elastic/ansible-elasticsearch

elasticsearch-security-native.yml use http to contact Elasticsearch

qguang opened this issue · 4 comments

Describe the feature:
N/A

Elasticsearch version
In Task - elasticsearch-security-native.yml, there are several tasks using http protocol to contact newly set up ElasticSearch. However, if we set xpack.security.enabled: true and configure certificate properly, the newly created ElasticSearch will use https to serve.
The url should be conditional:
`url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user`
Error as below:

```
TASK [elastic.elasticsearch : List Native Users] *********************************************************************************************************************************************************************************************
fatal: [single_node]: FAILED! => {"changed": false, "content": "", "elapsed": 0, "msg": "Status code was -1 and not [200]: Connection failure: connection was closed before a valid response was received: ''", "redirected": false, "status": -1, "url": "http://localhost:9200/_xpack/security/user"}
```

Role version: (If using master please specify github sha)

JVM version (java -version):
N/A
OS version (uname -a if on a Unix-like system):
N/A
Description of the problem including expected versus actual behaviour:
N/A
Playbook:
Please specify the full playbook used to reproduce this issue.
N/A
Provide logs from Ansible:
N/A
ES Logs if relevant:
N/A

Just an update. I made a temporary change by

  1. using https
  2. validate_certs: no (because I use a self-signed certificate)

```yaml
# Delete all non required users NOT inc. reserved
- name: Delete Native Users
  uri:
    url: https://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}
    method: DELETE
    status_code: 200
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
    validate_certs: no
  when: manage_native_users
  with_items: "{{ users_to_remove | default([]) }}"
```

jmlrt commented

Hi @qguang, there is no task hardcoded with http urls in elasticsearch-security-native.yml.
I suspect you are using an old version of this Ansible role which wasn't compatible with TLS and encourage you to update to the 7.5.1 version of the role to benefit from TLS.

Thanks, I downloaded from `ansible-galaxy install elastic.elasticsearch`.
It must be an older version. Thanks.

jmlrt commented

I'm closing the issue since it seems to be solved for you, don't hesitate to reopen it if you have any questions.
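
For readers still on a role version that predates TLS support, the workaround in this thread can be written so the scheme is conditional and certificate verification stays on by trusting the private CA explicitly. This is an added example, not code from the role or from the thread's participants; `es_http_tls_enabled`, `es_ca_cert_path` and `es_api_scheme` are hypothetical variable names and the CA path is constructed.

```yaml
---
# Added example, not the role's own tasks.
# Hypothetical variables: es_http_tls_enabled, es_ca_cert_path, es_api_scheme.
- name: Manage native users over the scheme Elasticsearch serves
  hosts: single_node
  gather_facts: false
  vars:
    es_api_host: localhost
    es_api_port: 9200
    es_http_tls_enabled: true                         # hypothetical toggle
    es_ca_cert_path: /etc/elasticsearch/certs/ca.pem  # constructed path
    es_api_scheme: "{{ 'https' if es_http_tls_enabled | bool else 'http' }}"
    manage_native_users: true
    users_to_remove: []
    # es_api_basic_auth_username / es_api_basic_auth_password are expected
    # from inventory or Ansible Vault, not from this file.
  tasks:
    - name: List Native Users
      ansible.builtin.uri:
        url: "{{ es_api_scheme }}://{{ es_api_host }}:{{ es_api_port }}/_xpack/security/user"
        method: GET
        status_code: 200
        user: "{{ es_api_basic_auth_username }}"
        password: "{{ es_api_basic_auth_password }}"
        force_basic_auth: true
        # Keep verification on and trust the private CA explicitly.
        # ca_path needs ansible-core 2.11 or later.
        validate_certs: true
        ca_path: "{{ es_ca_cert_path if es_http_tls_enabled | bool else omit }}"
      register: user_list_response
      when: manage_native_users

    # Delete all non required users NOT inc. reserved
    - name: Delete Native Users
      ansible.builtin.uri:
        url: "{{ es_api_scheme }}://{{ es_api_host }}:{{ es_api_port }}/_xpack/security/user/{{ item }}"
        method: DELETE
        status_code: 200
        user: "{{ es_api_basic_auth_username }}"
        password: "{{ es_api_basic_auth_password }}"
        force_basic_auth: true
        validate_certs: true
        ca_path: "{{ es_ca_cert_path if es_http_tls_enabled | bool else omit }}"
      when: manage_native_users
      with_items: "{{ users_to_remove | default([]) }}"
```

With `validate_certs: no`, the basic-auth credentials are sent to whatever endpoint answers on that host and port; pinning the CA keeps the TLS session authenticated while still working with a certificate that no public CA issued.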