Unable to log in elastic using the non-default user's username and password

I was able to successfully create a user 'test1' and assign it the superuser role.
Execute rest api
POST /_security/user/test1?pretty
{
"password" : "test@1",
"roles" : [ "superuser"],
"full_name" : "Test User",
"email" : "testuser@example.com",
"metadata" : {
"intelligence" : 7
}
}

The user is successfully created
{
"created" : true
}

But when I tried to invoke elastic api using the newly created user 'test1', I got the following error

curl -u test1:test@1 https://es.endpoint
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [test1] for REST request [/]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}}],"type":"security_exception","reason":"unable to authenticate user [test1] for REST request [/]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}},"status":401}

My elastic stack was set up using the following configuration. The default elastic user works fine. Any idea why test1 does not work?

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
name: quickstart
namespace: log-server
spec:
version: 7.5.1
http:
tls:
selfSignedCertificate:
disabled: true
nodeSets:

  • name: default
    count: 3
    config:
    xpack.security.authc:
    anonymous:
    username: anonymous
    roles: superuser
    authz_exception: false

Figured out myself. This is due to the license. With basic license, I must explicitly set xpack.security.enabled: true

xpack.security.enabled: true is supposed to be set by ECK, by default.
Are you saying it works when you set it yourself, but does not work when you don't set it?

Somehow it is not set and I have to explicitly set to true. If I don't specify xpack.security.enabled, it does not work
Not clear if this has anything to do with the other xpack features in my nodeSet configuration as I set other features explicitly, such as xpack.monitoring.enabled.

I know that if nodeSet configure only has following. xpack.security.enabled seems to be set to true as default

  node.master: true
  node.data: true
  node.ingest: true
  node.store.allow_mmap: false