Facing issues with Opendistro Security Plugin

Hello,

I’m a naïve user of Opendistro for ElasticSearch. I had recently installed a 7 Node Elastic Cluster by disabling security (“opendistro_security.disabled: true” in the elasticsearch config file). I was getting an “opendistro security not initialized” error when I tried to query the cluster earlier, so I tried disabling security and I was able to query the cluster. Now that I wanted to explore LDAP and AD integration, in order to run the securityadmin script, I tried to change security.disabled to false, but the moment I change it, the node goes out of the cluster and the securityadmin script is not able to connect to the Elastic cluster and times out.

I wanted to understand how to enable the opendistro security setting and integrate with MS AD. Kindly help.

Thanks,
Prakash

Hi @prakash88, the behaviour of the node leaving the cluster is expected, as there is no security set up on the rest of the nodes, therefore they cannot communicate with this node. The nodes need to share the root-ca.pem file, which is specified in the elasticsearch.yml file with the option:

opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem

The node certificates specified on the individual nodes can be the same, although obviously the recommendation for prod is to use certs specific to the nodes. These certs are specified in the same file using the lines below:

opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem

For testing you can run a docker-compose with odfe and extract the generated admin, node and root certs after default security install.

The most straightforward approach would be to create a new cluster with security enabled.

The complete elasticsearch.yml files on each node should look something like this:

cluster.name: "test_cluster"
network.host: 0.0.0.0
node.name: "odfe-node1"
discovery.seed_hosts: [ "odfe-node1", "odfe-node2"]
cluster.initial_master_nodes: ["odfe-node1","odfe-node2"]
bootstrap.memory_lock: true
######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
   - CN=kirk,OU=client,O=client,L=test, C=de

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
opendistro_security.system_indices.enabled: true
opendistro_security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
######## End OpenDistro for Elasticsearch Security Demo Configuration ########

If you are using the old cluster, the nodes then need to be restarted and should form a cluster.
This cluster can then be integrated with LDAP.
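The two failure modes in this thread (one node with the plugin disabled while the others run TLS, and nodes that do not agree on the root CA file) can be caught before a restart by linting the elasticsearch.yml files. The script below is an added example, not part of the thread or of Open Distro's own tooling. It embeds the security block of the elasticsearch.yml posted in the answer (trimmed to the keys it reads, values unchanged) plus a constructed, hypothetical seventh node left the way the question describes; the checks and function names are this example's own, and matching CA file names are only a first check, since the file contents on every node must match as well.

```python
"""Lint Open Distro security settings across a cluster's elasticsearch.yml files.
Added example for this thread, not Open Distro's own tooling."""
import json

# Constructed sample: the security block of the elasticsearch.yml posted in the
# answer above, trimmed to the keys these checks read (values unchanged).
NODE1_YML = """
cluster.name: "test_cluster"
node.name: "odfe-node1"
# WARNING: revise all the lines below before you go into production
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.authcz.admin_dn:
   - CN=kirk,OU=client,O=client,L=test, C=de
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
"""

# Constructed sample: a hypothetical seventh node still configured the way the
# question describes, with the security plugin switched off.
NODE7_YML = """
cluster.name: "test_cluster"
node.name: "odfe-node7"
opendistro_security.disabled: true
"""

TRANSPORT = "opendistro_security.ssl.transport."


def _coerce(value):
    """Turn a scalar from elasticsearch.yml into bool, number, list or str."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    try:
        return json.loads(value)  # quoted strings, numbers, inline lists
    except ValueError:
        return value              # bare strings such as esnode.pem


def parse_flat_yaml(text):
    """Parse the flat 'key: value' style of elasticsearch.yml, including the
    indented '- item' block list used for admin_dn. Not a general YAML parser."""
    settings, list_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and list_key is not None:
            settings[list_key].append(line[2:].strip().strip('"'))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value:
            list_key, settings[key] = None, _coerce(value)
        else:                     # a bare 'key:' opens a block list
            list_key, settings[key] = key, []
    return settings


def lint_node(settings, production=False):
    """Return findings for one node; production=True adds hardening checks."""
    findings = []
    if settings.get("opendistro_security.disabled") is True:
        findings.append("security plugin disabled: node cannot join a TLS cluster "
                        "and securityadmin.sh cannot reach it")
    for key in ("pemcert_filepath", "pemkey_filepath", "pemtrustedcas_filepath"):
        if TRANSPORT + key not in settings:
            findings.append(f"missing {TRANSPORT}{key}")
    if settings.get("opendistro_security.ssl.http.enabled") is not True:
        findings.append("REST layer TLS not enabled (opendistro_security.ssl.http.enabled)")
    if not settings.get("opendistro_security.authcz.admin_dn"):
        findings.append("no admin_dn: securityadmin.sh has no DN to authenticate as")
    if production:
        if settings.get("opendistro_security.allow_unsafe_democertificates") is True:
            findings.append("demo certificates still allowed; replace before production")
        if settings.get(TRANSPORT + "enforce_hostname_verification") is False:
            findings.append("transport hostname verification disabled")
    return findings


def lint_cluster(nodes):
    """Cross-node checks over {node_name: settings}: every node must have the plugin
    enabled and trust the same root CA (same file name is a first check only)."""
    findings = []
    cas = {n: s.get(TRANSPORT + "pemtrustedcas_filepath") for n, s in nodes.items()}
    if len(set(cas.values())) > 1:
        findings.append(f"nodes disagree on the trusted CA file: {cas}")
    disabled = [n for n, s in nodes.items() if s.get("opendistro_security.disabled") is True]
    if disabled and len(disabled) < len(nodes):
        findings.append(f"mixed cluster: security disabled on {disabled}; "
                        "these nodes cannot talk to the secured ones")
    return findings


if __name__ == "__main__":
    nodes = {"odfe-node1": parse_flat_yaml(NODE1_YML), "odfe-node7": parse_flat_yaml(NODE7_YML)}
    for name, s in nodes.items():
        print(name, lint_node(s, production=True))
    print("cluster", lint_cluster(nodes))
```

Run against the two embedded samples, the first node passes the test-cluster checks and only picks up the two production warnings the demo configuration's own comment points at (demo certificates, hostname verification off), while the disabled seventh node and the cluster-level mismatch are reported as the reason that node drops out and securityadmin.sh times out. To use it on a real cluster, read each node's elasticsearch.yml into the dict instead of the constants.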