diff --git a/docs/changelog/83145.yaml b/docs/changelog/83145.yaml
new file mode 100644
index 0000000000000..e6e1dce0e706e
--- /dev/null
+++ b/docs/changelog/83145.yaml
@@ -0,0 +1,5 @@
+pr: 83145
+summary: Bind host all instead of just _site_ when needed
+area: Security
+type: enhancement
+issues: []
diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagingTestCase.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagingTestCase.java
index fa8053ba5d5bf..c57a9c8343e52 100644
--- a/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagingTestCase.java
+++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/PackagingTestCase.java
@@ -671,7 +671,7 @@ public void verifySecurityAutoConfigured(Installation es) throws Exception {
 assertThat(settings.get("xpack.security.enabled"), equalTo("true"));
 if (es.distribution.isDocker() == false) {
- assertThat(settings.get("http.host"), equalTo("[_local_, _site_]"));
+ assertThat(settings.get("http.host"), equalTo("0.0.0.0"));
 }
 }
diff --git a/x-pack/docs/en/security/enroll-nodes.asciidoc b/x-pack/docs/en/security/enroll-nodes.asciidoc
index 282dc44a14d81..28aeb6690e309 100644
--- a/x-pack/docs/en/security/enroll-nodes.asciidoc
+++ b/x-pack/docs/en/security/enroll-nodes.asciidoc
@@ -1,8 +1,8 @@
 [role="exclude"]
 When {es} starts for the first time, the security auto-configuration process
-binds the HTTP layer to both `_site_` and `_local_`, but only binds the
-transport layer to `_local_`. This intended behavior ensures that you can start
+binds the HTTP layer to `0.0.0.0`, but only binds the transport layer to
+localhost. This intended behavior ensures that you can start
 a single-node cluster with security enabled by default without any additional
 configuration.
@@ -14,10 +14,10 @@ could expire, which is why enrollment tokens aren't generated automatically.
 Additionally, only nodes on the same host can join the cluster without
 additional configuration. If you want nodes from another host to join your
 cluster, you need to set `transport.host` to a
-{ref}/modules-network.html#network-interface-values[supported value] other than
-`_local_` (such as `_site_`), or an IP address that's bound to an interface
-where other hosts can reach it. Refer to
-{ref}/modules-network.html#transport-settings[transport settings] for more
+{ref}/modules-network.html#network-interface-values[supported value]
+(such as uncommenting the suggested value of `0.0.0.0`), or an IP address
+that's bound to an interface where other hosts can reach it. Refer to
+{ref}/modules-network.html#transport-settings[transport settings] for more
 information.
 To enroll new nodes in your cluster, create an enrollment token with the
diff --git a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java
index f0a004af88f65..a6b8f2d2adef9 100644
--- a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java
+++ b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/AutoConfigureNode.java
@@ -782,13 +782,11 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
 || localFinalEnv.settings().hasValue(NetworkService.GLOBAL_NETWORK_BIND_HOST_SETTING.getKey())
 || localFinalEnv.settings().hasValue(NetworkService.GLOBAL_NETWORK_PUBLISH_HOST_SETTING.getKey()))) {
 bw.newLine();
- bw.write("# Allow HTTP API connections from localhost and local networks");
+ bw.write("# Allow HTTP API connections from anywhere");
 bw.newLine();
 bw.write("# Connections are encrypted and require user authentication");
 bw.newLine();
- bw.write(
- HttpTransportSettings.SETTING_HTTP_HOST.getKey() + ": " + hostSettingValue(NetworkUtils.getAllAddresses())
- );
+ bw.write(HttpTransportSettings.SETTING_HTTP_HOST.getKey() + ": 0.0.0.0");
 bw.newLine();
 }
 if (false == (localFinalEnv.settings().hasValue(TransportSettings.HOST.getKey())
@@ -798,7 +796,7 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
 || localFinalEnv.settings().hasValue(NetworkService.GLOBAL_NETWORK_BIND_HOST_SETTING.getKey())
 || localFinalEnv.settings().hasValue(NetworkService.GLOBAL_NETWORK_PUBLISH_HOST_SETTING.getKey()))) {
 bw.newLine();
- bw.write("# Allow other nodes to join the cluster from localhost and local networks");
+ bw.write("# Allow other nodes to join the cluster from anywhere");
 bw.newLine();
 bw.write("# Connections are encrypted and mutually authenticated");
 bw.newLine();
@@ -806,7 +804,7 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
 || false == anyRemoteHostNodeAddress(transportAddresses, NetworkUtils.getAllAddresses())) {
 bw.write("#");
 }
- bw.write(TransportSettings.HOST.getKey() + ": " + hostSettingValue(NetworkUtils.getAllAddresses()));
+ bw.write(TransportSettings.HOST.getKey() + ": 0.0.0.0");
 bw.newLine();
 }
 bw.newLine();
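Review bot: The `http.host: 0.0.0.0` line written in the first hunk binds the HTTP API on every interface the host has, including any non-site-local (publicly routed) one, whereas the removed `hostSettingValue` call limited the generated value to `_local_` plus `_site_`; the hunk addresses that widening only with the YAML comment text, and `execute` begins and ends outside the hunk. The transport hunk at `@@ -806` still prefixes its `0.0.0.0` line with `#` unless `anyRemoteHostNodeAddress` finds a remote node, so transport stays opt-in, but as far as the visible condition shows the HTTP line has no equivalent guard and is emitted whenever no host setting is already present. Since the generated file is what an operator reads, the comment should state the scope rather than just "anywhere", e.g. `bw.write("# Allow HTTP API connections from anywhere (binds all interfaces, including public ones)");` ahead of the existing encryption/authentication line. The literal `0.0.0.0` is now repeated here, in the transport line at `@@ -806`, and in the packaging test assertion; a `private static final String` constant in this class would keep the two writers in this file from drifting apart.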
@@ -880,14 +878,6 @@ protected static boolean anyRemoteHostNodeAddress(List allNodesTransport
 return false;
 }
- protected String hostSettingValue(InetAddress[] allAddresses) {
- if (Arrays.stream(allAddresses).anyMatch(InetAddress::isSiteLocalAddress)) {
- return "[_local_, _site_]";
- } else {
- return "[_local_]";
- }
- }
-
 private Environment possiblyReconfigureNode(Environment env, Terminal terminal) throws UserException {
 // We remove the existing auto-configuration stanza from elasticsearch.yml, the elastisearch.keystore and
 // the directory with the auto-configured TLS key material, and then proceed as if elasticsearch is started