I suspect this is due to the directory permissions. In order to make an atomic update, the CLI will write to a temporary file in the /etc/elasticsearch directory and then rename that file to users (unix filesystems provide atomic renames, but not atomic writes).
Unless the elasticsearch user can write a new file into the directory, that process will fail.
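The temp-file-then-rename pattern described above, as an added example that is not part of the original post or of Elasticsearch's own code. The function names are hypothetical, the permission check reads mode bits only (ACLs are ignored), and the directory listing posted in this thread is used as sample input:

```shell
#!/bin/sh
# can_create_in_dir "<ls -ld line>" <user> "<space-separated groups>"
# Returns 0 if <user> may create and rename entries in the directory.
# Assumption: only classic mode bits are considered, not ACLs.
can_create_in_dir() {
    line=$1 user=$2 groups=$3
    set -- $line                      # ls -ld fields: mode links owner group ...
    mode=$1 owner=$3 group=$4
    [ "$user" = root ] && return 0    # root bypasses mode bits
    case $mode in d*) ;; *) return 2 ;; esac   # not a directory
    if [ "$user" = "$owner" ]; then
        triad=$(printf %s "$mode" | cut -c2-4)
    elif printf ' %s ' "$groups" | grep -qF -- " $group "; then
        triad=$(printf %s "$mode" | cut -c5-7)
    else
        triad=$(printf %s "$mode" | cut -c8-10)
    fi
    # Creating or renaming a directory entry needs both w and x on the directory.
    case $triad in ?w[xst]) return 0 ;; *) return 1 ;; esac
}

# atomic_replace <target>: reads new content on stdin, writes it to a temp
# file in the target's own directory, then renames it over the target.
atomic_replace() {
    target=$1
    dir=$(dirname "$target")
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1   # fails without directory write access
    if cat > "$tmp" && mv -f "$tmp" "$target"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Sample input: the listing from this thread.
listing='drwxr-xr-x 5 root root 4096 Aug 8 12:17 /etc/elasticsearch/'
if can_create_in_dir "$listing" elasticsearch "elasticsearch"; then
    echo "elasticsearch can create the temporary file here"
else
    echo "elasticsearch cannot create the temporary file here"
fi
```

Because the rename installs a newly created file in place of the old one, the result is owned by whichever account ran the command, regardless of who owned the file it replaced.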
search@secesprd02:~$ ls -ld /etc/elasticsearch/
drwxr-xr-x 5 root root 4096 Aug 8 12:17 /etc/elasticsearch/
Thanks Tim!
BTW I was working from the wonderfully detailed instructions that you posted in this thread.
Just btw, those instructions are now slightly out of date: bin/x-pack/users useradd... is now bin/elasticsearch-users useradd, at least at 7.17.
An aside: one of the features I dislike in this forum is that threads get closed after a month of inactivity. This prevents good answers being enhanced by new insights or changes in ES. The latter is particularly critical for ES which evolves fast.
Compare this with the Stack Exchange based forums where good answers are frequently updated for years afterward. Also completely new answers are added as new capabilities are added to systems. This again is very relevant to ES!
elasticsearch@secesprd02:/usr/share/elasticsearch$ bin/elasticsearch-users useradd my_admin -p xxxxxx -r superuser
WARNING: Owner of file [/etc/elasticsearch/users] used to be [root], but now is [elasticsearch]
WARNING: Owner of file [/etc/elasticsearch/users_roles] used to be [root], but now is [elasticsearch]
elasticsearch@secesprd02:/usr/share/elasticsearch$ ls -l /etc/elasticsearch/users
-rw-rw---- 1 elasticsearch elasticsearch 70 Aug 16 08:35 /etc/elasticsearch/users
elasticsearch@secesprd02:/usr/share/elasticsearch$ logout
Not sure what the WARNINGs are about; that file was always owned by elasticsearch?
I notice that the users file is present only on the node where it was created, so I tried copying 'users' and 'users-roles' to all the other nodes. It made no difference - no great surprise.
I suspect that the problem is Basic realm="security", whereas this user was created in realm "file".
I have looked at various docs about realms and authentication but failed to find anything on specifying the realm when authenticating.