Errors with elasticsearch-users useradd -- 7.17.1

I am trying to add a user to the file realm to recover from the elastic user failing to log in -- I have no idea why logins started to fail.

From the manual I understand that the file realm is active by default so I don't have to change the config.

elasticsearch@secesprd02:/usr/share/elasticsearch$ bin/elasticsearch-users useradd my_admin -p mytemp-password -r superuser
Exception in thread "main" java.io.UncheckedIOException: could not write file [/etc/elasticsearch/users]
	at org.elasticsearch.xpack.security.support.SecurityFiles.writeFileAtomically(SecurityFiles.java:72)
	at org.elasticsearch.xpack.security.authc.file.FileUserPasswdStore.writeFile(FileUserPasswdStore.java:180)


elasticsearch@secesprd02:/usr/share/elasticsearch$ id
uid=114(elasticsearch) gid=123(elasticsearch) groups=123(elasticsearch),1042(letsencrypt)
elasticsearch@secesprd02:/usr/share/elasticsearch$ ls -l /etc/elasticsearch/users
-rw-rw---- 1 root elasticsearch 0 Aug 15 13:54 /etc/elasticsearch/users
elasticsearch@secesprd02:/usr/share/elasticsearch$ touch  /etc/elasticsearch/users
elasticsearch@secesprd02:/usr/share/elasticsearch$ 

The elasticsearch user has write access to /etc/elasticsearch/users so I am at a loss as to why java gets a permissions error when trying to write it.

Any help on this very much appreciated! :)

Is the disk full?

I suspect this is due to the directory permissions. In order to make an atomic update, the CLI will write to a temporary file in the /etc/elasticsearch directory and then rename that file to users (unix filesystems provide atomic renames, but not atomic writes).

Unless the elasticsearch user can write a new file into the directory, that process will fail.
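The reply above, worked through as an added example (not part of the thread and not Elasticsearch's own code). It evaluates the classic POSIX mode bits for the uid, groups and `ls` output posted in the question, and includes a temp-file-plus-rename writer; the function names are hypothetical, and ACLs and root's permission override are ignored.

```python
import os
import tempfile

def allowed(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic POSIX mode-bit check (assumption: no ACLs, caller is not root).
    `want` is a mask in 'other' position: 0o2 = write, 0o3 = write + search."""
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif owner_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & want == want

def diagnose(file_st, dir_st, uid, gids):
    """Return (can_write_file_in_place, can_replace_atomically).
    Each *_st is a (mode, owner_uid, owner_gid) tuple."""
    in_place = allowed(*file_st, uid, gids, 0o2)
    # Creating a temp file and renaming it needs write AND search (x)
    # on the directory; the target file's own mode is irrelevant.
    atomic = allowed(*dir_st, uid, gids, 0o3)
    return in_place, atomic

def write_atomically(path, data):
    """Write-temp-then-rename, the pattern the reply describes."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")  # needs dir write
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic rename within one filesystem
    except BaseException:
        os.unlink(tmp)  # do not leave a stray temp file behind
        raise

# Values copied from the `id`, `ls -l` and `ls -ld` output in the thread
ES_UID, ES_GIDS = 114, {123, 1042}
USERS_FILE = (0o660, 0, 123)   # -rw-rw---- root elasticsearch
CONF_DIR = (0o755, 0, 0)       # drwxr-xr-x root root

if __name__ == "__main__":
    # In-place write allowed, atomic replace denied
    print(diagnose(USERS_FILE, CONF_DIR, ES_UID, ES_GIDS))  # (True, False)
```

Because the rename swaps in a newly created file, the result is owned by whichever account ran the write, which is consistent with the owner-change WARNING lines that appear later in the thread.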

bingo!

search@secesprd02:~$ ls -ld /etc/elasticsearch/
drwxr-xr-x 5 root root 4096 Aug  8 12:17 /etc/elasticsearch/

Thanks Tim!

BTW I was working from the wonderfully detailed instructions that you posted in this thread.

Just btw those instructions are now slightly out of date: bin/x-pack/users useradd... is now bin/elasticsearch-users useradd, at least at 7.17.

An aside: one of the features I dislike in this forum is that threads get closed after a month of inactivity. This prevents good answers being enhanced by new insights or changes in ES. The latter is particularly critical for ES which evolves fast.

Compare this with the Stack Exchange based forums where good answers are frequently updated for years afterward. Also completely new answers are added as new capabilities are added to systems. This again is very relevant to ES!

the adduser now works:

elasticsearch@secesprd02:/usr/share/elasticsearch$ bin/elasticsearch-users useradd my_admin -p xxxxxx -r superuser
WARNING: Owner of file [/etc/elasticsearch/users] used to be [root], but now is [elasticsearch]
WARNING: Owner of file [/etc/elasticsearch/users_roles] used to be [root], but now is [elasticsearch]
elasticsearch@secesprd02:/usr/share/elasticsearch$ ls -l /etc/elasticsearch/users
-rw-rw---- 1 elasticsearch elasticsearch 70 Aug 16 08:35 /etc/elasticsearch/users
elasticsearch@secesprd02:/usr/share/elasticsearch$ logout

Not sure what the WARNINGs are about, that file was always owned by elasticsearch?

When I test it I get:

rful011@secesprd02:~$ curl --noproxy \* -u my_admin -XPUT 'https://secesprd01.its.auckland.ac.nz:9200/_password?pretty' -H 'Content-Type: application/json' -d'{ "password": "xxxxxxxxxxxxxxxxx" }' 
Enter host password for user 'my_admin':
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "unable to authenticate user [my_admin] for REST request [/_password?pretty]",
        "header" : {
          "WWW-Authenticate" : [
            "Basic realm=\"security\" charset=\"UTF-8\"",
            "Bearer realm=\"security\"",
            "ApiKey"
          ]
        }
      }
    ],
 < snip >
  "status" : 401
}

I notice that the users file is present only on the node where it was created so I tried copying 'users' and 'users-roles' to all the other nodes. It made no difference - no great surprise.

I suspect that the problem is 'Basic realm="security"', whereas this user was created in realm "file".

I have looked at various docs about realms and authentication but failed to find anything on specifying the realm when authenticating.
