Hash as environment variable in sg_internal_users.yml

Elasticsearch Version: 5.6.14
Search Guard Version: 5.6.14-19.2

Currently I have the following sg_internal_users.yml file as my config:

# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
admin:
  hash: ${ADMIN_PWD_HASH}
  #password is: ${ADMIN_PASSWORD}
  roles:
  - sg_admin

readonly:
  hash: ${READONLY_PWD_HASH}
  #password is: ${READONLY_PASSWORD}
  roles:
  - sg_readonly

This is so that when I’m inside the node, during startup (via the entrypoint function), I can generate the hash for the password that is provided by the user:

chmod +x hash.sh
ADMIN_PWD_HASH=$(./hash.sh -p "$ADMIN_PASSWORD")
READONLY_PWD_HASH=$(./hash.sh -p "$READONLY_PASSWORD")

However, this does not seem to be working, as when I try to validate through curl I get back an ‘unauthorized’ message. I know that admin/readall come predefined with a username/password, but I wanted to know how the process would work for new users. Would the user have to generate the password using the hasher themselves and then copy-paste the hash into the internal config file before running Elasticsearch? For a cluster, would this mean that each node in the cluster would have the same hash in the internal file? Thank you!

Support for env vars in sg_*.yml will arrive shortly with SG v25.0.

Thanks for the quick reply! So for now the users would have to pre generate the hash before running anything?

Yes. But in a complex or enterprise setup we recommend using an external authentication system like LDAP or an OpenID/SAML-based IdP.
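
The pre-generation step confirmed in this thread can be scripted in the entrypoint by rendering the file from a template instead of relying on `${...}` expansion. This is an added example, not code from the thread or from Search Guard; `HASH_TOOL`, the function names and the `.tmpl` file name are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not Search Guard code. HASH_TOOL, hash_password, is_bcrypt,
# render_users and the .tmpl file name are names chosen for this sketch.
HASH_TOOL=${HASH_TOOL:-./hash.sh}    # plugin/tools/hash.sh, as in the post

# Hash one password. The quotes keep spaces and glob characters intact;
# -p still shows the password in the process list while hash.sh runs.
hash_password() {
    "$HASH_TOOL" -p "$1"
}

# True only for a 60-character bcrypt string ($2a$, $2b$ or $2y$ plus cost).
is_bcrypt() {
    case $1 in
        '$2'[aby]'$'[0-9][0-9]'$'*) [ "${#1}" -eq 60 ] ;;
        *) return 1 ;;
    esac
}

# render_users TEMPLATE ADMIN_HASH READONLY_HASH
# Prints TEMPLATE with the two placeholders from the post filled in.
# index/substr replace literally, so "$" and "/" in a hash are never
# treated as sed or awk metacharacters. Comment lines pass through as-is.
render_users() {
    if ! is_bcrypt "$2" || ! is_bcrypt "$3"; then
        echo "render_users: argument is not a bcrypt hash" >&2
        return 1
    fi
    ADMIN_PWD_HASH=$2 READONLY_PWD_HASH=$3 awk '
    function fill(s, name,    tok, i, out) {
        tok = "${" name "}"; out = ""
        while ((i = index(s, tok)) > 0) {
            out = out substr(s, 1, i - 1) ENVIRON[name]
            s = substr(s, i + length(tok))
        }
        return out s
    }
    /^[ \t]*#/ { print; next }
    {
        line = fill(fill($0, "ADMIN_PWD_HASH"), "READONLY_PWD_HASH")
        if (index(line, "${") > 0) bad = 1    # placeholder left unfilled
        print line
    }
    END { exit bad + 0 }' "$1"
}

# Entrypoint use: render_users sg_internal_users.yml.tmpl \
#   "$(hash_password "$ADMIN_PASSWORD")" \
#   "$(hash_password "$READONLY_PASSWORD")" > sg_internal_users.yml
```

A failed `hash.sh` run yields an empty string, which `is_bcrypt` rejects, so the entrypoint stops instead of writing a user entry with no usable hash.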
