Install ES license as config

Looking at the documentation, it appears the license can only be installed through the license API.

In my use case it would be handy to reference the license as a setting inside elasticsearch.yaml.

Essentially I would like to boot ES with PKI realm only and I don't want to configure any passwords (bin/elasticsearch-setup-passwords). However it appears I need to first configure passwords, install the license and then reboot and use PKI.

Welcome!

What is your use case?

The plan is to run ES/Kibana on Docker/Kubernetes and we would like to automate as much as possible. The other main point is that we would like to not use passwords if possible and instead opt for the PKI realm. The reason for the latter is strict rules when it comes to using any passwords, which we would like to simply avoid by going for PKI.

So unless I am mistaken, when installing and configuring ES, all security-related settings (xpack.security.* inside elasticsearch.yml) require a valid license upfront. And again, I believe that in order to install the license we would need to [PUT] /_license, which requires a valid user like elastic to have a password. I don't think we can use the bootstrap password for anything like this.

The other way around would be if the bin/elasticsearch-setup-passwords script were able to set up a password only for a specific user. This would allow us to deal with a single user/password only; again, from the first paragraph, we are trying to reduce the number of users outside of PKI to the minimum necessary.

Thank you.

There are a number of options that can work here.
Some of your assumptions aren't correct, so this is probably easier than you think it will be.

You should absolutely configure a password for the elastic user, even if you then disable the user. If you do not set a password for elastic then it will use the bootstrap password which is not a good idea for long term security.
You can set a password using the _password API if you don't want to use the elasticsearch-setup-passwords tool, but please do not run your cluster without setting the password for elastic.

No, you don't actually need to do any of that.

What you want to do is:

  • Start the cluster in trial mode by setting xpack.license.self_generated.type: trial in your elasticsearch.yml
  • Enable all your TLS settings, and PKI realm
  • Configure a file-based role mapping for your "administrator" certificate, to grant it an administrative role (e.g. superuser)
  • Start your cluster
  • Use the "administrator" certificate to authenticate, and install your license.
  • Use the "administrator" certificate to authenticate, and set a password on the elastic user, and disable the user (you may wish to disable all builtin users).

And then you're done.

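The six steps in the answer above, worked through as a bootstrap script. This is an added example, not code from the thread or from Elastic; it assumes Elasticsearch 7.x setting names and API paths (6.x spells the realm as xpack.security.authc.realms.pki1.type: pki and prefixes the security APIs with /_xpack), PEM files named node.key/node.crt/ca.crt/admin.crt/admin.key under ES_CERT_DIR, an admin client certificate whose subject is ADMIN_DN, and a license file at LICENSE_JSON. The config phase runs before the node starts; the post-start phase talks to the HTTP API with the admin certificate only, so no password is ever typed in.

```shell
#!/usr/bin/env sh
# Added example: PKI-only bootstrap of an Elasticsearch node (not Elastic's code).
# All paths, the admin DN and the password handling below are assumptions.
set -eu

ES_CERT_DIR="${ES_CERT_DIR:-/usr/share/elasticsearch/config/certs}"
ES_URL="${ES_URL:-https://localhost:9200}"
ADMIN_DN="${ADMIN_DN:-CN=admin,OU=ops,O=Example Corp}"  # assumed subject of admin.crt
ES_DRY_RUN="${ES_DRY_RUN:-0}"                            # 1 = print curl instead of running it

# Steps 1-2: trial license, TLS on both layers, and a PKI realm.
write_elasticsearch_yml() {
  dir="$1"
  cat > "$dir/elasticsearch.yml" <<EOF
xpack.license.self_generated.type: trial
xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: ${ES_CERT_DIR}/node.key
xpack.security.transport.ssl.certificate: ${ES_CERT_DIR}/node.crt
xpack.security.transport.ssl.certificate_authorities: [ "${ES_CERT_DIR}/ca.crt" ]

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: ${ES_CERT_DIR}/node.key
xpack.security.http.ssl.certificate: ${ES_CERT_DIR}/node.crt
xpack.security.http.ssl.certificate_authorities: [ "${ES_CERT_DIR}/ca.crt" ]
# The PKI realm takes the caller's DN from the client certificate presented on HTTPS.
xpack.security.http.ssl.client_authentication: required

xpack.security.authc.realms.pki.pki1.order: 0
EOF
}

# Step 3: file-based role mapping; the admin certificate's DN becomes superuser.
write_role_mapping() {
  dir="$1"
  cat > "$dir/role_mapping.yml" <<EOF
superuser:
  - "${ADMIN_DN}"
EOF
}

# curl wrapper: mutual TLS with the admin client certificate, no credentials.
es_curl() {
  if [ "$ES_DRY_RUN" = "1" ]; then
    echo "curl --cacert ${ES_CERT_DIR}/ca.crt --cert ${ES_CERT_DIR}/admin.crt --key ${ES_CERT_DIR}/admin.key $*"
    return 0
  fi
  curl -sS --fail \
    --cacert "${ES_CERT_DIR}/ca.crt" \
    --cert "${ES_CERT_DIR}/admin.crt" \
    --key "${ES_CERT_DIR}/admin.key" \
    -H 'Content-Type: application/json' "$@"
}

# Step 5: replace the self-generated trial license with the real one.
install_license() {
  es_curl -XPUT "${ES_URL}/_license?acknowledge=true" --data-binary "@$1"
}

# Step 6: give elastic a real password (so the bootstrap password is dead), then disable it.
# The password is embedded in JSON as-is, so it must not contain '"' or '\'.
lock_down_elastic() {
  es_curl -XPOST "${ES_URL}/_security/user/elastic/_password" -d "{\"password\":\"$1\"}"
  es_curl -XPOST "${ES_URL}/_security/user/elastic/_disable"
}

# Other built-in users can be disabled the same way, e.g. disable_user logstash_system.
disable_user() {
  es_curl -XPOST "${ES_URL}/_security/user/$1/_disable"
}

# Usage: ES_PHASE=config sh pki-bootstrap.sh   (before starting the node, step 4 in between)
#        ES_PHASE=post-start ELASTIC_PASSWORD=... sh pki-bootstrap.sh
case "${ES_PHASE:-}" in
  config)
    write_elasticsearch_yml "${ES_CONFIG_DIR:-/usr/share/elasticsearch/config}"
    write_role_mapping "${ES_CONFIG_DIR:-/usr/share/elasticsearch/config}" ;;
  post-start)
    install_license "${LICENSE_JSON:-license.json}"
    lock_down_elastic "${ELASTIC_PASSWORD:?set ELASTIC_PASSWORD from your secret store}" ;;
esac
```

Run the config phase in the image build or an init container, start the node, then run the post-start phase once from a pod that holds the admin certificate. Setting ES_DRY_RUN=1 prints the curl commands instead of sending them, which is a cheap way to review exactly which endpoints the automation will hit before pointing it at a real cluster.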

Thank you will give this a go.