Shield does not work - no credentials checked



I've just installed shield plugin (2.0) according to the documentation:

-stopped all nodes
-installed shield on all nodes
-started all nodes
-added an admin user using esusers

I also verified it as per documentation:

[2015-12-11 03:07:45,133][INFO ][http                     ] [XXXX] Using [org.elasticsearch.http.netty.NettyHttpServerTransport] as http transport, overridden by [shield]
[2015-12-11 03:07:45,358][INFO ][transport                ] [XXXX] Using [org.elasticsearch.shield.transport.ShieldServerTransportService] as transport service, overridden by [shield]
[2015-12-11 03:07:45,358][INFO ][transport                ] [XXXX] Using [org.elasticsearch.shield.transport.netty.ShieldNettyTransport] as transport, overridden by [shield]

However, the cluster is still fully open, I can still send requests without the need for username and password. Logstash is also sending data to Elasticsearch without authentication! What am I missing here?

(Tanguy) #2


Can you check that the plugin is correctly loaded on every nodes? You should see something like:

[INFO ][plugins                  ] [Lunatica] loaded [license, shield], sites []

Also take care that you don't have the setting shield.enabled: false somewhere in your configuration.


Checked, plugin is installed on all nodes and not disabled on any of them.

(Tanguy) #4

Did you copy the shield configuration files on all the nodes?

Shield is supposed to protect your cluster as soon as it is installed (along with license plugin). An unprotected cluster often means that the plugin has not been correctly installed or you're targeting another cluster.

Can you please give the output of

curl 'http://localhost:9200/_nodes?pretty&filter_path=**.plugins'


Here you go:
(cannot add it here)


I have a basic license for the time being, is it because of that? Shield works with Trial license so I thought it should work with basic license too. Maybe it actually doesnt?


Yeah it turns out that shield does not work with basic license.

(Tanguy) #8

Happy you found the issue!


Thank you for your help.

(Sukesh) #10

Hi , when i use curl 'http://localhost:9200/_nodes?pretty&filter_path=**.plugins'
it showing message like

"nodes": {
"hygxwzmJRtOMOQdxKpjEhg": {
"plugins": []
"0NK6gF1rQFa7DDw4LJC3yw": {
"plugins": []

shield is still not working ,not restricting unknown users

(Jay Modi) #11

Did you install a basic license? What does curl 'http://localhost:9200/_license' show?

(Sukesh) #12

i dont know what is basic license ! when i run the command curl 'http://localhost:9200/_license'
in kibana it is showing like

"error": {
"root_cause": [
"type": "illegal_argument_exception",
"reason": "No feature for name [_license]"
"type": "illegal_argument_exception",
"reason": "No feature for name [_license]"
"status": 400

but if try like GET /_nodes/_license it is showing like

"cluster_name": "elasticsearch",
"nodes": {}

(Sukesh) #13

How to check basic or not in kibana?

(Steve Kearns) #14

Hi Sukesh,

Did you restart your elasticsearch nodes after installing the license and Shield plugins? It looks like you may not have the plugins installed.


(Sukesh) #15

hi Steve , i restarted the elastic search and service also several times ! no i installed plugins properly in offline mode ,and it was created the license file and plugin file in D:\elasticsearch-2.3.1\plugins location

(Steve Kearns) #16

Hi Sukesh,

From your first post, it looks like the instance of Elasticsearch that is running doesn't have the plugins installed.

Can you stop Elasticsearch, and verify that no other instances are still running? If Kibana/Sense are still working, then there is another instance of ES still running and it needs to be stopped first.


(Sukesh) #17

yeah Steve , i stopped and started again , but same nothing difference.

(Steve Kearns) #18

How did you verify that no other instances were still running?

(Sukesh) #19

i checked in task manager in windows ,elastic search service status is stopped and no other elastic search is running .in that way i checked

(system) #20