# all-things-deployment
r
Hey all, I set up a separate Elastic Search instance on AWS to use with Datahub, but when I use its host:port I got the following error on the GMS pod:
2022/08/02 01:34:44 Received 400 from http://search-datahub-elasticsearch-foobar.us-west-2.es.amazonaws.com:443. Sleeping 1s
I used ELASTICSEARCH_HOST and ELASTICSEARCH_PORT env variables in the GMS deployment (I used Kustomize). Any idea?
b
Looks like there is some misconfiguration: the URL you configured, http://search-datahub-elasticsearch-foobar.us-west-2.es.amazonaws.com:443/, is using port 443 with the http protocol, which is wrong; http works with 80 protocol.
If you are using the SSL (https/443) protocol, update the elasticsearch settings under global in the values.yaml as follows:
elasticsearch:
    host: <<elasticsearch-endpoint>>
    port: "443"
    useSSL: "true"
For HTTP (without SSL) communication, update the settings below:
elasticsearch:
    host: <<elasticsearch-endpoint>>
    port: "80"
r
Thanks Navin, I’m not getting 400 anymore with port 80 but I’m getting the following 403. Also, I’m not using the helm chart, so how can I apply the elasticsearchSetupJob to the config?
Received 403 from http://search-datahub-elasticsearch-i2zymt4u4yi7jgag7gtpkizkpa.us-west-2.es.amazonaws.com:80. Sleeping 1s
a
^ you could just run that job/container a single time and point it to your ES cluster. It is only required to run once
r
@average-vr-23088 I’m not using helm but Kustomize instead.
@green-football-43791 unfortunately adding ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD to the env still didn’t help, I’m still getting 403 like the above 😭
a
how have you deployed Elastic Search? is it the AWS managed one?
r
Yes
Amazon OpenSearch Service
a
did you enable the internal user database on OpenSearch?
r
oh, I created a master user and provided username/password to GMS. Should I not do that?
a
There are a few ways to configure security for OpenSearch. One is if you set TheMasterUser to an IAM role, typically used with Cognito. Another is if you enable the internal user database with fine-grained access control. In that scenario, if OpenSearch is public and you set up the right resource policy, it can support HTTP basic auth. The first setup doesn’t support HTTP basic auth; it forces you to do signed requests to the ElasticSearch API, something datahub doesn’t support.
r
I see, so the only option is to enable the internal user database with fine-grained access control? The link you sent is still using TheMasterUser, but without Cognito right?
a
That’s right. You’d have to use a cluster that is configured to be public and support HTTP Basic auth, using that fine-grained access control setup I linked to. It would be nice if DataHub supported doing signed requests but I can see how that would make it fairly specific to AWS OpenSearch.
Optionally, you can just run Elastic Search via K8, it isn’t really a critical piece of the infra. If it fails, you can always restore the indices.
r
Thank you! Do you know where I can “Sign in using TheMasterUser”? I don’t see that option anywhere in my OpenSearch Dashboard https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac-walkthrough-basic.html
2. Navigate to OpenSearch Dashboards.
3. Sign in using TheMasterUser.
FWIW I’m not getting an error code anymore, just
2022/08/02 19:10:16 Problem with request: Get "http://search-datahub-elasticsearch-foobar.us-west-2.es.amazonaws.com:80": dial tcp 54.70.124.114:80: connect: connection refused. Sleeping 1s