Can't change xpack security realms in ECK 1.0

Jaepyoung_Kim · November 22, 2019, 7:45pm

Have an issue of updating security.authc.reamls in elasticsearcy.yml file in ECK.

Installed ECK open source 1.0 in EKS.
I can get password for "elastic" user using following command.

kubectl get secret canoo-elasticserach-es-elastic-user -o=jsonpath='{.data.elastic}' -n elasticsearch| base64 --decode; echo

Since I wanted to create a user and share with other team, I created one user under the menu of "Security/Users" in Kibana.

However I can't login with a new created account.
I figure out that security realms setting is file. In order to use users created in Kibana, I need to use native type.

Original:

security:
authc:
realms:
file:
file1:
order: -100
reserved_realm:
enabled: "false"
enabled: "true"

Want to change to

xpack:
security:
authc:
realms:
file:
file1:
order: 0
native:
native1:
order: 1
reserved_realm:
enabled: "false"
enabled: "true"

But some reason it is not changed.
What I tried to was delete secret and create a new one with data, or kubectl edit secrets... but the setting of elasticsearcy.yml is not updated. Can you help me to change the setting?

Here is my secret of elasticsearch.

apiVersion: v1
data:
elasticsearch.yml: Y2x1c3RlcjoKICBuYW1lOiBjYW5vby1lbGFzdGljc2VyYWNoCiAgcmVtb3RlOgogICAgY29ubmVjdDogZmFsc2UKZGlzY292ZXJ5OgogIHplbjoKICAgIGhvc3RzX3Byb3ZpZGVyOiBmaWxlCm5ldHdvcms6CiAgaG9zdDogMC4wLjAuMAogIHB1Ymxpc2hfaG9zdDogJHtQT0RfSVB9Cm5vZGU6CiAgZGF0YTogdHJ1ZQogIGluZ2VzdDogZmFsc2UKICBtYXN0ZXI6IGZhbHNlCiAgbWw6IGZhbHNlCiAgbmFtZTogJHtQT0RfTkFNRX0KICBzdG9yZToKICAgIGFsbG93X21tYXA6IGZhbHNlCnBhdGg6CiAgZGF0YTogL3Vzci9zaGFyZS9lbGFzdGljc2VhcmNoL2RhdGEKICBsb2dzOiAvdXNyL3NoYXJlL2VsYXN0aWNzZWFyY2gvbG9ncwp4cGFjazoKICBzZWN1cml0eToKICAgIGF1dGhjOgogICAgICByZWFsbXM6CiAgICAgICAgZmlsZToKICAgICAgICAgIGZpbGUxOgogICAgICAgICAgICBvcmRlcjogLTEwMAogICAgICByZXNlcnZlZF9yZWFsbToKICAgICAgICBlbmFibGVkOiAiZmFsc2UiCiAgICBlbmFibGVkOiAidHJ1ZSIKICAgIGh0dHA6CiAgICAgIHNzbDoKICAgICAgICBjZXJ0aWZpY2F0ZTogL3Vzci9zaGFyZS9lbGFzdGljc2VhcmNoL2NvbmZpZy9odHRwLWNlcnRzL3Rscy5jcnQKICAgICAgICBjZXJ0aWZpY2F0ZV9hdXRob3JpdGllczogL3Vzci9zaGFyZS9lbGFzdGljc2VhcmNoL2NvbmZpZy9odHRwLWNlcnRzL2NhLmNydAogICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgICBrZXk6IC91c3Ivc2hhcmUvZWxhc3RpY3NlYXJjaC9jb25maWcvaHR0cC1jZXJ0cy90bHMua2V5CiAgICB0cmFuc3BvcnQ6CiAgICAgIHNzbDoKICAgICAgICBjZXJ0aWZpY2F0ZTogL3Vzci9zaGFyZS9lbGFzdGljc2VhcmNoL2NvbmZpZy9ub2RlLXRyYW5zcG9ydC1jZXJ0L3RyYW5zcG9ydC50bHMuY3J0CiAgICAgICAgY2VydGlmaWNhdGVfYXV0aG9yaXRpZXM6CiAgICAgICAgLSAvdXNyL3NoYXJlL2VsYXN0aWNzZWFyY2gvY29uZmlnL3RyYW5zcG9ydC1jZXJ0cy9jYS5jcnQKICAgICAgICBlbmFibGVkOiAidHJ1ZSIKICAgICAgICBrZXk6IC91c3Ivc2hhcmUvZWxhc3RpY3NlYXJjaC9jb25maWcvbm9kZS10cmFuc3BvcnQtY2VydC90cmFuc3BvcnQudGxzLmtleQogICAgICAgIHZlcmlmaWNhdGlvbl9tb2RlOiBjZXJ0aWZpY2F0ZQo=
kind: Secret
metadata:
creationTimestamp: "2019-11-22T19:35:10Z"
labels:
common.k8s.elastic.co/type: elasticsearch
elasticsearch.k8s.elastic.co/cluster-name: elasticserach
elasticsearch.k8s.elastic.co/statefulset-name: elasticserach-es-data
name: elasticserach-es-data-es-config
namespace: elasticsearch
ownerReferences:

apiVersion: elasticsearch.k8s.elastic.co/v1beta1
blockOwnerDeletion: true
controller: true
kind: Elasticsearch
name: elasticserach
uid: ca8492e5-ff76-11e9-a259-02a9107eed52
resourceVersion: "5620293"
selfLink: /api/v1/namespaces/elasticsearch/secrets/elasticserach-es-data-es-config
uid: 324aefdc-0d5f-11ea-a259-02a9107eed52
type: Opaque

sebgl · November 25, 2019, 8:21am

Hey @Jaepyoung_Kim,

there is a bug in release 1.0.0-beta 1 with users created in Kibana and the native realm.
See this workaround: https://github.com/elastic/cloud-on-k8s/issues/2036#issuecomment-544838578.

This will be fixed in next release.

Jaepyoung_Kim · November 25, 2019, 9:44pm

Thanks a lot for your information. After applying the change, I am able login with user created.