Disable transport ssl authorization in SearchGuard

Alexey_Chernyaev · March 29, 2019, 1:09pm

I need install this plugin on a working cluster (2 master node + 2 data node). Installing should without stopped service when working with this cluster. My plan installing:

Disable 1 data node and 1 master node;
Install on this nodes SearchGuard;
Add certificates on server and add config SearchGuard in config ElasticSearch (but disable force ssl communication nodes in cluster);
Sync indexes;
Retry install plugin with 2 another nodes (without disable forse ssl communication nodes);
Sync indexes;
Enable force ssl communication on first 2 nodes.
But how disable force ssl communication nodes? It’s real? If it’s not real, have you any ideas about update my cluster?

jkressin · March 29, 2019, 1:12pm

The short answer is: You cannot disable TLS on transport layer (inter-node communication). If you install SG on 2 nodes and leave the other nodes as the are you will end up with a split cluster since the first 2 nodes cannot talk to the other nodes anymore. At the moment you cannot install SG without a full cluster restart.

···

On Tuesday, June 20, 2017 at 10:05:33 AM UTC+2, Alexey Chernyaev wrote:

I need install this plugin on a working cluster (2 master node + 2 data node). Installing should without stopped service when working with this cluster. My plan installing:

Disable 1 data node and 1 master node;

Install on this nodes SearchGuard;

Add certificates on server and add config SearchGuard in config ElasticSearch (but disable force ssl communication nodes in cluster);

Sync indexes;

Retry install plugin with 2 another nodes (without disable forse ssl communication nodes);

Sync indexes;

Enable force ssl communication on first 2 nodes.
But how disable force ssl communication nodes? It’s real? If it’s not real, have you any ideas about update my cluster?