elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

disable ES node xpack.security.enabled in turn #76143

Closed KasuganoShin closed 3 years ago

KasuganoShin commented 3 years ago

Our ES cluster, which contains 3 master nodes, 3 client nodes and several data nodes, is using basic security now. Now we want to set xpack.security.enabled from true to false and not use the security function.

The problem is that when we change a node's elasticsearch.yml, set xpack.security.enabled from true to false, and restart the node, that node can't join the cluster, and this error info occurs:

```
{"type": "server", "timestamp": "", "level": "DEBUG", "component": "o.e.d.PeerFinder", "cluster.name": "es-cluster", "node.name": "master01", "message": "Peer{transportAddress=xxx:9300, discoveryNode=null, peersRequestInFlight=false} connection failed", "stacktrace": [
"org.elasticsearch.transport.ConnectTransportException: [][xxx:9300] general node connection failure",
"at org.elasticsearch.transport.TcpTransport$ChannelsConnectedListener.lambda$onResponse$2(TcpTransport.java:979) ~[elasticsearch-7.6.2.jar:7.6.2]",
"at org.elasticsearch.action.ActionListener$1.onFailure(ActionListener.java:71) ~[elasticsearch-7.6.2.jar:7.6.2]",
"at org.elasticsearch.transport.TransportHandshaker$HandshakeResponseHandler.handleLocalException(TransportHandshaker.java:155) ~[elasticsearch-7.6.2.jar:7.6.2]",
"at org.elasticsearch.transport.TransportHandshaker.lambda$sendHandshake$0(TransportHandshaker.java:67) ~[elasticsearch-7.6.2.jar:7.6.2]",
"at org.elasticsearch.action.ActionListener.lambda$wrap$0(ActionListener.java:132) ~[elasticsearch-7.6.2.jar:7.6.2]",
"at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:63) ~[elasticsearch-7.6.2.jar:7.6.2]",
"at org.elasticsearch.action.ActionListener.lambda$toBiConsumer$3(ActionListener.java:160) ~[elasticsearch-7.6.2.jar:7.6.2]",
"at org.elasticsearch.common.concurrent.CompletableContext.lambda$addListener$0(CompletableContext.java:39) ~[elasticsearch-core-7.6.2.jar:7.6.2]",
"at java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:859) ~[?:?]",
"at java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:837) ~[?:?]",
"at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506) ~[?:?]",
"at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2144) ~[?:?]",
"at org.elasticsearch.common.concurrent.CompletableContext.complete(CompletableContext.java:61) ~[elasticsearch-core-7.6.2.jar:7.6.2]",
"at org.elasticsearch.transport.netty4.Netty4TcpChannel.lambda$addListener$0(Netty4TcpChannel.java:61) ~[?:?]",
"at io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:577) ~[?:?]",
"at io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:570) ~[?:?]",
"at io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:549) ~[?:?]",
"at io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:490) ~[?:?]",
"at io.netty.util.concurrent.DefaultPromise.setValue0(DefaultPromise.java:615) ~[?:?]",
"at io.netty.util.concurrent.DefaultPromise.setSuccess0(DefaultPromise.java:604) ~[?:?]",
"at io.netty.util.concurrent.DefaultPromise.trySuccess(DefaultPromise.java:104) ~[?:?]",
"at io.netty.channel.DefaultChannelPromise.trySuccess(DefaultChannelPromise.java:84) ~[?:?]",
"at io.netty.channel.AbstractChannel$CloseFuture.setClosed(AbstractChannel.java:1159) ~[?:?]",
"at io.netty.channel.AbstractChannel$AbstractUnsafe.doClose0(AbstractChannel.java:761) ~[?:?]",
"at io.netty.channel.AbstractChannel$AbstractUnsafe.close(AbstractChannel.java:737) ~[?:?]",
"at io.netty.channel.AbstractChannel$AbstractUnsafe.close(AbstractChannel.java:608) ~[?:?]",
"at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.closeOnRead(AbstractNioByteChannel.java:105) ~[?:?]",
"at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:171) ~[?:?]",
"at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:700) ~[?:?]",
"at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:600) ~[?:?]",
"at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:554) ~[?:?]",
"at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:514) ~[?:?]",
"at io.netty.util.concurrent.SingleThreadEventExecutor$6.run(SingleThreadEventExecutor.java:1050) ~[?:?]",
"at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]",
"at java.lang.Thread.run(Thread.java:830) [?:?]",
"Caused by: org.elasticsearch.transport.TransportException: handshake failed because connection reset",
"... 32 more"] }

{"type": "server", "timestamp": "", "level": "WARN", "component": "o.e.c.c.ClusterFormationFailureHelper", "cluster.name": "es-cluster", "node.name": "data01", "message": "master not discovered yet: have discovered [{data01}{60GzQQ7fTgmSB_hm8U1A0g}{bxLT_VCYQnqUsOTs1pPvwQ}{xxx}{xxx:9300}{dil}{ml.machine_memory=134906093568, node_type=warm, xpack.installed=true, ml.max_open_jobs=20}]; discovery will continue using [xxx:9300, xxx:9300, xxx.13:9300] from hosts providers and [] from last-known cluster state; node term 17, last-accepted version 173 in term 17" }
```

I want to know how to disable xpack.security.enabled on the ES nodes in turn, rather than closing all cluster nodes, changing this setting and restarting all cluster nodes at one time. The online ES service can't be interrupted anyway. Thanks~

tvernum commented 3 years ago

There is currently no way to disable security in a rolling restart (or to enable it), and it is unlikely we would implement that feature.

Can you explain why you are trying to disable security on your production cluster?
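A triage sketch for the failure described in this thread, added here as an example and not part of the issue or of Elasticsearch: it scans JSON server logs for the two signatures quoted in the report (a `PeerFinder` handshake reset and `master not discovered yet`) and lists nodes that show both. The function names and the shortened sample lines are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample lines, shortened from the log entries quoted in the issue.
SAMPLE_LOG = r'''
{"level": "DEBUG", "component": "o.e.d.PeerFinder", "node.name": "master01", "message": "Peer{transportAddress=xxx:9300, discoveryNode=null, peersRequestInFlight=false} connection failed", "stacktrace": ["org.elasticsearch.transport.ConnectTransportException: [][xxx:9300] general node connection failure", "Caused by: org.elasticsearch.transport.TransportException: handshake failed because connection reset"]}
{"level": "WARN", "component": "o.e.c.c.ClusterFormationFailureHelper", "node.name": "master01", "message": "master not discovered yet: have discovered [{master01}]; discovery will continue using [xxx:9300]"}
{"level": "WARN", "component": "o.e.c.c.ClusterFormationFailureHelper", "node.name": "data01", "message": "master not discovered yet: have discovered [{data01}]; discovery will continue using [xxx:9300]"}
{"level": "INFO", "component": "o.e.n.Node", "node.name": "data02", "message": "started"}
a non-JSON line, as a log shipper might interleave
'''

HANDSHAKE_RESET = "handshake failed because connection reset"
NO_MASTER = "master not discovered yet"
BOTH = {"transport_handshake_reset", "master_not_discovered"}


def scan(lines):
    """Return {node name: set of join-failure signals seen in its log lines}."""
    signals = defaultdict(set)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, partial or non-JSON lines instead of aborting
        if not isinstance(event, dict):
            continue
        node = event.get("node.name", "<unknown>")
        component = event.get("component", "")
        trace = " ".join(event.get("stacktrace", []))
        if component.endswith("PeerFinder") and HANDSHAKE_RESET in trace:
            signals[node].add("transport_handshake_reset")
        if (component.endswith("ClusterFormationFailureHelper")
                and NO_MASTER in event.get("message", "")):
            signals[node].add("master_not_discovered")
    return dict(signals)


def nodes_failing_to_join(signals):
    """Nodes that can neither handshake with a peer nor find a master."""
    return sorted(node for node, seen in signals.items() if BOTH <= seen)


if __name__ == "__main__":
    for node in nodes_failing_to_join(scan(SAMPLE_LOG.splitlines())):
        print(f"{node}: compare its xpack.security.enabled with the rest of the cluster")
```
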

elasticmachine commented 3 years ago

Pinging @elastic/es-security (Team:Security)

KasuganoShin commented 3 years ago

> There is currently no way to disable security in a rolling restart (or to enable it), and it is unlikely we would implement that feature.
>
> Can you explain why you are trying to disable security on your production cluster?

We are preparing to use Apache Ranger security instead of x-pack-security, but cannot have more than one plugin implementing a REST wrapper. Our other services, like Hive and Presto, all use Apache Ranger for security, so we also want to use Apache Ranger instead.