What did you do?
Followed quickstart guide, additionally created a superuser via the ui
What did you expect to see?
Built-in users, newly created users functioning
What did you see instead? Under which circumstances?
Users UI only shows No items found, GET _security/user returns { }
Attempting to log into kibana as superuser returns Invalid username or password. Please try again.
After creating user via UI, GET _security/user returns:
{
  "test" : {
    "username" : "test",
    "roles" : [
      "superuser"
    ],
    "full_name" : "",
    "email" : "",
    "metadata" : { },
    "enabled" : true
  }
}
Also unable to curl with the new user:
curl -k -u test:password https://localhost:9200?pretty
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "unable to authenticate user [test] for REST request [/?pretty]",
        "header" : {
          "WWW-Authenticate" : [
            "Bearer realm=\"security\"",
            "ApiKey",
            "Basic realm=\"security\" charset=\"UTF-8\""
          ]
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "unable to authenticate user [test] for REST request [/?pretty]",
    "header" : {
      "WWW-Authenticate" : [
        "Bearer realm=\"security\"",
        "ApiKey",
        "Basic realm=\"security\" charset=\"UTF-8\""
      ]
    }
  },
  "status" : 401
}
Environment
On premise - Rancher 2.3.1
❯ kubectl version
Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.2", GitCommit:"c97fe5036ef3df2967d086711e6c0c405941e14b", GitTreeState:"clean", BuildDate:"2019-10-15T19:18:23Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.1", GitCommit:"d647ddbd755faf07169599a625faf302ffc34458", GitTreeState:"clean", BuildDate:"2019-10-02T16:51:36Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"linux/amd64"}
Thanks for reporting this. It looks like the native realm has been disabled due to the operator enabling the file realm by default. You can update your cluster to enable the native realm by running the following:
cat <<EOF | kubectl apply -f -
apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 7.4.0
  nodeSets:
  - name: default
    count: 1
    config:
      node.master: true
      node.data: true
      node.ingest: true
      node.store.allow_mmap: false
      xpack.security.authc.realms:
        native:
          native1:
            order: 1
EOF
I have raised #2037 to investigate this further for a future release.
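Added example, not part of the thread and not ECK or Elasticsearch code: a small check that computes the effective realm chain from a node's settings and reports whether a native realm is in it, which is the condition the workaround above restores. It assumes the Elasticsearch 7.x rule that the default file and native realms apply only when no realm is configured explicitly; the `file1` realm, its order, and the default realm names are constructed for illustration.

```python
# Added example: models the assumed 7.x realm-chain rule for a config check.
PREFIX = "xpack.security.authc.realms."

def flatten(cfg, prefix=""):
    """Flatten nested settings into dotted keys (nesting and dots may be mixed)."""
    flat = {}
    for key, value in cfg.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat

def realm_chain(cfg):
    """Return the enabled realms as (order, type, name) tuples, sorted by order."""
    realms = {}
    for key, value in flatten(cfg).items():
        if not key.startswith(PREFIX):
            continue
        parts = key[len(PREFIX):].split(".", 2)  # <type>.<name>.<setting>
        if len(parts) < 3:
            continue
        rtype, name, setting = parts
        realms.setdefault((rtype, name), {})[setting] = value
    if not realms:
        # Assumption: default chain used when no realm is configured at all.
        return [(0, "file", "default_file"), (1, "native", "default_native")]
    chain = [(s.get("order", 2**31 - 1), t, n)
             for (t, n), s in realms.items() if s.get("enabled", True)]
    return sorted(chain)

def native_realm_active(cfg):
    """True if users stored through the _security/user API can authenticate."""
    return any(rtype == "native" for _, rtype, _ in realm_chain(cfg))

# Constructed inputs: a file realm alone (as when an operator injects one),
# then the same settings plus the native1 realm from the workaround.
FILE_ONLY = {"xpack.security.authc.realms": {"file": {"file1": {"order": -100}}}}
WITH_NATIVE = {
    "node.master": True,
    "xpack.security.authc.realms": {
        "file": {"file1": {"order": -100}},
        "native": {"native1": {"order": 1}},
    },
}

if __name__ == "__main__":
    for label, cfg in (("file only", FILE_ONLY), ("with native1", WITH_NATIVE)):
        print(label, realm_chain(cfg), "native active:", native_realm_active(cfg))
```

With the file-only settings the chain has no native realm, so a user created through the UI exists in the user store but cannot authenticate, matching the 401 in the report.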
Awesome, thanks for the work around @charith-elastic
Yes, thanks for the workaround, been staring at this for hours.