I suspect this is due to the directory permissions. In order to make an atomic update, the CLI will write to a temporary file in the /etc/elasticsearch directory and then rename that file to users (unix filesystems provide atomic renames, but not atomic writes).
Unless the elasticsearch user can write a new file into the directory, that process will fail.
search@secesprd02:~$ ls -ld /etc/elasticsearch/
drwxr-xr-x 5 root root 4096 Aug 8 12:17 /etc/elasticsearch/
BTW I was working from the wonderfully detailed instructions that you posted in this thread.
Just btw those instruction are now slightly out of date: bin/x-pack/users useradd... is now bin/elasticsearch-users useradd, at least at 7.17.
An aside: one of the features I dislike in this forum is that threads get closed after a month of inactivity. This prevents good answers being enhanced by new insights or changes in ES. The latter is particularly critical for ES which evolves fast.
Compare this with the Stack Exchange based forums where good answers are frequently updated for years afterward. Also completely new answers are added as new capabilities are added to systems. This again is very relevant to ES!
elasticsearch@secesprd02:/usr/share/elasticsearch$ bin/elasticsearch-users useradd my_admin -p xxxxxx -r superuser
WARNING: Owner of file [/etc/elasticsearch/users] used to be [root], but now is [elasticsearch]
WARNING: Owner of file [/etc/elasticsearch/users_roles] used to be [root], but now is [elasticsearch]
elasticsearch@secesprd02:/usr/share/elasticsearch$ ls -l /etc/elasticsearch/users
-rw-rw---- 1 elasticsearch elasticsearch 70 Aug 16 08:35 /etc/elasticsearch/users
not sure what the WARNING are about that file was always owned by elasticsearch ?