Thanks to all who helped with my recent issues getting the admin account working. Now we’re getting closer to using this in prod, and the “auth_key” with the plain-text password ain’t gonna fly, so I’m looking to switch to using “auth_key_unix”. I’ve got puppet hashing the password and storing it in the readonlyrest.yml file, and have updated the in-index config. Ultimately, I’d like to have the in-index config updated when the yml file is updated, but to do that well, I need to check the in-index config against the yml file so I’m not just updating it each time puppet runs.
I can dump the in-index config with this command:
eval echo -ne "$(curl -sk https://localhost:9200/.readonlyrest/_search | jq '.hits.hits[0]._source.settings')" > index.config
I had been using that previously to compare the in-index config against the YML with good results. The problem I’m running into now is once I’ve switched to auth_key_unix instead of auth_key, I’m getting the following when I run the diff between the in-index and YML files:
root@elasticsearch2-0:cheerschap# diff index.dump /etc/es/readonlyrest.yml
19c19
< auth_key_unix: "admin:XKtO65AqrtyY5b1.x6DskxW/..."
---
> auth_key_unix: "admin:$6$2XKtO65AqrtyY5b1$HSspgFwZycD..."
The YML file has the SHA-512 password hash as would be found in the /etc/shadow file (generated by puppet) - and admin auth works so that’s very good, but the stored value doesn’t match. The seed is repeated in what’s stored (first 16 chars), but then the hash portion is only the end of the hash.
Is this how ROR stores this value? Is that better than just storing it as supplied in the YML file?
I guess I could write the script to extract the in-index config and then extract the relevant parts of the password hash; I’m just curious why there’s a difference between the YML and the in-index version of the same.
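
Added example, not part of the original post: a `$6$salt$hash` string passed through `eval echo` loses `$6`, `$2` and the `$Name` prefix of the hash to shell parameter expansion, which is the pattern in the diff above. The sketch reproduces that with a constructed hash and decodes the same text without `eval`; the function names and the sample settings are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Constructed sample: the settings value as jq prints it without -r, i.e. one
# JSON string literal. The crypt hash is made up; it is not the one in the post.
SAMPLE_JSON='"access_control_rules:\n- name: admin\n  auth_key_unix: \"admin:$6$2SaltSaltSaltSal$HashPart.Rest/OfHash\"\n"'

# Command shape from the post. eval re-parses the text as shell source, so
# inside the double quotes $6, $2 and $HashPart expand as (unset) parameters
# and vanish. Any $(...) in the fetched text would be executed the same way.
decode_with_eval() {
    ( set +u; eval echo -ne "$1" )
}

# Decode without handing the text to the shell parser. Stand-in for `jq -r`
# so this runs without jq: strip the outer quotes, unescape \", and let
# printf %b turn \n into newlines. A "$" is just a character here.
decode_without_eval() {
    printf '%b' "$(printf '%s' "$1" | sed -e 's/^"//' -e 's/"$//' -e 's/\\"/"/g')"
}

# Pick out the credential line for comparison.
auth_line() {
    grep 'auth_key_unix' | sed 's/^ *//'
}

echo "via eval:     $(decode_with_eval "$SAMPLE_JSON" | auth_line)"
echo "without eval: $(decode_without_eval "$SAMPLE_JSON" | auth_line)"
```

In the pipeline from the post, the equivalent change is to run `jq -r '.hits.hits[0]._source.settings'` and redirect its output straight to the file, with no `eval echo` around it.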