node elastic cluster like this:
(Notice I am using letsencrypt ssl certificates)
cluster.initial_master_nodes: ["node1"]
cluster.name: my-application
node.name: node1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: node1.example.com
http.port: 9200
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
enabled: true
key: letsencrypt/certs/node1.example.com/privkey.pem
certificate: letsencrypt/certs/node1.example.com/cert.pem
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
key: letsencrypt/certs/node1.example.com/privkey.pem
certificate: letsencrypt/certs/node1.example.com/cert.pem
http.host: 0.0.0.0
I find that any one can join my cluster by simply starting up a new elastic instance with this elasticsearch.yml
file:
discovery.seed_hosts: ["node1.evermight.com"]
cluster.name: my-application
node.name: node2
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: node2.example.com
http.port: 9200
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
enabled: true
key: letsencrypt/certs/node2.example.com/privkey.pem
certificate: letsencrypt/certs/node2.example.com/cert.pem
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
key: letsencrypt/certs/node2.example.com/privkey.pem
certificate: letsencrypt/certs/node2.example.com/cert.pem
http.host: 0.0.0.0
It seems like node2 doesn't need to do any kind of authentication or verification with node1. So for now, I'm only using a firewall to whitelist IP addresses of machines that I will allow to join my elastic cluster.
Is there another way to prevent other nodes from joining my elasticsearch cluster?
Additional Notes: I noticed that if node1 uses autogenerated self signed certificates, then no other nodes can join the cluster. The only way for other nodes to join the cluster would be for the other nodes to first run ./bin/elasticsearch-reconfigure-node --enrollment-token <token issued by node1>
.
Which if were to guess...my guess is that running ./bin/elasticsearch-reconfigure-node
on node2 causes node2 to some way to download intermediate ssl certificates from node1. Therefore, node1 and node2 only trust each other based the trust of intermediate ssl certificate authorities.
And how it relates to my above situation...by using Let's Encrypt SSL for both node 1 and node 2, both certificates are already verified and have trusted CA, so node 1 will automatically allow node 2 to join.
Is it something like that?