Develop Reference

Can I use Elasticsearch https without cert and authentication

I successfully setup HTTPS for Elasticsearch server. Now I can use curl like curl -u elastic:111111 --cacerts "Path/to/my/cert" https://localhost:9200. How can I setup to use curl without user authentication and cert?
Sorry for my bad English :(

Access Control in Elastic - missing authentication credentials for REST request

I am using Elastic 7.9.2 version and wanted to use security.
so I ran :
bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
and then added
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p1
in config/elasticsearch.yaml
Now when I am running the ES by
bin/elasticsearch
getting below error :
"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials
for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-
8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST
request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-
8\""}},"status":401}root#ip-localhost:/var/log/elasticsearch
Can anyone please help!

Just pass authentication credential with url like below
curl -X GET "http://localhost:9200" -u elastic:pass123

I had security already enabled and user authentication working. Kibana loaded fine.
I have a 3 node cluster and stopped elasticsearch service on each node so I could add transport ssl.
After enabling xpack.security.transport.ssl.enabled and keystore and truststore settings, I got the same ""missing authentication credentials for REST request" error in Kibana. Turns out the error was because I only had one node running and needed a minimum of two. After enabling transport ssl on another node and starting it, kibana worked again.

If you enable security for your cluster you & still got some error with AUTH yours clients, documentation wrote, what you need enable ssl for client optional OR required. Please, read the original topic: https://discuss.elastic.co/t/missing-authentication-for-rest-request/154807/13

You need to pass the credentials with your request with -u username:password

To add the credentials to curl, you need to know them. The root user is elastic, the passwords can be reset using
bin/elasticsearch-setup-passwords auto
Then, you can use
curl -X GET "http://localhost:9200" -u elastic:password_from_console
as written above (go upvote).

GET https://localhost:9200
Authorization: Basic elastic:{your user password}

kcadm created client is always unauthorized

I am trying to automate setting up of a Keycloak server for an application. Part of that is to set up a Keycloak client using the admin CLI:
kcadm.sh create clients -r MyRealm -s clientId=my-client -s enabled=true
That seems to work; I can see the client is present using the admin console. However, if I try to use that client with the Java client (creating a Keycloak object) even a read-only operation fails due to HTTP 401 Unauthorized. What am I doing wrong?

After much experimenting, I discovered the cause of the problem. If you create a client using the UI, the UI sets the client to be public client with direct access grants enabled by default. The admin CLI however does not, and that results in access through the Java client being denied. You must instead explicitly set those when you create the client using the admin CLI:
kcadm.sh create clients -r MyRealm -s clientId=mc-client -s enabled=true -s directAccessGrantsEnabled=true -s publicClient=true

Hashicorp-vault userpass authentication

I am trying to use Hashicorp vault for storing secrets for service accounts username and passwords --- I am following this link https://www.vaultproject.io/docs/auth/userpass.html to create the user name and password.
My question here is that here as per this example I am specifying the password "foo" when i curl this from any ec2 instances, as part of automations, so we want to automated this and codes will come from git:
curl \
--request POST \
--data '{"password": "foo"}' \
http://10.10.218.10:8200/v1/auth/userpass/login/mitchellh
Our policy is that we should NOT store any password in git... How do I run this curl and get authenticated to vault without specify the password for the user? is this possible?

Why you don't want to use aws-auth-method?
Also, if you are sure to want to use password authentication I think you can do something like this:
Generate user/password in the Vault, store user passwords in the Vault and set a policy to allow reading specific user password for specific ec2-instance (EC2 auth method);
In the ec2-instance run consul-template which will authenticate in the Vault with an ec2-instance role;
This consul-template will generate curl command with specific user name and password
Use this command

Elasticsearch Shield Plugin - Users can not be authenticated, even users with Admin Privileges

I'm having an issue with the Shield plugin for Elasticsearch. I have installed elasticsearch so that it runs as a service, and I can see that it is running on port 9200.
If I enter curl http://localhost:9200 in my Mac terminal I get the correct elasticsearch output...
Recently I have been trying to upgrade from basic authentication to shield authentication. I installed shield and license using the following commands:
/usr/share/elasticsearch/bin/plugin install license/latest
/usr/share/elasticsearch/bin/plugin install shield/latest
This successfull installs shield and license plugins. They are contained within my /usr/share/elasticsearch/plugins directory on my Vagrant box.
So, now if I try to use curl -XGET http://localhost:9200 again, I get the following response:
{"error":{"root_cause":[{"type":"security_exception","reason":"missing
authentication token for REST request
[/]","header":{"WWW-Authenticate":"Basic
realm=\"shield\""}}],"type":"security_exception","reason":"missing
authentication token for REST request
[/]","header":{"WWW-Authenticate":"Basic
realm=\"shield\""}},"status":401}
This is good. I can not reach elasticsearch without proper authentication. So now I want to create a user to authenticate to elasticsearch. I use the command:
sudo ./esusers useradd testuser -p password -r admin
This creates a user 'testuser' with password 'password' with admin privileges.
I can verify that this user has been created using the following command:
sudo ./esusers list
This returns:
testuser : admin
So I now try to run the curl command again with this user:
curl -u testuser:password -XGET http://localhost:9200
But I get the same error message as before when I tried without the admin user.
What is the issue here? Why is my admin user not authenticating?

You said that your verified the user is created using sudo ./esusers list but still the curl command fails. Chances are that you are using custom directory for elasticsearch even though the home dir is /usr/share/elasticsearch. And due to this, the esusers creates the users in /etc/elasticsearch/shield/ directory but they need to be copied to the custom dir, in case you are using one.
I know you've solved this differently but I'm answering this in the hope that it helps someone else in future. Can you confirm regarding the custom dir? For e.g in my case, the custom dir was /data/elasticsearch and the home dir was /usr/share/elasticsearch