Native authentication with Basic License

We are building a 3-node elastic cluster v7.1.0 (statefulset), and single-node Kibana (deployment) on Kubernetes using basic license. Was wondering how we can implement native authentication?

Have you taken a look at the documentation at https://www.elastic.co/guide/en/elastic-stack-overview/7.3/native-realm.html?

Is there any more concrete question that you have?

Hi Alexander,

I verified the note and understand that native realm is available by default, since I do not have any other realm defined in elasticsearch.yml.
So, I started with adding the following to elasticsearch.yml
xpack.security.enabled: true
xpack.license.self_generated.type: "basic" ##We are going with a Basic(free) License
xpack.security.transport.ssl.enabled: true
After these settings, Kibana and Elastic started prompting for the password.
What additional parameters or configs are required to get the native authentication under basic license?

thanks,
Harry

It sounds to me, as if it is working when you are prompted for a password? I seem to misunderstand something.

How do I set up users? What user/pass information to pass when prompted for the passwords?

There is a full-blown tutorial guiding you through the necessary steps to set up stack internal users first (so that all components can talk to each other properly), and then start adding external users to your systems. See https://www.elastic.co/guide/en/elastic-stack-overview/7.3/security-getting-started.html

So, I enabled the settings and the logs for elastic suggested to turn on Transport SSL
ERROR: [1] bootstrap checks failed
[1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
Included the suggested param, this is the elasticsearch.yml
cluster.name: elastic-cluster-dev
network.host: "0.0.0.0"
bootstrap.memory_lock: false
discovery.zen.ping.unicast.hosts: "[elastic-host1],[elastic-host2],[elastic-host3]"
discovery.zen.minimum_master_nodes: 1
xpack.security.enabled: true
xpack.monitoring.enabled: true
xpack.license.self_generated.type: "basic"
xpack.security.transport.ssl.enabled: true

Logged into the elastic pod (on Kubernetes) and tried to run password setup, but it failed.
[root@elasticsearch-0 elasticsearch]# ./bin/elasticsearch-setup-passwords interactive

Connection failure to: http://xx.xx.xx.xx:9200/_security/_authenticate?pretty failed: Connection refused (Connection refused)

ERROR: Failed to connect to elasticsearch at http://xx.xx.xx.xx:9200/_security/_authenticate?pretty. Is the URL correct and elasticsearch running?
[root@elasticsearch-0 elasticsearch]#

The IP it is trying to connect to is for its own pod. If I try to access this URL from Chrome, I get the prompt for credential input.

Here is some information on the setup
3 nodes elastic, 1 node kibana (in Kubernetes)
We wanted Kibana to be Auth protected (Basic Auth would work), and we can control connections to elasticsearch via Network Policies on Kubernetes.
In order to set up Native Auth, I followed the following path:

  1. Started with a basic elasticsearch.yml
    xpack.monitoring.enabled: true
    xpack.license.self_generated.type: "basic"

[root@elasticsearch-0 bin]# ./elasticsearch-setup-passwords interactive
Unexpected response code [500] from calling GET http://10.22.55.114:9200/_security/_authenticate?pretty
It doesn't look like the X-Pack security feature is enabled on this Elasticsearch node.
Please check if you have enabled X-Pack security in your elasticsearch.yml configuration file.

ERROR: X-Pack Security is disabled by configuration.
[root@elasticsearch-0 bin]#

  2. Added xpack.security.enabled: true

Complained about
ERROR: [1] bootstrap checks failed
[1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]

  3. Added xpack.security.transport.ssl.enabled: true

Kibana error
{"type":"log","@timestamp":"2019-08-13T14:37:50Z","tags":["error","task_manager"],"pid":1,"message":"Failed to poll for work: [security_exception] missing authentication credentials for REST request [/.kibana_task_manager/_search?

Elastic error:
"at java.lang.Thread.run(Thread.java:835) [?:?]",
"Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure",
"at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]",

At this point, I cannot run elasticsearch-setup-passwords interactive, it gets a connection refused. Because elastic/kibana expect passwords.

How did you set up SSL? Have you generated certificates? See https://www.elastic.co/guide/en/elastic-stack-overview/7.3/encrypting-internode-communications.html

Also, there is a dedicated Elastic Cloud for Kubernetes Operator that has recently been released (with Elasticsearch 7.2 - you might want to try with a more recent version anyway). See https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-quickstart.html

In general I would try to set up Elasticsearch with TLS/Auth without Kubernetes first, see if that is working and then go from there.

Thanks for the reply, Alexander. We verified the operator but it needs some tweaks to get it running on our Kubernetes environment. So, I started by trying it via my existing setup on K8s using the link shared by you.
I have generated the CA and certs, and placed those on a persistent volume at path /var/lib/elasticsearch/certs/nodecert.p12 but elastic is failing with the following error:
"Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/lib/elasticsearch/certs/nodecert.p12" "read")",
"at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]",
"at java.security.AccessController.checkPermission(AccessController.java:1042) ~[?:?]",

Seems it is expecting files to be present in a specific directory (per your comment on Elasticsearch is not starting owing to wrong file permission). Since I am pulling the images as part of the setup on k8s, I believe it should be /usr/share/elasticsearch/config.
Is my understanding correct?

As Elasticsearch is using the Java security manager, only a certain set of directories are allowed to be read. One of those is the config directory where you should store your certificates. Others are log/data directories, any other directory cannot be read. The reason for this behaviour is to reduce the impact if anyone finds a way to read arbitrary files using Elasticsearch, as only Elasticsearch-specific files could be read then.

Thanks Alexander,
I was able to enable Auth following the links you shared. One observation, Elastic hosts were complaining about "java.security.cert.CertificateException: No subject alternative names present" while connecting to domain names. So, I turned off the host verification with
xpack.security.transport.ssl.verification_mode: certificate
After the password setup and restarting the elastic cluster, auth started working.
Had to add elastic.user to Kibana keystore for Kibana connectivity.
Thanks for your guidance!

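A preflight check for the settings discussed in this thread, as an added example that is not part of the original posts or Elastic's own tooling: it reports each failure in the order the thread ran into them. The finding names, the sample keystore lines and the `CONFIG_DIR` value are assumptions made for illustration; `keystore.path`, `truststore.path`, `key`, `certificate` and `verification_mode` are the real transport SSL setting names.

```python
import posixpath

# Config directory of the image; the path named in the thread (assumption).
CONFIG_DIR = "/usr/share/elasticsearch/config"
SSL = "xpack.security.transport.ssl."

def parse_settings(text):
    """Parse flat 'key: value' lines as posted in the thread (no nested YAML)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def preflight(text, config_dir=CONFIG_DIR):
    """Return findings in the order the failures appeared in the thread."""
    s = parse_settings(text)
    if s.get("xpack.security.enabled") != "true":
        return ["security-disabled"]           # setup-passwords refuses to run
    if s.get(SSL + "enabled") != "true":
        return ["transport-ssl-disabled"]      # bootstrap check fails on basic
    findings = []
    keys = ("keystore.path", "truststore.path", "key", "certificate")
    paths = [s[SSL + k] for k in keys if SSL + k in s]
    if not paths:
        findings.append("no-key-material")     # TLS on, no certificate configured
    for p in sorted(set(paths)):
        # Relative paths resolve against the config directory.
        full = posixpath.normpath(posixpath.join(config_dir, p))
        if not full.startswith(config_dir + "/"):
            findings.append("unreadable-path:" + p)   # security manager denies read
    if s.get(SSL + "verification_mode", "full") != "full":
        findings.append("hostname-verification-off")
    return findings

# Constructed samples: the thread's settings plus assumed keystore lines.
BASE = 'xpack.security.enabled: true\nxpack.license.self_generated.type: "basic" ##free\n'
AS_POSTED = BASE + SSL + "enabled: true\n"
ON_VOLUME = AS_POSTED + SSL + "keystore.path: /var/lib/elasticsearch/certs/nodecert.p12\n"
FINAL = (AS_POSTED + SSL + "keystore.path: certs/nodecert.p12\n"
         + SSL + "truststore.path: certs/nodecert.p12\n"
         + SSL + "verification_mode: certificate\n")

if __name__ == "__main__":
    for name, cfg in [("as posted", AS_POSTED), ("on volume", ON_VOLUME), ("final", FINAL)]:
        print(name, "->", preflight(cfg))
```

The last finding is the trade-off accepted at the end of the thread: `verification_mode: certificate` still validates the certificate chain but skips hostname checks, whereas reissuing node certificates with subject alternative names (the `--dns` and `--ip` options of `elasticsearch-certutil cert`) lets the default `full` mode stay on.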