Xpack File User is not authorized


I am starting an elasticsearch cluster with kubernetes and docker. While running the docker, I created an admin user using /usr/share/elasticsearch/bin/x-pack/users useradd myadmin -p secret -r admin. The following output is returned after executing the users list command from inside the container.

bash-4.2$ /usr/share/elasticsearch/bin/x-pack/users list
myadmin : admin

In elasticsearch.yml, I also added
type: file
order: 0
type: native
order: 1

My roles.yml looks like

cluster: [ 'all' ]
- names: [ '*' ]
privileges: [ 'all' ]

I am successfully able to retrieve the cluster health using the built-in superuser elastic, but when I tried to do the same with my file user, I got

"error" : {
"root_cause" : [
"type" : "security_exception",
"reason" : "unable to authenticate user [myadmin] for REST request [/_cluster/health?pretty]",
"header" : {
"WWW-Authenticate" : "Basic realm="security" charset="UTF-8""
"type" : "security_exception",
"reason" : "unable to authenticate user [myadmin] for REST request [/_cluster/health?pretty]",
"header" : {
"WWW-Authenticate" : "Basic realm="security" charset="UTF-8""
"status" : 401

Any idea about what I am missing here?

There's not anything obvious, so we're going to need to do some debugging.

The fact that you're getting errors that say

unable to authenticate user [myadmin]

indicates that this is an authentication problem. Either the x-pack authentication module thinks that myadmin doesn't exist, or it thinks you're entering the wrong password.

So, for now we can ignore everything to do with roles, and just focus on the realm and user/password setup.

First we can check that your realm configuration is being applied to the elasticsearch server. Run:

curl -XGET -u elastic 'localhost:9200/_xpack/usage?pretty'

The output should look something like this:

  "security": {
    "available": true,
    "enabled": true,
    "realms": {
       "file": { "name":["file"], "available":true, "size":[0], "enabled":true, "order":[0] },
       // ... more realm types
    // more security details
  // more x-pack details

If that's the case, then we want to check that the file that was being updated by bin/x-pack/users is the same file that elasticsearch is reading from.

Look for the file ${CONFIG_DIR}/x-pack/users where ${CONFIG_DIR} is the directory that has your elasticsearch.yml. Depending on how you installed elasticsearch, and where things are configured, it's possible that the users tool is updating a file in a different location, so make sure you look at the file in the config directory that is being used by your elasticsearch server.

That file should look something like:


The bit before the : is the userid, the bit after the : is the bcrypt-ed password.

If that's all in place, then the most likely cause is a password issue.
You could use a bcrypt tool (there are some online if you need one) to check whether that bcrypt hash matches the password that you think it's supposed to be ("secret").
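The directory check described in the reply above, as an added example that is not part of the original thread: a shell script that reports, for each candidate config directory, whether its x-pack/users file has an entry for the user. The function names are hypothetical and the sample layout built under a temporary directory is constructed; its two paths are the ones named in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): show which config directories hold a
# file-realm entry for a user, so a mismatch between the directory written by
# bin/x-pack/users and the one the server reads is visible.

# check_users_file USER DIR -> prints present | user-absent | no-users-file
check_users_file() {
    user=$1
    file=$2/x-pack/users
    if [ ! -f "$file" ]; then
        echo "no-users-file"
    # Exact match on the field before ':' so "myadmin" does not match "myadmin2".
    elif awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$file"; then
        echo "present"
    else
        echo "user-absent"
    fi
}

# report USER DIR... -> one "DIR<TAB>status" line per directory
report() {
    user=$1; shift
    for dir in "$@"; do
        printf '%s\t%s\n' "$dir" "$(check_users_file "$user" "$dir")"
    done
}

# make_sample ROOT -> constructed layout: users file in one directory only
make_sample() {
    mkdir -p "$1/etc/elasticsearch/x-pack" "$1/usr/share/elasticsearch/config"
    # Constructed entry; the hash is a placeholder, not a real bcrypt value.
    printf '%s\n' 'myadmin:$2a$10$CONSTRUCTED-PLACEHOLDER' \
        > "$1/etc/elasticsearch/x-pack/users"
    : > "$1/usr/share/elasticsearch/config/elasticsearch.yml"
}

# With arguments, check real directories; with none, run on the constructed sample.
if [ "$#" -ge 2 ]; then
    report "$@"
else
    sample=$(mktemp -d) && make_sample "$sample"
    report myadmin "$sample/etc/elasticsearch" "$sample/usr/share/elasticsearch/config"
    rm -rf "$sample"
fi
```

Run it as `sh script.sh myadmin DIR1 DIR2`; a directory that has the server's elasticsearch.yml but reports `no-users-file` or `user-absent` is one the file realm cannot authenticate that user from.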

Hi Tim,

curl -XGET -u elastic 'localhost:9200/_xpack/usage?pretty' has
"realms" : {
"file" : {
"name" : [
"available" : true,
"size" : [
"enabled" : true,
"order" : [

I copied the elasticsearch.yml file to /usr/share/elasticsearch/config, whereas I found that there is a default (everything commented out) elasticsearch.yml at /etc/elasticsearch. I used rpm for installing elasticsearch, but it seems elasticsearch is using the elasticsearch.yml from /usr/share/elasticsearch/config. I added the file realm settings to the file in /usr/share/elasticsearch/config, and curl -XGET -u elastic 'localhost:9200/_xpack/usage?pretty' is showing the file realm as enabled.

On the other hand, the users tool created the users file at /etc/elasticsearch/x-pack, and this file has the correct user name and password for the myadmin user.

How can I tell the users tool to also create the users file at /usr/share/elasticsearch/config instead of /etc/elasticsearch/?

Try one of these:

CONF_DIR=/usr/share/elasticsearch/config bin/x-pack/users useradd myadmin  -p secret -r admin


bin/x-pack/users useradd -Epath.conf=/usr/share/elasticsearch/config myadmin -p secret -r admin

Hi Tim,

bin/x-pack/users useradd -Epath.conf=/usr/share/elasticsearch/config myadmin -p secret -r admin worked. Many thanks.
