Elasticsearch X-Pack error after upgrade: Incorrect realm settings found


Published on October 1st 2021 - Listed in Elasticsearch ELK


After an Elasticsearch installation with X-Pack (basically a security plugin for Elasticsearch which requires a valid support subscription) was upgraded from 6.8.6 to 7.15.0, Elasticsearch failed to start. The Elasticsearch logs showed the following error:

Caused by: java.lang.IllegalArgumentException: Incorrect realm settings found. Realm settings have been changed to include the type as part of the setting key.
For example 'xpack.security.authc.realms.file.my_file.order'
Found invalid config: xpack.security.authc.realms.ldap1.type,
xpack.security.authc.realms.ldap1.bind_password, xpack.security.authc.realms.ldap1.order, xpack.security.authc.realms.ldap1.bind_dn, xpack.security.authc.realms.ldap1.url, xpack.security.authc.realms.ldap1.unmapped_groups_as_roles
Please see the breaking changes documentation.
    at org.elasticsearch.xpack.security.Security.validateRealmSettings(Security.java:1067) ~[?:?]
    at org.elasticsearch.xpack.security.Security.runStartupChecks(Security.java:415) ~[?:?]
    at org.elasticsearch.xpack.security.Security.<init>(Security.java:402) ~[?:?]
    at org.elasticsearch.xpack.security.Security.<init>(Security.java:392) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:78) ~[?:?]
    at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[?:?]
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:751) ~[elasticsearch-7.15.0.jar:7.15.0]
    at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:695) ~[elasticsearch-7.15.0.jar:7.15.0]
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:496) ~[elasticsearch-7.15.0.jar:7.15.0]
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:158) ~[elasticsearch-7.15.0.jar:7.15.0]
    at org.elasticsearch.node.Node.<init>(Node.java:367) ~[elasticsearch-7.15.0.jar:7.15.0]
    at org.elasticsearch.node.Node.<init>(Node.java:288) ~[elasticsearch-7.15.0.jar:7.15.0]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:219) ~[elasticsearch-7.15.0.jar:7.15.0]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:219) ~[elasticsearch-7.15.0.jar:7.15.0]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:399) ~[elasticsearch-7.15.0.jar:7.15.0]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:167) ~[elasticsearch-7.15.0.jar:7.15.0]
    ... 6 more

X-Pack Security Realm: Breaking change!

The error is caused by a breaking change in Elasticsearch 7.x, compared to the previous release 6.x. The relevant part says:

As a consequence of the change to Realm settings, the getRealmSettings method has been removed from the SecurityExtension class, and the settings method on RealmConfig now returns the node’s (global) settings. Custom security extensions should register their settings by implementing the standard Plugin.getSettings method, and can retrieve them from RealmConfig.settings() or using one of the RealmConfig.getSetting methods. Each realm setting should be defined as an AffixSetting as shown in the example below:

Setting.AffixSetting<String> MY_SETTING = Setting.affixKeySetting(
  "xpack.security.authc.realms." + MY_REALM_TYPE + ".", "my_setting",
  key -> Setting.simpleString(key, properties)
);

The RealmSettings.simpleString method can be used as a convenience for the above.

Unfortunately this description does not explain what needs to be done and just adds confusion. Fortunately, further down in the same breaking changes documentation, the "Security realms settings" section gives a much better description:

Or in other words: "type" is no longer a configuration key inside a realm. The realm type (here ldap) has been moved "on top" of the individual realm entries, as a level of its own.

Changing the authc realm config

In Elasticsearch 6.x, the following authc realm config was used. Notice the type: ldap inside the ldap1 section:

xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://ldap.example.com:389"
          bind_dn: "CN=Service Account LDAP,OU=Service Accounts,OU=users,OU=DOMAIN,DC=example,DC=com"
          bind_password: secret
          user_search:
            base_dn: "OU=Users,OU=DOMAIN,DC=example,DC=com"
            attribute: userPrincipalName
          group_search:
            base_dn: "OU=Groups,OU=DOMAIN,DC=example,DC=com"
          files:
            role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
          unmapped_groups_as_roles: false

With the breaking change, the ldap type becomes a level of its own, placed above the individual ldap realm entries (there can be several of them):

xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldap://ldap.example.com:389"
            bind_dn: "CN=Service Account LDAP,OU=Service Accounts,OU=users,OU=DOMAIN,DC=example,DC=com"
            bind_password: secret
            user_search:
              base_dn: "OU=Users,OU=DOMAIN,DC=example,DC=com"
              attribute: userPrincipalName
            group_search:
              base_dn: "OU=Groups,OU=DOMAIN,DC=example,DC=com"
            files:
              role_mapping: "/etc/elasticsearch/x-pack/role_mapping.yml"
            unmapped_groups_as_roles: false

Restart Elasticsearch after the config change:

root@elk01:~# systemctl restart elasticsearch

And Elasticsearch started successfully again.
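
The same rewrite can be checked mechanically before an upgrade. The following is an added example, not code from Elasticsearch or from the original post: it converts flat 6.x realm keys (the form listed in the startup error) into the 7.x layout and refuses to guess when a realm has no type. The function name and the sample dictionary are assumptions made for illustration.

```python
# Added example: rewrite flat 6.x realm keys into the 7.x layout.
PREFIX = "xpack.security.authc.realms."


def migrate_realm_settings(old):
    """Map 6.x keys (realms.<name>.<setting>) to 7.x (realms.<type>.<name>.<setting>).

    `old` is a flat {key: value} dict; non-realm keys are passed through unchanged.
    """
    # First pass: learn each realm's type from its 6.x `type` key.
    types = {}
    for key, value in old.items():
        if key.startswith(PREFIX):
            name, _, setting = key[len(PREFIX):].partition(".")
            if setting == "type":
                types[name] = value

    # Second pass: re-key every realm setting under <type>.<name>.
    new = {}
    for key, value in old.items():
        if not key.startswith(PREFIX):
            new[key] = value
            continue
        name, _, setting = key[len(PREFIX):].partition(".")
        if name not in types:
            raise ValueError(f"realm {name!r} has no 'type' key; cannot migrate {key}")
        if setting == "type":
            continue  # the type now lives in the key path, not in a setting
        new[f"{PREFIX}{types[name]}.{name}.{setting}"] = value
    return new


# Constructed sample: ldap1 keys as named in the startup error, plus a nested one.
SAMPLE_6X = {
    "xpack.security.authc.realms.ldap1.type": "ldap",
    "xpack.security.authc.realms.ldap1.order": 0,
    "xpack.security.authc.realms.ldap1.url": "ldap://ldap.example.com:389",
    "xpack.security.authc.realms.ldap1.user_search.attribute": "userPrincipalName",
    "xpack.security.authc.realms.ldap1.unmapped_groups_as_roles": False,
    "cluster.name": "example",
}

if __name__ == "__main__":
    for key, value in migrate_realm_settings(SAMPLE_6X).items():
        print(f"{key}: {value}")
```

Elasticsearch accepts flat dotted keys in elasticsearch.yml as well as the nested form shown above, so the printed lines describe the same configuration as the nested 7.x block.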

