Allow providing cleartext passwords for creating Elasticsearch users #5613

Merged
merged 22 commits into from
May 11, 2022


pebrc
Collaborator

@pebrc pebrc commented Apr 25, 2022

Fixes #3056

This PR adds support for an additional form of secret following the https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret format. It will allow users to specify a username and a cleartext password.

I also added support for the users_roles file in that secret. The idea being that a user that wants to create a user and assign a role to it does not need to create two separate secrets for that (one for the user and one for the users_role file). The counterargument is of course that we are now mixing Elasticsearch file realm content with the basic authentication secret which might be confusing in a different way.

We always supported setting a custom password for the elastic user through the file realm (because user defined ES users always take precedence). This PR also removes the default elastic user secret if the elastic user is set up through the file realm. The rationale for this decision was to avoid having to sync the contents of both secrets (the user provided one and the operator created one) or have the contents diverge which might lead to confusion. Also we should not create resources in the API server that are not needed.

@pebrc pebrc added >enhancement Enhancement of existing functionality v2.3.0 labels Apr 25, 2022
pebrc and others added 2 commits April 29, 2022 14:23
Contributor

@barkbay barkbay left a comment

I left a few comments, I'm still doing some tests, looks good so far 👍

pkg/controller/elasticsearch/user/user_provided.go (outdated, resolved)
pkg/controller/elasticsearch/user/user_provided.go (outdated, resolved)
pkg/controller/elasticsearch/user/user_provided.go (outdated, resolved)
Contributor

@barkbay barkbay left a comment

LGTM 👍

pkg/controller/elasticsearch/user/user_provided.go (outdated, resolved)
pkg/utils/k8s/k8sutils.go (outdated, resolved)
pkg/controller/elasticsearch/user/validation_test.go (outdated, resolved)
pkg/controller/elasticsearch/user/user_provided.go (outdated, resolved)
pkg/controller/elasticsearch/user/user_provided.go (outdated, resolved)
pkg/controller/elasticsearch/user/user_provided_test.go (outdated, resolved)
@pebrc
Collaborator Author

pebrc commented May 10, 2022

run/e2e-tests tags=es

@pebrc pebrc merged commit 2d1bbed into elastic:main May 11, 2022
@barkbay barkbay added >feature Adds or discusses adding a feature to the product and removed >enhancement Enhancement of existing functionality labels Jun 13, 2022
@barkbay barkbay changed the title Allow providing cleartext passwords for creating ES users Allow providing cleartext passwords for creating Elasticsearch users Jun 17, 2022
fantapsody pushed a commit to fantapsody/cloud-on-k8s that referenced this pull request Feb 7, 2023
Add support for an additional form of secret following the https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret format. It will allow users to specify a username and a cleartext password.

I also added support for a custom roles file in that secret. The idea being that a user that wants to create a user and assign a role to it does not need to create two separate secrets for that (one for the user and one for the users_role file). Instead they can list the roles to be assigned to the new user in the same secret as a comma separated list.

We always supported setting a custom password for the elastic user through the file realm (because user defined ES users always take precedence). This change also removes the default elastic user secret if the elastic user is set up through the file realm. The rationale for this decision was to avoid having to sync the contents of both secrets (the user provided one and the operator created one) or have the contents diverge which might lead to confusion. Also we should not create resources in the API server that are not needed.

Co-authored-by: Thibault Richard <[email protected]>
Co-authored-by: Michael Morello <[email protected]>
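
The following is an added illustration, not code from this PR or from the operator: it shows how a comma separated role list carried in basic-auth style secrets maps onto the role-keyed `users_roles` file realm format (`role:user1,user2`), and rejects separator characters so a secret value cannot add extra entries to the generated file. The `UsersRoles` function, the `roles` key name and the sample data are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// UsersRoles renders file realm users_roles content ("role:user1,user2" per
// line) from basic-auth style secret data; the "roles" key is an assumption.
func UsersRoles(secrets []map[string][]byte) (string, error) {
	byRole := map[string][]string{}
	seen := map[string]bool{} // usernames, and "role:user" pairs already added
	for i, data := range secrets {
		user := string(data["username"])
		if user == "" || len(data["password"]) == 0 {
			return "", fmt.Errorf("secret %d: username and password are required", i)
		}
		// A separator inside a name would let one value add extra entries.
		if strings.ContainsAny(user, ":,\r\n") || seen[user] {
			return "", fmt.Errorf("secret %d: invalid or duplicate username", i)
		}
		seen[user] = true
		for _, role := range strings.Split(string(data["roles"]), ",") {
			role = strings.TrimSpace(role)
			if role == "" || seen[role+":"+user] {
				continue // no roles given, stray comma, or repeated role
			}
			if strings.ContainsAny(role, ":\r\n") {
				return "", fmt.Errorf("secret %d: invalid character in role", i)
			}
			seen[role+":"+user] = true
			byRole[role] = append(byRole[role], user)
		}
	}
	lines := make([]string, 0, len(byRole))
	for role, users := range byRole {
		sort.Strings(users)
		lines = append(lines, role+":"+strings.Join(users, ","))
	}
	sort.Strings(lines) // deterministic output, independent of map order
	return strings.Join(lines, "\n"), nil
}

func main() {
	// Constructed sample secret data, not taken from the PR.
	alice := map[string][]byte{"username": []byte("alice"), "password": []byte("x"), "roles": []byte("viewer, ingest_admin")}
	fmt.Println(UsersRoles([]map[string][]byte{alice}))
}
```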