After an Elasticsearch with X-Pack (basically a security plugin for Elasticsearch which requires a valid support subscription) was upgraded from 6.8.6 to 7.15.0, Elasticsearch failed to start. The ES logs showed the following error:
Caused by: java.lang.IllegalArgumentException: Incorrect realm settings found. Realm settings have been changed to include the type as part of the setting key.
For example 'xpack.security.authc.realms.file.my_file.order'
Found invalid config: xpack.security.authc.realms.ldap1.type, xpack.security.authc.realms.ldap1.bind_password, xpack.security.authc.realms.ldap1.order, xpack.security.authc.realms.ldap1.bind_dn, xpack.security.authc.realms.ldap1.url, xpack.security.authc.realms.ldap1.unmapped_groups_as_roles
Please see the breaking changes documentation.
at org.elasticsearch.xpack.security.Security.validateRealmSettings(Security.java:1067) ~[?:?]
at org.elasticsearch.xpack.security.Security.runStartupChecks(Security.java:415) ~[?:?]
at org.elasticsearch.xpack.security.Security.<init>(Security.java:402) ~[?:?]
at org.elasticsearch.xpack.security.Security.<init>(Security.java:392) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:78) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:751) ~[elasticsearch-7.15.0.jar:7.15.0]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:695) ~[elasticsearch-7.15.0.jar:7.15.0]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:496) ~[elasticsearch-7.15.0.jar:7.15.0]
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:158) ~[elasticsearch-7.15.0.jar:7.15.0]
at org.elasticsearch.node.Node.<init>(Node.java:367) ~[elasticsearch-7.15.0.jar:7.15.0]
at org.elasticsearch.node.Node.<init>(Node.java:288) ~[elasticsearch-7.15.0.jar:7.15.0]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:219) ~[elasticsearch-7.15.0.jar:7.15.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:219) ~[elasticsearch-7.15.0.jar:7.15.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:399) ~[elasticsearch-7.15.0.jar:7.15.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:167) ~[elasticsearch-7.15.0.jar:7.15.0]
... 6 more
The error is caused by a breaking change in Elasticsearch 7.x, compared to the previous release 6.x. The relevant part says:
As a consequence of the change to Realm settings, the getRealmSettings method has been removed from the SecurityExtension class, and the settings method on RealmConfig now returns the node’s (global) settings. Custom security extensions should register their settings by implementing the standard Plugin.getSettings method, and can retrieve them from RealmConfig.settings() or using one of the RealmConfig.getSetting methods. Each realm setting should be defined as an AffixSetting as shown in the example below:
Setting.AffixSetting<String> MY_SETTING = Setting.affixKeySetting(
"xpack.security.authc.realms." + MY_REALM_TYPE + ".", "my_setting",
key -> Setting.simpleString(key, properties)
);
The RealmSettings.simpleString method can be used as a convenience for the above.
Unfortunately this description does not explain what needs to be done and just adds confusion. Fortunately, further down the same breaking changes documentation, a much better description is added in the "Security realms settings" section:
Or in other words: The "type" ldap has been removed as a configuration key and added "on top" of the different realm entries.
In Elastic 6.x, the following authc realm config was used. Notice the type: ldap inside the ldap1 section:
xpack:
security:
authc:
realms:
ldap1:
type: ldap
order: 0
url: "ldap://ldap.example.com:389"
bind_dn: "CN=Service Account LDAP,OU=Service Accounts,OU=users,OU=DOMAIN,DC=example,DC=com"
bind_password: secret
user_search:
base_dn: "OU=Users,OU=DOMAIN,DC=example,DC=com"
attribute: userPrincipalName
group_search:
base_dn: "OU=Groups,OU=DOMAIN,DC=example,DC=com"
files:
role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
unmapped_groups_as_roles: false
Now with the breaking change, the ldap type is defined right before the different (in case you have multiple) ldap entries:
xpack:
security:
authc:
realms:
ldap:
ldap1:
order: 0
url: "ldap://ldap.example.com:389"
bind_dn: "CN=Service Account LDAP,OU=Service Accounts,OU=users,OU=DOMAIN,DC=example,DC=com"
bind_password: secret
user_search:
base_dn: "OU=Users,OU=DOMAIN,DC=example,DC=com"
attribute: userPrincipalName
group_search:
base_dn: "OU=Groups,OU=DOMAIN,DC=example,DC=com"
files:
role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
unmapped_groups_as_roles: false
Restart Elasticsearch after the config change:
root@elk01:~# systemctl restart elasticsearch
And Elasticsearch started successfully again.
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder