Setting up passwords with elasticsearch-setup-passwords interactive

I'm having an issue with enabling security on my cluster when I'm trying to add the passwords to the built-in users:

I have 6 nodes

atl-deves01.com
atl-deves02.com
atl-deves03.com
met-deves01.com
met-deves02.com
met-deves03.com

deves01

cluster.name: dev-elastic7

node.name: atl-deves01
node.master: true
node.data: true

path.data: /data_store
path.logs: /var/log/elasticsearch

network.host: 0.0.0.0
http.port: 9500

discovery.seed_hosts: ["atl-deves01", "atl-deves02", "atl-deves03", "atl-devls01", "atl-devls02", "met-deves01", "met-deves02", "met-deves03", "met-devls01", "met-devls02"]

cluster.initial_master_nodes: ["atl-deves01:9500", "met-deves02:9500"]

discovery.zen.minimum_master_nodes: 3
discovery.zen.fd.ping_timeout: 30s
discovery.zen.fd.ping_interval: 3s
discovery.zen.fd.ping_retries: 5

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

When I type in this command I get this:

Failed to determine the health of the cluster running at http://10.88.0.221:9500
Unexpected response code [503] from calling GET http://10.88.0.221:9500/_cluster/health?pretty
Cause: master_not_discovered_exception

It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.
It is very likely that the password changes will fail when run against an unhealthy cluster.

Do you want to continue with the password setup process [y/N]n

Hi @Archie_Crawford! Your cluster has not formed successfully and you can't / shouldn't attempt to set up the password of the built-in users until that happens. See Bootstrapping a cluster | Elasticsearch Reference [master] | Elastic

You probably need to change cluster.initial_master_nodes and remove the http port from it. This setting should contain the node name and the port number is not part of the name.

Also, do not set xpack.security.transport.ssl.enabled: true without specifying what key and certificate should be used for TLS. See this section in our docs Encrypting communications in Elasticsearch | Elasticsearch Reference [master] | Elastic.

When your cluster is healthy, you will be able to run elasticsearch-setup-passwords on one of your 6 nodes and set the password of the built-in users.

Hope this helps!

When I take out xpack.security.transport.ssl.enabled: true then it fails for other reasons:

[1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]

I tried to see if I could add the master nodes in this way and got this error:

bin/elasticsearch -Ecluster.initial_master_nodes=atl-deves01,met-deves02
Exception in thread "main" java.lang.RuntimeException: starting java failed with [1]
output:
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 12884901888 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /var/log/elasticsearch/hs_err_pid178846.log
error:
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00000004c0000000, 12884901888, 0) failed; error='Not enough space' (errno=12)
        at org.elasticsearch.tools.launchers.JvmErgonomics.flagsFinal(JvmErgonomics.java:126)
        at org.elasticsearch.tools.launchers.JvmErgonomics.finalJvmOptions(JvmErgonomics.java:88)
        at org.elasticsearch.tools.launchers.JvmErgonomics.choose(JvmErgonomics.java:59)
        at org.elasticsearch.tools.launchers.JvmOptionsParser.jvmOptions(JvmOptionsParser.java:137)
        at org.elasticsearch.tools.launchers.JvmOptionsParser.main(JvmOptionsParser.java:95)

Yes, in order to make use of security, you need to also enable transport SSL.
However, @ikakavas's point is that you can't simply set enabled: true.
Configuring SSL requires additional steps that are explained in the documentation that he linked to.
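
The two points from the replies above (no port in cluster.initial_master_nodes, no transport SSL without a key and certificate) and the bootstrap check quoted in the thread, written as a small config linter. This is an added example, not part of the original thread or Elastic's tooling; `lint`, `parse_settings` and the placeholder keystore path are assumptions, and the parser only handles the flat `key: value` form shown in the post.

```python
import re

KEYSTORE = "xpack.security.transport.ssl.keystore.path"
PEM_KEY = "xpack.security.transport.ssl.key"
PEM_CERT = "xpack.security.transport.ssl.certificate"

# Security-relevant lines copied from the elasticsearch.yml posted in the thread.
THREAD_CONFIG = """
node.name: atl-deves01
cluster.initial_master_nodes: ["atl-deves01:9500", "met-deves02:9500"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
"""

# Constructed corrected form; the keystore path is a placeholder.
FIXED_CONFIG = """
node.name: atl-deves01
cluster.initial_master_nodes: ["atl-deves01", "met-deves02"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/PLACEHOLDER.p12
xpack.security.transport.ssl.truststore.path: certs/PLACEHOLDER.p12
"""

def parse_settings(text):
    # Flat 'dotted.key: value' lines only; nested YAML is out of scope here.
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings

def lint(text):
    s = parse_settings(text)
    findings = []
    names = s.get("cluster.initial_master_nodes", "").strip("[]").split(",")
    for name in (n.strip().strip("\"'") for n in names):
        if re.search(r":\d+$", name):  # entries must be node names, not host:port
            findings.append(f"initial_master_nodes '{name}': drop the port, use node.name")
    security = s.get("xpack.security.enabled") == "true"
    tls = s.get("xpack.security.transport.ssl.enabled") == "true"
    if security and not tls:
        findings.append("security enabled without transport SSL (bootstrap check fails)")
    if tls and not (KEYSTORE in s or (PEM_KEY in s and PEM_CERT in s)):
        findings.append("transport SSL enabled but no keystore or key/certificate set")
    return findings

if __name__ == "__main__":
    print({"thread": lint(THREAD_CONFIG), "fixed": lint(FIXED_CONFIG)})
```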
