I am trying to create users in Search Guard so they can log in to Kibana

Elasticsearch version: 7.17.3

Server OS version: Windows 2019

Kibana version (if relevant): 7.17.3

Describe the issue: I want to create users in Search Guard so they can log in to Kibana. I am trying to do it via the command

./sgctl.sh add-user-local jdoe --search-guard-roles  SGS_KIBANA_USER --password -o /path/to/a/local/sg_internal_users.yml

Is this the correct command? Do I need to specify the roles somewhere, and will the password be given after running this command?

Can someone please look into this query and reply back?


./sgctl.sh add-user-local akam --search-guard-roles SGS_KIBANA_USER --password -o /path/to/a/local/sg_internal_users.yml

I am using this command to create the user, but the password is not going. How do I set a password for this user?

I have installed SG 53.1.0, where I have only SG Admin in tools. I don't have the sgctl.sh or sgctl.bat file. Can I download it and use it? Will it impact my existing SG cluster?

Hi @amalk12

Could you please provide the versions of Elasticsearch and Search Guard?

Search Guard has to be installed with a certain version of Elasticsearch. Here you can find more information: Latest Releases | Security for Elasticsearch | Search Guard

If you install the Search Guard FLX version, you can use “sgctl.sh”. But if you install the Search Guard Classic version, then you have to use the regular “sgadmin.sh” tool.

After making changes to the sg_roles_mapping.yml file, you should upload the changes to the cluster.

For Search Guard FLX, you can do it by executing the command:

./sgctl.sh update-config path/to/config/dir/

For Search Guard Classic, you can do it by executing the script:


According to Search Guard documentation, the command will ask you to enter a password. Alternatively, you can specify the password after the --password switch. If the file specified by the -o switch does not exist, it is automatically created. If it already exists, the entry will be appended. Here you can find more information:


I am using Search Guard Classic. So if I edit the sg_roles_mapping.yml file, do I need to stop the SG cluster?
Or can I edit the file and load it to the cluster without stopping the cluster?

In Classic, do I need to use a hashed password when generating the credentials for the users?


Hi @amalk12 !

You should apply the changes when the cluster is running. You can edit configuration files whether the cluster is running or not.

Before applying the changes, please make a backup of your cluster configurations:

./sgadmin.sh -r -ts ... -tspass ... -ks ... -kspass ...

You can find more information about applying configuration changes here: Using sgadmin | Elasticsearch Security | Search Guard.

If you want to add new users to the sg_internal_users.yml, the user’s password must be hashed. To do so, you can use the hash.sh tool:

./plugins/<your-search-guard-folder>/tools/hash.sh -p <new-password>

Sorry for the late reply. I just want to know: there are 3 Elastic servers in my cluster and SG is installed on all 3 servers.

I see sg_internal_users.yml on all 3 servers, so should I be adding the users to all the sg_internal_users.yml files or just on one ELK server?

Hi @amalk12 !

You don’t need to add users to all sg_internal_users.yml files. You can add users to the sg_internal_users.yml file on one of the nodes. After that, you should apply your changes via the sgadmin tool.
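
Added example, not part of the thread and not Search Guard's own code: a shell helper that appends a user to one node's sg_internal_users.yml only when the supplied value is a bcrypt hash such as hash.sh produces, so a plaintext password never ends up in the file. The function names, the 60-character bcrypt pattern and the entry layout (hash, search_guard_roles) are assumptions to check against the documentation for your version; the hash in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example: append a user to sg_internal_users.yml from a hash.sh result.

# Succeeds only for a bcrypt-style string: $2a$/$2b$/$2y$, 2-digit cost, 53 chars.
is_bcrypt_hash() {
    printf '%s\n' "$1" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# Names are written unquoted into YAML, so allow only a conservative character set.
is_safe_name() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# add_internal_user FILE USER HASH [ROLE...]
# Returns 2 = bad name, 3 = value is not a hash, 4 = user already in FILE.
add_internal_user() {
    file=$1 user=$2 hash=$3
    shift 3
    if ! is_safe_name "$user"; then
        echo "invalid user name" >&2; return 2
    fi
    for role in "$@"; do
        if ! is_safe_name "$role"; then
            echo "invalid role name: $role" >&2; return 2
        fi
    done
    if ! is_bcrypt_hash "$hash"; then
        echo "refusing to write: not a bcrypt hash, run hash.sh first" >&2; return 3
    fi
    if [ -f "$file" ] && grep -Fxq -- "$user:" "$file"; then
        echo "user $user is already defined in $file" >&2; return 4
    fi
    {
        printf '\n%s:\n  hash: "%s"\n' "$user" "$hash"
        if [ "$#" -gt 0 ]; then
            printf '  search_guard_roles:\n'   # assumed key name
            printf '    - %s\n' "$@"
        fi
    } >> "$file"
}

# Usage (constructed placeholder hash, not a real credential):
# add_internal_user sg_internal_users.yml akam \
#   '$2y$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0' SGS_KIBANA_USER
```

The edited file still has to be uploaded with sgadmin, as the replies above describe, before the new user can log in.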

Hi Eugene7,

Thanks for the reply. I will try to add users and make the changes via the sgadmin tool.