elastic/ansible-elasticsearch

Basic Authentication not working/unclear in readme

rdvansloten opened this issue · 4 comments

Attempting to install a cluster using authentication, but the readme is very unclear on what to set. Taking the vars listed in the readme just keeps failing. I've seen a similar issue on here, but his request wasn't replied to and auto-closed.

Are es_api_basic_auth_username and es_api_basic_auth_password creating credentials, or do they require existing ones? It's very confusing.

Elasticsearch version

Role version: 50321df

OS version: Linux elastic01 5.0.0-1027-azure #29~18.04.1-Ubuntu SMP Mon Nov 25 21:18:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Description of the problem including expected versus actual behaviour:

Playbook:
Please specify the full playbook used to reproduce this issue.

- hosts: master_nodes
  roles:
    - role: elastic.elasticsearch
  vars:
    es_heap_size: "{{ heap_size }}"
    es_config:
      cluster.name: "{{ cluster_name }}"
      cluster.initial_master_nodes: "elastic01:9300"
      discovery.seed_hosts: "elastic01:9300"
      http.port: 9200
      node.data: false
      node.master: true
      bootstrap.memory_lock: false
      network.host: somehost
    es_plugins:
     - plugin: ingest-attachment
    es_xpack_features: ["alerting","monitoring","graph","security","ml"]
    es_api_basic_auth_username: myuser
    es_api_basic_auth_password: somepassword
    es_version: 7.5.1
    es_users:
      native:
        myuser:
          password: somepassword
          roles:
            - admin

Provide logs from Ansible:

TASK [elastic.elasticsearch : List Native Users] **************************************************************************************
fatal: [52.174.17.225]: FAILED! => {"changed": false, "content": "{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"failed to authenticate user [myuser]\",\"header\":{\"WWW-Authenticate\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}}],\"type\":\"security_exception\",\"reason\":\"failed to authenticate user [myuser]\",\"header\":{\"WWW-Authenticate\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}},\"status\":401}", "content_length": "345", "content_type": "application/json; charset=UTF-8", "elapsed": 0, "json": {"error": {"header": {"WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""}, "reason": "failed to authenticate user [myuser]", "root_cause": [{"header": {"WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""}, "reason": "failed to authenticate user [myuser]", "type": "security_exception"}], "type": "security_exception"}, "status": 401}, "msg": "Status code was 401 and not [200]: HTTP Error 401: Unauthorized", "redirected": false, "status": 401, "url": "http://localhost:9200/_security/user", "www_authenticate": "Basic realm=\"security\" charset=\"UTF-8\""}

jmlrt commented

Hi @rdvansloten,
The es_api_basic_auth_username and es_api_basic_auth_password variables are creating credentials.

You don't need to set es_users.native.myuser for this user.

This configuration should work:

- hosts: master_nodes
  roles:
    - role: elastic.elasticsearch
  vars:
    es_heap_size: "{{ heap_size }}"
    es_config:
      cluster.name: "{{ cluster_name }}"
      cluster.initial_master_nodes: "elastic01:9300"
      discovery.seed_hosts: "elastic01:9300"
      http.port: 9200
      node.data: false
      node.master: true
      bootstrap.memory_lock: false
      network.host: somehost
    es_plugins:
     - plugin: ingest-attachment
    es_xpack_features: ["alerting","monitoring","graph","security","ml"]
    es_api_basic_auth_username: myuser
    es_api_basic_auth_password: somepassword
    es_version: 7.5.1

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

jmlrt commented

I'm closing this issue and we'll track the authentication doc improvements in #662.

After testing many times on building an ES cluster, I found that the es_api_basic_auth_username should be set as a fixed value elastic. Otherwise, the installation will fail.
https://github.com/elastic/ansible-elasticsearch/blob/master/tasks/xpack/security/elasticsearch-security.yml#L33

Also, based on the official document, SSL/TLS for internode communication is required if you would like to turn on XPack security. There is no way to set basic auth only without turning TLS on.
So the configs will look like:

es_enable_xpack: true
es_xpack_features:
  - security
es_enable_transport_ssl: true

# and of course the variables below have to be set properly
es_ssl_verification_mode: "certificate"
es_ssl_certificate_path: "/etc/elasticsearch"
es_ssl_keystore: "<proper_value_here>"
es_ssl_truststore: "<proper_value_here>"
es_ssl_keystore_password: "<proper_value_here>"
es_ssl_truststore_password: "<proper_value_here>"

The ES version I'm working on was es_version: 6.8.
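
The following pre-flight check is an added example, not part of the thread and not code from the role. It lints a dict of role variables against the three points raised above: the maintainer's note that the API user needs no es_users.native entry, and the last comment's reports that the API username must be elastic and that transport TLS must be on. The function name, rule ids and sample values are assumptions made for illustration.

```python
# Added example, not code from the role: each rule encodes a statement made in this thread.
def lint_auth_vars(role_vars):
    """Return (rule_id, message) findings for a dict of role variables."""
    findings = []
    if "security" not in (role_vars.get("es_xpack_features") or []):
        return findings  # the thread only covers setups with security enabled
    api_user = role_vars.get("es_api_basic_auth_username")
    native_users = (role_vars.get("es_users") or {}).get("native") or {}

    # Maintainer reply: the API user does not need an es_users.native entry.
    if api_user in native_users:
        findings.append(("api-user-redeclared",
                         f"drop es_users.native.{api_user}; the API user is not declared there"))
    # Last comment (reported on es_version 6.8): install fails unless the user is 'elastic'.
    if api_user != "elastic":
        findings.append(("api-user-not-elastic",
                         "es_api_basic_auth_username is not 'elastic'"))
    # Last comment: security requires TLS on the transport layer.
    if not role_vars.get("es_enable_transport_ssl", False):
        findings.append(("transport-tls-off",
                         "security is enabled but es_enable_transport_ssl is not true"))
    return findings


# Constructed inputs: the auth-related variables of the three configurations in the thread.
ISSUE_VARS = {
    "es_xpack_features": ["alerting", "monitoring", "graph", "security", "ml"],
    "es_api_basic_auth_username": "myuser",
    "es_api_basic_auth_password": "somepassword",
    "es_users": {"native": {"myuser": {"password": "somepassword", "roles": ["admin"]}}},
}
MAINTAINER_VARS = {k: v for k, v in ISSUE_VARS.items() if k != "es_users"}
LAST_COMMENT_VARS = {
    "es_xpack_features": ["security"],
    "es_enable_transport_ssl": True,
    "es_api_basic_auth_username": "elastic",
    "es_api_basic_auth_password": "<placeholder>",
}

if __name__ == "__main__":
    for name in ("ISSUE_VARS", "MAINTAINER_VARS", "LAST_COMMENT_VARS"):
        print(name, [rule for rule, _ in lint_auth_vars(globals()[name])])
```

The maintainer's suggested configuration still trips the two rules taken from the last comment, which is the disagreement the thread leaves open.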