My thoughts on installation; Security Plugin

Disclaimer: I have only done one or two “regular” ELK stack installations, so I am not really an “experienced” guy. :slight_smile:

One thing that bothered / confused me during installation of ODfE is the security plugin.

Because you sometimes don’t see these things anymore when you are used to them, I am trying to describe my thought process during installation:

OpenDistro for Elasticsearch Security Demo Installer
** Warning: Do not use on production or public reachable systems **

Uhm? What is going on? I am trying to install this for a production system? How do I do that and why does it do this automatically?

### Success

Ah nice, that was easy.

### Execute this script now on all your nodes and then start all nodes
### Open Distro Security will be automatically initialized.

Wait? I thought this has just been done automatically when the package got installed? Why do I have to run it on all nodes again now? Also what is this script?

### If you like to change the runtime configuration
### change the files in ../securityconfig and execute:

../securityconfig? That does not exist below my current folder.

sudo "/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh" -cd "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig" -icl -key "/etc/elasticsearch/kirk-key.pem" -cert "/etc/elasticsearch/kirk.pem" -cacert "/etc/elasticsearch/root-ca.pem" -nhnv

Ah, that might explain the folder, but what does it do? Do I have to run it now?

### or run ./securityadmin_demo.sh
### To use the Security Plugin ConfigurationGUI
### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
### (Ignore the SSL certificate warning because we installed self-signed demo certificates)

Hm? Do I run that script "To use the Security Plugin ConfigurationGUI" or "To access your secured cluster"… or both?

What does that script do anyway and wasn’t it just run already (see above mentioning of “Demo Installer”)?

admin/admin? Seriously? :frowning: Experience with other software packages shows that people will have installations using this on publicly reachable production servers. No matter how often you tell them to not do that. Please don’t even give them a chance to do so.

Neither of these steps is documented for the installation.

After this I wasn’t sure where to go from here. How do I set up a multi node system with a script that automatically sets up non-production systems without asking me a thing?

I’ll probably figure these things out soon, but at first glance and for my first experience with ODfE it was really confusing…


The reason you shouldn't install it on a production server is: default passwords for the admin, kibana and logstash users, and also demo certificates.

If you want to build a production cluster you should start with:
- generating your own certificates using, for example, the TLS tools from the searchguard page (including admin/kirk certs)
- then you should change the default passwords for internal users. You can do this before starting the cluster (then you should edit the default internal_users.yml file) or after, using the securityadmin.sh script to pull the new internal_users.yml file

Hope that will help you

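A defender-side check for the leftovers kazimier lists (demo certificates, the demo admin certificate, internal users still on default passwords), added here as an example that is not kazimier's code or the project's own. It assumes the demo installer sets opendistro_security.allow_unsafe_democertificates and allow_default_init_securityindex in elasticsearch.yml, installs esnode.pem/esnode-key.pem alongside the kirk*.pem and root-ca.pem files named above, registers the demo admin as CN=kirk, and tags demo users in internal_users.yml with a "Demo ..." description; both sample files are constructed.

```python
"""Audit Open Distro security config files for demo-installer leftovers.

Assumptions (not taken from the thread): the demo installer enables the
settings in DEMO_SETTINGS, ships the files in DEMO_CERT_FILES, trusts the
demo admin cert CN=kirk, and marks demo users with a "Demo ..." description.
"""
import re

DEMO_SETTINGS = {
    "opendistro_security.allow_unsafe_democertificates": "true",
    "opendistro_security.allow_default_init_securityindex": "true",
}
DEMO_CERT_FILES = {"kirk.pem", "kirk-key.pem", "esnode.pem", "esnode-key.pem", "root-ca.pem"}


def audit_elasticsearch_yml(text):
    """Return findings for demo settings, demo cert paths and the demo admin DN."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)\s*:\s*(.+?)\s*$", line)  # flat 'key: value' lines only
        if m:
            key, value = m.group(1), m.group(2).strip("'\"")
            if DEMO_SETTINGS.get(key) == value.lower():
                findings.append(f"{key}: {value} (demo-only setting still enabled)")
            elif key.endswith("_filepath") and value.rsplit("/", 1)[-1] in DEMO_CERT_FILES:
                findings.append(f"{key}: {value} (demo certificate still configured)")
        if "CN=kirk" in line:  # demo admin DN, whether inline or as a list item
            findings.append("admin_dn still trusts the demo admin certificate CN=kirk")
    return findings


def audit_internal_users_yml(text):
    """Flag users whose entry still carries the installer's 'Demo ...' description."""
    findings, user = [], None
    for line in text.splitlines():
        top = re.match(r"^([\w-]+):\s*$", line)  # top-level key == user name (or _meta)
        if top:
            user = top.group(1)
            continue
        desc = re.match(r"^\s+description:\s*[\"']?(Demo[^\"']*)", line)
        if desc and user:
            findings.append(f'user {user}: "{desc.group(1)}" (default password almost certainly unchanged)')
    return findings


# Constructed sample files; the hashes are placeholders, not the real demo hashes.
SAMPLE_ES_YML = """cluster.name: odfe-prod
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test,C=de
"""
SAMPLE_USERS_YML = """_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: "$2y$12$PLACEHOLDER_HASH_NOT_THE_DEMO_ONE"
  reserved: true
  description: "Demo admin user"
ops_user:
  hash: "$2y$12$PLACEHOLDER_HASH"
  description: "Operations team account"
"""

if __name__ == "__main__":
    for finding in audit_elasticsearch_yml(SAMPLE_ES_YML) + audit_internal_users_yml(SAMPLE_USERS_YML):
        print("FINDING:", finding)
```

Run it against /etc/elasticsearch/elasticsearch.yml and the securityconfig/internal_users.yml you push with securityadmin.sh; an empty result means none of the demo markers it knows about are left.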

Thanks for your reply, kazimier.

The main reason for my post was mostly to show how “confusing” the installation was to me and that I didn’t really know where to go from there.

Also - as many examples in real world scenarios show: Don’t ever set up systems with default passwords. People will use these in production systems, because people are lazy, don’t care or simply forget after they played with the demo. The installer script should not do that. Instead add one more step to the installation and explain how to set up a proper system.