Xpack File User is not authorized

sgarap · February 21, 2017, 1:51pm

Hi,

I am staring elasticsearch cluster with kubernetes and docker. While running the docker, I created an admin user using /usr/share/elasticsearch/bin/x-pack/users useradd myadmin -p secret -r admin. The following output is returned after executing users list command from inside the container.

bash-4.2$ /usr/share/elasticsearch/bin/x-pack/users list
myadmin : admin

In elasticsearch.yml, I also added
xpack.security.authc:
realms:
file:
type: file
order: 0
native:
type: native
order: 1

My roles.yml looks like

admin:
cluster: [ 'all' ]
indices:
- names: [ '*' ]
privileges: [ 'all' ]

I am successfully able to retrieve the cluster health using built in superuser elastic, but when I tried to do the same with my file user, I got

{
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "unable to authenticate user [myadmin] for REST request [/_cluster/health?pretty]",
"header" : {
"WWW-Authenticate" : "Basic realm="security" charset="UTF-8""
}
}
],
"type" : "security_exception",
"reason" : "unable to authenticate user [myadmin] for REST request [/_cluster/health?pretty]",
"header" : {
"WWW-Authenticate" : "Basic realm="security" charset="UTF-8""
}
},
"status" : 401
}

Any idea about what I am missing here?

TimV · February 22, 2017, 1:44am

There's not anything obvious, so we're going to need to do some debugging.

The fact that you're getting errors that say

unable to authenticate user [myadmin]

Indicates that this is an authentication problem. Either the x-pack authentication module either thinks that myadmin doesn't exist, or it thinks you're entering the wrong password.

So, for now we can ignore everything to do will roles, and just focus on the realm and user/password setup.

First we can check that your realm configuration is being applied to the elasticsearch server. Run:

curl -XGET -u elastic 'localhost:9200/_xpack/usage?pretty'

The output should look something like this:

{
  "security": {
    "available": true,
    "enabled": true,
    "realms": {
       "file": { "name":["file"], "available":true, "size":[0], "enabled":true, "order":[0] },
       // ... more realm types
    },
    // more security details
  },
  // more x-pack details
}

If that's the case, then we want to check that the file that was being updates by bin/x-pack/users is the same file that elasticsearch is reading from.

Look for the file ${CONFIG_DIR}/x-pack/users where ${CONFIG_DIR} is the directory that has your elasticsearch.yml. Depending on how you installed elasticsearch, and where things are configured, it's possible that the users tool is updating a file in a different location, so make sure you look at the file in the config directory that is being used by your elasticsearch server.

That file should look something like:

myadmin:$2a$10$0aBiV9GUAGPqxaRxRwvWveBk1HzytTVmsss.LsyL62Fe63xkGK2Ae

The bit before the : is the userid, the bit after the : is the bcrypt-ed password.

If that's all in place, then the most likely cause is a password issue.
You could use a bcrypt tool (there's some online if you need) to check whether that bcrypt hash matches the password that you think it's supposed to be ("secret").

sgarap · February 22, 2017, 9:49am

Hi Tim,

curl -XGET -u elastic 'localhost:9200/_xpack/usage?pretty' has
"realms" : {
"file" : {
"name" : [
"file"
],
"available" : true,
"size" : [
0
],
"enabled" : true,
"order" : [
0
]
}

I copied elasticsearch.yml file to /usr/share/elasticsearch/config, where as I found that there is a default (everything commented out) elasticsearch.yml at /etc/elasticsearch. I used rpm for installing elasticsearch, but it seems elastic search is using the elasticsearch.yml from /usr/share/elasticsearch/config, I added file realm settings to the file in /usr/share/elasticsearch/config and curl -XGET -u elastic 'localhost:9200/_xpack/usage?pretty' is showing the file realm as enabled.

On the other hand users tool created users file at /etc/elasticsearch/x-pack and this file has the correct user name and password for myadmin user.

How can i tell users tool to also create the users file at /usr/share/elasticsearch/config instead of /etc/elasticsearch/

TimV · February 24, 2017, 1:46am

Try one of these:

CONF_DIR=/usr/share/elasticsearch/config bin/x-pack/users useradd myadmin  -p secret -r admin

or

bin/x-pack/users useradd -Epath.conf=/usr/share/elasticsearch/config myadmin -p secret -r admin

sgarap · March 8, 2017, 12:40pm

Hi Tim,

bin/x-pack/users useradd -Epath.conf=/usr/share/elasticsearch/config myadmin -p secret -r admin worked. May Thanks

system · April 5, 2017, 12:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Xpack File realm user cant login Elasticsearch	5	3080	July 20, 2017
Superuser unable to manage xpack security Elasticsearch	14	6961	April 23, 2018
User Authentication and xpack problem starting Elasticsearch Elasticsearch	7	14535	July 6, 2017
Unable to setup authentication using x-pack Elasticsearch	6	5626	May 16, 2017
Authentication issues while xpack security enabling - Elasticsearch version 7.7 Elasticsearch elastic-stack-security	7	1090	June 18, 2020

Xpack File User is not authorized

Related Topics