Security XPack Non-functional users: 1.0.0 #2106

marcusbb · 2019-11-07T14:52:33Z

Simple quick start set up. ECK 1.0, elastic 7.4.2

Create user - I did manually through Kibana, with Kibana_user and Kibana dashboard roles.

Try to login to browser. Failed to authenticate.

elastic.yml

xpack:
  security:
    authc:
      realms:
        file:
          file1:
            order: -100
      reserved_realm:
        enabled: "false"
    enabled: "true"
    http:
      ssl:
        certificate: /usr/share/elasticsearch/config/http-certs/tls.crt
        certificate_authorities: /usr/share/elasticsearch/config/http-certs/ca.crt
        enabled: true
        key: /usr/share/elasticsearch/config/http-certs/tls.key
    transport:
      ssl:
        certificate: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.crt
        certificate_authorities:
        - /usr/share/elasticsearch/config/transport-certs/ca.crt
        enabled: "true"
        key: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.key
        verification_mode: certificate

NOTE that in 0.9 the security config is written as such:

xpack:
  ilm:
    enabled: true
  monitoring:
    collection:
      enabled: true
  security:
    authc:
      reserved_realm:
        enabled: "false"
    enabled: "true"
    http:
      ssl:
        certificate: /usr/share/elasticsearch/config/http-certs/tls.crt
        enabled: "true"
        key: /usr/share/elasticsearch/config/http-certs/tls.key
    transport:
      ssl:
        certificate: /usr/share/elasticsearch/config/transport-certs/tls.crt
        certificate_authorities:
        - /usr/share/elasticsearch/config/transport-certs/ca.crt
        enabled: "true"
        key: /usr/share/elasticsearch/config/transport-certs/tls.key
        verification_mode: certificate

Environment
ECK 1.0.0 + elastic 7.4.2/7.3.2

This does not occur with ECK 0.9 and elasticsearch 7.3.2

Kubernetes information:
- Cloud: AKS
- Kubernetes distribution: 1.13.12

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.2", GitCommit:"c97fe5036ef3df2967d086711e6c0c405941e14b", GitTreeState:"clean", BuildDate:"2019-10-15T19:18:23Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.12", GitCommit:"a8b52209ee172232b6db7a6e0ce2adc77458829f", GitTreeState:"clean", BuildDate:"2019-10-15T12:04:30Z", GoVersion:"go1.11.13", Compiler:"gc", Platform:"linux/amd64"}

Resource definition:
Quick start unmodified.

Logs:

insert operator logs or any relevant message to the issue here

The text was updated successfully, but these errors were encountered:

marcusbb · 2019-11-07T14:54:53Z

The above 0.9 elastic.yml I added ilm and monitoring config - usually not included.

marcusbb · 2019-11-07T15:07:33Z

I can't disable reserved realm such as

      xpack.security.authc:
        reserved_realm:
          enabled: "false"

{"level":"error","@timestamp":"2019-11-07T15:05:40.315Z","logger":"elasticsearch-controller","message":"Elasticsearch manifest validation failed","ver":"1.0.0-beta1-84792e30","namespace":"default","es_name":"quickstart","violations":[{"Allowed":false,"reason":"node[0]: xpack.security.authc.reserved_realm.enabled is not user configurable"}],"error":"manifest validation failed","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128\ngithub.com/elastic/cloud-on-k8s/pkg/controller/elasticsearch.(*ReconcileElasticsearch).internalReconcile\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/elasticsearch/elasticsearch_controller.go:252\ngithub.com/elastic/cloud-on-k8s/pkg/controller/elasticsearch.(*ReconcileElasticsearch).Reconcile\n\t/go/src/github.com/elastic/cloud-on-k8s/pkg/controller/elasticsearch/elasticsearch_controller.go:219\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:216\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:192\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:171\nk8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88"}
{"level":"info","@timestamp":"2019-11-07T15:05:40.315Z","logger":"elasticsearch-controller","message":"Updating status","ver":"1.0.0-beta1-84792e30","iteration":404,"namespace":"default","es_name":"quickstart"}

marcusbb · 2019-11-07T15:27:53Z

Fixed with configuration:

      xpack.security.authc:
        realms:
          file:
            file1:
              order: 1
          native:
            native1:
              order: 0

sebgl · 2019-11-07T16:16:57Z

Happy you got this working @marcusbb.
This is a bug in the last release. It will be fixed in next one.
#2036 (comment) describes a workaround.

marcusbb closed this as completed Nov 7, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security XPack Non-functional users: 1.0.0 #2106

Security XPack Non-functional users: 1.0.0 #2106

marcusbb commented Nov 7, 2019

marcusbb commented Nov 7, 2019

marcusbb commented Nov 7, 2019

marcusbb commented Nov 7, 2019

sebgl commented Nov 7, 2019 •

edited

Loading

Security XPack Non-functional users: 1.0.0 #2106

Security XPack Non-functional users: 1.0.0 #2106

Comments

marcusbb commented Nov 7, 2019

marcusbb commented Nov 7, 2019

marcusbb commented Nov 7, 2019

marcusbb commented Nov 7, 2019

sebgl commented Nov 7, 2019 • edited Loading

sebgl commented Nov 7, 2019 •

edited

Loading