I got the exception when I added kerberos authentication to es

Hello,
My es was running fine, but when I added kerberos authentication and restarted, I got the following error:

[2023-09-15T23:09:36,876][WARN ][o.e.x.s.a.s.m.NativeRoleMappingStore] [bsa264] Failed to clear cache for realms [[kerb1]]
org.elasticsearch.ElasticsearchException: Security must be explicitly enabled when using a [trial] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node.
        at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.apply(SecurityActionFilter.java:116) ~[?:?]
        at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:151) ~[elasticsearch-7.5.2.jar:7.5.2]
        at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:129) ~[elasticsearch-7.5.2.jar:7.5.2]
        at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:64) ~[elasticsearch-7.5.2.jar:7.5.2]
        at org.elasticsearch.client.node.NodeClient.executeLocally(NodeClient.java:83) ~[elasticsearch-7.5.2.jar:7.5.2]
        at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:72) ~[elasticsearch-7.5.2.jar:7.5.2]
        at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:396) ~[elasticsearch-7.5.2.jar:7.5.2]
        at org.elasticsearch.xpack.core.security.client.SecurityClient.clearRealmCache(SecurityClient.java:133) ~[?:?]
        at org.elasticsearch.xpack.core.ClientHelper.executeAsyncWithOrigin(ClientHelper.java:75) ~[?:?]
        at org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore.refreshRealms(NativeRoleMappingStore.java:340) ~[?:?]
        at org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore.onSecurityIndexStateChange(NativeRoleMappingStore.java:328) ~[?:?]
        at org.elasticsearch.xpack.security.support.SecurityIndexManager.clusterChanged(SecurityIndexManager.java:236) ~[?:?]
        at org.elasticsearch.cluster.service.ClusterApplierService.lambda$callClusterStateListeners$6(ClusterApplierService.java:527) ~[elasticsearch-7.5.2.jar:7.5.2]
        at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948) [?:1.8.0_211]
        at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:742) [?:1.8.0_211]
        at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:580) [?:1.8.0_211]
        at org.elasticsearch.cluster.service.ClusterApplierService.callClusterStateListeners(ClusterApplierService.java:523) [elasticsearch-7.5.2.jar:7.5.2]
        at org.elasticsearch.cluster.service.ClusterApplierService.applyChanges(ClusterApplierService.java:498) [elasticsearch-7.5.2.jar:7.5.2]
        at org.elasticsearch.cluster.service.ClusterApplierService.runTask(ClusterApplierService.java:432) [elasticsearch-7.5.2.jar:7.5.2]
        at org.elasticsearch.cluster.service.ClusterApplierService.access$100(ClusterApplierService.java:73) [elasticsearch-7.5.2.jar:7.5.2]
        at org.elasticsearch.cluster.service.ClusterApplierService$UpdateTask.run(ClusterApplierService.java:176) [elasticsearch-7.5.2.jar:7.5.2]
        at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:703) [elasticsearch-7.5.2.jar:7.5.2]
        at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:252) [elasticsearch-7.5.2.jar:7.5.2]
        at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:215) [elasticsearch-7.5.2.jar:7.5.2]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_211]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_211]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_211]

And when I followed the documentation to do "Map Kerberos users to roles", I got the error too.

{"error":{"root_cause":[{"type":"exception","reason":"Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."}],"type":"exception","reason":"Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."},"status":500}

My elasticsearch.yml :

The error message tells you what you need to do - you need to enable security by setting xpack.security.enabled to true.

Is it necessary to enable xpack authentication before kerberos authentication? Wouldn't I need both username-password and keytab to access es?

After I added these xpack settings, I started es successfully. But I got the following error when I verified:

I have executed "kinit":

So why? Help me please.

And actually the documentation doesn't mention setting [xpack.security.enabled], and I can't find the message about the error. But it is mentioned somewhere that kerberos authentication can't be supported in the [basic] version; does that cause the error?

And here is the kerberos documentation I refer to, is there more detailed documentation?

Yes, because you cannot have Kerberos Authentication if you don't have authentication. If the Elasticsearch security features have been turned off, then there is no way to configure & use Kerberos - it is part of the security features.

You can configure some parts of Kerberos authentication without enabling all of security, but you eventually run into steps that cannot be completed while security is turned off.

That is correct. At some point you seem to have switched from a trial license to a basic license. Kerberos authentication is not available on a basic license.
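
The two conditions raised in the replies above (security explicitly enabled, and a licence other than basic) can be checked before restarting a node. The following is an added example, not part of the thread and not Elastic's code: it reads the text of elasticsearch.yml and the JSON body returned by `GET /_license`. The function names, problem codes and sample inputs are constructed for illustration, and the YAML reader only handles plain key/value mappings.

```python
import json

KERB = "xpack.security.authc.realms.kerberos."

def flatten_yaml(text):
    """Flatten the plain-mapping subset of elasticsearch.yml into dotted keys."""
    settings, stack = {}, []               # stack holds (indent, key) of open parents
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                    # leave mappings we have dedented out of
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            settings[path] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return settings

def kerberos_preflight(yml_text, license_json):
    """Return codes for problems that stop a configured Kerberos realm from working."""
    settings = flatten_yaml(yml_text)
    realms = {k[len(KERB):].split(".")[0] for k in settings if k.startswith(KERB)}
    if not realms:
        return []                          # no Kerberos realm configured, nothing to check
    problems = []
    # On trial and basic licences, security stays off unless it is set explicitly.
    if settings.get("xpack.security.enabled", "").lower() != "true":
        problems.append("security-not-enabled")
    lic = json.loads(license_json)["license"]
    if lic.get("status") != "active":
        problems.append("license-not-active")
    if lic.get("type") == "basic":         # per the thread: no Kerberos on basic
        problems.append("basic-license-no-kerberos")
    return problems

# Constructed sample inputs (not taken from the poster's cluster).
BROKEN_YML = """\
cluster.name: demo
xpack.security.authc.realms.kerberos.kerb1:
  order: 3
  keytab.path: es.keytab
"""
FIXED_YML = "xpack.security.enabled: true\n" + BROKEN_YML
BASIC = '{"license": {"status": "active", "type": "basic"}}'
TRIAL = '{"license": {"status": "active", "type": "trial"}}'

if __name__ == "__main__":
    print(kerberos_preflight(BROKEN_YML, BASIC))
    print(kerberos_preflight(FIXED_YML, TRIAL))
```
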
