Skip to content

Fix error message when changing the password for a user in the file realm #127621

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

Fix error message when changing the password for a user in the file realm #127621

wants to merge 15 commits into from

Conversation

ankit--sethi
Copy link
Contributor

@ankit--sethi ankit--sethi commented May 1, 2025
edited
Loading

This PR addresses #113535 - a confusing error message when the user attempts to update the password for the elastic superuser in a cloud deployment.

At the heart of the issue is the difference in how the elastic superuser is implemented on self-hosted deployments vs. managed cloud deployments. Elasticsearch has two distinct security realms: file and native. On a self-hosted deployment, the elastic superuser is represented as a document in the .security index (placing it in the native realm), whereas in a cloud deployment elastic is defined in the ES_PATH_CONF/users and ES_PATH_CONF/user_roles files installed on each node in the cluster (placing it in the file realm).

The TransportChangePasswordAction impl is designed to update the password for users in the native realm specifically, and on cloud an attempt to change the password for elastic using the Change Password API fails with the error that the user does not exist. This is misleading since the user exists but is simply coming from the file realm.

The solution here first checks if the user is not found in the native realm - if that is the case it checks the file realm in case the user is present there. This case is provided a new error message. Other cases end in a "user not found" state or proceed to invoke changePassword.

@ankit--sethi
This PR addresses elastic#113535 - a confusing error message when the…
fe01fd3 
… user attempts to update the password for the `elastic` superuser in a cloud deployment.

At the heart of the issue is the difference in how the `elastic` superuser is implemented on self-hosted deployments vs. managed cloud deployments. Elasticsearch has two distinct security realms: `file` and `native`. On a self-hosted deployment, the `elastic` superuser is represented as a document in the `.security` index, whereas in a cloud deployment `elastic` is defined in the `ES_PATH_CONF/users` and `ES_PATH_CONF/user_roles` files placed on each node in the cluster.

The TransportChangePasswordAction impl is designed to update the password for users in the `native` realm specifically, and a failure on cloud to change the password for `elastic` using the Change Password API fails with the error that the user does not exist.

The solution here leverages `fileUserPasswdStore.userExists` to do a low cost check on whether the request username belongs to the `file` realm and will exit early with an informative error message if that is the case.
@ankit--sethi ankit--sethi added >bug :Security/Security Security issues without another label auto-backport Automatically create backport pull requests when merged v8.19.0 v8.17.7 v8.18.2 v9.0.2 labels May 1, 2025
@elasticsearchmachine elasticsearchmachine added v9.1.0 Team:Security Meta label for security team labels May 1, 2025
@elasticsearchmachine
Copy link
Collaborator

Hi @ankit--sethi, I've created a changelog YAML for you.

@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@ankit--sethi ankit--sethi requested a review from a team as a code owner May 7, 2025 21:03
@elasticsearchmachine
Copy link
Collaborator

Hi @ankit--sethi, I've updated the changelog YAML for you.

tvernum
tvernum reviewed May 8, 2025
View reviewed changes
...rc/main/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordAction.java Outdated
Optional<Realm> realm = realms.stream().filter(t -> FileRealmSettings.TYPE.equalsIgnoreCase(t.type())).findAny();
if (user == null && realm.isPresent()) {
// we should check if this request is mistakenly trying to reset a file realm user
FileRealm fileRealm = (FileRealm) realm.get();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why only file realms? Couldn't we just do this for all realms?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fair point, maybe we can? I'm gonna take a closer look to see if there are any gotchas to doing that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvernum tvernum tvernum left review comments

@slobodanadamovic slobodanadamovic Awaiting requested review from slobodanadamovic

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
auto-backport Automatically create backport pull requests when merged >bug :Security/Security Security issues without another label Team:Security Meta label for security team v8.17.7 v8.18.2 v8.19.0 v9.0.2 v9.1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ankit--sethi @elasticsearchmachine @tvernum