mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-02-06 21:18:31 +00:00
18103fae7f
The 6.x and 6.0 versions of the documentation show

```yml
transport.profiles.client.xpack.security.ssl.client_authentication: no
```

Which results in

```
[2017-11-22T11:13:33,225][ERROR][org.elasticsearch.bootstrap.Bootstrap] Exception
java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.XPackPlugin]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:452) ~[elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:392) ~[elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:142) ~[elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.node.Node.<init>(Node.java:302) ~[elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.node.Node.<init>(Node.java:245) ~[elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:322) [elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:130) [elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:121) [elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:69) [elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:134) [elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.0.0.jar:6.0.0]
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_144]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443) ~[elasticsearch-6.0.0.jar:6.0.0]
    ... 14 more
Caused by: java.lang.IllegalArgumentException: could not resolve ssl client auth. unknown value [no]
    at org.elasticsearch.xpack.ssl.SSLClientAuth.parse(SSLClientAuth.java:78) ~[?:?]
    at org.elasticsearch.xpack.ssl.SSLConfigurationSettings.lambda$null$27(SSLConfigurationSettings.java:183) ~[?:?]
    at org.elasticsearch.common.settings.Setting.get(Setting.java:352) ~[elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.common.settings.Setting.get(Setting.java:346) ~[elasticsearch-6.0.0.jar:6.0.0]
    at org.elasticsearch.xpack.ssl.SSLConfiguration.<init>(SSLConfiguration.java:80) ~[?:?]
    at org.elasticsearch.xpack.ssl.SSLService.lambda$loadSSLConfigurations$1(SSLService.java:462) ~[?:?]
    at java.util.ArrayList.forEach(ArrayList.java:1249) ~[?:1.8.0_144]
    at org.elasticsearch.xpack.ssl.SSLService.loadSSLConfigurations(SSLService.java:461) ~[?:?]
    at org.elasticsearch.xpack.ssl.SSLService.<init>(SSLService.java:87) ~[?:?]
    at org.elasticsearch.xpack.XPackPlugin.<init>(XPackPlugin.java:237) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_144]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443) ~[elasticsearch-6.0.0.jar:6.0.0]
    ... 14 more
```

I think the valid value there is `none`, so

```yml
transport.profiles.client.xpack.security.ssl.client_authentication: none
```

The tests seem to confirm that: https://github.com/elastic/x-pack-elasticsearch/blob/elastic/x-pack-elasticsearch@4860e92d906e046a23aa07b39ee6ef637f011dc1/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLServiceTests.java#L269

Original commit: elastic/x-pack-elasticsearch@a35b3ac8c9
66 lines
2.9 KiB
Plaintext
[[separating-node-client-traffic]]
=== Separating node-to-node and client traffic

Elasticsearch has a feature called {ref}/modules-transport.html#_tcp_transport_profiles[TCP transport profiles]
that allows it to bind to several ports and addresses. {security} builds on this
functionality to enhance the security of the cluster by enabling the separation
of node-to-node transport traffic from client transport traffic. This is important
if the client transport traffic is not trusted and could potentially be malicious.
To separate the node-to-node traffic from the client traffic, add the following
to `elasticsearch.yml`:

[source, yaml]
--------------------------------------------------
transport.profiles.client: <1>
    port: 9500-9600 <2>
    xpack.security:
      type: client <3>
--------------------------------------------------
<1> `client` is the name of this example profile
<2> The port range that will be used by transport clients to communicate with
this cluster
<3> Categorizes the profile as a `client`. This adds security filters that deny
requests for internal cluster operations (e.g. shard-level actions and ping
requests) arriving on this profile.

If supported by your environment, an internal network can be used for node-to-node
traffic and a public network can be used for client traffic by adding the following
to `elasticsearch.yml`:

[source, yaml]
--------------------------------------------------
transport.profiles.default.bind_host: 10.0.0.1 <1>
transport.profiles.client.bind_host: 1.1.1.1 <2>
--------------------------------------------------
<1> The bind address for the network that will be used for node-to-node communication
<2> The bind address for the network used for client communication

If separate networks are not available, then <<ip-filtering, IP Filtering>> can
be enabled to limit access to the profiles.

When using SSL for transport, a different set of certificates can also be used
for the client traffic by adding the following to `elasticsearch.yml`:

[source, yaml]
--------------------------------------------------
transport.profiles.client.xpack.security.ssl.truststore:
   path: /path/to/another/truststore
   password: x-pack-test-password

transport.profiles.client.xpack.security.ssl.keystore:
   path: /path/to/another/keystore
   password: x-pack-test-password
--------------------------------------------------

To change the default behavior, which requires certificates from transport clients,
set the following value in the `elasticsearch.yml` file:

[source, yaml]
--------------------------------------------------
transport.profiles.client.xpack.security.ssl.client_authentication: none
--------------------------------------------------

This setting keeps certificate authentication active for node-to-node traffic,
but removes the requirement to distribute a signed certificate to transport
clients. See the <<transport-client, Transport Client>> section.
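As an added example (not part of the commit or of the x-pack documentation), a small Python checker that flattens the `elasticsearch.yml` fragments above into dotted settings and flags the issues this page is about: a missing or untyped `client` profile, an invalid `client_authentication` value such as the `no` the 6.0 docs showed, and client and node-to-node profiles that share a bind address. The configuration strings are constructed from the page's fragments, and the set of accepted `client_authentication` values (`none`, `optional`, `required`) is assumed from the x-pack `SSLClientAuth` setting rather than stated on this page.

```python
import re
# Values the x-pack client_authentication setting accepts (assumed; the 6.0 docs wrongly showed `no`).
VALID_CLIENT_AUTH = {"none", "optional", "required"}

# Constructed from the fragments on this page; not any real cluster's elasticsearch.yml.
GOOD_CONFIG = """
transport.profiles.default.bind_host: 10.0.0.1
transport.profiles.client: <1>
    port: 9500-9600 <2>
    bind_host: 1.1.1.1
    xpack.security:
      type: client <3>
transport.profiles.client.xpack.security.ssl.client_authentication: none
"""
# The same fragment with the invalid value that made XPackPlugin fail to load.
BAD_CONFIG = GOOD_CONFIG.replace("client_authentication: none", "client_authentication: no")

def flatten(yaml_text):
    """Flatten an indented YAML fragment (scalars only) into dotted setting keys; <n> callouts and # comments are dropped."""
    settings, stack = {}, []  # stack: (indent, key) of mapping nodes still open
    for raw in yaml_text.splitlines():
        line = re.sub(r"\s*<\d+>\s*$", "", raw.split("#", 1)[0]).rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave nodes at the same or a deeper indent
            stack.pop()
        full = ".".join([k for _, k in stack] + [key])
        if value.strip():
            settings[full] = value.strip()
        else:
            stack.append((indent, key))
    return settings

def check_profiles(settings):
    """Return findings about how node-to-node and client traffic are separated."""
    findings, p = [], "transport.profiles.client."
    if not any(k.startswith(p) for k in settings):
        return ["no 'client' transport profile: clients share the node-to-node profile"]
    if settings.get(p + "xpack.security.type") != "client":
        findings.append("client profile lacks xpack.security.type: client; internal actions are not filtered")
    auth = settings.get(p + "xpack.security.ssl.client_authentication")
    if auth is not None and auth not in VALID_CLIENT_AUTH:
        findings.append(f"client_authentication={auth!r} is not one of {sorted(VALID_CLIENT_AUTH)}; the node will not start")
    # Same (or equally unset) bind address means both kinds of traffic share a network.
    if settings.get("transport.profiles.default.bind_host") == settings.get(p + "bind_host"):
        findings.append("default and client profiles bind the same address; enable IP filtering")
    return findings
```

Running `check_profiles(flatten(GOOD_CONFIG))` returns no findings, while the `no` variant produces one finding pointing at the value the stack trace in the commit message rejects.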