Help Creating a File Based User

Hi All,

I can't seem to get this working via Docker.

Here's my Dockerfile.

FROM docker.elastic.co/elasticsearch/elasticsearch:7.1.1

COPY --chown=elasticsearch:elasticsearch users /usr/share/elasticsearch/config/
COPY --chown=elasticsearch:elasticsearch users_roles /usr/share/elasticsearch/config/
COPY --chown=elasticsearch:elasticsearch roles.yml /usr/share/elasticsearch/config/
COPY --chown=elasticsearch:elasticsearch elasticsearch.yml /usr/share/elasticsearch/config/

CMD ["elasticsearch", "-Elogger.level=INFO"]

roles.yml

writer:
  indices:
    - names: [ '*' ]
      privileges: [ 'write', 'read' ]

user_roles

writer:ry

users

ry:$2b$10$JEXLIzQeRVRYcA.r/J3HB.OT2w9z1INft9Ltv809ouczvnezIhuMS

I keep getting a 401 error.

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "unable to authenticate user [ry] for REST request [/?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "unable to authenticate user [ry] for REST request [/?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

Thanks in advance,
Ry

How did you create this file?
It definitely wasn't created using the elasticsearch-users tool.
We don't use version 2b bcrypt passwords.

Created it using python's bcrypt library

Well that won't work. The bcrypt format that python generates is not the same as we use internally.

Officially, we only support using the elasticsearch-users tool to manage these files. You're free to manage them some other way, but you will need to make sure that they're in a compatible format with the files we generate.

Python's bcrypt is equivalent to the hash/salt algorithm that elasticsearch uses. I found out that replacing 2b with 2a is actually allowed and will not screw things up.

Am I still missing anything? Here's the new users file

some_app: $2a$10$Sgyqh8VXqZbQ07jlhsLbPOtAS576ehgbOEeiecpEEeLiLncUP2W4i

roles.yml

es_write_only:
    cluster: ['all']
    indices:
      - names: ["*"]
        privileges: ["write", "create_index", "create", "index"]

users_roles

es_write_only: some_app

Result

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "unable to authenticate user [some_app] for REST request [/?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "unable to authenticate user [some_app] for REST request [/?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

Thanks,
Ry

That's a very confident assertion to make, given that you haven't actually gotten it working yet.

You have spaces in there. Our tool does not generate spaces.
To quote my earlier comment:

When I meant not screw things up, I meant Python's bcrypt library is still able to decode my password even after changing 2b to 2a.

I'm referencing this table which states the encryption type needed for elasticsearch to read my hashed/salted password - https://www.elastic.co/guide/en/elasticsearch/reference/master/security-settings.html

Likewise, realms that store passwords hash them using cryptographically strong and password-specific salt values. You can configure the algorithm for password hashing by setting the xpack.security.authc.password_hashing.algorithm setting to one of the following:

Table 2. Password hashing algorithms

Algorithm    Description
bcrypt       Uses bcrypt algorithm with salt generated in 1024 rounds. (default)
bcrypt4      Uses bcrypt algorithm with salt generated in 16 rounds.
bcrypt5      Uses bcrypt algorithm with salt generated in 32 rounds.
bcrypt6      Uses bcrypt algorithm with salt generated in 64 rounds.
bcrypt7      Uses bcrypt algorithm with salt generated in 128 rounds.
bcrypt8      Uses bcrypt algorithm with salt generated in 256 rounds.
bcrypt9      Uses bcrypt algorithm with salt generated in 512 rounds.
bcrypt10     Uses bcrypt algorithm with salt generated in 1024 rounds.

Is there any bcrypt library in any programming language able to replicate elasticsearch-users results?

I'm sorry, I can't really help you. The only option we support for generating those files is to use the elasticsearch-users tool directly.

If you really want to reproduce that code yourself, then I can't stop you, but you're on your own. My only advice is to call the elasticsearch-users tool directly.

No worries. I understand.

Thanks for the replies,
Ry
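A pre-build lint for the two problems the replies in this thread point out (a bcrypt version other than 2a, and spaces in entries), plus a cross-check that every user named in users_roles exists in users. This is an added example, not code from the thread or from Elastic; the function names are hypothetical, the line formats `username:hash` and `role:user1,user2` are assumed from the files posted above, and the sample lines are constructed to mirror them. A clean result only means these specific issues are absent.

```python
import re

# Assumed bcrypt string layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$[./A-Za-z0-9]{53}$")

def _entries(text):
    """Yield (line_no, raw_line) for every non-blank line."""
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip():
            yield no, line

def lint_users(text):
    """Return (usernames, problems) for the contents of a users file."""
    names, problems = set(), []
    for no, line in _entries(text):
        if " " in line or "\t" in line:
            problems.append(f"users:{no}: whitespace in entry")
        name, sep, digest = line.partition(":")
        name, digest = name.strip(), digest.strip()
        if not sep or not name:
            problems.append(f"users:{no}: expected username:hash")
            continue
        names.add(name)
        m = BCRYPT_RE.match(digest)
        if not m:
            problems.append(f"users:{no}: not a well-formed bcrypt string")
        elif m.group(1) != "2a":
            problems.append(f"users:{no}: bcrypt version ${m.group(1)}$, expected $2a$")
    return names, problems

def lint_users_roles(text, known_users):
    """Return problems for the contents of a users_roles file."""
    problems = []
    for no, line in _entries(text):
        if " " in line or "\t" in line:
            problems.append(f"users_roles:{no}: whitespace in entry")
        role, sep, members = line.partition(":")
        if not sep or not role.strip():
            problems.append(f"users_roles:{no}: expected role:user1,user2")
            continue
        for user in filter(None, (u.strip() for u in members.split(","))):
            if user not in known_users:
                problems.append(f"users_roles:{no}: user '{user}' not in users file")
    return problems

# Constructed sample input: placeholder digests, same shape as the posted files.
SAMPLE_USERS = "ry:$2b$10$" + "A" * 53 + "\nsome_app: $2a$10$" + "B" * 53 + "\n"
SAMPLE_ROLES = "es_write_only: some_app\nwriter:ry,ghost\n"

if __name__ == "__main__":
    users, issues = lint_users(SAMPLE_USERS)
    print("\n".join(issues + lint_users_roles(SAMPLE_ROLES, users)))
```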
