Encoding of auth_key_unix in in-index config


(Chris H) #1

Thanks to all who helped with my recent issues getting the admin account working. Now we’re getting closer to using this in prod, and the “auth_key” with the plain-text password ain’t gonna fly, so I’m looking to switch to using “auth_key_unix”. I’ve got puppet hashing the password and storing it in the readonlyrest.yml file, and have updated the in-index config. Ultimately, I’d like to have the in-index config updated when the yml file is updated, but to do that well, I need to check the in-index config against the yml file so I’m not just updating it each time puppet runs.

I can dump the in-index config with this command:

eval echo -ne "$(curl -sk https://localhost:9200/.readonlyrest/_search | jq '.hits.hits[0]._source.settings')" > index.config

I had been using that previously to compare the in-index config against the YML with good results. The problem I’m running into now is once I’ve switched to auth_key_unix instead of auth_key, I’m getting the following when I run the diff between the in-index and YML files:

[email protected]:cheerschap# diff index.dump /etc/es/readonlyrest.yml
19c19
<       auth_key_unix: "admin:XKtO65AqrtyY5b1.x6DskxW/..."
---
>       auth_key_unix: "admin:$6$2XKtO65AqrtyY5b1$HSspgFwZycD..."

The YML file has the SHA-512 password hash as would be found in the /etc/shadow file (generated by puppet) - and admin auth works so that’s very good, but the stored value doesn’t match. The seed is repeated in what’s stored, (first 16 chars) but then the hash portion is only the end of the hash.

Is this how ROR stores this value? is that better than just storing it as supplied in the YML file?

I guess I could write the script to extract the in-index config and then extract the relevant parts of the password hash, just curious why the difference between the YML and the in-index version of the same.


(mdnuts) #2

sorry to inject here - but man I like the way you’re doing that auth.


(Simone Scarduzio) #3

Me and @coutoPL have been experimenting with this, and the result is that first of all, the settings are correctly saved to the index, and correctly returned by the API. Secondly, the issue you are facing is more bound to the commands you use.

This cuts the the auth_key_unix value:

eval echo -ne "$(curl -sk -ukibana:kibana https://localhost:9200/.readonlyrest/_search | jq '.hits.hits[0]._source.settings')"

But this simpler version, does not:

curl -sk -u admin:dev https://localhost:9200/.readonlyrest/_search | jq '.hits.hits[0]. *source.settings'*


(Chris H) #4

ohhhhh of course - the shell is killing the middle bits because of the $ characters, damn, I should have caught that. Thanks for the proper command!