Elasticsearch 8: Secure by default?

There are some large, important changes to the security features in Elasticsearch 8. There is plenty more to uncover in later betas, but here’s what I’ve looked at so far.

RBAC enabled by default

Elasticsearch user authentication and authorisation using RBAC has always been opt-in, controlled by the xpack.security.enabled configuration setting. It’s no surprise that there have been cases where badly configured Elasticsearch clusters ended up internet-facing and exposed their entire contents without anyone needing to authenticate to the cluster.

I’ve always felt that a node that’s bound to a non-loopback address must have security enabled in order to start up. TLS should probably be required as well, but there are (fairly) acceptable reasons this could be left disabled.

A new Elasticsearch 8 cluster will - by default, and under most conditions - enable security and set a default password for the elastic superuser and kibana_system user. This happens even when Elasticsearch is bound to a loopback address like localhost. When starting a new cluster, you’ll see the generated passwords in the Elasticsearch output:

-----------------------------------------------------------------

Password for the elastic user is: 7=LUUxCMpRoRV+ZUXM05

Password for the kibana_system user is: 7JP9eLOA9t4S-CR8Jy6l

Please note these down as they will not be shown again.


You can use 'bin/elasticsearch-reset-elastic-password' at any time
in order to reset the password for the elastic user.

You can use 'bin/elasticsearch-reset-kibana-system-password' at any time
in order to reset the password for the kibana_system user.

-----------------------------------------------------------------

You’ll now need to include a valid username and password in all requests:

> curl http://localhost:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request ...
> curl -u elastic:7=LUUxCMpRoRV+ZUXM05 http://localhost:9200
{
  "name" : "Georges-MBP.localdomain",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "0lgKEgwKR5G9tg88vR45iQ",
  "version" : {
    "number" : "8.0.0-alpha2",
    ...
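A small check for the behaviour shown above, added here as an example and not part of the original post or of Elasticsearch itself: it sends an unauthenticated GET to a node and classifies the reply as either the 401 security_exception an 8.x node returns by default, or the 200 cluster-info document an unsecured cluster hands out. The two sample bodies are constructed from the fragments in the post (the 7.x version string and node name are made-up sample values); probe() needs network access, classify() does not.

```python
"""Check whether an Elasticsearch node enforces authentication on GET /."""
import json
import urllib.error
import urllib.request

# Constructed sample replies, shaped like the fragments shown in the post.
UNAUTHENTICATED_BODY = (
    '{"error":{"root_cause":[{"type":"security_exception",'
    '"reason":"missing authentication credentials for REST request [/]"}],'
    '"type":"security_exception",'
    '"reason":"missing authentication credentials for REST request [/]"},'
    '"status":401}'
)
OPEN_BODY = (  # what a cluster with xpack.security.enabled=false returns
    '{"name":"sample-node","cluster_name":"elasticsearch",'
    '"cluster_uuid":"0lgKEgwKR5G9tg88vR45iQ",'
    '"version":{"number":"7.10.2"},"tagline":"You Know, for Search"}'
)


def classify(status: int, body: str) -> str:
    """Map the HTTP status and JSON body of an unauthenticated GET / to:
    'auth-enforced' - 401 with a security_exception (the ES 8 default),
    'open'          - 200 with cluster info, i.e. no authentication at all,
    'unknown'       - anything else (proxy, non-JSON, some other service)."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    if status == 401:
        error = doc.get("error", {})
        if isinstance(error, dict) and error.get("type") == "security_exception":
            return "auth-enforced"
        return "unknown"
    if status == 200 and "cluster_name" in doc and "version" in doc:
        return "open"
    return "unknown"


def probe(url: str, timeout: float = 5.0) -> tuple[str, int, str]:
    """Send an unauthenticated GET / and return (verdict, status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:  # 401 and 403 land here, not in resp
        status, body = exc.code, exc.read().decode()
    return classify(status, body), status, body


if __name__ == "__main__":
    verdict, status, _ = probe("http://localhost:9200")
    print(f"HTTP {status}: {verdict}")
```

Run it against a freshly started node to confirm the 401 the post shows; an "open" verdict on anything bound to a non-loopback address is the exposure the first section describes.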

Reading through the pull request, there seem to be a lot of ‘ifs and buts’ to how this default configuration is applied.

The generated password can be changed using elasticsearch-reset-elastic-password. The help (--help) isn’t very useful yet, but the documentation has a bit more information. You can use it to reset the password to one of your choosing by passing the -i (interactive) flag.

> bin/elasticsearch-reset-elastic-password -u elastic -i
This tool will reset the password of the [elastic] user.
You will be prompted to enter the password.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]: 
Re-enter password for [elastic]: 
Password for the [elastic] user successfully reset.

elasticsearch-setup-passwords deprecated (coming in Beta 1)

The elasticsearch-setup-passwords tool has been deprecated in Elasticsearch 8 and may be removed in a future release. The reasoning can be seen in the PR but boils down to the fact that “Security [is] ON by default” and a password is created automatically.

There are some good comments about the fact that the new CLI doesn’t actually support all (or even most) of the features the old CLI provided.

The default passwords can be changed using the REST API or Kibana.

TLS auto-configuration (coming in Beta 1)

Anyone who has enabled TLS on their cluster will be well aware of how fiddly it can be. Elastic have worked to configure and enable TLS by default in Elasticsearch 8.

This feature isn’t in Alpha 2 but has been merged into master and should be in Beta 1. I’ll give it a try when that drops.
