
XPack default realms order inverted?

Open MelwinKfr opened this issue 4 months ago • 4 comments

Hello,

Why does the file1 realm take precedence over the native1 realm in the default settings? Would it be a problem if I invert the order?

https://github.com/elastic/cloud-on-k8s/blob/15e2c8dff3dfa4a59ad327963a0f5d1d69d6d777/pkg/controller/elasticsearch/settings/merged_config.go#L164

I am trying to understand the default settings as I have the feeling it may trigger the following warning:

elasticsearch {"@timestamp":"2025-08-26T09:30:15.259Z", "log.level": "WARN", "message":"Authentication to realm file1 failed - Password authentication failed for elastic", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[es-cluster-es-default-1][get][T#4]","log.logger":"org.elasticsearch.xpack.security.authc.RealmsAuthenticator","elasticsearch.cluster.uuid":"0yLsUekBTxOkdtcHYxxopw","elasticsearch.node.id":"3_hpralNRAmQvjxe5OOTsw","elasticsearch.node.name":"es-cluster-es-default-1","elasticsearch.cluster.name":"es-cluster"}

As far as I understand, this warning means the elastic user is failing password authentication. But since Elasticsearch tries authentication realms in order file1 (order: -100) → native1 (order: -99), we see the file1 failed log before it attempts to use the native1 realm.

Does this assumption make any sense?

Thank you for your help, Melwin

MelwinKfr avatar Aug 26 '25 09:08 MelwinKfr

Same problem, any suggestions?

junneyang avatar Sep 26 '25 10:09 junneyang

The ECK operator uses a file realm user for orchestration purposes. We want to make sure that ECK is always able to manage Elasticsearch by giving the file realm a high priority.

pebrc avatar Sep 26 '25 12:09 pebrc

> The ECK operator uses a file realm user for orchestration purposes. We want to make sure that ECK is always able to manage Elasticsearch by giving the file realm a high priority.

Thanks! So, is it okay to ignore this error log? Will it cause any other problems? "@timestamp":"2025-09-25T03:00:42.363Z", "log.level": "WARN", "message":"Authentication to realm file1 failed - Password authentication failed for elastic", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server"

junneyang avatar Sep 28 '25 06:09 junneyang

Also, after deploying a cluster with ES 7.10, this WARN log does not appear. The cluster with ES 8.19 has this issue.

junneyang avatar Sep 28 '25 06:09 junneyang
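
One way to measure how often the warning quoted in this thread occurs, and for which realm, user and node, is to tally it from the JSON logs. This is an added example, not code from the issue or from ECK: the function names are hypothetical, and the sample lines are constructed from the log format quoted above, including the container-name prefix seen in the first log line.

```python
import json
import re
from collections import Counter

# Message format taken from the WARN line quoted in this thread.
REALM_FAILURE = re.compile(
    r"Authentication to realm (?P<realm>\S+) failed - "
    r"Password authentication failed for (?P<user>\S+)"
)

def parse_line(line):
    """Return (realm, user, node) for a realm-failure WARN line, else None."""
    start = line.find("{")  # skip a container prefix such as "elasticsearch "
    if start == -1:
        return None
    try:
        event = json.loads(line[start:])
    except json.JSONDecodeError:
        return None  # truncated or non-JSON line
    match = REALM_FAILURE.search(str(event.get("message", "")))
    if event.get("log.level") != "WARN" or match is None:
        return None
    node = event.get("elasticsearch.node.name", "unknown")
    return match["realm"], match["user"], node

def tally(lines):
    """Count realm authentication failures per (realm, user, node)."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed] += 1
    return counts

# Constructed sample input modelled on the log line in the issue (fields trimmed).
_MSG = "Authentication to realm file1 failed - Password authentication failed for elastic"
SAMPLE = [
    'elasticsearch {"@timestamp":"2025-08-26T09:30:15.259Z", "log.level": "WARN", '
    f'"message":"{_MSG}", "elasticsearch.node.name":"es-cluster-es-default-1"}}',
    '{"@timestamp":"2025-08-26T09:30:16.100Z", "log.level": "WARN", '
    f'"message":"{_MSG}", "elasticsearch.node.name":"es-cluster-es-default-1"}}',
    '{"@timestamp":"2025-08-26T09:30:16.500Z", "log.level": "WARN", '
    f'"message":"{_MSG}", "elasticsearch.node.name":"es-cluster-es-default-0"}}',
    '{"@timestamp":"2025-08-26T09:30:17.000Z", "log.level": "INFO", "message":"started"}',
    'elasticsearch {"@timestamp":"2025-08-26T09:30:18.000Z", "log.level": "WARN", "mess',
]

if __name__ == "__main__":
    for (realm, user, node), n in tally(SAMPLE).most_common():
        print(f"{n:4d}  realm={realm} user={user} node={node}")
```

The counts show where the failures concentrate; they do not by themselves say whether a later realm in the chain accepted the same request.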