I have a two-node Elasticsearch cluster configured with "xpack.security.enabled: true".
I created a user called "esi" with the transport_client role.
When the ES server starts up as a single node, everything works fine: access requires a username and password.
curl -u esi:'xxxx' -k -sS 'https://xx.xx.xx.xx:9200/_xpack/security/_authenticate?pretty'
{
  "username" : "esi",
  "roles" : [
    "transport_client"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : { },
  "enabled" : true
}
However, as soon as zen-disco-elected-as-master succeeds, authentication gets disabled and I can access ES without an ID/password.
curl -k -sS 'https://xx.xx.xx.xx:9200/_xpack/security/_authenticate?pretty'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "current license is non-compliant for [security]",
        "license.expired.feature" : "security"
      }
    ],
    "type" : "security_exception",
    "reason" : "current license is non-compliant for [security]",
    "license.expired.feature" : "security"
  },
  "status" : 403
}
According to the audit log, the node is using the default_file realm with the transport_client role, but after master discovery is done it changes to the "__attach" realm with the superuser role:
[2020-02-21T00:41:18,561] [ESIB] [transport] [access_granted] origin_type=[rest], origin_address=[xx.xx.xx.xx], principal=[esi], realm=[default_file], roles=[transport_client], action=[cluster:admin/xpack/security/user/authenticate], request=[AuthenticateRequest]
[2020-02-21T00:41:37,830] [ESIB] [transport] [access_granted] origin_type=[rest], origin_address=[xx.xx.xx.xx], principal=[esi], realm=[default_file], roles=[transport_client], action=[cluster:admin/xpack/security/user/authenticate], request=[AuthenticateRequest]
[2020-02-21T00:41:38,112] [ESIB] [transport] [access_granted] origin_type=[local_node], origin_address=[xx.xx.xx.xx], principal=[_xpack_security], realm=[__attach], roles=[superuser], action=[cluster:admin/xpack/security/realm/cache/clear], request=[ClearRealmCacheRequest]
[2020-02-21T00:41:38,117] [ESIB] [transport] [access_granted] origin_type=[local_node], origin_address=[xx.xx.xx.xx], principal=[_xpack_security], realm=[__attach], roles=[superuser], action=[cluster:admin/xpack/security/realm/cache/clear[n]], request=[Node]
In elasticsearch.yml, I have:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/key.pem
xpack.security.transport.ssl.certificate: /etc/elasticsearch/cert.pem
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/cacert.crt" ]
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/key.pem
xpack.security.http.ssl.certificate: /etc/elasticsearch/cert.pem
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/cacert.crt" ]
xpack.security.http.ssl.supported_protocols: [ "TLSv1.2" ]
xpack.security.http.ssl.cipher_suites: [ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" ]
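An added example, not from the post or from Elastic: a small Python script that parses the bracketed audit-log format quoted above, separates the node's own local_node housekeeping events (principal _xpack_security, realm __attach) from superuser grants that originate outside the node, and classifies an _authenticate response as a successful login versus the license error returned by the second curl. The sample log lines are constructed for the example, including a hypothetical third line with a REST-originated superuser grant.

```python
import json
import re

# Bracketed audit-log format quoted in the post: [timestamp] [node] [layer] [event] key=[value], ...
HEADER_RE = re.compile(r"^\[([^\]]+)\]\s+\[([^\]]+)\]\s+\[([^\]]+)\]\s+\[([^\]]+)\]\s+(.*)$")
# A value may contain one level of nested brackets, e.g. action=[.../cache/clear[n]].
FIELD_RE = re.compile(r"(\w[\w.]*)=\[((?:[^\[\]]|\[[^\[\]]*\])*)\]")

def parse_audit_line(line):
    """Return the header fields plus every key=[value] pair as a dict, or None if unparseable."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m.group(1), "node": m.group(2), "layer": m.group(3), "event": m.group(4)}
    ev.update(FIELD_RE.findall(m.group(5)))
    ev["roles"] = [r.strip() for r in ev.get("roles", "").split(",") if r.strip()]
    return ev

def external_superuser_grants(events):
    """access_granted events with the superuser role that did not originate on the node itself.
    Internal housekeeping (origin_type=local_node) is excluded; the rest is worth alerting on."""
    return [e for e in events
            if e["event"] == "access_granted"
            and "superuser" in e["roles"]
            and e.get("origin_type") != "local_node"]

def classify_authenticate_response(body):
    """Classify a JSON body returned by /_xpack/security/_authenticate."""
    doc = json.loads(body)
    if "username" in doc:
        return "authenticated"
    err = doc.get("error", {})
    if err.get("type") == "security_exception" and "license" in err.get("reason", ""):
        return "license_noncompliant"  # the feature is unavailable, not bypassed
    if doc.get("status") == 401:
        return "credentials_required"
    return "other"

# Constructed sample input modelled on the post's log lines; the third line is hypothetical.
SAMPLE_LOG = """\
[2020-02-21T00:41:37,830] [ESIB] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.5], principal=[esi], realm=[default_file], roles=[transport_client], action=[cluster:admin/xpack/security/user/authenticate], request=[AuthenticateRequest]
[2020-02-21T00:41:38,117] [ESIB] [transport] [access_granted] origin_type=[local_node], origin_address=[10.0.0.5], principal=[_xpack_security], realm=[__attach], roles=[superuser], action=[cluster:admin/xpack/security/realm/cache/clear[n]], request=[Node]
[2020-02-21T00:42:01,002] [ESIB] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.9], principal=[elastic], realm=[reserved], roles=[superuser], action=[cluster:admin/settings/update], request=[ClusterUpdateSettingsRequest]
"""

if __name__ == "__main__":
    events = [e for e in map(parse_audit_line, SAMPLE_LOG.splitlines()) if e]
    for e in external_superuser_grants(events):
        print(f"{e['ts']} superuser grant from {e['origin_address']} as {e['principal']}")
```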