Shield user across multiple nodes



What is the instruction for installing shields on multi-node cluster?

Long story short, I have a node 1 with shield with username/password, then I am trying to add another node. Shield configuration is exactly the same. Am I supposed to set up same username/password on node 2? I did, and not sure if it's caused by that but I am getting this exception in the log.

[2016-03-04 14:54:40,144][INFO ][rest.suppressed ] /_nodes Params: {}
ElasticsearchSecurityException[missing authentication token for REST request [/_nodes]]

Thanks a lot!

(Mark Walkom) #2

It's the same for a one node cluster a multiple node cluster. Just make sure the plugin is installed before trying to join nodes, and roll the same config out to all nodes.

(Steve Kearns) #3

This means you need to have the same users, roles, and user role mapping files on all nodes in the cluster. This isn't optional - you're not secure unless these files are in sync.

We're adding API-based user configuration to a near-term version, so the user/role config piece will be getting a lot easier soon!


Thanks Mark and Steve for a quick response!

So once I installed Shield on new node, I would run "bin/shield/esusers useradd myUser..." and set up identical username and password, is that correct?

I am also getting this exception as well. Not sure, if it's anything to do with shield though..

[RemoteTransportException[[node-2][myIP:9300][indices:data/write/bulk[s][r]]]; nested: ElasticsearchSecurityException[action [indices:data/write/bulk[s][r]] is unauthorized for user [__marvel_user]]; ]
RemoteTransportException[[node-2][myIP:9300][indices:data/write/bulk[s][r]]]; nested: ElasticsearchSecurityException[action [indices:data/write/bulk[s][r]] is unauthorized for user [__marvel_user]];


(Jay Modi) #5

That is correct or you can copy the files (users, users_roles, and roles.yml) from the existing node to the new node.

Do you have any special marvel configuration in your elasticsearch.yml?

(system) #6