Request for ability to add and remove individual users using sgadmin.sh

Hi SG team,

I’ve been playing around with using configuration management to manage the SG internal users (primarily by using sgadmin.sh). It would be fantastic to be manage users individually, is this already possible and I’m just missing something?
I see one of the main challenges in doing this would be the fact that the entire users hash is stored in ES as a single base64 blob (why is that?) and wouldn’t allow for easy manipulation of individual users.

Many thanks for your time,
Nick

sgadmin is not to meant to be the right tool for that task (albeit it should to be too hard to script something).

We recommend to use the REST api to manage the internal users: Users API | Security for Elasticsearch | Search Guard

Hi hsaly, thanks for your reply.

The issue I’m facing with the API is that the internal users will be overwritten the next time I run sgadmin (please correct me if I’m wrong). How do you suggest users continually update their security policy while making use of the API?

Cheers,
Nick

Do not run sgadmin for internal users (or roles mappings etc). You can upload for example only the authentication config via -f and -t option. See Configuration Migration | Security for Elasticsearch | Search Guard

Generally speaking: Either use sgadmin (in case you have no enterprise subscription or you want to managed everything manually from a central place) or use the REST api but not both on the same config resource. Typically users manage the internal users, roles and role mappings, tenants with the REST API and authentication config and action groups via sgadmin.

Thanks Hsaly,

Perfect, this is exactly what I’ve been looking for. Apologies for missing it in your online docs. I didn’t notice it in the help output from sgadmin because this is the help documentation for the two options:

-f,–file file
-t,–type file-type

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.