Username input in search-guard-flx-elasticsearch-plugin-2.0.0-rc-es-8.12.2.zip

If you think it is a bug report or you have a technical issue, please answer the following questions. For general questions, you can delete these questions.

**Elasticsearch version:8.12.2

**Server OS version:centos 7
Search guard version
search-guard-flx-elasticsearch-plugin-2.0.0-rc-es-8.12.2.zip

Error Message
Successfully connected to cluster elasticsearch (localhost) as user CN=Server,
java.lang.IllegalArgumentException: Illegal character in fragment at index 36: /searchguard/internal_users/…username…encripted
at java.base/java.net.URI.create(URI.java:932)
at org.apache.http.client.methods.HttpGet.(HttpGet.java:66)
at com.floragunn.searchguard.sgctl.client.SearchGuardRestClient.get(SearchGuardRestClient.java:177)
at com.floragunn.searchguard.sgctl.client.SearchGuardRestClient.getUser(SearchGuardRestClient.java:100)
at com.floragunn.searchguard.sgctl.commands.user.UpdateUser.lambda$call$1(UpdateUser.java:78)
at com.floragunn.searchguard.sgctl.commands.BaseCommand.retryOnConcurrencyConflict(BaseCommand.java:125)
at com.floragunn.searchguard.sgctl.commands.user.UpdateUser.call(UpdateUser.java:76)
at com.floragunn.searchguard.sgctl.commands.user.UpdateUser.call(UpdateUser.java:46)
at picocli.CommandLine.executeUserObject(CommandLine.java:2041)
at picocli.CommandLine.access$1500(CommandLine.java:148)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
at picocli.CommandLine.execute(CommandLine.java:2170)
at com.floragunn.searchguard.sgctl.SgctlTool.exec(SgctlTool.java:63)
at com.floragunn.searchguard.sgctl.SgctlTool.main(SgctlTool.java:58)
Caused by: java.net.URISyntaxException: Illegal character in fragment at index 36: /searchguard/internal_users/…
at java.base/java.net.URI$Parser.fail(URI.java:2995)
at java.base/java.net.URI$Parser.checkChars(URI.java:3166)
at java.base/java.net.URI$Parser.parse(URI.java:3210)
at java.base/java.net.URI.(URI.java:645)
at java.base/java.net.URI.create(URI.java:930)
… 17 more
Failed to update user. The installation was aborted.
Below username is works in elasticseach 6 but throws error in elasticsearch 8.12.2
pongo#~!$*()_-+=.?/pongo#~!$*()
-+=.?/pongo#~`!$*()
-+=.?/db18

Cause for this error and how to resolve it.
And what is official documentation says about username and password

Below is yml
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
xpack.security.enabled: false
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
enabled: false
keystore.path: certs/http.p12
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/transport.p12
truststore.path: certs/transport.p12
cluster.initial_master_nodes:

  • 192.168.28.38
    http.host: 0.0.0.0
    cluster.name: elasticsearch
    node.name: localhost.localdomain
    network.host: localhost,ip
    http.port: 9200
    searchguard.enterprise_modules_enabled: false
    thread_pool.write.queue_size: 1000
    discovery.seed_hosts: ip
    http.max_content_length: 500mb
    indices.query.bool.max_clause_count: 200000
    thread_pool.search.size: 50
    searchguard.ssl.transport.pemkey_filepath: key.pem
    searchguard.ssl.transport.pemcert_filepath: cert.pem
    searchguard.ssl.transport.pemtrustedcas_filepath: cacert.pem
    searchguard.ssl.transport.enforce_hostname_verification: false
    searchguard.ssl.transport.enabled_protocols:
  • TLSv1.2
    searchguard.ssl.http.pemkey_filepath: key.pem
    searchguard.ssl.http.pemcert_filepath: cert.pem
    searchguard.ssl.http.pemtrustedcas_filepath: cacert.pem
    searchguard.ssl.http.enabled: true
    searchguard.ssl.http.enabled_protocols:
  • TLSv1.2
    searchguard.authcz.admin_dn:
  • CN=Server,XXXXXX
    searchguard.nodes_dn:
    XXXXXXX
    searchguard.check_snapshot_restore_write_privileges: true
    searchguard.restapi.roles_enabled:
  • SGS_ALL_ACCESS

Hi @Varinder1,

I have noticed that you are using the RC version, the GA is now available and I would strongly suggest using GA, please see more here:

How did you deploy your internal user, and how did you hash passwords?

Thanks,
Mantas


I am using elasticsearch 8. I am using latest version of searchguard.2.0.0

@mantas Am I missing something, please suggest . Can i use **pongo#~!$*()_-+=.?/pongo#~!$()-+=.?/pongo#~`!$()-+=.?/db18 as a username without any issue.

@Varinder1, yes that is the correct way to get the plugin.

Should look something like:

search-guard-flx-elasticsearch-plugin-2.0.0-es-8.12.2.zip (with out rc)

how do you create your internal users?

Could you please elaborate on the below:

Thanks,
Mantas

I have tried the GA version it also fails
“${INSTALL_PATH}”/bin/elasticsearch-plugin install -b file:“${SCRIPT_PATH}/sources/search-guard-flx-elasticsearch-plugin-2.0.0-es-8.12.2.zip” >>“${INSTALL_LOG}”

I did not do anything special to create internal user

I also want to edit this post , can any body help me with this .

Can anybody brief the discussion?
It’s getting tough to understand cause the coding is just too much and messy.

I was using pongo#~!$*()_-+=.?/pongo#~ !$() -+=.?/pongo#~`!$() -+=.?/db18 as user name it is working fine in ES6 but throwing error in ES8.
Thats it.