Can't login with users created by FileRealm and secrets

doctor · April 22, 2020, 4:58pm

Hey,

I'm trying to create a new user on ECK using secrets and FileRealm.

I created the user like explained in the documentation:

# create a folder with the 2 files
mkdir filerealm
touch filerealm/users filerealm/users_roles

# create user 'myuser' with role 'monitoring_user'
docker run \
    -v ${PWD}/filerealm:/usr/share/elasticsearch/config \
    docker.elastic.co/elasticsearch/elasticsearch:{version} \
    bin/elasticsearch-users useradd myuser -p mypassword -r monitoring_user

# create a Kubernetes secret with the file realm content
kubectl create secret generic my-file-realm-secret --from-file filerealm

The user "mysuser" with password "mypassword" now exists inside a secret.

My elastic config looks like this:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 7.6.1
  auth:
    fileRealm:
    - secretName: my-filerealm-secret
  nodeSets:
  - name: default
    count: 1
    config:
      node.master: true
      node.data: true
      node.ingest: true
      node.store.allow_mmap: false

Unfortunatly, trying to loging with the credentials set above is not working.
I can't login within Kibana and curling elastic-http is also forbiden if using this particular user.

Anya_Sabo · April 22, 2020, 5:34pm

What version of ECK are you running? This is an unreleased feature at the moment, so you would need to be running a pre-release build for those docs to apply. You can click the link in the header at the top of the doc page you linked to make sure you are looking at the current documentation on the site.

doctor · April 23, 2020, 10:28am

You're right ! This functionnality seems to be availble on version "1.1" and "master" only.

I have been using the eck version 1.0 which deploys elastic in version 7.6.1.

As the "1.1" version deploys elastic 7.6.2, I updated to 7.6.2 but its still isn't working.

FYI I still have 1.0.1 operator as the link used to download "all-in-one.yaml" for 1.1.0 returns 404.

So I'm still stuck... What should I be deploying if elastic 7.6.2 is not working either ?

Thanks in advance

pebrc · April 24, 2020, 8:38am

As @Anya_Sabo said, this is an unreleased feature. You will have to wait until ECK 1.1 is released before you can use this feature.

You can find the latest release of ECK here: https://www.elastic.co/downloads/elastic-cloud-kubernetes

Because you mentioned it: the Elasticsearch version is not tied to the ECK version. We just update the examples in the repository to the latest Elastic stack version on each release. But they are just examples! So you can deploy Elasticsearch or other Elastic stack applications in version 7.6.2 with the already released versions of ECK. It will not give you access to unreleased features though.

doctor · April 27, 2020, 12:01pm

Ok thanks, I get it.

I'll wait then...

doctor · April 29, 2020, 5:18pm

ECK 1.1 just got released. Creating users from secrets works great with elasticsearch !

Though I still have a question which you may help me ?

The accounts I made don't work with Kibana... How should I created default users for Kibana as I did for elastic ?

Thx

sebgl · April 30, 2020, 11:57am

Kibana relies on the Elasticsearch authentication realms.
Any user you create for Elasticsearch can also be used with Kibana, as long as it has the right role (kibana_admin).

doctor · April 30, 2020, 2:31pm

ah ! Its working. Thx a lot.