elastic/ansible-elasticsearch

Can't connect to the cluster to activate the licence when updating API User Password

HugoPuntos opened this issue · 17 comments

Hi,

I think there is an issue to activate the licence when overriding the password for the elastic user by setting a value to native_users[es_api_basic_auth_username].password.

Before I go any further, I want to recall the task order for the xpack part:

--> main.yml
----> elasticsearch-xpack.yml --> elasticsearch-security.yml --> elasticsearch-security-file.yml
----> elasticsearch-xpack-activation.yml
----> elasticsearch-security-native.yml

First time the playbook is run, it works because the task overriding the password of the elastic user is played after the one that activates the licence.

The second time the playbook is run, the elastic password has changed (https://github.com/elastic/ansible-elasticsearch/blob/master/tasks/xpack/security/elasticsearch-security-native.yml#L52) and it's not possible for the user to connect to the cluster with the keystore password (https://github.com/elastic/ansible-elasticsearch/blob/master/tasks/xpack/security/elasticsearch-xpack-activation.yml#L2).

I think es_api_basic_auth_username should be set to native_users[es_api_basic_auth_username].password as it's done in https://github.com/elastic/ansible-elasticsearch/blob/master/tasks/xpack/security/elasticsearch-security-native.yml#L64.

Before doing anything to fix this issue, I would like to have some kind of a confirmation that it's not the expected behaviour, I may be missing something.

Thanks for your help,

That's a good point, in the tests the es_api_basic_auth_password is altered to match the new value:

es_api_basic_auth_password: changeme
es_api_basic_auth_password: elasticChanged

We could use a block/rescue to handle the error and try with the native password...

       TASK [elasticsearch : Activate ES trial license (with security authentication)] ***
       fatal: [localhost]: FAILED! => {"changed": false, "content": "{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"failed to authenticate user [elastic]\",\"header\":{\"WWW-Authenticate\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}}],\"type\":\"security_exception\",\"reason\":\"failed to authenticate user [elastic]\",\"header\":{\"WWW-Authenticate\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}},\"status\":401}", "content_length": "345", "content_type": "application/json; charset=UTF-8", "elapsed": 0, "json": {"error": {"header": {"WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""}, "reason": "failed to authenticate user [elastic]", "root_cause": [{"header": {"WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""}, "reason": "failed to authenticate user [elastic]", "type": "security_exception"}], "type": "security_exception"}, "status": 401}, "msg": "Status code was 401 and not [200, 403]: HTTP Error 401: Unauthorized", "redirected": false, "status": 401, "url": "http://localhost:9200/_license/start_trial?acknowledge=true", "www_authenticate": "Basic realm=\"security\" charset=\"UTF-8\""}

       TASK [elasticsearch : Activate ES trial license (with native security authentication)] ***
       ok: [localhost]

       TASK [elasticsearch : Trial license] *******************************************
       ok: [localhost] => {
           "msg": {
               "changed": false,
               "content": "{\"acknowledged\":true,\"trial_was_started\":false,\"error_message\":\"Operation failed: Trial was already activated.\"}",
               "content_length": "112",
               "content_type": "application/json; charset=UTF-8",
               "elapsed": 0,
               "failed": false,
               "json": {
                   "acknowledged": true,
                   "error_message": "Operation failed: Trial was already activated.",
                   "trial_was_started": false
               },
               "msg": "HTTP Error 403: Forbidden",
               "redirected": false,
               "status": 403,
               "url": "http://localhost:9200/_license/start_trial?acknowledge=true"
           }
       }
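
The block/rescue fallback suggested in the comment above, written out as an added example; it is not the role's own task file. It retries with the native-realm password only when the first attempt returned 401, so connection errors and other failures are not masked by the rescue. The `license_url` variable name and the values under `vars` are constructed for illustration; the task names, URL and accepted status codes are taken from the log output above.

```yaml
# Added example (not from the role). Values under vars are constructed.
- hosts: localhost
  gather_facts: false
  vars:
    es_api_basic_auth_username: elastic
    es_api_basic_auth_password: changeme      # password that works on the first run
    native_users:
      elastic:
        password: elasticChanged              # password set later by the native-realm task
    # hypothetical variable name; URL as it appears in the log above
    license_url: "http://localhost:9200/_license/start_trial?acknowledge=true"
  tasks:
    - name: Activate trial license, falling back to the native password
      block:
        - name: Activate ES trial license (with security authentication)
          uri:
            method: POST
            url: "{{ license_url }}"
            user: "{{ es_api_basic_auth_username }}"
            password: "{{ es_api_basic_auth_password }}"
            force_basic_auth: true
            return_content: true
            status_code: [200, 403]           # 403 = trial was already activated
          register: license_activated
      rescue:
        # Only an authentication failure justifies trying the other password.
        - name: Re-raise anything that is not an authentication failure
          fail:
            msg: "License activation failed with status {{ license_activated.status | default('unknown') }}"
          when: license_activated.status | default(0) != 401

        - name: Activate ES trial license (with native security authentication)
          uri:
            method: POST
            url: "{{ license_url }}"
            user: "{{ es_api_basic_auth_username }}"
            password: "{{ native_users[es_api_basic_auth_username].password }}"
            force_basic_auth: true
            return_content: true
            status_code: [200, 403]
          register: license_activated

    - name: Trial license
      debug:
        msg: "{{ license_activated }}"
```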

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

jmlrt commented

still valid

This issue has been automatically closed because it has not had recent activity since being marked as stale.