24 July 2018 Engineering

Elastic Stack 6.3.0 and 6.3.1 May Disable Security for Trial Licenses

By Josh Bressers

If you are currently using a trial license with Elastic Stack 6.2.x or earlier, your X-Pack security functionality may be disabled when upgrading to 6.3.0 or 6.3.1.

Previous to version 6.3.0, X-Pack could be downloaded and installed to extend the functionality of the Elastic Stack. To trial the features within X-Pack (without purchasing a subscription), a 30-day trial license could be requested to enable features like security, alerting, and more.

Starting with version 6.3.0, the default distribution of the Elastic Stack now comes with all of the features that were previously bundled into X-Pack. The default distribution also comes with a Basic license, which enables some feature functionality but not all. For instance, the Basic license does not enable Elastic security features.

If a 30-day trial is started to enable platinum-level functionality, security is not enabled by default. This same behavior applies to upgrades from 6.2.x and prior to 6.3.0 and 6.3.1. The reason for this default setting is to ensure the cluster will not experience any downtime, as enabling security functionality requires the cluster must be stopped and configured

Affected Systems

This bug will impact any cluster that meets all of the following requirements and is being upgraded to 6.3.0 or 6.3.1:

  • Version 6.2.x or earlier
  • Trial license
  • Security functionality is enabled

This issue does not affect clusters with Basic, Gold, Platinum, or Enterprise licenses, nor does it affect deployments of the hosted Elasticsearch Service or Elastic Cloud Enterprise.

Impact of the Bug

If a trial license was generated in a version of the Elastic Stack that’s earlier than 6.3.0 and the cluster is then upgraded to version 6.3.0 or 6.3.1, X-Pack security functionality will be silently disabled. This could result in a compromise of the data stored in the cluster.

Workaround

Elastic Stack 6.3.2 fixes this issue by determining if a trial license was generated prior to version 6.3.0, and then ensuring that security enabled.

If you are planning to upgrade a cluster with a Trial license to 6.3+, please ensure you upgrade to version 6.3.2 or greater. If you have already upgraded to 6.3.0 or 6.3.1 and cannot upgrade to 6.3.2 please verify that Elastic security is explicitly enabled.

How to Verify that Security is Enabled

Run this command (updating the Elasticsearch host and port per your environment):

curl http://localhost:9200/?pretty

Results when Security is Enabled

If security is enabled, your output will be similar to:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication token for REST request [/?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication token for REST request [/?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

Results when Security is Disabled

If security is disabled, your output will be similar to:

{
  "name" : "bKnCpEt",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "L4LfQKsWRAO2sbwq6UmoWg",
  "version" : {
    "number" : "6.3.2",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "053779d",
    "build_date" : "2018-07-20T05:20:23.451332Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

How to Enable Security

Ensure you have this setting in your elasticsearch.yml file:

xpack.security.enabled: true