Bitbucket Server / BSERV-12113

Provide support to use Elasticsearch Security Feature (xpack.security.enabled: true)


    Details

    • Type: Suggestion
    • Status: Gathering Interest
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: Search
    • Labels:
      None
    • UIS:
      8
    • Feedback Policy:
      We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Description

      Issue Summary

      When configuring a remote Elasticsearch instance, xpack.security.enabled must be set to false in elasticsearch.yml. As a result, the user cannot configure the following security features in Elasticsearch:

      | Security Category | Pattern for Controls | Control Definition | Support Engineer's Verification |
      |---|---|---|---|
      | Secure Access | Authentication | Active directory realms must be used for user authentication. (SSO Integration) | Must configure Elastic Stack security features to communicate with Active Directory |
      | Secure Access | Authorization | Segregation of duties principle must be followed for all administrative roles. | Must configure Elastic Stack security features |
      | Secure Access | Authorization | Enforce the least privilege principle as defined in the Access Control Standard for Elasticsearch service access. | Must configure Elastic Stack security features |
      | Secure Access | Authorization | RBAC must be configured to access Elasticsearch. | Require Elasticsearch Security Features for setting up RBAC in Elasticsearch with Kibana (xpack.security.enabled: true) |
      | Secure Access | Authorization | Only whitelisted IP addresses must be able to access Elasticsearch domains. | Require Elasticsearch Security Features for IP filtering (xpack.security.enabled: true) |
      | Secure Data | Data Encryption | All nodes must authenticate using TLS certificates as they join the cluster in ElasticSearch | Must configure Elastic Stack security features |
      | Auditing | Auditing | Auditing must be enabled as per logging and auditing standard | Require Elasticsearch Security Features to enable an audit log (xpack.security.enabled: true) |

      If we set xpack.security.enabled: true, the remote Elasticsearch instance is unable to start successfully.

      Steps to Reproduce

      1. Install and configure a remote Elasticsearch following Bitbucket documentation (How to Install and configure a remote Elasticsearch instance)
      2. Open elasticsearch.yml
      3. Set xpack.security.enabled: true
      4. Start Elasticsearch

      Expected Results

      Elasticsearch can start successfully.

      Actual Results

      The below exception is thrown in elasticsearch.log:

      [2019-12-25T19:01:16,167][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [AQY_yNT] uncaught exception in thread [main]
      org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Cannot have more than one plugin implementing a REST wrapper
          at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-6.6.1.jar:6.6.1]
          at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-6.6.1.jar:6.6.1]
          at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.6.1.jar:6.6.1]
          at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.6.1.jar:6.6.1]
          at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.6.1.jar:6.6.1]
          at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:116) ~[elasticsearch-6.6.1.jar:6.6.1]
          at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.6.1.jar:6.6.1]
      Caused by: java.lang.IllegalArgumentException: Cannot have more than one plugin implementing a REST wrapper
          at org.elasticsearch.action.ActionModule.<init>(ActionModule.java:382) ~[elasticsearch-6.6.1.jar:6.6.1]
          at org.elasticsearch.node.Node.<init>(Node.java:477) ~[elasticsearch-6.6.1.jar:6.6.1]
          at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.1.jar:6.6.1]
          at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.1.jar:6.6.1]
          at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.1.jar:6.6.1]
          at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.1.jar:6.6.1]
          at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.1.jar:6.6.1]
          ... 6 more
      

      Workaround

      Currently, there is no known workaround for this behavior. A workaround will be added here when available.
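
The following triage check is an added example, not part of the original issue or of Bitbucket or Elasticsearch code. It reads an elasticsearch.yml and an elasticsearch.log and reports whether xpack.security.enabled is set to true and whether the startup failure shown above was logged. The function names and sample config values are assumptions, and only the plain key/value subset of YAML is parsed.

```python
import re

# Exception message copied from the elasticsearch.log excerpt in this issue.
REST_WRAPPER_ERROR = "Cannot have more than one plugin implementing a REST wrapper"

def flatten_settings(yml_text):
    """Flatten the plain-mapping subset of YAML used by elasticsearch.yml to
    dotted keys, so 'xpack.security.enabled: true' and its nested form match."""
    settings, parents = {}, []            # parents: (indent, key) of open mappings
    for raw in yml_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()          # drop trailing comments
        m = re.match(r"^(\s*)([^#:\s][^:]*):\s*(.*)$", line)
        if not m:
            continue                      # blank line, comment, or unsupported syntax
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        while parents and parents[-1][0] >= indent:    # close deeper/sibling mappings
            parents.pop()
        if value:
            settings[".".join([k for _, k in parents] + [key])] = value.strip("'\"")
        else:
            parents.append((indent, key))
    return settings

def diagnose(yml_text, log_text):
    """Return (security_enabled, conflict_logged, es_version, verdict)."""
    enabled = flatten_settings(yml_text).get("xpack.security.enabled", "").lower() == "true"
    conflict = REST_WRAPPER_ERROR in log_text
    ver = re.search(r"elasticsearch-(\d+\.\d+\.\d+)\.jar", log_text)
    verdict = ("startup blocked by REST wrapper plugin conflict" if enabled and conflict
               else "security enabled, no conflict logged" if enabled
               else "security not explicitly enabled")
    return enabled, conflict, ver.group(1) if ver else None, verdict

# Constructed elasticsearch.yml using the nested spelling of the setting.
SAMPLE_YML = """\
cluster.name: bitbucket-search   # constructed value
xpack:
  security:
    enabled: true
"""
# Shortened from the log excerpt in this issue.
SAMPLE_LOG = """\
[2019-12-25T19:01:16,167][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [AQY_yNT] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Cannot have more than one plugin implementing a REST wrapper
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-6.6.1.jar:6.6.1]
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_YML, SAMPLE_LOG))
```

A setting that is absent or commented out is reported as "not explicitly enabled"; the check does not infer the license-dependent default.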

            People

            Assignee:
            Unassigned
            Reporter:
            mmarini@atlassian.com Marini Marini (Inactive)
            Votes:
            5
            Watchers:
            9
