How to generate a hash for file realm?
as described here:
I use Elasticsearch in K8S ECK and use this document for define users:
kind: Secret
apiVersion: v1
metadata:
name: my-filerealm-secret
stringData:
users: |-
rdeniro:$2a$10$BBJ/ILiyJ1eBTYoRKxkqbuDEdYECplvxnqQ47uiowE7yGqvCEgj9W
WpA/XDMe/xtVgn1r5Sg=
users_roles: |-
user:rdeniro
How this hash string can be calculated?
You should not generate the hash yourself.
You should use the elasticsearch-users tool for this, as mentioned in the ECK docs:
You can populate the content of both
usersandusers_rolesusing the elasticsearch-users tool.
Those docs have an example of how to do that using docker.
So is there no room for using the bcrypt library ourselves? if I get a salted and hashed password w/ bcrypt can I just plug that value in to the users section? or does it have to be done with the elasticsearch-users helper tool (not sure if something proprietary is going on there).
I guess I'm asking because I tried this, and its not showing up in kibana or using the users api directly doesn't show my user, but also I dont see a particular complaint anywhere. so I'm not sure if it worked or not.
Users created that way are not shown in Kibana.
Here is the answered question
Thank you, i found a note in the docs that it indeed cannot be managed/seen in the regular api or kibana ui, but can show up using the elasticsearch-users tool to list. My user did show up there with the mapping, but I get a 401 when that account is used to index...so this brings me back to whether or not one must use the elasticsearch-users tool to add/create the file for the secret (as per the example) or if we can use bcrypt to provide the password ourselves. I don't see that mentioned anywhere. It just assumes you will use the users helper tool. For all we know, it won't accept it unless its done with the users command helper tool.
@TimV
followup:
i couldn't get it to work plugging in user:<my bcrypt w/ salt generated output>
so in the end I did use elasticsearch user helper tool using the same password i provided to bcrypt
so I dont know what the user tool is doing differently or if it assumes specific params like rounds or stuff surrounding the salt, but the only way I could get my user to work was with the elasticsearch-user tool.
not sure if anyone wants to confirm what exact bcrypt params you'd need to match what its doing but it seems this is the only way it will accept it.
As I said in my earlier reply:
Technically, of course, Elasticsearch can't tell the difference between a file that was generated by the CLI tool & an identical file that was generated by some other means.
However, we do not make any guarantees about compatibility with files other that those generated by the CLI. The way that you get a file that is compatible with Elasticsearch's file realm is by generating that file using the provided tooling.
understood I was just trying to clarify that should was not must. and if you knew what exactly params it was using w/ bcrypt follow the same footsteps. I think thats a fair thing to consider.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.