Xpack enabled elastic stack Cluster

Sagar_Mandal · February 1, 2021, 9:15am

Hi Team,

I have a fedora distribution environment setup where I have 1 master node and 2 data node for elastic search and single kibana and logstash in total I've 4 servers where logstash and kibana are in a single server.

I'm aware of single node security with Xpack enabled however I'm confused in a HA cluster where I've master and data nodes.
My question is if I enable X-Pack in my master node by adding

xpack.security.enabled: true

in my elasticsearch.yml file and create passwords for my elastic search application by

bin/elasticsearch-setup-passwords interactive

then how my data nodes are going to discover my master node as my master node is set up with authentication, what changes or authentication I need to add in my data nodes configuration so that they can authenticate each other.

and also if I add my master nodes server IP in kibana.yml then it will authenticate the master node as i give username and password for my master node elasticsearch over there.

This is the main authentication between elasticsearch, i understand i need to enable X-pack in each ES node but i don't get how my ES nodes will authenticate each other.

and how it will reflect in my Kibana. as in my data node, master node is not discoverable so kibana instance is not starting in my browser but it's service is UP and Runnnig.

Will be a great help if anyone could clear my concepts

Thanks and Regards,
Sagar Mandal

ikakavas · February 1, 2021, 7:59pm

Nodes do not authenticate to each other with passwords, they do so with mutual TLS. If you enable security in a cluster, you will need to configure TLS for the transport layer

Assuming that you are talking about the kibana reserved user, the passwords of all reserved users are the same no matter which node performs the authentication.

Read this Add the built-in user to Kibana | Elasticsearch Reference [7.10] | Elastic

In general, it will be helpful if you could read through our docs. The getting started with security will be helpful !

Sagar_Mandal · February 2, 2021, 4:15am

Hi @ikakavas,

Thanks for the documentation and clarification for ES Node communication. However I've a doubt that if we create password in one ES Node then that nodes credentials are only given in kibana ?
also Configuring TLS in ES nodes will help in node communication, even if i create password for one Elasticsearch node.

Regards,
Sagar

ikakavas · February 2, 2021, 10:36am

Can you please rephrase your question? I couldn't get what your doubt is, thanks!

Configuring TLS for the transport layer ( i.e. the communication between ES nodes ) will ensure that a) all communication between your nodes is encrypted, and b) that only legitimate nodes can join your cluster. This has nothing to do with passwords.

Again, passwords are not node specific assuming that we are talking about the builtin users.

Sagar_Mandal · February 3, 2021, 5:57am

@ikakavas Thanks for clearing some doubts, lastly I just wanna ask the authentication in kibana we get is based on Elasticsearch username and it's password so how will we authenticate that
if we are configuring ES nodes with TLS then how will my kibana know that it has to authenticate with ES nodes, is it the same like TLS security.

Thanks in advance

ikakavas · February 25, 2021, 5:04am

All these are covered in the two links I shared with you in our documentation so there is no point in me just copy pasting them here. Please take a look at those and if you still have questions, I'd be happy to help out. It would be great if you make your question more explicit though, thanks!

efaile · February 3, 2021, 12:32pm

I'm new to this stack, but have stood up many platforms over time. I spent a good chunk of my weekend going in circles with a link that points to another section, to another section. Saying go read the docs would be fantastic if there was a logical, user friendly and step by step guide that explained how to essentially step through all the security recommendations that you are met with in this link Elastic (ELK) Stack Security | Elastic and written in a manner that was easy to consume for an engineer new to this stack. And not "this demo is on one node, you will have to do it differently for a multi-node production configuration."

I sincerely hope a product manager reads this feedback - and how we should consider other options to saying "RTFM" to customers asking for our help and actually referencing vendor documentation in the question.

ikakavas · February 3, 2021, 3:04pm

Hi Eva!

Thank you for your feedback. I am sorry that you interpreted my reply to Sagar's question as a "RTFM", I can assure you it was not meant to be as such. If you spend some time around these forums, you'll hopefully realize that community members ( employees in their personal time ) and of course other stack users spend time to understand the problem and suggest valid and helpful solutions, instead of just linking to docs. Sometimes the answer to single questions are in the docs themselves and we all retain the right to spend our time answering another question if a specific one can be answered in the docs.

I can appreciate the frustration that comes along with dealing with a new stack and we take your feedback to heart. If you are willing to start a thread with what they issues you faced are and what information you found lacking, we'll do our best to help you here and maybe adjust our docs in the process for everyone's benefit. For what is worth , Tutorial: Encrypting communications | Elasticsearch Reference [7.10] | Elastic , does have a section about adding nodes with security enabled, hope this helps you move to the right direction for now.