
Misleading error message when trying to change password for non-native user #113535

Open
abseht opened this issue Sep 25, 2024 · 2 comments
Labels
>bug, :Security/Security (Security issues without another label), Team:Security (Meta label for security team)

Comments

@abseht

abseht commented Sep 25, 2024

Elasticsearch Version

8.15.2

Installed Plugins

No response

Java Version

bundled

OS Version

managed elastic.co deployment

Problem Description

Cannot change password for elastic user using these instructions

It returns

{
  "error": {
    "root_cause": [
      {
        "type": "validation_exception",
        "reason": "Validation Failed: 1: user must exist in order to change password;"
      }
    ],
    "type": "validation_exception",
    "reason": "Validation Failed: 1: user must exist in order to change password;"
  },
  "status": 400
}

Moreover, trying to do so with the Terraform provider and this resource also returns the error below.

│ Error: System user "elastic" not found
│ 
│   with module.password.elasticstack_elasticsearch_security_system_user.this["elastic"],
│   on ../module_elasticsearch_user/built_in_user.tf line 1, in resource "elasticstack_elasticsearch_security_system_user" "this":
│    1: resource "elasticstack_elasticsearch_security_system_user" "this" {

Steps to Reproduce

  1. Go to your elastic.co console.
  2. Select a deployment.
  3. Go to the API console.
  4. Send a request to POST /_security/user/_password with body { "password": "new-Password-12345" }
     OR
  5. Send a request to POST /_security/user/elastic/_password with the same body.

Logs (if relevant)

No response

@abseht abseht added >bug needs:triage Requires assignment of a team area label labels Sep 25, 2024
@benwtrent benwtrent added the :Security/Security Security issues without another label label Sep 26, 2024
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Sep 26, 2024
@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine removed the needs:triage Requires assignment of a team area label label Sep 26, 2024
@tvernum
Contributor

tvernum commented Mar 25, 2025

It is intentional that you cannot change the elastic password from within Elasticsearch and Kibana on cloud.
You need to reset the password using the cloud console.

The error message is misleading (the user does exist, but cannot be managed through this API) and it would be good to clean that up.

@tvernum tvernum changed the title Cannot change password for built in user Misleading error message when trying to change password for non-native user Mar 25, 2025
@ankit--sethi ankit--sethi self-assigned this Apr 30, 2025
ankit--sethi added a commit to ankit--sethi/elasticsearch that referenced this issue May 1, 2025
… user attempts to update the password for the `elastic` superuser in a cloud deployment.

At the heart of the issue is the difference in how the `elastic` superuser is implemented on self-hosted deployments vs. managed cloud deployments. Elasticsearch has two distinct security realms: `file` and `native`. On a self-hosted deployment, the `elastic` superuser is represented as a document in the `.security` index, whereas in a cloud deployment `elastic` is defined in the `ES_PATH_CONF/users` and `ES_PATH_CONF/user_roles` files placed on each node in the cluster.

The TransportChangePasswordAction impl is designed to update the password for users in the `native` realm specifically, and an attempt on cloud to change the password for `elastic` using the Change Password API fails with the error that the user does not exist.

The solution here leverages `fileUserPasswdStore.userExists` to do a low cost check on whether the request username belongs to the `file` realm and will exit early with an informative error message if that is the case.
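An added example, not Elasticsearch's own code and not part of the commit above: a small Python model of the realm-aware check the commit message describes. It parses the file-realm `users` file format (one `username:hash` line per user, `#` comments allowed; a real install writes bcrypt hashes with the `elasticsearch-users` tool, and the companion roles file is named `users_roles`), keeps a stand-in for the native store backed by the `.security` index, and shows how an early "this user belongs to the file realm" exit replaces the misleading "user must exist" error. The class and function names, the sample file contents and the wording of the new error are assumptions for illustration; the "user must exist" string is the one quoted in the report.

```python
"""Model of realm-aware change-password handling (added example, not Elasticsearch code)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample of an ES_PATH_CONF/users file. Format is `username:hash`
# per line; the hashes here are placeholders, not real bcrypt output.
SAMPLE_USERS_FILE = """\
# file-realm users pushed to every node of a managed deployment
elastic:$2a$10$PLACEHOLDER.HASH.FOR.ELASTIC
kibana_system:$2a$10$PLACEHOLDER.HASH.FOR.KIBANA
"""

# The error the report shows for the pre-fix behaviour.
USER_MUST_EXIST = "Validation Failed: 1: user must exist in order to change password;"


def parse_users_file(text: str) -> dict[str, str]:
    """Parse the file-realm `users` file into {username: password_hash}."""
    users: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, pw_hash = line.partition(":")
        if not sep or not name or not pw_hash:
            raise ValueError(f"users file line {lineno}: expected 'username:hash'")
        users[name] = pw_hash
    return users


class FileUserPasswdStore:
    """Stand-in for the file realm: only an existence check is needed for the fix."""

    def __init__(self, users: dict[str, str]) -> None:
        self._users = users

    def user_exists(self, username: str) -> bool:
        return username in self._users


class NativeUsersStore:
    """Stand-in for native-realm users kept as documents in the .security index."""

    def __init__(self) -> None:
        self._docs: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._docs[username] = (salt, self._hash(password, salt))

    def user_exists(self, username: str) -> bool:
        return username in self._docs

    def change_password(self, username: str, new_password: str) -> None:
        salt = os.urandom(16)
        self._docs[username] = (salt, self._hash(new_password, salt))

    def verify(self, username: str, password: str) -> bool:
        if username not in self._docs:
            return False
        salt, stored = self._docs[username]
        return hmac.compare_digest(stored, self._hash(password, salt))


@dataclass(frozen=True)
class ChangePasswordResult:
    status: int
    reason: str


def change_password(username: str, new_password: str,
                    file_store: FileUserPasswdStore,
                    native_store: NativeUsersStore) -> ChangePasswordResult:
    """Realm-aware handling: file-realm users get an informative error instead of 'must exist'."""
    # Early exit added by the fix: a cheap file-realm lookup before touching the native store.
    if file_store.user_exists(username):
        return ChangePasswordResult(
            400,
            f"user [{username}] is defined in the file realm and cannot be updated "
            "through the native change-password API",
        )
    # Pre-fix behaviour: only the native realm is consulted, so any other miss
    # surfaces as the misleading "user must exist" validation error.
    if not native_store.user_exists(username):
        return ChangePasswordResult(400, USER_MUST_EXIST)
    native_store.change_password(username, new_password)
    return ChangePasswordResult(200, "password updated")


def demo() -> dict[str, ChangePasswordResult]:
    """Run the three interesting cases: file-realm user, native user, unknown user."""
    file_store = FileUserPasswdStore(parse_users_file(SAMPLE_USERS_FILE))
    native_store = NativeUsersStore()
    native_store.create("alice", "old-Password-12345")  # constructed native user
    new_pw = "new-Password-12345"
    return {
        "elastic": change_password("elastic", new_pw, file_store, native_store),
        "alice": change_password("alice", new_pw, file_store, native_store),
        "nobody": change_password("nobody", new_pw, file_store, native_store),
    }


if __name__ == "__main__":
    for user, result in demo().items():
        print(f"{user}: {result.status} {result.reason}")
```

The ordering matters: the file-realm check runs before the native lookup, so a file-defined `elastic` never reaches the code path that produces the "user must exist" message, while genuinely unknown users still get the original validation error.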
5 participants