Shield on Containerized Elasticsearch *RESOLVED*

security

(Adam Kunicki) #1

Hi, I'd like to try out shield and installed it in a docker container running es 1.7.1, however authentication always fails. Anyone else run into this?

I've verified that a user exists and has the admin role.

# esusers useradd admin -r admin -p password
# esusers list
admin          : admin

# curl -uadmin:password localhost:9200
{"error":"AuthenticationException[unable to authenticate user [admin] for REST request [/]]","status":401}

ES Logs:

[2015-08-25 21:04:57,496][INFO ][node                     ] [Theresa Cassidy] version[1.7.1], pid[1], build[b88f43f/2015-07-29T09:54:16Z]
[2015-08-25 21:04:57,500][INFO ][node                     ] [Theresa Cassidy] initializing ...
[2015-08-25 21:04:57,615][INFO ][plugins                  ] [Theresa Cassidy] loaded [license, shield], sites [head]
[2015-08-25 21:04:57,643][INFO ][env                      ] [Theresa Cassidy] using [1] data paths, mounts [[/usr/share/elasticsearch/data (/dev/sda1)]], net usable_space [16.6gb], net total_space [18.1gb], types [ext4]
[2015-08-25 21:04:57,919][INFO ][transport                ] [Theresa Cassidy] Using [org.elasticsearch.shield.transport.ShieldServerTransportService] as transport service, overridden by [shield]
[2015-08-25 21:04:57,920][INFO ][transport                ] [Theresa Cassidy] Using [org.elasticsearch.shield.transport.netty.ShieldNettyTransport] as transport, overridden by [shield]
[2015-08-25 21:04:57,920][INFO ][http                     ] [Theresa Cassidy] Using [org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport] as http transport, overridden by [shield]
[2015-08-25 21:05:00,468][INFO ][node                     ] [Theresa Cassidy] initialized
[2015-08-25 21:05:00,468][INFO ][node                     ] [Theresa Cassidy] starting ...
[2015-08-25 21:05:00,816][INFO ][shield.transport         ] [Theresa Cassidy] bound_address {inet[/0:0:0:0:0:0:0:0:9300]}, publish_address {inet[/172.17.0.18:9300]}
[2015-08-25 21:05:00,841][INFO ][discovery                ] [Theresa Cassidy] elasticsearch/T_8-EMKQR7u6HF2dK3YPpQ
[2015-08-25 21:05:04,613][INFO ][cluster.service          ] [Theresa Cassidy] new_master [Theresa Cassidy][T_8-EMKQR7u6HF2dK3YPpQ][5fa13efdf042][inet[/172.17.0.18:9300]], reason: zen-disco-join (elected_as_master)
[2015-08-25 21:05:04,640][INFO ][http                     ] [Theresa Cassidy] bound_address {inet[/0:0:0:0:0:0:0:0:9200]}, publish_address {inet[/172.17.0.18:9200]}
[2015-08-25 21:05:04,641][INFO ][node                     ] [Theresa Cassidy] started
[2015-08-25 21:05:04,644][INFO ][gateway                  ] [Theresa Cassidy] recovered [0] indices into cluster_state
[2015-08-25 21:05:04,647][INFO ][shield.license           ] [Theresa Cassidy] enabling license for [shield]
[2015-08-25 21:05:04,648][INFO ][license.plugin.core      ] [Theresa Cassidy] license for [shield] - valid
[2015-08-25 21:05:04,655][ERROR][shield.license           ] [Theresa Cassidy]
#
# Shield license will expire on [Thursday, September 24, 2015]. Cluster health, cluster stats and indices stats operations are
# blocked on Shield license expiration. All data operations (read and write) continue to work. If you
# have a new license, please update it. Otherwise, please reach out to your support contact.
#

Turns out that the "official" elasticsearch image keeps configs in /usr/share/elasticsearch/config, but the shield plugin expects configs in /etc/elasticsearch (even when installed with -Des.path.conf=/usr/share/elasticsearch). My solution was to symlink the real shield configs into /etc/elasticsearch/shield from /usr/share/elasticsearch/config/shield, since shield complains if the configs are in a different directory.
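
The symlink workaround described in post #1, as an added example that is not part of the original thread: a shell function that creates the link only when doing so is safe, so it can be re-run on every container build. The function name and exit codes are assumptions for illustration; the default paths are the two directories named in the post.

```shell
# Added example (not from the thread): idempotently link the Shield
# config directory. Defaults are the two paths named in the post.
link_shield_config() {
    src="${1:-/usr/share/elasticsearch/config/shield}"
    dst="${2:-/etc/elasticsearch/shield}"

    # The real config directory must exist, or the link would dangle
    # and authentication would keep failing with no obvious cause.
    if [ ! -d "$src" ]; then
        echo "source directory missing: $src" >&2
        return 1
    fi

    # Already a symlink: succeed only if it points at the expected source.
    if [ -L "$dst" ]; then
        if [ "$(readlink "$dst")" = "$src" ]; then
            return 0
        fi
        echo "$dst links elsewhere: $(readlink "$dst")" >&2
        return 2
    fi

    # A real file or directory is already there: refuse to clobber it,
    # since it may hold a different set of users and roles.
    if [ -e "$dst" ]; then
        echo "$dst exists and is not a symlink" >&2
        return 3
    fi

    mkdir -p "$(dirname "$dst")" && ln -s "$src" "$dst"
}
```

A non-zero exit code distinguishes the three failure cases, which makes a mismatched or shadowed config directory visible at build time instead of as a 401 at runtime.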


(Adam Kunicki) #2

As a follow up, I can tell you that the standalone tarball version of 1.7.1 works fine for me, but the official docker container (with plugin added) does not.


(Mark Walkom) #3

That may be the official Docker container but it's not managed by us.

Did you follow all the installation instructions?


(Adam Kunicki) #4

Gotcha, didn't realize Docker was actually maintaining those. I'll be sure to post an update if I do get it working, meanwhile the instructions work fine for the official distribution from Elastic :smile:

