Security Setting in Elasticsearch, xpack showing inconsistent behavior - elasticsearch

My ES cluster is running in production mode (on Kubernetes). It is accessible only within the organization so, for now, there is no need to secure the connection between ES nodes with certificates. While setting up the cluster I just added xpack.security.enabled: true, which helped me set up basic Kibana authentication. Everything was working as expected until I restarted my data node pods, and now it shows the following error:
ERROR: [1] bootstrap checks failed
[1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]

The error message is pretty explicit: You must have TLS certificates to use security. Which also makes sense from a security point of view, especially on Kubernetes where you don't have much protection out of the box otherwise.
If you don't want to set up certificates and other stuff on Kubernetes, have a look at the Kubernetes Operator, which does that for you: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-quickstart.html

Related

Failed to setup Alerts and Actions for ELK - You must enable Transport Layer Security

I am trying to set up Alerts and Actions for ELK, but I am getting the error message:
You must enable Transport Layer Security.
I have already set up the following parameter in kibana.yml:
xpack.encryptedSavedObjects.encryptionKey: "abcdefghijklmnopqrstuvwxyz1234567890"
Pls advise.
Thanks
xpack.encryptedSavedObjects.encryptionKey: "abcdefghijklmnopqrstuvwxyz1234567890"
With only this, you don't enable the transport layer security.
There are two more steps you need to do.
Enable security in Kibana and Elasticsearch. (Relatively easy!)
Encrypt traffic between them. (You might need to get your org-specific certificates if you are not using self-signed ones.)
When you use the basic and trial licenses:
Set xpack.security.enabled: true and discovery.type: single-node in the elasticsearch.yml file
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/get-started-enable-security.html
and then xpack.encryptedSavedObjects.encryptionKey: a string of 32 or more characters in kibana.yml
https://www.elastic.co/guide/en/kibana/7.16/alert-action-settings-kb.html#general-alert-action-settings
After updating the config files, please restart Elasticsearch and Kibana.

Enable X-Pack security without TLS

I have a 3 node Elasticsearch cluster, all of them eligible to be elected as master.
I want to implement RBAC for my cluster.
From the documentation, they suggest the following configuration.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
I want the xpack security to be enabled without TLS to be enabled. But when I set xpack.security.transport.ssl.enabled to false, I get an error saying it should be enabled if xpack.security.enabled is set to true.
Is it possible to achieve xpack security without enabling TLS?
The reason to disable TLS is to avoid overhead.
From the official documentation:
Clusters that do not have encryption enabled send all data in plain text including passwords. If the Elasticsearch security features are enabled, unless you have a trial license, you must configure SSL/TLS for internode-communication.
So there's no way to enable XPack security while disabling inter-node TLS communication at the same time... unless you have a trial license, which only lasts for 30 days.
The message behind this is that Elastic doesn't allow any production cluster running with security enabled without TLS.

Transport SSL must be enabled if security is enabled on a [basic] license

I have installed Elasticsearch 7.1 on Ubuntu. I want to password protect the cluster, so I have set: xpack.security.enabled: true in elasticsearch.yml file. Now when I restart Elasticsearch I get the message:
Transport SSL must be enabled if security is enabled on a [basic]
license. Please set [xpack.security.transport.ssl.enabled] to [true]
or disable security by setting [xpack.security.enabled]
I am using the basic license. I have seen this guide which explains how to use elasticsearch-certutil to install SSL certificates on the nodes.
Questions:
Is it possible to password protect the cluster without setting xpack.security.transport.ssl.enabled to true?
If I follow the guide mentioned above and install SSL certificates on the Elasticsearch cluster, do I need any SSL certificate on my web server? I don't want the communication between the web server and Elasticsearch to use SSL.
According to this answer:
For a cluster that is running in production mode with a production
license, once security is enabled, transport TLS/SSL must also be
enabled. On the other hand, if we are running with a trial license,
then transport TLS/SSL is not obligatory.
It's not possible. In production mode, if you want to use any of the xpack security features by enabling (setting xpack.security.enabled: true), then you need to use TLS/SSL certificate.
By default, the web server (and Kibana) can communicate with the cluster without any TLS/SSL certificate (The certificate is used for communication within ES nodes). If you do want to use TLS/SSL between the cluster and your web server, then you need to set xpack.security.http.ssl.enabled which is set to false by default.
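Putting the settings from these answers side by side, as an added example that is not from any of the posts: the combination the bootstrap check rejects on a basic license, and the one it accepts, with transport (node-to-node) TLS on and the HTTP layer left plain so the web server needs no certificate. Cluster name, hostnames, file names and credentials are assumptions.

```yaml
# elasticsearch.yml -- REJECTED at startup on a basic license:
#   xpack.security.enabled: true
#   xpack.security.transport.ssl.enabled: false
# -> "Transport SSL must be enabled if security is enabled on a [basic] license"

# elasticsearch.yml -- accepted: security on, node-to-node TLS on,
# client-facing HTTP TLS left off (clients, web server and Kibana keep using plain HTTP).
cluster.name: my-cluster                      # assumed name
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
# PKCS#12 written by elasticsearch-certutil and copied into every node's config dir;
# the file name is the certutil default and is assumed here.
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
# If the PKCS#12 has a password, store it with:
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
# HTTP layer: false is the default, written out explicitly so the intent is visible.
xpack.security.http.ssl.enabled: false

---
# kibana.yml -- Kibana talks to the HTTP layer, so no certificate is needed for it here;
# the user and password come from elasticsearch-setup-passwords (values assumed,
# the built-in user name depends on the 7.x version you run).
elasticsearch.hosts: ["http://elasticsearch:9200"]   # assumed host
elasticsearch.username: "kibana_system"
elasticsearch.password: "<password-from-setup-passwords>"
# 32+ character key required by Alerts and Actions (placeholder, generate your own)
xpack.encryptedSavedObjects.encryptionKey: "<random-string-of-at-least-32-characters>"
```

Restart every node after editing elasticsearch.yml; the bootstrap check only runs at startup, which is why the error above appeared only after the pods were restarted.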

Kibana fails to start with Shield configured over HTTP

I installed Shield in my Elastic Search cluster and configured Kibana to work with it as described: https://www.elastic.co/guide/en/shield/current/kibana.html
Now I restart Kibana and get this error:
{"type":"log","#timestamp":"2016-02-15T19:58:22+00:00","tags":["fatal"],"pid":28422,"level":"fatal","message":"HTTPS
is required. Please set server.ssl.key and server.ssl.cert in kiban$
FATAL { [Error: HTTPS is required. Please set server.ssl.key and
server.ssl.cert in kibana.yml.] cause: [Error: HTTPS is required.
Please set server.ssl.key and server.ssl.cert in kibana.yml.],
isOperational: true }
The tutorial above doesn't state that HTTP is mandatory for Kibana to work with Shield, but the error does. Any idea whether I can still use Shield with Kibana without setting up SSL?
Unfortunately this is the case in the current release of Kibana (4.4). From installedPlugins/shield/index.js:38:13 one can conclude that there is no way to get around using HTTPS when this plugin is enabled. If you simply skip the step by removing the Shield plugin for Kibana with bin/kibana plugin --remove shield, Kibana will be usable again with browser authentication, but this is NOT for production purposes IMO.
Add this in kibana.yml, but only do it if you have SSL configured in some other way, e.g. a load balancer with SSL termination:
shield.skipSslCheck: true

How to disable elasticsearch http module?

The default value of the "http.enabled" option in Elasticsearch's configuration file is true, which means that we can search and administer the cluster via HTTP requests; for example, a DELETE /index_* request can delete all indexes. But this is not safe when deploying the service to the production environment. How can I fix this problem?
You can either implement Shield, which is free if you are paying for one of the Elasticsearch support packages,
or implement a reverse proxy which checks each request and the user running the request, for example nginx.
