Cannot create Elasticsearch users with ECK

I'm following this tutorial: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-users-and-roles.html to set up users in Elasticsearch programmatically.

I have ECK 1.1.2 installed in the cluster, with Elasticsearch and Kibana 7.7.1.

Here are my steps:

  • Generated filerealm with:
mkdir filerealm
touch filerealm/users filerealm/users_roles

docker run \
    -v ${PWD}/filerealm:/usr/share/elasticsearch/config \
    docker.elastic.co/elasticsearch/elasticsearch:7.7.1 \
    bin/elasticsearch-users useradd test.user10 -p mypassword -r monitoring_user

docker run \
    -v ${PWD}/filerealm:/usr/share/elasticsearch/config \
    docker.elastic.co/elasticsearch/elasticsearch:7.7.1 \
    bin/elasticsearch-users useradd test.user11 -p mypassword -r monitoring_user
  • Created a secret with it:
    kubectl create secret generic my-file-realm-secret --from-file filerealm

  • Manifest to create Elasticsearch:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: es-test
spec:
  auth:
    fileRealm:
    - secretName: my-file-realm-secret
  http:
    tls:
      selfSignedCertificate:
        disabled: true
  nodeSets:
  - config:
      node.data: true
      node.ingest: true
      node.master: true
      node.store.allow_mmap: false
    count: 2
    name: default
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 5Gi
        storageClassName: standard
  version: 7.7.1
  • and Kibana:
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: es-test
spec:
  count: 2
  elasticsearchRef:
    name: es-test
  http:
    tls:
      selfSignedCertificate:
        disabled: true
  config:
      elasticsearch.requestHeadersWhitelist: [ es-security-runas-user, authorization ]
      xpack.monitoring.elasticsearch.requestHeadersWhitelist: [ es-security-runas-user, authorization, Authorization ]
  version: 7.7.1

However, when I log in to Kibana (with the automatically created elastic user), I don't see any users listed at https://<Kibana-URL>/app/kibana#/management/security/users

When I jump into an ES container and check the file realm content, the users (test.user10 and test.user11) are there:

# cat /mnt/elastic-internal/xpack-file-realm/users
elastic-internal-probe:$2a$10$wUYK52XN4slvIGfL0a8/hOlaUPVXHRnKr0aEZzCuYiOF.k2GPAkQK
elastic-internal:$2a$10$v7tAzMI3jPQEzfyARPbjcecE0MPDg1cc6zhK1i3560Fy0CMIM6D6u
elastic:$2a$10$ZmBcRqF6FeGGN1d0cYCCreQI/nOP75iK4NKedF9tOON1Mdo7mLl22
es-test-es-test-kibana-user:$2a$10$bljDQaLWwXyeXwCWELe.deS1k4O1VX6BuaLZkpryA.6sO3I64YPF6
test.user10:$2a$10$Py6mQp/JqniA0uiuzSeg5ekL4PpVL1jiOgVNtlJHLRTPOSGQLNhOy
test.user11:$2a$10$hIFINTQPGclCEUxncufADOLqTtXzP/5tvTco7rRYYQdcFBayoEh1m

There are no error messages coming from the ECK operator, ES or Kibana.

Am I missing something?
Do I need to configure ES to use the file realm somehow?

2 Likes

Can you log in with the users? You cannot view or manage them via Kibana as described in the docs. It may be worth linking to them from the ECK documentation though since you are not the first person to raise this question.

2 Likes

Ah, great point, I hadn't noticed that part in the docs about not being able to manage users via the Kibana UI.

I was able to log in with Kibana UI for a programmatically created user that has a kibana_admin role.

Thank you @Anya_Sabo!

1 Like
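
Since file realm users are not listed in Kibana's user management page, the generated files can be cross-checked directly before they are packaged into the secret. The following is an added example, not part of the thread or of ECK: `filerealm_report` is a hypothetical helper, the hashes and the users `test.user12` and `test.user13` are constructed, and it assumes the file realm layout of `username:hash` lines in `users` and `role:user1,user2` lines in `users_roles`.

```shell
#!/bin/sh
# Added example: cross-check file realm files before creating the secret.
# Assumed layout: users = "username:hash", users_roles = "role:user1,user2".

# Prints "user<TAB>roles" per entry in users ("-" means no role), then
# "MISSING<TAB>user<TAB>roles" for role members absent from users. Returns 1 if flagged.
filerealm_report() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        pass == 1 {                             # users_roles
            n = split($2, m, ",")
            for (i = 1; i <= n; i++) {
                u = m[i]
                if (u == "") continue
                if (u in roles) roles[u] = roles[u] "," $1
                else roles[u] = $1
            }
            next
        }
        pass == 2 {                             # users
            seen[$1] = 1
            if ($1 in roles) r = roles[$1]
            else { r = "-"; bad = 1 }
            printf "%s\t%s\n", $1, r
        }
        END {
            for (u in roles) if (!(u in seen)) {
                bad = 1
                printf "MISSING\t%s\t%s\n", u, roles[u]
            }
            exit bad + 0
        }
    ' pass=1 "$1/users_roles" pass=2 "$1/users"
}

# Constructed sample data (placeholder hashes; test.user12/13 are made up).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/users" <<'EOF'
test.user10:$2a$10$CONSTRUCTED.PLACEHOLDER.HASH.0001
test.user11:$2a$10$CONSTRUCTED.PLACEHOLDER.HASH.0002
test.user12:$2a$10$CONSTRUCTED.PLACEHOLDER.HASH.0003
EOF
cat > "$demo_dir/users_roles" <<'EOF'
monitoring_user:test.user10,test.user11
kibana_admin:test.user11,test.user13
EOF
filerealm_report "$demo_dir" || echo "flagged entries above" >&2
```

Point the function at the real `filerealm` directory before running `kubectl create secret`. A user reported with `-` can still authenticate but holds no privileges, and a `MISSING` line means `users_roles` names an account that has no password entry.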