opendistro-for-elasticsearch / security-kibana-plugin

Apache License 2.0

Password hash not returned via `_opendistro/_security/api/internalusers/{username}` API, and logins fail when creating user with `hash` instead of `password` via API. #5

Open TonyLovesDevOps opened 3 years ago

TonyLovesDevOps commented 3 years ago

Hi there, I'm not sure if this is the right place for this issue - please direct me if I should file this somewhere else.

Environment: AWS Elasticsearch version 7.9 with Service software release R20210331

I'm trying to create users via the API, and using hash to specify the password doesn't seem to be working. Additionally, the hash attribute is a blank string for all of the users I GET via the API (whether they were created via the API or UI). This comment makes it sound like the hash should be returned.

Example 1: Create user with password and retrieve user from API

# Create user with password
$ curl -u $ES_USER:$ES_PASSWORD -X PUT -H "Content-Type: application/json" "$ES_URL/_opendistro/_security/api/internalusers/fizz" -d '{ "password": "F00BarB@z" }'
{"status":"CREATED","message":"'fizz' created."}

# Retrieve user to see what their password hash is
$ curl -s -u $ES_USER:$ES_PASSWORD -X GET "$ES_URL/_opendistro/_security/api/internalusers/fizz" | jq -r .
{
  "fizz": {
    "hash": "",
    "reserved": false,
    "hidden": false,
    "backend_roles": [],
    "attributes": {},
    "opendistro_security_roles": [],
    "static": false
  }
}

Example 1 result: I can log in as 'fizz' with the specified password, but no hash is shown from the API in response to the GET.

Example 2: Create user with password hash and retrieve user from API

$ PASSWORD_HASH=$(docker run --rm -i epicsoft/bcrypt:latest hash F00BarB@z)
$ curl -u $ES_USER:$ES_PASSWORD -X PUT -H "Content-Type: application/json" "$ES_URL/_opendistro/_security/api/internalusers/fizz" -d '{ "hash": "'"$PASSWORD_HASH"'" }'
{"status":"CREATED","message":"'fizz' created."}

$ curl -s -u $ES_USER:$ES_PASSWORD -X GET "$ES_URL/_opendistro/_security/api/internalusers/fizz" | jq -r .
{
  "fizz": {
    "hash": "",
    "reserved": false,
    "hidden": false,
    "backend_roles": [],
    "attributes": {},
    "opendistro_security_roles": [],
    "static": false
  }
}

Example 2 result: I can log in as 'fizz' with the password used to generate the hash, but no hash is shown from the API in response to the GET.

NB: it's not clear from the API documentation which hashing algorithm should be used. ~I tried the -5, -6, and -apr1 options to openssl passwd, all to no avail.~ EDIT: I found buried in the archived security repo that the hash is a bcrypt hash. I tried that, and logins succeed! However, the hash is still not returned via API.
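The two points in this report that trip people up are (a) the `hash` field must be a bcrypt modular-crypt string, not the `$5$`/`$6$`/`$apr1$` output of `openssl passwd`, and (b) the GET response carries an empty `hash`, so you cannot read the stored hash back to confirm what was written. The helper below, an added example that is not the reporter's or the plugin's code, checks a candidate hash's format before it is sent, builds the internalusers request body for either the `password` or the `hash` form, and inspects a GET response to report whether a hash is exposed at all. The bcrypt regex and the sample strings are assumptions constructed here (the "hash" values are format-valid but were not derived from any real password); it does not talk to a cluster.

```python
import json
import re

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, then 53 chars
# of the bcrypt base64 alphabet (22-char salt + 31-char digest).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Other crypt(3)-style prefixes the reporter tried (openssl passwd -5/-6/-apr1);
# the internalusers API does not accept these for `hash`.
OTHER_CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$apr1$": "apr1 (Apache MD5)",
}

# Constructed sample: the GET body shown in the issue, with an empty `hash`.
SAMPLE_GET_RESPONSE = json.dumps({
    "fizz": {
        "hash": "",
        "reserved": False,
        "hidden": False,
        "backend_roles": [],
        "attributes": {},
        "opendistro_security_roles": [],
        "static": False,
    }
})

# Constructed, format-valid bcrypt string (not a hash of any real password).
SAMPLE_BCRYPT = "$2y$12$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
# Constructed sha512crypt-style string, as `openssl passwd -6` would emit.
SAMPLE_SHA512CRYPT = "$6$rounds=5000$saltsalt$notarealdigest"


def classify_hash(candidate):
    """Return (algorithm name, bcrypt cost or None) for a crypt-style string."""
    m = BCRYPT_RE.match(candidate)
    if m:
        return "bcrypt", int(m.group(1))
    for prefix, name in OTHER_CRYPT_PREFIXES.items():
        if candidate.startswith(prefix):
            return name, None
    return "unknown", None


def build_internaluser_body(password=None, hash_=None, backend_roles=()):
    """Build the JSON body for PUT .../api/internalusers/{username}.

    Exactly one of `password` or `hash_` must be given. A `hash_` is rejected
    up front unless it is bcrypt, which is what the plugin expects.
    """
    if (password is None) == (hash_ is None):
        raise ValueError("provide exactly one of password or hash_")
    body = {"backend_roles": list(backend_roles)}
    if password is not None:
        body["password"] = password
    else:
        algo, _cost = classify_hash(hash_)
        if algo != "bcrypt":
            raise ValueError(
                f"hash looks like {algo}; the internalusers API expects bcrypt")
        body["hash"] = hash_
    return json.dumps(body)


def hash_exposed_in_get(response_text, username):
    """True only if the GET response returns a non-empty hash for the user."""
    data = json.loads(response_text)
    return bool(data.get(username, {}).get("hash"))


if __name__ == "__main__":
    print(classify_hash(SAMPLE_BCRYPT))
    print(build_internaluser_body(hash_=SAMPLE_BCRYPT, backend_roles=["readall"]))
    print("hash exposed:", hash_exposed_in_get(SAMPLE_GET_RESPONSE, "fizz"))
```

Because the GET never returns the stored hash, the only confirmation that a `hash`-created user was written correctly is a successful authentication with the original password, as the reporter did; the format check above at least catches a non-bcrypt string before it is stored.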