Setting password when creating users in sg_internal_users.yml

ES 6.2.2 with corresponding SG

I am wondering how to set the password for the users I created in sg_internal_users.yml. I noticed that there is no place to set the password for the demo users.

```
#password is: logstash
logstash:
  hash: …
  roles:
    - logstash
```

Can I just simply add one more line “password: …” under the username structure?

And for the demo user like logstash, is it possible for me to change the default password in this config file like adding “password: …”?

This is because you do not want to have cleartext passwords anywhere in your configuration files. You have to generate a hash of the password you want to use with the hash.sh script that ships with Search Guard. Please refer to the docs on how to use it:

https://docs.search-guard.com/latest/internal-users-database

On Sunday, April 15, 2018 at 8:48:30 PM UTC-7, Xiaoyu Wu wrote:

> ES 6.2.2 with corresponding SG
>
> I am wondering how to set the password for the users I created in sg_internal_users.yml. I noticed that there is no place to set the password for the demo users.
>
> ```
> #password is: logstash
> logstash:
>   hash: …
>   roles:
>     - logstash
> ```
>
> Can I just simply add one more line “password: …” under the username structure?
>
> And for the demo user like logstash, is it possible for me to change the default password in this config file like adding “password: …”?

So do you mean that I can only edit the clear text password after I set up the hash password and everything in the config?

I just want to edit the password of admin and I successfully removed the “reserved” flag but it still threw some internal server error when I actually clicked the submit.

On Mon, Apr 16, 2018, 1:59 PM Jochen Kressin jkressin@floragunn.com wrote:

> This is because you do not want to have cleartext passwords anywhere in your configuration files. You have to generate a hash of the password you want to use with the hash.sh script that ships with Search Guard. Please refer to the docs on how to use it:
>
> https://docs.search-guard.com/latest/internal-users-database


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/9bc311d4-f049-4981-bd08-fa52ee45c861%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

No, I mean that the sg_internal_users.yml file cannot contain clear text passwords for security reasons. You do not want to use cleartext passwords; this is insecure. Instead of using a clear text password, create the hash of the password with the hash.sh tool and then enter it in sg_internal_users.yml via the “hash” key. This is described in the documentation that I posted before.

On Monday, April 16, 2018 at 11:08:19 AM UTC-7, Xiaoyu Wu wrote:

> So do you mean that I can only edit the clear text password after I set up the hash password and everything in the config?
>
> I just want to edit the password of admin and I successfully removed the “reserved” flag but it still threw some internal server error when I actually clicked the submit.
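
A check for the rule stated in the reply above (no cleartext passwords in sg_internal_users.yml, only a hash under the “hash” key), as an added example that is not part of the thread and not Search Guard's own code. It assumes the flat user layout shown in this thread and bcrypt-shaped `$2a$…` hashes; the key names in `CLEARTEXT_KEYS`, the `MIN_COST` floor and the sample users are assumptions made for illustration.

```python
import re

# Shape of a bcrypt string as shown in the thread ($2a$12$...): version marker,
# two-digit cost, then 22 salt + 31 digest characters.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
CLEARTEXT_KEYS = {"password", "passwd", "pass"}  # assumed key names to flag
MIN_COST = 10                                    # assumed policy floor


def parse_users(text):
    """Minimal reader for the flat layout in the thread (not a full YAML parser).

    An unindented 'name:' starts a user; 'key: value' lines at that user's first
    indentation level are its settings. List items and deeper nesting are skipped.
    """
    users, current, key_indent = {}, None, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            current = stripped[:-1] if stripped.endswith(":") else None
            key_indent = None
            if current is not None:
                users[current] = {}
            continue
        if current is None or stripped.startswith("-"):
            continue
        if key_indent is None:
            key_indent = indent
        if indent != key_indent or ":" not in stripped:
            continue
        key, _, value = stripped.partition(":")
        users[current][key.strip()] = value.strip().strip("\"'")
    return users


def lint_internal_users(text):
    """Return (user, problem) tuples. Offending values are never echoed."""
    findings = []
    for user, settings in parse_users(text).items():
        for key in settings:
            if key.lower() in CLEARTEXT_KEYS:
                findings.append((user, f"cleartext key '{key}' present; use 'hash'"))
        value = settings.get("hash", "")
        match = BCRYPT_RE.match(value)
        if not value:
            findings.append((user, "no 'hash' value"))
        elif match is None:
            findings.append((user, "'hash' is not a well-formed bcrypt string"))
        elif int(match.group(1)) < MIN_COST:
            findings.append((user, f"bcrypt cost {match.group(1)} is below {MIN_COST}"))
    return findings


# Constructed placeholder with the right length; not the hash of any password.
FAKE_TAIL = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE = f"""\
# constructed sample, not a real configuration
logstash:
  hash: $2a$12${FAKE_TAIL}
  roles:
    - logstash
alice:
  password: changeme
bob:
  hash: logstash
carol:
  hash: $2a$04${FAKE_TAIL}
  attributes:
    password: nested-attribute-ignored
"""

if __name__ == "__main__":
    for user, problem in lint_internal_users(SAMPLE):
        print(f"{user}: {problem}")
```

An elided `hash: …` value like the ones shown in this thread is reported as malformed, which is the intended result for a placeholder left in a real file.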


Yes, I understood that. But when we log in to the page, we do not enter the hash key. What we did is to enter the clear text key. So which place is for creating the password for login?

On Apr 16, 2018, at 2:13 PM, Jochen Kressin jkressin@floragunn.com wrote:

> No, I mean that the sg_internal_users.yml file cannot contain clear text passwords for security reasons. You do not want to use cleartext passwords; this is insecure. Instead of using a clear text password, create the hash of the password with the hash.sh tool and then enter it in sg_internal_users.yml via the “hash” key. This is described in the documentation that I posted before.


My current user is not admin and I tried to change the password for admin.


Of course you enter the cleartext password on the login page, not the hash. Sorry, but you need to understand how password hashing works in general; this is a basic security concept that applies to nearly all systems. You never store any password in cleartext anywhere; you just store the hash of the password. When a user provides the cleartext password upon login, it is also hashed, and then compared with the already stored hashed password. Hence, the place to enter the password for any user is sg_internal_users.yml, and you need to enter the hashed password here.

Some further reading about password hashing:

On Monday, April 16, 2018 at 11:15:55 AM UTC-7, Xiaoyu Wu wrote:

> Yes, I understood that. But when we log in to the page, we do not enter the hash key. What we did is to enter the clear text key. So which place is for creating the password for login?


This seems to be a bug in the last version of the plugin. Can you please try to change the admin user definition in internalusers.yml from:

```
admin:
  readonly: true
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv…TOG
  roles:
    - admin
  attributes:
    #no dots allowed in attribute names
    attribute1: value1
    attribute2: value2
    attribute3: value3
```

to:

```
admin:
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv…TOG
  roles:
    - admin
```

(Remove the “attributes” section and the readonly flag, and set your own password hash).

After that use sgadmin to upload the changed configuration.

It seems the Kibana plugin does not support the new “attributes” key yet. This key was introduced only lately.

Please let me know if this fixes your problem.

On Monday, April 16, 2018 at 11:19:53 AM UTC-7, Xiaoyu Wu wrote:

> My current user is not admin and I tried to change the password for admin.


Thank you so much. After removing the attributes, the problem has been solved!

On Monday, April 16, 2018 at 3:23:21 PM UTC-4, Jochen Kressin wrote:

> This seems to be a bug in the last version of the plugin. Can you please try to change the admin user definition in internalusers.yml from:
>
> ```
> admin:
>   readonly: true
>   hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv…TOG
>   roles:
>     - admin
>   attributes:
>     #no dots allowed in attribute names
>     attribute1: value1
>     attribute2: value2
>     attribute3: value3
> ```
>
> to:
>
> ```
> admin:
>   hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv…TOG
>   roles:
>     - admin
> ```
>
> (Remove the “attributes” section and the readonly flag, and set your own password hash).
>
> After that use sgadmin to upload the changed configuration.
>
> It seems the Kibana plugin does not support the new “attributes” key yet. This key was introduced only lately.
>
> Please let me know if this fixes your problem.


Hi,

I have a new problem. You mentioned that I could create a new hash password for admin and apply the new configuration.

I did put a new hash password generated by hash.sh and when I tried to log in to Kibana, I found the default password “admin” did not work for user “admin”. So I am not sure how to log in to the Kibana GUI?


Hi @jkressin,
So I have the official Docker image of Elastic and installed Search Guard on top of that, and everything is working fine as expected. I enter the password that is there in the sg_internal_users.yml to access Elasticsearch.
My question is: what if I want to set up a new password while running that image, like

```
docker run -e password=newpassword -p port:port <imagename>
```

What I have done is overriding the sg_internal_users.yml file while building the image, but I want to do the same thing while running it.
Any help would be appreciated.