Security Error while integrating SSO with elastic cloud cluster using Terraform

I've been trying to provision an Elastic cluster with SSO configured. As per the latest ec provider documentation, we should be able to achieve this in a single workflow. However, I see the error below while provisioning the cluster.

[tiebreaker-0000000002] fatal exception while booting Elasticsearch java.lang.IllegalStateException: security initialization failed
    at org.elasticsearch.xpack.security.Security.createComponents(Security.java:578) ~[?:?]
    at org.elasticsearch.node.Node.lambda$new$16(Node.java:721) ~[elasticsearch-8.6.2.jar:?]
    at org.elasticsearch.plugins.PluginsService.lambda$flatMap$0(PluginsService.java:252) ~[elasticsearch-8.6.2.jar:?]
    at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[?:?]
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[?:?]
    at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:722) ~[?:?]
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[?:?]
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[?:?]
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575) ~[?:?]
    at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260) ~[?:?]
    at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616) ~[?:?]
    at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622) ~[?:?]
    at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627) ~[?:?]
    at org.elasticsearch.node.Node.<init>(Node.java:736) ~[elasticsearch-8.6.2.jar:?]
    at org.elasticsearch.node.Node.<init>(Node.java:322) ~[elasticsearch-8.6.2.jar:?]
    at org.elasticsearch.bootstrap.Elasticsearch$2.<init>(Elasticsearch.java:214) ~[elasticsearch-8.6.2.jar:?]
    at org.elasticsearch.bootstrap.Elasticsearch.initPhase3(Elasticsearch.java:214) ~[elasticsearch-8.6.2.jar:?]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:67) ~[elasticsearch-8.6.2.jar:?]
Caused by: org.elasticsearch.common.settings.SettingsException: The configuration setting [xpack.security.authc.realms.oidc.oidc1.rp.client_secret] is required
    at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm.buildRelyingPartyConfiguration(OpenIdConnectRealm.java:256) ~[?:?]
    at org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm.<init>(OpenIdConnectRealm.java:98) ~[?:?]
    at org.elasticsearch.xpack.security.authc.InternalRealms.lambda$getFactories$7(InternalRealms.java:169) ~[?:?]
    at org.elasticsearch.xpack.security.authc.Realms.initRealms(Realms.java:288) ~[?:?]
    at org.elasticsearch.xpack.security.authc.Realms.<init>(Realms.java:109) ~[?:?]
    at org.elasticsearch.xpack.security.Security.createComponents(Security.java:686) ~[?:?]
    at org.elasticsearch.xpack.security.Security.createComponents(Security.java:566) ~[?:?]

However, in my Terraform code I am providing the keystore value as below:

resource "ec_deployment_elasticsearch_keystore" "client_secret" {
  deployment_id = ec_deployment.test_deployment.id
  setting_name  = "xpack.security.authc.realms.oidc.oidc1.rp.client_secret"
  value         = ""
}

And here is the elasticsearch.yaml file content:
xpack:
  security:
    authc:
      realms:
        oidc:
          oidc1:
            order: 2
            rp.client_id: "<>"
            rp.response_type: "code"
            rp.requested_scopes: ["openid", "email", "groups", "profile"]
            rp.redirect_uri: "${kibana_url}/api/security/oidc/callback"
            op.issuer: "<>"
            op.authorization_endpoint: "<>"
            op.token_endpoint: "<>"
            op.userinfo_endpoint: "<>"
            op.endsession_endpoint: "<>"
            op.jwkset_path: "<>"
            claims.principal: "user"
            claim_patterns.principal: "^([^@]+)$"
            claims.groups: "groups"

Any help would be appreciated.

Thanks,
Sai
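The boot failure in the log is the realm factory refusing to start because a setting it needs is not available at the moment the node reads its configuration. The following is an added example, not code from the post above or from Elastic: a small pre-flight check that flattens the realm block from elasticsearch.yml, compares it with the keystore entries that would be present at boot, and reports the same missing setting the log complains about. The list of required OIDC realm settings and the treatment of an empty keystore value as "absent" are assumptions, as is the realm content, which is a constructed sample mirroring the settings in the post with placeholder values.

```python
"""Pre-flight check of an Elasticsearch OIDC realm config against the keystore.

Added example for this thread, not code from the original post or from Elastic.
It mimics the check behind the SettingsException in the log: every required
realm setting must be present, and the secure setting rp.client_secret must
come from the keystore, never from elasticsearch.yml.
"""
from typing import Any, Dict, List, Tuple

REALM_PREFIX = "xpack.security.authc.realms.oidc"

# Assumption: required non-secure settings of an OIDC realm, relative to the realm name.
REQUIRED_SETTINGS = (
    "order",
    "rp.client_id",
    "rp.response_type",
    "rp.redirect_uri",
    "op.issuer",
    "op.authorization_endpoint",
    "op.token_endpoint",
    "op.jwkset_path",
    "claims.principal",
)
# Assumption: secure settings that must be supplied through the keystore.
SECURE_SETTINGS = ("rp.client_secret",)


def flatten(tree: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn nested YAML-style dicts into dotted Elasticsearch setting keys."""
    flat: Dict[str, Any] = {}
    for key, value in tree.items():
        full = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, full))
        else:
            flat[full] = value
    return flat


def check_oidc_realm(yml: Dict[str, Any], keystore: Dict[str, str],
                     realm: str) -> Tuple[List[str], List[str]]:
    """Return (missing, leaked).

    missing: required settings absent from yml, plus secure settings absent
             from (or empty in) the keystore; the realm will refuse to start.
    leaked:  secure settings found in plain yml, which is a misconfiguration
             (the secret belongs in the keystore, not in the node config).
    """
    flat = flatten(yml)
    base = f"{REALM_PREFIX}.{realm}"
    missing = [f"{base}.{s}" for s in REQUIRED_SETTINGS if f"{base}.{s}" not in flat]
    leaked: List[str] = []
    for s in SECURE_SETTINGS:
        key = f"{base}.{s}"
        if key in flat:
            leaked.append(key)
        elif not keystore.get(key):  # assumption: an empty entry counts as absent
            missing.append(key)
    return missing, leaked


def diagnose(yml: Dict[str, Any], keystore: Dict[str, str], realm: str = "oidc1") -> List[str]:
    """Render findings in the wording of the boot error so they are easy to grep for."""
    missing, leaked = check_oidc_realm(yml, keystore, realm)
    msgs = [f"The configuration setting [{k}] is required" for k in missing]
    msgs += [f"The setting [{k}] is a secure setting and must be stored in the keystore"
             for k in leaked]
    return msgs


# Constructed sample: the realm block from the post, with placeholder values.
SAMPLE_YML = {"xpack": {"security": {"authc": {"realms": {"oidc": {"oidc1": {
    "order": 2,
    "rp.client_id": "<client-id>",
    "rp.response_type": "code",
    "rp.requested_scopes": ["openid", "email", "groups", "profile"],
    "rp.redirect_uri": "https://kibana.example.invalid/api/security/oidc/callback",
    "op.issuer": "<issuer>",
    "op.authorization_endpoint": "<authorization-endpoint>",
    "op.token_endpoint": "<token-endpoint>",
    "op.userinfo_endpoint": "<userinfo-endpoint>",
    "op.endsession_endpoint": "<endsession-endpoint>",
    "op.jwkset_path": "<jwkset-path>",
    "claims.principal": "user",
    "claim_patterns.principal": "^([^@]+)$",
    "claims.groups": "groups",
}}}}}}}

SECRET_KEY = f"{REALM_PREFIX}.oidc1.rp.client_secret"

if __name__ == "__main__":
    # Keystore not yet populated at boot: same finding as the log.
    for line in diagnose(SAMPLE_YML, {}):
        print(line)
    # Keystore entry present and non-empty: no findings.
    print(diagnose(SAMPLE_YML, {SECRET_KEY: "constructed-secret"}))
```

Running the check with an empty keystore dictionary reproduces the exact setting named in the SettingsException; running it with the entry populated returns nothing. The `leaked` list is the companion check in the other direction: if someone works around the boot error by pasting the secret into the yml block, the realm would start, but the secret would then sit in plain configuration, which is the situation the keystore exists to prevent.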

Hi @Saicharan_M Welcome to the community.

Can you please format your code and logs using the </> button, and make sure your yml is properly formatted.

Would you perhaps share your tf configuration?

Which documentation shows a single flow... is it this? I think that assumes all the values are in the es.yml.

What I do think I am reading from the errors is that the deployment is trying to use the keystore / get values before the keystore is ready...

I suspect you may need to create the deployment with the keystore and then apply the SAML config.

However, I am not a TF expert, but that is what I read from the logs.

