Discovered bug/security issue? Elastic built-in user authentication

Hello,

First time poster here.

I've discovered something rather interesting that I'd like someone who understands the underlying authentication a bit better than myself to take a look at. When using ECE, we all know there is the built-in user "elastic", which is the default superuser and which, from my understanding, is permanent and cannot be modified or deleted.

However, upon looking at the user list in Kibana, the elastic user is hidden, so I thought to myself I'd try creating an elastic user and see if it works. Alas, it did. So I set a different password as well as different permissions, and it took those as well.

Then I tried to login as both the built-in super user which worked, as well as my newly created elastic user which also worked and was assigned appropriate permissions.

This seems like a very weird way to handle password management; how could this be? How is the user database assigning the appropriate profile depending on what password I give and not on the username itself, since there are technically two elastic usernames? Is it taking the password, salting/hashing it or whatever, then comparing it to the hash of the user profiles and authenticating to the appropriate one that matches? This just seems weird and makes me question how the entire authentication process works.

Hi @hodops,

Can you send this along to security@elastic.co so we can figure out what's going on?

Thanks in advance

--
Josh Bressers
Elastic Product Security

1 Like

The behaviour might be confusing, but it is expected. Please note that it involves no security vulnerability, because Elasticsearch treats the two elastic users completely separately. There are a few things going on here:

  1. The two elastic users are from different realms. The ECE built-in one is from the file realm, and the one you created is in the native realm.
  2. The realms form a chain and take turns authenticating the given credentials. So depending on the password, a different realm is able to authenticate the elastic user. You can confirm this with a call to GET /_security/_authenticate and check the authentication_realm section of the response. This information shows you exactly which realm the user is authenticated against.
  3. In general, the username by itself is not unique in Elasticsearch. This is especially true when the user is authenticated by an external authentication provider, e.g. two users from two different LDAP servers can have the same username. Hence, it is "username + realm" that is unique internally to Elasticsearch. In your case, the two users are basically elastic @ file realm and elastic @ native realm.
  4. Elasticsearch has the concept of a reserved realm, where the elastic username is also reserved. If the reserved realm is enabled (as it is by default), you won't be able to create another elastic user in the native realm (the API call will throw an error). However, when the reserved realm is disabled, as in the case of ECE, you are allowed to create users with the reserved elastic username. We generally consider disabling the reserved realm in ECE non-ideal, e.g. it is confusing, as you have discovered. It is possible that we'd enable it in future releases (but there is no roadmap yet).

I hope this helps answer your questions.

2 Likes
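The realm chain described in the answer above, as an added illustrative model (not Elasticsearch's own code): a file realm and a native realm each hold their own "elastic" entry, the chain tries realms in order, and the reserved-realm check blocks creating a native "elastic" when enabled. Realm names, the PBKDF2 hashing, the reserved-username set and the credentials are all assumptions constructed for the example.

```python
import hashlib, hmac, os

RESERVED_USERNAMES = {"elastic", "kibana_system"}  # assumed subset for this model

class Realm:
    """One realm; usernames are unique only within a realm (username + realm is the key)."""
    def __init__(self, name, realm_type):
        self.name, self.type, self.users = name, realm_type, {}

    def add_user(self, username, password, roles):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt), list(roles))

    @staticmethod
    def _hash(password, salt):
        # Assumed hashing scheme for the model, not necessarily what Elasticsearch uses.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticate(self, username, password):
        entry = self.users.get(username)
        if entry is None:
            return None
        salt, digest, roles = entry
        if not hmac.compare_digest(self._hash(password, salt), digest):
            return None
        # Shape mirrors the authentication_realm field of GET /_security/_authenticate.
        return {"username": username, "roles": roles,
                "authentication_realm": {"name": self.name, "type": self.type}}

class RealmChain:
    """Realms are tried in order; the first one whose stored hash matches wins."""
    def __init__(self, realms, reserved_realm_enabled=True):
        self.realms = realms
        self.reserved_realm_enabled = reserved_realm_enabled

    def create_native_user(self, username, password, roles):
        if self.reserved_realm_enabled and username in RESERVED_USERNAMES:
            raise ValueError(f"user [{username}] is reserved and cannot be created")
        next(r for r in self.realms if r.type == "native").add_user(username, password, roles)

    def authenticate(self, username, password):
        for realm in self.realms:
            result = realm.authenticate(username, password)
            if result is not None:
                return result
        return None

def build_ece_like_chain(reserved_realm_enabled=False):
    """ECE-like setup: reserved realm disabled, built-in elastic lives in the file realm."""
    file_realm, native = Realm("default_file", "file"), Realm("default_native", "native")
    file_realm.add_user("elastic", "built-in-secret", ["superuser"])  # constructed credentials
    return RealmChain([file_realm, native], reserved_realm_enabled)
```

With the chain built, `authenticate("elastic", ...)` returns the file-realm superuser for the built-in password and the native-realm user for the other one, which is exactly what the two logins in the original post were seeing.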

Thank you. I suspected it worked like this (similar to how PAM works on Unix).

I appreciate the response.
