cannot update password or create user in sg_internal_users


Charlotte Dupont

Dec 6, 2017, 7:35:37 AM
to Search Guard Community Forum
Hi,

I'm using Search Guard 5.3.0-12 with Elasticsearch 5.3.0.

I'm suddenly not able to change a password or add a user in sg_internal_users.
I can run the script for hot update with a success result. But in the end, the modifications are not taken into account.

Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
searchguard index already exists, so we do not need to create one.
Populate config from /home/centos/elasticsearch-5.3.0/plugins/search-guard-5/sgconfig
Will update 'config' with plugins/search-guard-5/sgconfig/sg_config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'roles' with plugins/search-guard-5/sgconfig/sg_roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'rolesmapping' with plugins/search-guard-5/sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'internalusers' with plugins/search-guard-5/sgconfig/sg_internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update 'actiongroups' with plugins/search-guard-5/sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success

The only change that I have made since is to switch from OpenJDK to Oracle JDK.
Can it be the problem?

SG

Dec 6, 2017, 7:50:23 AM
to search...@googlegroups.com
Switching to Oracle JDK cannot cause this.

You can call sgadmin.sh with the -r option to retrieve the config that is effective.

Charlotte Dupont

Dec 6, 2017, 8:04:30 AM
to search...@googlegroups.com
Thanks, I tried this and the config that is effective is indeed the correct one (with the new user).
But I still cannot connect to Kibana with this new user. This is the Elasticsearch log when I try to connect:

[2017-12-06T13:01:38,962][ERROR][c.f.s.a.BackendRegistry  ] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: java.lang.IllegalArgumentException: Invalid salt revision
[2017-12-06T13:01:38,962][INFO ][c.f.s.a.BackendRegistry  ] Cannot authenticate user (or add roles) with ad 4 due to ElasticsearchSecurityException[com.google.common.util.concurrent.UncheckedExecutionException: java.lang.IllegalArgumentException: Invalid salt revision]; nested: UncheckedExecutionException[java.lang.IllegalArgumentException: Invalid salt revision]; nested: IllegalArgumentException[Invalid salt revision];, try next

What is this [invalid salt revision]? If I try to connect with a user x that really doesn't exist, the illegal argument exception is [x not found].
And if I try to connect with an existing user but with a wrong password, I have [password does not match].

Charlotte Dupont

Dec 6, 2017, 10:45:03 AM
to Search Guard Community Forum
I found the answer: invalid salt revision is a problem with the bcrypt hash. I was generating bcrypt hashes online that were not correct (they didn't start with $2a but with $2b or $2y).
That is strange because I always used the same website and it suddenly does not generate $2a hashes.
So I changed the bcrypt generator and it works fine now.
It was not an sgadmin-related problem.

SG

Dec 6, 2017, 10:55:17 AM
to search...@googlegroups.com
SG 6 will support the other bcrypt salts too
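An added example, not part of the original thread and not Search Guard's own code: a pre-flight check that scans sg_internal_users.yml-style text for bcrypt hashes whose revision prefix would trigger the "Invalid salt revision" error described above, so the problem is caught before sgadmin.sh uploads the file. It assumes the simple `username:` / indented `hash:` layout and, based only on this thread, that Search Guard 5.x accepts `$2a$` alone; the function names and sample data are constructed for illustration.

```python
import re

# Assumption taken from this thread: Search Guard 5.x accepts only "$2a$" hashes
# ("$2b$"/"$2y$" fail with "Invalid salt revision"); SG 6 is said to accept more.
ACCEPTED_REVISIONS = {"2a"}

# bcrypt layout: $<revision>$<2-digit cost>$<22-char salt + 31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")
USER_RE = re.compile(r"^([^\s#][^:]*):\s*$")          # top-level "username:" key
HASH_RE = re.compile(r"^\s+hash:\s*['\"]?([^'\"\s]+)['\"]?\s*$")

def check_hash(value):
    """Return 'ok', 'unsupported-revision' or 'malformed' for one hash string."""
    m = BCRYPT_RE.match(value)
    if not m:
        return "malformed"
    if m.group(1) not in ACCEPTED_REVISIONS:
        return "unsupported-revision"
    return "ok"

def audit_internal_users(text):
    """Scan sg_internal_users.yml-style text and return {username: status}."""
    results, user = {}, None
    for line in text.splitlines():
        um = USER_RE.match(line)
        if um:
            user = um.group(1).strip()
            continue
        hm = HASH_RE.match(line)
        if hm and user is not None:
            results[user] = check_hash(hm.group(1))
    return results

# Constructed sample: placeholder strings with bcrypt's shape, not real hashes.
BODY = "A" * 53
SAMPLE = "\n".join([
    "admin:",
    "  hash: $2a$12$" + BODY,
    "  roles:",
    "    - admin",
    "newuser:",
    "  hash: $2y$10$" + BODY,
    "broken:",
    "  hash: $2a$12$tooshort",
])

if __name__ == "__main__":
    for name, status in audit_internal_users(SAMPLE).items():
        print(f"{name}: {status}")
```

Any user reported as `unsupported-revision` needs its hash regenerated with a tool that emits the `$2a$` prefix before the configuration is uploaded.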