cannot update password or create user in sg_internal_users

Hi,

I’m using search guard 5.3.0-12 with elasticsearch 5.3.0.

I’m suddently not able to change password or add user in sg_internal_users.
I can run the script for hot update with a success result. But in the end, the modifications are not taken into account.

Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: elasticsearch
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
searchguard index already exists, so we do not need to create one.
Populate config from /home/centos/elasticsearch-5.3.0/plugins/search-guard-5/sgconfig
Will update ‘config’ with plugins/search-guard-5/sgconfig/sg_config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘roles’ with plugins/search-guard-5/sgconfig/sg_roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘rolesmapping’ with plugins/search-guard-5/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘internalusers’ with plugins/search-guard-5/sgconfig/sg_internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘actiongroups’ with plugins/search-guard-5/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Done with success

The only change that i have made since, is to switch from openJDK to Oracle JDK.
Can it be the problem ?

Switching to Oracle JDK can not cause this

Your can call sgadmin.sh with the -r option to retrieve the config that is effective

···

Am 06.12.2017 um 13:35 schrieb Charlotte Dupont <charlotte.dupont@eglobalmark.com>:

Hi,

I'm using search guard 5.3.0-12 with elasticsearch 5.3.0.

I'm suddently not able to change password or add user in sg_internal_users.
I can run the script for hot update with a success result. But in the end, the modifications are not taken into account.

Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
searchguard index already exists, so we do not need to create one.
Populate config from /home/centos/elasticsearch-5.3.0/plugins/search-guard-5/sgconfig
Will update 'config' with plugins/search-guard-5/sgconfig/sg_config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'roles' with plugins/search-guard-5/sgconfig/sg_roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'rolesmapping' with plugins/search-guard-5/sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'internalusers' with plugins/search-guard-5/sgconfig/sg_internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update 'actiongroups' with plugins/search-guard-5/sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success

The only change that i have made since, is to switch from openJDK to Oracle JDK.
Can it be the problem ?

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/cd88a29e-ae6b-4201-9a9b-5000bbcc91a8%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

Thanks, I tried this and the config that is effective is indeed the correct one (with the new user).
But i still cannot connect to kibana with this new user, this is elasticsearch log when i try to connect :

[2017-12-06T13:01:38,962][ERROR][c.f.s.a.BackendRegistry ] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: java.lang.IllegalArgumentException: Invalid salt revision
[2017-12-06T13:01:38,962][INFO ][c.f.s.a.BackendRegistry ] Cannot authenticate user (or add roles) with ad 4 due to ElasticsearchSecurityException[com.google.common.util.concurrent.UncheckedExecutionException: java.lang.IllegalArgumentException: Invalid salt revision]; nested: UncheckedExecutionException[java.lang.IllegalArgumentException: Invalid salt revision]; nested: IllegalArgumentException[Invalid salt revision];, try next

What is this [invalid salt revision] ? If i try to connect with a user x that really doesn’t exist, the illegal argument exeption is [x not found]

And if i to connect with an existing user but with a wrong password i have [password does not match]

···

On Wednesday, December 6, 2017 at 1:50:23 PM UTC+1, Search Guard wrote:

Switching to Oracle JDK can not cause this

Your can call sgadmin.sh with the -r option to retrieve the config that is effective

Am 06.12.2017 um 13:35 schrieb Charlotte Dupont charlott...@eglobalmark.com:

Hi,

I’m using search guard 5.3.0-12 with elasticsearch 5.3.0.

I’m suddently not able to change password or add user in sg_internal_users.
I can run the script for hot update with a success result. But in the end, the modifications are not taken into account.

Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …

Clustername: elasticsearch

Clusterstate: YELLOW

Number of nodes: 1

Number of data nodes: 1

searchguard index already exists, so we do not need to create one.

Populate config from /home/centos/elasticsearch-5.3.0/plugins/search-guard-5/sgconfig

Will update ‘config’ with plugins/search-guard-5/sgconfig/sg_config.yml

SUCC: Configuration for ‘config’ created or updated

Will update ‘roles’ with plugins/search-guard-5/sgconfig/sg_roles.yml

SUCC: Configuration for ‘roles’ created or updated

Will update ‘rolesmapping’ with plugins/search-guard-5/sgconfig/sg_roles_mapping.yml

SUCC: Configuration for ‘rolesmapping’ created or updated

Will update ‘internalusers’ with plugins/search-guard-5/sgconfig/sg_internal_users.yml

SUCC: Configuration for ‘internalusers’ created or updated

Will update ‘actiongroups’ with plugins/search-guard-5/sgconfig/sg_action_groups.yml

SUCC: Configuration for ‘actiongroups’ created or updated

Done with success

The only change that i have made since, is to switch from openJDK to Oracle JDK.
Can it be the problem ?


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/cd88a29e-ae6b-4201-9a9b-5000bbcc91a8%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

I found the answer : invalid salt revision is a problem with the bcrypt hash. I was generating bcrypt hash online that was not correct (didn’t start with $2a but $2b or $2y).
That is strange because i always used the same website and it suddently does not generate $2a hash.
So i changed the bcrypt generator and it works fine now.
It was not a sgadmin related problem

···

On Wednesday, December 6, 2017 at 2:04:30 PM UTC+1, Charlotte Dupont wrote:

Thanks, I tried this and the config that is effective is indeed the correct one (with the new user).
But i still cannot connect to kibana with this new user, this is elasticsearch log when i try to connect :

[2017-12-06T13:01:38,962][ERROR][c.f.s.a.BackendRegistry ] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: java.lang.IllegalArgumentException: Invalid salt revision
[2017-12-06T13:01:38,962][INFO ][c.f.s.a.BackendRegistry ] Cannot authenticate user (or add roles) with ad 4 due to ElasticsearchSecurityException[com.google.common.util.concurrent.UncheckedExecutionException: java.lang.IllegalArgumentException: Invalid salt revision]; nested: UncheckedExecutionException[java.lang.IllegalArgumentException: Invalid salt revision]; nested: IllegalArgumentException[Invalid salt revision];, try next

What is this [invalid salt revision] ? If i try to connect with a user x that really doesn’t exist, the illegal argument exeption is [x not found]

And if i to connect with an existing user but with a wrong password i have [password does not match]

On Wednesday, December 6, 2017 at 1:50:23 PM UTC+1, Search Guard wrote:

Switching to Oracle JDK can not cause this

Your can call sgadmin.sh with the -r option to retrieve the config that is effective

Am 06.12.2017 um 13:35 schrieb Charlotte Dupont charlott...@eglobalmark.com:

Hi,

I’m using search guard 5.3.0-12 with elasticsearch 5.3.0.

I’m suddently not able to change password or add user in sg_internal_users.
I can run the script for hot update with a success result. But in the end, the modifications are not taken into account.

Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …

Clustername: elasticsearch

Clusterstate: YELLOW

Number of nodes: 1

Number of data nodes: 1

searchguard index already exists, so we do not need to create one.

Populate config from /home/centos/elasticsearch-5.3.0/plugins/search-guard-5/sgconfig

Will update ‘config’ with plugins/search-guard-5/sgconfig/sg_config.yml

SUCC: Configuration for ‘config’ created or updated

Will update ‘roles’ with plugins/search-guard-5/sgconfig/sg_roles.yml

SUCC: Configuration for ‘roles’ created or updated

Will update ‘rolesmapping’ with plugins/search-guard-5/sgconfig/sg_roles_mapping.yml

SUCC: Configuration for ‘rolesmapping’ created or updated

Will update ‘internalusers’ with plugins/search-guard-5/sgconfig/sg_internal_users.yml

SUCC: Configuration for ‘internalusers’ created or updated

Will update ‘actiongroups’ with plugins/search-guard-5/sgconfig/sg_action_groups.yml

SUCC: Configuration for ‘actiongroups’ created or updated

Done with success

The only change that i have made since, is to switch from openJDK to Oracle JDK.
Can it be the problem ?


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/cd88a29e-ae6b-4201-9a9b-5000bbcc91a8%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

SG 6 will support the other bcrypt salts too

···

Am 06.12.2017 um 16:45 schrieb Charlotte Dupont <charlotte.dupont@eglobalmark.com>:

I found the answer : invalid salt revision is a problem with the bcrypt hash. I was generating bcrypt hash online that was not correct (didn't start with $2a but $2b or $2y).
That is strange because i always used the same website and it suddently does not generate $2a hash.
So i changed the bcrypt generator and it works fine now.
It was not a sgadmin related problem

On Wednesday, December 6, 2017 at 2:04:30 PM UTC+1, Charlotte Dupont wrote:
Thanks, I tried this and the config that is effective is indeed the correct one (with the new user).
But i still cannot connect to kibana with this new user, this is elasticsearch log when i try to connect :

[2017-12-06T13:01:38,962][ERROR][c.f.s.a.BackendRegistry ] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: java.lang.IllegalArgumentException: Invalid salt revision
[2017-12-06T13:01:38,962][INFO ][c.f.s.a.BackendRegistry ] Cannot authenticate user (or add roles) with ad 4 due to ElasticsearchSecurityException[com.google.common.util.concurrent.UncheckedExecutionException: java.lang.IllegalArgumentException: Invalid salt revision]; nested: UncheckedExecutionException[java.lang.IllegalArgumentException: Invalid salt revision]; nested: IllegalArgumentException[Invalid salt revision];, try next

What is this [invalid salt revision] ? If i try to connect with a user x that really doesn't exist, the illegal argument exeption is [x not found]
And if i to connect with an existing user but with a wrong password i have [password does not match]

On Wednesday, December 6, 2017 at 1:50:23 PM UTC+1, Search Guard wrote:
Switching to Oracle JDK can not cause this

Your can call sgadmin.sh with the -r option to retrieve the config that is effective

> Am 06.12.2017 um 13:35 schrieb Charlotte Dupont <charlott...@eglobalmark.com>:
>
> Hi,
>
> I'm using search guard 5.3.0-12 with elasticsearch 5.3.0.
>
> I'm suddently not able to change password or add user in sg_internal_users.
> I can run the script for hot update with a success result. But in the end, the modifications are not taken into account.
>
> Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
> Clustername: elasticsearch
> Clusterstate: YELLOW
> Number of nodes: 1
> Number of data nodes: 1
> searchguard index already exists, so we do not need to create one.
> Populate config from /home/centos/elasticsearch-5.3.0/plugins/search-guard-5/sgconfig
> Will update 'config' with plugins/search-guard-5/sgconfig/sg_config.yml
> SUCC: Configuration for 'config' created or updated
> Will update 'roles' with plugins/search-guard-5/sgconfig/sg_roles.yml
> SUCC: Configuration for 'roles' created or updated
> Will update 'rolesmapping' with plugins/search-guard-5/sgconfig/sg_roles_mapping.yml
> SUCC: Configuration for 'rolesmapping' created or updated
> Will update 'internalusers' with plugins/search-guard-5/sgconfig/sg_internal_users.yml
> SUCC: Configuration for 'internalusers' created or updated
> Will update 'actiongroups' with plugins/search-guard-5/sgconfig/sg_action_groups.yml
> SUCC: Configuration for 'actiongroups' created or updated
> Done with success
>
> The only change that i have made since, is to switch from openJDK to Oracle JDK.
> Can it be the problem ?
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/cd88a29e-ae6b-4201-9a9b-5000bbcc91a8%40googlegroups.com\.
> For more options, visit https://groups.google.com/d/optout\.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ea93821a-498d-478e-8d66-66c4213664fb%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.