Description
Elasticsearch Version
Version: 8.17.3, Build: deb/a091390de485bd4b127884f7e565c0cad59b10d2/2025-02-28T10:07:26.089129809Z, JVM: 23
Installed Plugins
No response
Java Version
bundled
OS Version
Linux ubu1804 4.15.0-235-generic #247-Ubuntu SMP Wed Feb 12 19:53:11 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Problem Description
I noticed that using the `elasticsearch-service-tokens` tool on my Ubuntu system creates the file `/etc/elasticsearch/service_tokens` with permissions `0600 root:elasticsearch`, so it is not readable by the `elasticsearch` process, which (judging by every other file in that directory being `0660 root:elasticsearch`) relies on group access rather than running as root. The node then logs "failed to parse service tokens file ... skipping/removing all tokens" rather than a permission error, which hides the real cause, and the freshly created token is rejected with a 401. This is fixable by doing a `chmod 660` (keeping the `root:elasticsearch` ownership and matching the sibling files — do not widen it to world-readable, since the file holds service-token material) and restarting elasticsearch, but this should not be necessary. The setgid bit that is set (automatically) on `/etc/elasticsearch` at installation does give the new file the `elasticsearch` group, but setgid only affects group ownership, not the mode bits, so it cannot compensate for the owner-only mode the tool assigns when run via `sudo`.
Steps to Reproduce
$ sudo apt install elasticsearch=8.17.3 -y
$ sudo systemctl daemon-reload
$ sudo systemctl start elasticsearch.service
$ curl -s -k -u $EUSER:$EPASS https://localhost:9200 | jq -Sc
{"cluster_name":"elasticsearch","cluster_uuid":"JCRDTktsQ_6iZ1DSYDR_pQ","name":"ubu1804","tagline":"You Know, for Search","version":{"build_date":"2025-02-28T10:07:26.089129809Z","build_flavor":"default","build_hash":"a091390de485bd4b127884f7e565c0cad59b10d2","build_snapshot":false,"build_type":"deb","lucene_version":"9.12.0","minimum_index_compatibility_version":"7.0.0","minimum_wire_compatibility_version":"7.17.0","number":"8.17.3"}}
$ sudo find /etc/elasticsearch/ -ls
1049835 4 drwxr-s--- 4 root elasticsearch 4096 Mar 13 15:59 /etc/elasticsearch/
1054376 4 -rw-rw---- 1 root elasticsearch 473 Feb 28 10:11 /etc/elasticsearch/role_mapping.yml
1054408 4 -rw-rw---- 1 root elasticsearch 4052 Mar 13 15:59 /etc/elasticsearch/elasticsearch.yml
1054385 0 -rw-rw---- 1 root elasticsearch 0 Feb 28 10:11 /etc/elasticsearch/users_roles
1054381 4 -rw-rw---- 1 root elasticsearch 1042 Feb 28 10:11 /etc/elasticsearch/elasticsearch-plugins.example.yml
1054386 0 -rw-rw---- 1 root elasticsearch 0 Feb 28 10:11 /etc/elasticsearch/users
1049917 20 -rw-rw---- 1 root elasticsearch 17969 Feb 28 10:11 /etc/elasticsearch/log4j2.properties
1054380 4 -rw-rw---- 1 root elasticsearch 197 Feb 28 10:11 /etc/elasticsearch/roles.yml
1054382 4 -rw-rw---- 1 root elasticsearch 3074 Feb 28 10:11 /etc/elasticsearch/jvm.options
1054389 4 drwxr-x--- 2 root elasticsearch 4096 Mar 13 15:59 /etc/elasticsearch/certs
1054407 4 -rw-rw---- 1 root elasticsearch 1915 Mar 13 15:59 /etc/elasticsearch/certs/http_ca.crt
1054410 12 -rw-rw---- 1 root elasticsearch 10061 Mar 13 15:59 /etc/elasticsearch/certs/http.p12
1054409 8 -rw-rw---- 1 root elasticsearch 5838 Mar 13 15:59 /etc/elasticsearch/certs/transport.p12
1054383 4 -rw-rw---- 1 root elasticsearch 536 Mar 13 15:59 /etc/elasticsearch/elasticsearch.keystore
1054388 4 drwxr-s--- 2 root elasticsearch 4096 Feb 28 10:15 /etc/elasticsearch/jvm.options.d
$ sudo /usr/share/elasticsearch/bin/elasticsearch-service-tokens create elastic/kibana kibana1
SERVICE_TOKEN elastic/kibana/kibana1 = AA...
$ TOKEN="AA..."
$ sudo find /etc/elasticsearch/ -ls
1049835 4 drwxr-s--- 4 root elasticsearch 4096 Mar 13 16:02 /etc/elasticsearch/
1054376 4 -rw-rw---- 1 root elasticsearch 473 Feb 28 10:11 /etc/elasticsearch/role_mapping.yml
1054408 4 -rw-rw---- 1 root elasticsearch 4052 Mar 13 15:59 /etc/elasticsearch/elasticsearch.yml
1054385 0 -rw-rw---- 1 root elasticsearch 0 Feb 28 10:11 /etc/elasticsearch/users_roles
1054381 4 -rw-rw---- 1 root elasticsearch 1042 Feb 28 10:11 /etc/elasticsearch/elasticsearch-plugins.example.yml
1054386 0 -rw-rw---- 1 root elasticsearch 0 Feb 28 10:11 /etc/elasticsearch/users
1049917 20 -rw-rw---- 1 root elasticsearch 17969 Feb 28 10:11 /etc/elasticsearch/log4j2.properties
1054412 4 -rw------- 1 root elasticsearch 135 Mar 13 16:02 /etc/elasticsearch/service_tokens
1054380 4 -rw-rw---- 1 root elasticsearch 197 Feb 28 10:11 /etc/elasticsearch/roles.yml
1054382 4 -rw-rw---- 1 root elasticsearch 3074 Feb 28 10:11 /etc/elasticsearch/jvm.options
1054389 4 drwxr-x--- 2 root elasticsearch 4096 Mar 13 15:59 /etc/elasticsearch/certs
1054407 4 -rw-rw---- 1 root elasticsearch 1915 Mar 13 15:59 /etc/elasticsearch/certs/http_ca.crt
1054410 12 -rw-rw---- 1 root elasticsearch 10061 Mar 13 15:59 /etc/elasticsearch/certs/http.p12
1054409 8 -rw-rw---- 1 root elasticsearch 5838 Mar 13 15:59 /etc/elasticsearch/certs/transport.p12
1054383 4 -rw-rw---- 1 root elasticsearch 536 Mar 13 15:59 /etc/elasticsearch/elasticsearch.keystore
1054388 4 drwxr-s--- 2 root elasticsearch 4096 Feb 28 10:15 /etc/elasticsearch/jvm.options.d
$ sudo fgrep service_tokens /var/log/elasticsearch/elasticsearch.log /var/log/elasticsearch/elasticsearch_server.json
/var/log/elasticsearch/elasticsearch.log:[2025-03-13T16:02:52,304][ERROR][o.e.x.s.a.s.FileServiceAccountTokenStore] [ubu1804] failed to parse service tokens file [/etc/elasticsearch/service_tokens]. skipping/removing all tokens...
/var/log/elasticsearch/elasticsearch_server.json:{"@timestamp":"2025-03-13T16:02:52.304Z", "log.level":"ERROR", "message":"failed to parse service tokens file [/etc/elasticsearch/service_tokens]. skipping/removing all tokens...", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[ubu1804][generic][T#14]","log.logger":"org.elasticsearch.xpack.security.authc.service.FileServiceAccountTokenStore","elasticsearch.cluster.uuid":"JCRDTktsQ_6iZ1DSYDR_pQ","elasticsearch.node.id":"EXqrMhUjTEehYXEMHL_jjA","elasticsearch.node.name":"ubu1804","elasticsearch.cluster.name":"elasticsearch"}
$ curl -s -k -H "Authorization: Bearer ${TOKEN}" -k https://localhost:9200/ | jq -Sc
{"error":{"header":{"WWW-Authenticate":["Basic realm=\"security\", charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]},"reason":"failed to authenticate service account [elastic/kibana] with token name [kibana1]","root_cause":[{"header":{"WWW-Authenticate":["Basic realm=\"security\", charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]},"reason":"failed to authenticate service account [elastic/kibana] with token name [kibana1]","type":"security_exception"}],"type":"security_exception"},"status":401}
$ sudo chmod 660 /etc/elasticsearch/service_tokens
$ sudo systemctl restart elasticsearch.service
$ curl -s -k -H "Authorization: Bearer ${TOKEN}" -k https://localhost:9200/ | jq -Sc
{"cluster_name":"elasticsearch","cluster_uuid":"JCRDTktsQ_6iZ1DSYDR_pQ","name":"ubu1804","tagline":"You Know, for Search","version":{"build_date":"2025-02-28T10:07:26.089129809Z","build_flavor":"default","build_hash":"a091390de485bd4b127884f7e565c0cad59b10d2","build_snapshot":false,"build_type":"deb","lucene_version":"9.12.0","minimum_index_compatibility_version":"7.0.0","minimum_wire_compatibility_version":"7.17.0","number":"8.17.3"}}
### Logs (if relevant)
_No response_