My thoughts on installation; Security Plugin

Disclaimer: I have only done one or two “regular” ELK stack installations, so I am not really an “experienced” guy. :slight_smile:

One thing that bothered / confused me during installation of ODfE is the security plugin.

Because you sometimes don’t see these things anymore when you are used to them, I am trying to describe my thought process during installation:

OpenDistro for Elasticsearch Security Demo Installer
** Warning: Do not use on production or public reachable systems **

Uhm? What is going on? I am trying to install this for a production system? How do I do that and why does it do this automatically?

### Success

Ah nice, that was easy.

### Execute this script now on all your nodes and then start all nodes
### Open Distro Security will be automatically initialized.

Wait? I thought this has just been done automatically when the package got installed? Why do I have to run it on all nodes again now? Also what is this script?

### If you like to change the runtime configuration
### change the files in ../securityconfig and execute:

../securityconfig? That does not exist below my current folder.

sudo "/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh" -cd "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig" -icl -key "/etc/elasticsearch/kirk-key.pem" -cert "/etc/elasticsearch/kirk.pem" -cacert "/etc/elasticsearch/root-ca.pem" -nhnv

Ah, that might explain the folder, but what does it do? Do I have to run it now?

### or run ./securityadmin_demo.sh
### To use the Security Plugin ConfigurationGUI
### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
### (Ignore the SSL certificate warning because we installed self-signed demo certificates)

Hm? Do I run that script To use the Security Plugin ConfigurationGUI or To access your secured cluster… or both?

What does that script do anyway and wasn’t it just run already (see above mentioning of “Demo Installer”)?

admin/admin? Seriously? :frowning: Experience with other software packages shows that people will have installations using this on publicly reachable production servers. No matter how often you tell them to not do that. Please don’t even give them a chance to do so.

Neither of these steps is documented for the installation.

After this I wasn’t sure where to go from here. How do I set up a multi node system with a script that automatically sets up non-production systems without asking me a thing?

I’ll probably figure these things out soon, but at first glance and for my first experience with ODfE it was really confusing…

2 Likes

The reason you shouldn't install it on a production server is: default passwords for the admin, kibana and logstash users, and also demo certificates.

If you want to build a production cluster you should start with:
- generating your own certificates, using for example the TLS tools from the searchguard page (including the admin kirk certs)
- then you should change the default passwords for internal users. You can do this before starting the cluster (then you should edit the default internal_users.yml file) or after, using the securityadmin.sh script to pull a new internal_users.yml file

Hope that will help you

2 Likes
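Building on kazimier's steps above, an added example (my own shell, not code from the thread or from the Open Distro project): a check to run against each node's elasticsearch.yml before going live, confirming that the demo installer's certificates and conveniences are gone. It assumes the demo certificate names from the securityadmin.sh command quoted earlier in the thread; the setting names are the security plugin's TLS keys as I know them, used here only in constructed sample files.

```shell
#!/bin/sh
# Added example: flag demo-installer leftovers in an elasticsearch.yml before a
# node goes to production. Demo certificate names are taken from the
# securityadmin.sh command quoted in the thread; setting names are assumed.

# Print each finding on stderr, the number of findings on stdout.
demo_leftovers() {
  file=$1
  findings=0
  # Certificates the demo installer ships; a production node must not use them.
  for name in kirk.pem kirk-key.pem root-ca.pem; do
    if grep -qF -- "$name" "$file"; then
      echo "demo certificate still referenced: $name" >&2
      findings=$((findings + 1))
    fi
  done
  # Disabled hostname verification is what -nhnv papers over for demo certs.
  if grep -qE 'enforce_hostname_verification: *false' "$file"; then
    echo "transport hostname verification is disabled" >&2
    findings=$((findings + 1))
  fi
  # Auto-initialising the security index loads the shipped demo users/passwords.
  if grep -qE 'allow_default_init_securityindex: *true' "$file"; then
    echo "security index is auto-initialised from the shipped demo config" >&2
    findings=$((findings + 1))
  fi
  echo "$findings"
}

# Constructed sample 1: a node still on the demo installer's settings.
DEMO_YML=$(mktemp)
cat >"$DEMO_YML" <<'EOF'
opendistro_security.ssl.transport.pemcert_filepath: kirk.pem
opendistro_security.ssl.transport.pemkey_filepath: kirk-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.allow_default_init_securityindex: true
EOF

# Constructed sample 2: own CA, own node certificate, demo conveniences off.
PROD_YML=$(mktemp)
cat >"$PROD_YML" <<'EOF'
opendistro_security.ssl.transport.pemcert_filepath: es-node1.pem
opendistro_security.ssl.transport.pemkey_filepath: es-node1-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: company-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: true
opendistro_security.allow_default_init_securityindex: false
EOF
echo "demo node findings: $(demo_leftovers "$DEMO_YML" 2>/dev/null)"   # 5
echo "prod node findings: $(demo_leftovers "$PROD_YML" 2>/dev/null)"   # 0
```

Run it with the real /etc/elasticsearch/elasticsearch.yml on every node; anything other than 0 means the demo material is still in play.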

Thanks for your reply, kazimier.

The main reason for my post was mostly to show how “confusing” the installation was to me and that I didn’t really know where to go from there.

Also - as many examples in real world scenarios show: Don’t ever set up systems with default passwords. People will use these in production systems, because people are lazy, don’t care or simply forget after they played with the demo. The installer script should not do that. Instead add one more step to the installation and explain how to set up a proper system.

1 Like

Hi Balu - this is all good feedback. Documentation can always be improved. Can you please file a PR for security documentation improvements at Issues · opendistro/for-elasticsearch-docs · GitHub?

I am also having issues understanding the Helm install process at a high level.
It seems all of the documentation is targeted towards direct Linux or Docker-Compose installations, so it’s hard to understand what things I should and shouldn’t change.

After thoroughly reading the Helm source, I can see that I should generate some certs and then create secrets that contain them, then configure elasticsearch.yml and kibana.yml to set the paths and names of the certs that match what the helm charts are hard-coded to use (e.g. elk-transport-*-pem).

I have also managed to add to the kibana.yml my desired OpenId configuration.

My biggest question, though, is: Where, physically, do I define the securityconfig.yml? Does it even need to exist in the Helm chart, or are the helm chart configurations and mounts a replacement for the functionality of the securityadmin.sh script?

If that is the case, where do I define the additional functionality of the security plugin… e.g. the authz/n backend stuff.

1 Like

Somehow I missed the securityConfig mounts in the es-master-sts.yaml file. I see now in the readme that the idea is, in fact, to obviate the need for the securityadmin.sh script or others, and I just need to create the secrets according to the mount paths.

It would be good to specify in the README or other docs that the secret items must be keyed to exactly what is hard-coded in the helm chart.

2 Likes

Hi @rick_asi - thanks for your suggestions to add to security documentation. Can you please file an issue here at Issues · opendistro/for-elasticsearch-docs · GitHub?

I’m stuck on this plugin via helm charts. I’m attempting to use the vanilla certs because right now this is just a POC, to see if I ‘can’ get it working. And right now it’s complaining that I don't have certs. I’ve packaged up these certs in a secret, but I can’t figure out how to mount this volume in the helm chart.