Uploaded image for project: 'Bitbucket Data Center'
  1. Bitbucket Data Center
  2. BSERV-12113

Provide support to use Elasticsearch Security Feature (xpack.security.enabled: true)

    XMLWordPrintable

Details

    • Suggestion
    • Resolution: Unresolved
    • None
    • Search
    • None
    • 9
    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Issue Summary

      When configuring remote Elasticsearch, xpack.security.enabled must set to false in elasticsearch.yml. As a result, the user cannot configure the following security features in Elasticsearch:

      Security Category Pattern for Controls Control Definition Support Engineer's Verification
      Secure Access Authentication Active directory realms must be used for user authentication. (SSO Integration) Must configure Elastic Stack security features to communicate with Active Directory
      Secure Access Authorization Segregation of duties principle must be followed for all administrative roles. Must configure Elastic Stack security features
      Secure Access Authorization Enforce the least privilege principle as defined in the Access Control Standard for Elasticsearch service access. Must configure Elastic Stack security features
      Secure Access Authorization RBAC must be configured to access Elasticsearch. Require Elasticsearch Security Features for setting up RBAC in Elasticsearch with Kibana (xpack.security.enabled: true)
      Secure Access Authorization Only whitelisted IP addresses must be able to access Elasticsearch domains. Require Elasticsearch Security Features for IP filtering (xpack.security.enabled: true)
      Secure Data Data Encryption All nodes must authenticate using TLS certificates as they join the cluster in ElasticSearch Must configure Elastic Stack security features
      Auditing Auditing Auditing must be enabled as per logging and auditing standard Require Elasticsearch Security Features to enable an audit log (xpack.security.enabled: true)

      If we set xpack.security.enabled: true, remote Elasticsearch unable to start successfully.

      Steps to Reproduce

      1. Install and configure a remote Elasticsearch following Bitbucket documentation (How to Install and configure a remote Elasticsearch instance)
      2. Open elasticsearch.yml
      3. Set xpack.security.enabled: true
      4. Start Elasticsearch

      Expected Results

      Elasticsearch can start successfully.

      Actual Results

      The below exception is thrown in elasticsearch.log:

      [2019-12-25T19:01:16,167][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [AQY_yNT] uncaught exception in thread [main][2019-12-25T19:01:16,167][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [AQY_yNT] uncaught exception in thread [main]org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Cannot have more than one plugin implementing a REST wrapper at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.6.1.jar:6.6.1] at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.6.1.jar:6.6.1] at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:116) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.6.1.jar:6.6.1]Caused by: java.lang.IllegalArgumentException: Cannot have more than one plugin implementing a REST wrapper at org.elasticsearch.action.ActionModule.<init>(ActionModule.java:382) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.node.Node.<init>(Node.java:477) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.node.Node.<init>(Node.java:265) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.6.1.jar:6.6.1] at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.6.1.jar:6.6.1] ... 6 more

      Workaround

      Uninstall the Buckler plugin if wishing to use the Elastic security features (xpack) instead of Buckler for securing the Elasticsearch server.

      Attachments

        Activity

          People

            Unassigned Unassigned
            mmarini@atlassian.com Marini Marini (Inactive)
            Votes:
            6 Vote for this issue
            Watchers:
            13 Start watching this issue

            Dates

              Created:
              Updated: