URL option for BaseRunAsSuperuserCommand (#81025)

Add a --url option for elasticsearch-reset-password and
elasticsearch-create-enrollment-token CLI Tools (and any tools
that would extend BaseRunAsSuperuserCommand).
The tools use CommandLineHttpClient internally, which tries its
best to deduce the URL of the local node based on the configuration
but there are certain cases where it either fails or returns an
unwanted result. Concretely:

- CommandLineHttpClient#getDefaultURL will always return a URL with
the port set to 9200, unless otherwise explicitly set in the
configuration. When running multiple nodes on the same host,
subsequent nodes get sequential port numbers after 9200 by default
and this means that the CLI tool will always connect to the first of
n nodes in a given host. Since these tools depend on a file realm
local user, requests to other nodes would fail.
- When an ES node binds and listens to many addresses, there can
be the case that not all of the IP addresses are added as SANs in
the certificate that is used for TLS on the HTTP layer.
CommandLineHttpClient#getDefaultURL will pick an address based on
a preference order but that address might not be in the SANs and
thus all requests to the node would fail due to failed hostname
verification.

Manually setting `--url` to an appropriate value allows users to
overcome these edge cases.
Ioannis Kakavas 2021-11-29 23:49:27 +02:00 committed by GitHub
parent 1f933390c1
commit 537f371f34
9 changed files with 164 additions and 61 deletions


@ -12,7 +12,7 @@ The `elasticsearch-create-enrollment-token` command creates enrollment tokens fo
[source,shell]
----
bin/elasticsearch-create-enrollment-token
[-f, --force] [-h, --help] [-E <KeyValuePair>] [-s, --scope]
[-f, --force] [-h, --help] [-E <KeyValuePair>] [-s, --scope] [--url]
----
[discrete]
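Review bot: the new `[--url]` entry in the usage synopsis has no value placeholder, although the option takes one (the description below calls it the base URL and the example passes `--url "https://..."`). The synopsis already writes `[-E <KeyValuePair>]` for the other value-taking option, so `[--url <url>]` would be consistent and makes clear that a bare `--url` is not valid.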
@ -23,7 +23,7 @@ Use this command to create enrollment tokens, which you can use to enroll new
with an existing {es} cluster that has security features enabled.
The command generates (and subsequently removes) a temporary user in the
<<file-realm,file realm>> to run the request that creates enrollment tokens.
IMPORTANT: You cannot use this tool if the file realm is disabled in your
IMPORTANT: You cannot use this tool if the file realm is disabled in your
`elasticsearch.yml` file.
This command uses an HTTP connection to connect to the cluster and run the user
@ -42,12 +42,17 @@ option. For more information about debugging connection failures, see
`-E <KeyValuePair>`:: Configures a standard {es} or {xpack} setting.
`-f, --force`:: Forces the command to run against an unhealthy cluster.
`-f, --force`:: Forces the command to run against an unhealthy cluster.
`-h, --help`:: Returns all of the command parameters.
`-s, --scope`:: Specifies the scope of the generated token. Supported values are `node` and `kibana`.
`--url`:: Specifies the base URL (hostname and port of the local node) that the tool uses to submit API
requests to {es}. The default value is determined from the settings in your
`elasticsearch.yml` file. If `xpack.security.http.ssl.enabled` is set to `true`,
you must specify an HTTPS URL.
[discrete]
=== Examples
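Review bot: the `--url` description says an HTTPS URL is required when `xpack.security.http.ssl.enabled` is `true`, but not that the tool verifies the node's certificate, so the hostname or IP address in the URL has to be one listed in the HTTP certificate's subject alternative names. That is the second failure case the commit message describes and the main reason a user would reach for this option, so a sentence such as `The hostname or IP address in the URL must match one of the subject alternative names in the node's HTTP certificate.` would save a round of failed hostname-verification errors. Also, `-f, --force` appears identically in the removed and added lines, so that part of the hunk looks like a whitespace-only edit.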
@ -57,3 +62,12 @@ The following command creates an enrollment token for enrolling an {es} node int
----
bin/elasticsearch-create-enrollment-token -s node
----
The following command creates an enrollment token for enrolling a {kib} instance into a cluster.
The specified URL indicates where the elasticsearch-create-enrollment-token tool attempts to reach the
local {es} node:
[source,shell]
----
bin/elasticsearch-create-enrollment-token -s kibana --url "https://172.0.0.3:9200"
----
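Review bot: the example URL `https://172.0.0.3:9200` uses an address in 172.0.0.0/8, which is publicly routable (only 172.16.0.0/12 is private space). Documentation examples should use an RFC 5737 address such as `192.0.2.3` so readers do not copy a real-world address; the reset-password example further down uses the same address and should change with it.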


@ -14,7 +14,7 @@ the native realm and built-in users.
bin/elasticsearch-reset-password
[-a, --auto] [-b, --batch] [-E <KeyValuePair]
[-f, --force] [-h, --help] [-i, --interactive]
[-s, --silent] [-u, --username] [-v, --verbose]
[-s, --silent] [-u, --username] [--url] [-v, --verbose]
----
[discrete]
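Review bot: the context line `[-E <KeyValuePair]` in this synopsis is missing its closing `>`; since the block is being edited anyway, fix it to `[-E <KeyValuePair>]` as in the create-enrollment-token synopsis, and give the new option a placeholder, `[--url <url>]`, so the synopsis shows that it takes a value.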
@ -59,12 +59,17 @@ option. For more information about debugging connection failures, see
`-u, --username`:: The username of the native realm user or built-in user.
`--url`:: Specifies the base URL (hostname and port of the local node) that the tool uses to submit API
requests to {es}. The default value is determined from the settings in your
`elasticsearch.yml` file. If `xpack.security.http.ssl.enabled` is set to `true`,
you must specify an HTTPS URL.
`-v --verbose`:: Shows verbose output in the console.
[discrete]
=== Examples
The following example resets the password of the `elastic` user to an auto-generated value and
prints the new password in the console.
prints the new password in the console:
[source,shell]
----
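Review bot: the `--url` description is copied verbatim from the create-enrollment-token page, so the same point applies here: state that the hostname or IP address in the URL must be present in the node's HTTP certificate SANs, since failed hostname verification is one of the two scenarios this option is meant to work around. Also, the context line `-v --verbose` lacks the comma that every other option line uses (`-v, --verbose`), and could be fixed in the same change.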
@ -78,3 +83,11 @@ in the terminal for the desired password:
----
bin/elasticsearch-reset-password --username user1 -i
----
The following example resets the password of a native user with username `user2` to an auto-generated value
prints the new password in the console. The specified URL indicates where the elasticsearch-reset-password
tool attempts to reach the local {es} node:
[source,shell]
----
bin/elasticsearch-reset-password --url "https://172.0.0.3:9200" --username user2 -i
----
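Review bot: the new example's description does not match its command. The text says the password of `user2` is reset to an auto-generated value and printed, but the command passes `-i`, which the synopsis lists as `--interactive` (the preceding `user1` example uses `-i` precisely to prompt for the password). Either use `-a` to match the description, or reword it along the lines of the `user1` example. The sentence is also missing `and` between `auto-generated value` and `prints the new password in the console`.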