Xpack security troubles

Hi guys,

I have installed graylog-server 4.3.5-1 on Debian 11.4 as well as elasticsearch 7.17.5

When I run the setup without uncommenting
#xpack.security.enabled: true
I get these here warnings in logs:
Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See (link obfuscated) /guide/en/elasticsearch/reference/7.17/security-minimal-setup.html to enable security."]

So I decided to try to enable xpack security and did the following to try to achieve that:

I uncommented “#xpack.security.enabled: true” in /etc/elasticsearch/elasticsearch.yml

I ran “./bin/elasticsearch-setup-passwords auto” to set passwords for built-in users.

I created the following role:

{
  "graylog_role" : {
    "cluster" : [
      "monitor",
      "manage",
      "all"
    ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "all"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

and lastly I created the following user:

{
  "myelasticuser" : {
    "username" : "myelasticuser",
    "roles" : [
      "graylog_role"
    ],
    "full_name" : "elastic graylog user",
    "email" : "emailaddress@example.com",
    "metadata" : {
      "intelligence" : 1
    },
    "enabled" : true
  }
}

Now I get the following in logs:

ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node 127.0.0.1:9200: Error response: type: security_exception - reason: action [cluster:monitor/main] is unauthorized for user [myelasticuser] with roles [all,monitor,manage], this action is granted by the cluster privileges [monitor,manage,all]

and nothing works.

Am I missing a step?
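A small added check, written for this thread and not taken from the post, Graylog or Elasticsearch, that takes the role and user definitions above (with the two empty arrays the forum formatting dropped restored as []) and parses the security_exception line into the action, the user and the roles the cluster reports. The privilege-to-action table is a reduced assumption, not the full Elasticsearch privilege list. Run on the post's own data, it reports that the user was defined with graylog_role while the cluster reports roles all, monitor and manage, which is the mismatch worth chasing before changing anything else:

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample input, copied from the post: the role, the user and the
# Graylog log line. The empty arrays lost to forum formatting are restored as [].
ROLES_JSON = """
{
  "graylog_role": {
    "cluster": ["monitor", "manage", "all"],
    "indices": [{"names": ["*"], "privileges": ["all"],
                 "allow_restricted_indices": false}],
    "applications": [],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {"enabled": true}
  }
}
"""
USERS_JSON = """
{
  "myelasticuser": {
    "username": "myelasticuser",
    "roles": ["graylog_role"],
    "full_name": "elastic graylog user",
    "email": "emailaddress@example.com",
    "metadata": {"intelligence": 1},
    "enabled": true
  }
}
"""
ERROR_LINE = (
    "ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node "
    "127.0.0.1:9200: Error response: type: security_exception - reason: action "
    "[cluster:monitor/main] is unauthorized for user [myelasticuser] with roles "
    "[all,monitor,manage], this action is granted by the cluster privileges "
    "[monitor,manage,all]"
)

# Assumption: a reduced table of which action-name patterns each cluster
# privilege covers. The real Elasticsearch lists are longer; only the entries
# needed for the three privileges used in the post are included.
CLUSTER_PRIVILEGE_ACTIONS = {
    "all": ["cluster:*", "indices:*"],
    "monitor": ["cluster:monitor/*"],
    "manage": ["cluster:monitor/*", "cluster:admin/*"],
}

SECURITY_EXCEPTION_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user "
    r"\[(?P<user>[^\]]+)\] with roles \[(?P<roles>[^\]]*)\]"
)


def load_samples():
    """Parse the constructed sample role and user definitions."""
    return json.loads(ROLES_JSON), json.loads(USERS_JSON)


def parse_security_exception(line):
    """Return {'action', 'user', 'roles'} from a security_exception line, or None."""
    m = SECURITY_EXCEPTION_RE.search(line)
    if not m:
        return None
    roles = [r for r in m.group("roles").split(",") if r]
    return {"action": m.group("action"), "user": m.group("user"), "roles": roles}


def role_grants_action(role_def, action):
    """True if any cluster privilege in the role definition covers the action."""
    for priv in role_def.get("cluster", []):
        for pattern in CLUSTER_PRIVILEGE_ACTIONS.get(priv, []):
            if fnmatchcase(action, pattern):
                return True
    return False


def diagnose(roles, users, line):
    """Compare what the cluster reported with what the operator defined."""
    parsed = parse_security_exception(line)
    if parsed is None:
        return ["not a security_exception line"]
    user = users.get(parsed["user"])
    if user is None:
        return [f"user {parsed['user']} is not among the defined users"]
    findings = []
    intended = set(user.get("roles", []))
    reported = set(parsed["roles"])
    if intended != reported:
        findings.append(
            f"role mismatch: user {parsed['user']} was defined with roles "
            f"{sorted(intended)} but the cluster reports {sorted(reported)}"
        )
    for name in sorted(reported):
        if name not in roles:
            findings.append(f"reported role {name} has no role definition")
    for name in sorted(intended):
        if name in roles and role_grants_action(roles[name], parsed["action"]):
            findings.append(
                f"defined role {name} does grant {parsed['action']}; the user "
                "in the cluster is not carrying that role"
            )
    return findings


if __name__ == "__main__":
    sample_roles, sample_users = load_samples()
    for finding in diagnose(sample_roles, sample_users, ERROR_LINE):
        print(finding)
```

The point of the check is that the log line already names the roles the cluster actually attached to the user, so comparing them against the user definition you meant to apply separates "wrong privileges in the role" from "wrong roles on the user" without touching the cluster.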

First issue noted right away: Graylog only supports up to Elasticsearch 7.10.2, so your 7.17.5 installation may cause all sorts of issues, including possibly the one you are having with configuration. Further, Graylog is moving away from Elasticsearch entirely due to licensing and configuration issues (with anything beyond 7.10.2) and is moving to OpenSearch 1.x (Graylog is not currently compatible with OpenSearch 2.x).

So if at all possible I would start by moving to OpenSearch 1.3 (current in compatibility) and then work on security for your installation from there (I haven’t researched if xpack is the right choice or even possible with Opensearch yet… but I will)


Hello,
Adding on to @tmacgbay

In the past, when using OpenDistro for Elasticsearch (i.e., version 7.10), I was able to use the security feature, but with Elastic’s Elasticsearch I was unable to; perhaps it was the settings or a license issue.


Thank you very much for your extremely useful and knowledgeable reply. We will reconsider our options.
