How to create a user with built-in roles?

Elasticsearch version:
sg-elasticsearch:7.1.1-oss-35.0.0

Describe the issue:
SearchGuard works perfectly with the following sg_internal_users.yml file:

$ cat plugins/search-guard-7/sgconfig/sg_internal_users.yml 
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_sg_meta:
  type: "internalusers"
  config_version: 2
# Define your internal users here
# See https://docs.search-guard.com/latest/internal-users-database

## Demo users
admin:
  hash: $2a$12$w3ncSZ6VabTZsXgM5mY4aOkvGU2kLyhALvbn1jAxMmFBgSdFSZfZy
  reserved: true
  backend_roles:
  - admin
  description: "Demo admin user"
kibanaserver:
  hash: $2a$12$x1xgRlzOdpBLLjkhJkcmu.5n.cK73WWbrLxMqwAv5Vpkq.oemCGve
  reserved: true
  description: "Demo kibanaserver user"
kibanaro:
  hash: $2a$12$VKfWLvczvLOScv8ROIPCoO8DuQgSdIGvK1HEQh..gvcw.1fuabBzK
  reserved: false
  backend_roles:
  - "kibanauser"
  - "readall"
  attributes:
    attribute1: "value1"
    attribute2: "value2"
    attribute3: "value3"
  description: "Demo kibanaro user"
logstash:
  hash: $2a$12$xz9CrDir5Oj0wASXT7KehOFd/EfymGsjfGIxRIwzsgkfpzXSUkYjG
  reserved: false
  backend_roles:
  - "logstash"
  description: "Demo logstash user"
readall:
  hash: $2a$12$Vcujriu.OyiH2vD91LbqTuaWtjAXoVQvrPkCsLjbn6TknRpiF4TRq
  reserved: false
  backend_roles:
  - "readall"
  description: "Demo readall user"
snapshotrestore:
  hash: $2a$12$QcAxG7DS6sc67l905UYm2eDuP/IuO8WGHRFKKBFye3MJQiHZTV/Qy
  reserved: false
  backend_roles:
  - "snapshotrestore"
  description: "Demo snapshotrestore user"

Elasticsearch logs:

{"type": "server", "timestamp": "2020-08-20T13:45:50,207+0000", "level": "INFO", "component": "o.e.c.c.CoordinationState", "cluster.name": "topology-es", "node.name": "master-topology-es-0",  "message": "cluster UUID set to [mZvz_C33S3GUaZl81afE7Q]"  }
{"type": "server", "timestamp": "2020-08-20T13:45:50,321+0000", "level": "INFO", "component": "o.e.c.s.ClusterApplierService", "cluster.name": "topology-es", "node.name": "master-topology-es-0",  "message": "master node changed {previous [], current [{master-topology-es-1}{uOGl2VmbQLeWhqj2z_A4_w}{TU6bOkURR2-nf5C_tRAcTw}{10.244.0.13}{10.244.0.13:9300}]}, added {{master-topology-es-1}{uOGl2VmbQLeWhqj2z_A4_w}{TU6bOkURR2-nf5C_tRAcTw}{10.244.0.13}{10.244.0.13:9300},}, term: 2, version: 1, reason: ApplyCommitRequest{term=2, version=1, sourceNode={master-topology-es-1}{uOGl2VmbQLeWhqj2z_A4_w}{TU6bOkURR2-nf5C_tRAcTw}{10.244.0.13}{10.244.0.13:9300}}"  }
{"type": "server", "timestamp": "2020-08-20T13:45:50,391+0000", "level": "INFO", "component": "o.e.h.AbstractHttpServerTransport", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "publish_address {10.244.0.11:9200}, bound_addresses {[::]:9200}"  }
{"type": "server", "timestamp": "2020-08-20T13:45:50,396+0000", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "started"  }
{"type": "server", "timestamp": "2020-08-20T13:45:50,397+0000", "level": "INFO", "component": "c.f.s.SearchGuardPlugin", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Node started"  }
{"type": "server", "timestamp": "2020-08-20T13:45:50,397+0000", "level": "INFO", "component": "c.f.s.c.ConfigurationRepository", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Check if searchguard index exists ..."  }
{"type": "server", "timestamp": "2020-08-20T13:45:50,398+0000", "level": "INFO", "component": "c.f.s.c.ConfigurationRepository", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "searchguard index does not exist yet, so we create a default config"  }
{"type": "server", "timestamp": "2020-08-20T13:45:50,404+0000", "level": "INFO", "component": "c.f.s.c.ConfigurationRepository", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Background init thread started. Install default config?: true"  }
{"type": "server", "timestamp": "2020-08-20T13:45:50,405+0000", "level": "INFO", "component": "c.f.s.SearchGuardPlugin", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "0 Search Guard modules loaded so far: []"  }
{"type": "server", "timestamp": "2020-08-20T13:45:50,431+0000", "level": "INFO", "component": "c.f.s.c.ConfigurationRepository", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Will create searchguard index so we can apply default config"  }
{"type": "server", "timestamp": "2020-08-20T13:45:51,616+0000", "level": "INFO", "component": "o.e.c.s.ClusterApplierService", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "added {{client-topology-es-1}{LjVxALlwR_yUUC0VMSS7Dw}{7uujnSvhREOov2CpPvgumA}{10.244.0.9}{10.244.0.9:9300},}, term: 2, version: 3, reason: ApplyCommitRequest{term=2, version=3, sourceNode={master-topology-es-1}{uOGl2VmbQLeWhqj2z_A4_w}{TU6bOkURR2-nf5C_tRAcTw}{10.244.0.13}{10.244.0.13:9300}}"  }
{"type": "server", "timestamp": "2020-08-20T13:45:53,773+0000", "level": "INFO", "component": "o.e.c.s.ClusterApplierService", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "added {{client-topology-es-0}{o8Osuq6rTVSdu679lu2aPA}{bkGA8uyNS7m9EiFiuD8aHA}{10.244.0.7}{10.244.0.7:9300},}, term: 2, version: 5, reason: ApplyCommitRequest{term=2, version=5, sourceNode={master-topology-es-1}{uOGl2VmbQLeWhqj2z_A4_w}{TU6bOkURR2-nf5C_tRAcTw}{10.244.0.13}{10.244.0.13:9300}}"  }
{"type": "server", "timestamp": "2020-08-20T13:46:00,864+0000", "level": "INFO", "component": "o.e.c.s.ClusterApplierService", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "added {{master-topology-es-2}{fS28o3VLQrWf0lePMeQynw}{Axe9dUABScSCOY0-CV3aLA}{10.244.0.15}{10.244.0.15:9300},}, term: 2, version: 6, reason: ApplyCommitRequest{term=2, version=6, sourceNode={master-topology-es-1}{uOGl2VmbQLeWhqj2z_A4_w}{TU6bOkURR2-nf5C_tRAcTw}{10.244.0.13}{10.244.0.13:9300}}"  }
{"type": "server", "timestamp": "2020-08-20T13:46:07,402+0000", "level": "INFO", "component": "o.e.c.s.ClusterApplierService", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "added {{data-topology-es-0}{nxcOWEXoRWeVQLISZJxyAQ}{_gHPZWhaR5CPHyYYVaKYlw}{10.244.0.17}{10.244.0.17:9300},}, term: 2, version: 8, reason: ApplyCommitRequest{term=2, version=8, sourceNode={master-topology-es-1}{uOGl2VmbQLeWhqj2z_A4_w}{TU6bOkURR2-nf5C_tRAcTw}{10.244.0.13}{10.244.0.13:9300}}"  }
{"type": "server", "timestamp": "2020-08-20T13:46:10,908+0000", "level": "INFO", "component": "c.f.s.c.ConfigurationRepository", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Index searchguard created?: true"  }
{"type": "server", "timestamp": "2020-08-20T13:46:10,910+0000", "level": "INFO", "component": "c.f.s.s.ConfigHelper", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Will update 'CONFIG' with /usr/share/elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml"  }
{"type": "server", "timestamp": "2020-08-20T13:46:12,377+0000", "level": "INFO", "component": "c.f.s.s.ConfigHelper", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Will update 'ROLES' with /usr/share/elasticsearch/plugins/search-guard-7/sgconfig/sg_roles.yml"  }
{"type": "server", "timestamp": "2020-08-20T13:46:12,387+0000", "level": "INFO", "component": "o.e.c.s.ClusterApplierService", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "added {{data-topology-es-1}{xuCdHv5_QAGaWT3JwivWHQ}{ZbW_BrkrRsuBKC1yS6P54g}{10.244.0.19}{10.244.0.19:9300},}, term: 2, version: 11, reason: ApplyCommitRequest{term=2, version=11, sourceNode={master-topology-es-1}{uOGl2VmbQLeWhqj2z_A4_w}{TU6bOkURR2-nf5C_tRAcTw}{10.244.0.13}{10.244.0.13:9300}}"  }
{"type": "server", "timestamp": "2020-08-20T13:46:15,972+0000", "level": "INFO", "component": "c.f.s.s.ConfigHelper", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Will update 'ROLESMAPPING' with /usr/share/elasticsearch/plugins/search-guard-7/sgconfig/sg_roles_mapping.yml"  }
{"type": "server", "timestamp": "2020-08-20T13:46:16,491+0000", "level": "INFO", "component": "c.f.s.s.ConfigHelper", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Will update 'INTERNALUSERS' with /usr/share/elasticsearch/plugins/search-guard-7/sgconfig/sg_internal_users.yml"  }
{"type": "server", "timestamp": "2020-08-20T13:46:16,848+0000", "level": "INFO", "component": "c.f.s.s.ConfigHelper", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Will update 'ACTIONGROUPS' with /usr/share/elasticsearch/plugins/search-guard-7/sgconfig/sg_action_groups.yml"  }
{"type": "server", "timestamp": "2020-08-20T13:46:17,129+0000", "level": "INFO", "component": "c.f.s.s.ConfigHelper", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Will update 'TENANTS' with /usr/share/elasticsearch/plugins/search-guard-7/sgconfig/sg_tenants.yml"  }
{"type": "server", "timestamp": "2020-08-20T13:46:17,408+0000", "level": "INFO", "component": "c.f.s.c.ConfigurationRepository", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Default config applied"  }
{"type": "server", "timestamp": "2020-08-20T13:46:17,587+0000", "level": "INFO", "component": "c.f.s.c.ConfigurationRepository", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Search Guard License Info: No license needed because enterprise modules are not enabled"  }
{"type": "server", "timestamp": "2020-08-20T13:46:17,588+0000", "level": "INFO", "component": "c.f.s.c.ConfigurationRepository", "cluster.name": "topology-es", "node.name": "master-topology-es-0", "cluster.uuid": "mZvz_C33S3GUaZl81afE7Q", "node.id": "QQPKvrsmTTKpMsYVFv7Oiw",  "message": "Node 'master-topology-es-0' initialized"  }

But when I updated the sg_internal_users.yml with a new user along with others:

$ cat plugins/search-guard-7/sgconfig/sg_internal_users.yml 
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_sg_meta:
  type: "internalusers"
  config_version: 2
# Define your internal users here
# See https://docs.search-guard.com/latest/internal-users-database

## Demo users
admin:
  hash: $2a$12$x2mBLh9wc3wchAoS45pF3uWHro/U20qynNC5Aa/RqvE/oX4JCBvpe
  reserved: true
  backend_roles:
  - admin
  description: "Demo admin user"
kibanaserver:
  hash: $2a$12$MQP/7RD/HLTydecEOzpa/.2A5vE4R3Xiu2ZWJATFY8da6L9WfFjpu
  reserved: true
  description: "Demo kibanaserver user"
kibanaro:
  hash: $2a$12$gjc2DUoONVFRqEGv1FZta.aa8SbKoGcTGWRL1QMuhALuQAX56ELei
  reserved: false
  backend_roles:
  - "kibanauser"
  - "readall"
  attributes:
    attribute1: "value1"
    attribute2: "value2"
    attribute3: "value3"
  description: "Demo kibanaro user"
logstash:
  hash: $2a$12$u5tkwNkCICSJer.J1svuaucX1oFWzjvW.B7EbisU7.Lpot1dDMYLS
  reserved: false
  backend_roles:
  - "logstash"
  description: "Demo logstash user"
readall:
  hash: $2a$12$SBwi/hq/zJn1bFb/P0K1..FP9qV1OpaMLAV2EMeRaRsOnQp6OIcT2
  reserved: false
  backend_roles:
  - "readall"
  description: "Demo readall user"
snapshotrestore:
  hash: $2a$12$Q064fO1D5Okl98aG8krnLeqN6miL/11E4MrpViBtEMsTprpHbW5cO
  reserved: false
  backend_roles:
  - "snapshotrestore"
  description: "Demo snapshotrestore user"

## new user
readall_monitor:
  hash: $2a$12$8eUOixmlGG6EqTOj4sYulOWQKjyA4ypnKop4xQz/GMNg./zvZTOSu
  search_guard_roles:
  - SGS_READALL_AND_MONITOR

**The SearchGuard plugin never initializes.**

$ curl -XGET "https://localhost:9200/_cluster/health?pretty" -u "admin:mpgu6pup" --insecure
Search Guard not initialized (SG11). See https://docs.search-guard.com/latest/sgadmin⏎ 

Elasticsearch logs:

Expected behavior:

Should create a user with SGS_READALL_AND_MONITOR built-in role.

What am I missing here?

How are you adding the new user? Do you add it to the yml file and then upload it with the sgadmin command? If so, the output of the sgadmin command and the ES logs while running the sgadmin command would be helpful.

BTW, the yaml file you have shown contains the password hashes without quotes. This might not necessarily be the cause of the error, but it is at least not very stable to have strings with funky characters unquoted in yaml files, as the interpretation of this might vary by yaml parser implementation.

Hi @cstaley
Hope you’re doing well.
Since when do you support the search_guard_roles field in the user specification?

readall_monitor:
  hash: $2a$12$8eUOixmlGG6EqTOj4sYulOWQKjyA4ypnKop4xQz/GMNg./zvZTOSu
  search_guard_roles: ???????????????????????

This is the error,

ERR: Seems /usr/share/elasticsearch/plugins/search-guard-7/sgconfig/sg_internal_users.yml is not in SG 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "search_guard_roles" (class com.floragunn.searchguard.sgconf.impl.v7.InternalUserV7), not marked as ignorable (7 known properties: "backend_roles", "attributes", "reserved", "hidden", "description", "hash", "static"])

Another question:

  1. We can create a user with the roles mentioned.
  2. We can create a user without a role, and assign the roles to that user with role_mapping.

These options make sense to me. But in sg-elasticsearch:7.1.1-oss-35.0.0 it seems like creating a user with the roles mentioned doesn’t work; I need to create a role_mapping too. What is the proper way to create a user with roles?

The search_guard_roles attribute was introduced in 36.0.0:

You can download more recent versions of Search Guard here:

In 35.0.0 or older you have to create a role mapping indeed to map backend roles to Search Guard roles, even if this is a 1:1 mapping.
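
For 35.0.0 or older, the role mapping described in the reply above could look like the following. This is an added example, not part of the original thread; the backend role name `readall_and_monitor`, the description text and the hash placeholder are assumptions made for illustration.

```yaml
# --- addition to sg_internal_users.yml (35.0.0 or older) ---
# Only the seven properties listed in the error message are accepted for a
# user in this version, so the user carries a backend role instead of
# search_guard_roles.
readall_monitor:
  # Placeholder: insert the bcrypt hash generated with hash.sh.
  # Quoted, as suggested earlier in the thread.
  hash: "<bcrypt hash generated with hash.sh>"
  reserved: false
  backend_roles:
  - "readall_and_monitor"   # assumed name, chosen for this example
  description: "Read-all and monitor user"

# --- addition to sg_roles_mapping.yml ---
# 1:1 mapping from the backend role above to the built-in Search Guard role.
# The file's existing _sg_meta header and other mappings stay as they are.
SGS_READALL_AND_MONITOR:
  backend_roles:
  - "readall_and_monitor"   # must match the backend role given to the user
```

Both files need to be uploaded with the sgadmin command mentioned earlier in the thread before the change takes effect.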
