This PR addresses #113535 - a confusing error message when the user attempts to update the password for the elastic superuser in a cloud deployment.

At the heart of the issue is the difference in how the `elastic` superuser is implemented on self-hosted deployments vs. managed cloud deployments. Elasticsearch has two distinct security realms: `file` and `native`. On a self-hosted deployment, the `elastic` superuser is represented as a document in the `.security` index, whereas in a cloud deployment `elastic` is defined in the `ES_PATH_CONF/users` and `ES_PATH_CONF/user_roles` files placed on each node in the cluster.

The TransportChangePasswordAction impl is designed to update the password for users in the `native` realm specifically, and a failure on cloud to change the password for `elastic` using the Change Password API fails with the error that the user does not exist.

The solution here leverages `fileUserPasswdStore.userExists` to do a low cost check on whether the request username belongs to the `file` realm and will exit early with an informative error message if that is the case.

Author: ankit--sethi

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordAction.java

@@ -11,6 +11,7 @@
 import org.elasticsearch.action.ActionType;
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.action.support.HandledTransportAction;
+import org.elasticsearch.common.ValidationException;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.injection.guice.Inject;
@@ -21,25 +22,32 @@
 import org.elasticsearch.xpack.core.security.authc.support.Hasher;
 import org.elasticsearch.xpack.core.security.user.AnonymousUser;
 import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
+import org.elasticsearch.xpack.security.authc.file.FileUserPasswdStore;
 
 import java.util.Locale;
 
+import static org.elasticsearch.core.Strings.format;
+import static org.elasticsearch.xpack.core.security.user.UsernamesField.ELASTIC_NAME;
+
 public class TransportChangePasswordAction extends HandledTransportAction<ChangePasswordRequest, ActionResponse.Empty> {
 
     public static final ActionType<ActionResponse.Empty> TYPE = new ActionType<>("cluster:admin/xpack/security/user/change_password");
     private final Settings settings;
     private final NativeUsersStore nativeUsersStore;
+    private final FileUserPasswdStore fileUserPasswdStore;
 
     @Inject
     public TransportChangePasswordAction(
         Settings settings,
         TransportService transportService,
         ActionFilters actionFilters,
-        NativeUsersStore nativeUsersStore
+        NativeUsersStore nativeUsersStore,
+        FileUserPasswdStore fileUserPasswdStore
     ) {
         super(TYPE.name(), transportService, actionFilters, ChangePasswordRequest::new, EsExecutors.DIRECT_EXECUTOR_SERVICE);
         this.settings = settings;
         this.nativeUsersStore = nativeUsersStore;
+        this.fileUserPasswdStore = fileUserPasswdStore;
     }
 
     @Override
@@ -62,6 +70,25 @@ protected void doExecute(Task task, ChangePasswordRequest request, ActionListene
             );
             return;
         }
+
+        if (fileUserPasswdStore.userExists(request.username())) {
+            // File realm users cannot be managed through this API.
+            // unresolved q: is it possible a username is repeated across file and native realms, such that stopping here is incorrect?
+            logger.debug(() -> format("failed to change password for user [%s]", request.username()));
+            ValidationException validationException = new ValidationException();
+            validationException.addValidationError(
+                "user ["
+                    + username
+                    + "] is file-based and cannot be managed via this API."
+                    + (ELASTIC_NAME.equalsIgnoreCase(username)
+                        ? " To update the '" + ELASTIC_NAME + "' user in a cloud deployment, use the console."
+                        : "")
+            );
+            listener.onFailure(validationException);
+            return;
+        }
+
         nativeUsersStore.changePassword(request, listener.safeMap(v -> ActionResponse.Empty.INSTANCE));
+
     }
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java

@@ -10,6 +10,7 @@
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.ActionResponse;
 import org.elasticsearch.action.support.ActionFilters;
+import org.elasticsearch.common.ValidationException;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.test.ESTestCase;
@@ -26,6 +27,8 @@
 import org.elasticsearch.xpack.core.security.user.KibanaUser;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
+import org.elasticsearch.xpack.security.authc.file.FileUserPasswdStore;
+import org.mockito.Mockito;
 
 import java.util.Collections;
 import java.util.Locale;
@@ -56,6 +59,7 @@ public void testAnonymousUser() {
             .build();
         AnonymousUser anonymousUser = new AnonymousUser(settings);
         NativeUsersStore usersStore = mock(NativeUsersStore.class);
+        FileUserPasswdStore fileUserPasswdStore = mock(FileUserPasswdStore.class);
         TransportService transportService = new TransportService(
             Settings.EMPTY,
             mock(Transport.class),
@@ -69,7 +73,8 @@ public void testAnonymousUser() {
             settings,
             transportService,
             mock(ActionFilters.class),
-            usersStore
+            usersStore,
+            fileUserPasswdStore
         );
         // Request will fail before the request hashing algorithm is checked, but we use the same algorithm as in settings for consistency
         ChangePasswordRequest request = new ChangePasswordRequest();
@@ -96,6 +101,56 @@ public void onFailure(Exception e) {
         verifyNoMoreInteractions(usersStore);
     }
 
+    public void testFileRealmUser() {
+        final Hasher hasher = getFastStoredHashAlgoForTests();
+        Settings settings = Settings.builder()
+            .put(AnonymousUser.ROLES_SETTING.getKey(), "superuser")
+            .put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), hasher.name())
+            .build();
+        ElasticUser elasticUser = new ElasticUser(true);
+        NativeUsersStore usersStore = mock(NativeUsersStore.class);
+        FileUserPasswdStore fileUserPasswdStore = mock(FileUserPasswdStore.class);
+        TransportService transportService = new TransportService(
+            Settings.EMPTY,
+            mock(Transport.class),
+            mock(ThreadPool.class),
+            TransportService.NOOP_TRANSPORT_INTERCEPTOR,
+            x -> null,
+            null,
+            Collections.emptySet()
+        );
+        TransportChangePasswordAction action = new TransportChangePasswordAction(
+            settings,
+            transportService,
+            mock(ActionFilters.class),
+            usersStore,
+            fileUserPasswdStore
+        );
+        Mockito.when(fileUserPasswdStore.userExists(Mockito.eq(elasticUser.principal()))).thenReturn(true);
+        ChangePasswordRequest request = new ChangePasswordRequest();
+        request.username(elasticUser.principal());
+        request.passwordHash(hasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
+
+        final AtomicReference<Throwable> throwableRef = new AtomicReference<>();
+        final AtomicReference<ActionResponse.Empty> responseRef = new AtomicReference<>();
+        action.doExecute(mock(Task.class), request, new ActionListener<>() {
+            @Override
+            public void onResponse(ActionResponse.Empty changePasswordResponse) {
+                responseRef.set(changePasswordResponse);
+            }
+
+            @Override
+            public void onFailure(Exception e) {
+                throwableRef.set(e);
+            }
+        });
+
+        assertThat(responseRef.get(), is(nullValue()));
+        assertThat(throwableRef.get(), instanceOf(ValidationException.class));
+        assertThat(throwableRef.get().getMessage(), containsString("is file-based and cannot be managed via this API"));
+        verifyNoMoreInteractions(usersStore);
+    }
+
     public void testValidUser() {
         testValidUser(randomFrom(new ElasticUser(true), new KibanaUser(true), new User("joe")));
     }
@@ -107,6 +162,7 @@ public void testValidUserWithInternalUsername() {
     private void testValidUser(User user) {
         final Hasher hasher = getFastStoredHashAlgoForTests();
         NativeUsersStore usersStore = mock(NativeUsersStore.class);
+        FileUserPasswdStore fileUserPasswdStore = mock(FileUserPasswdStore.class);
         ChangePasswordRequest request = new ChangePasswordRequest();
         request.username(user.principal());
         request.passwordHash(hasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
@@ -132,7 +188,8 @@ private void testValidUser(User user) {
             passwordHashingSettings,
             transportService,
             mock(ActionFilters.class),
-            usersStore
+            usersStore,
+            fileUserPasswdStore
         );
         final AtomicReference<Throwable> throwableRef = new AtomicReference<>();
         final AtomicReference<ActionResponse.Empty> responseRef = new AtomicReference<>();
@@ -157,6 +214,7 @@ public void onFailure(Exception e) {
     public void testWithPasswordThatsNotAHash() {
         final User user = randomFrom(new ElasticUser(true), new KibanaUser(true), new User("joe"));
         NativeUsersStore usersStore = mock(NativeUsersStore.class);
+        FileUserPasswdStore fileUserPasswdStore = mock(FileUserPasswdStore.class);
         ChangePasswordRequest request = new ChangePasswordRequest();
         request.username(user.principal());
         request.passwordHash(randomAlphaOfLengthBetween(14, 20).toCharArray());
@@ -177,7 +235,8 @@ public void testWithPasswordThatsNotAHash() {
             passwordHashingSettings,
             transportService,
             mock(ActionFilters.class),
-            usersStore
+            usersStore,
+            fileUserPasswdStore
         );
         action.doExecute(mock(Task.class), request, new ActionListener<>() {
             @Override
@@ -204,6 +263,7 @@ public void testWithDifferentPasswordHashingAlgorithm() {
         final User user = randomFrom(new ElasticUser(true), new KibanaUser(true), new User("joe"));
         final Hasher hasher = getFastStoredHashAlgoForTests();
         NativeUsersStore usersStore = mock(NativeUsersStore.class);
+        FileUserPasswdStore fileUserPasswdStore = mock(FileUserPasswdStore.class);
         ChangePasswordRequest request = new ChangePasswordRequest();
         request.username(user.principal());
         request.passwordHash(hasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
@@ -235,7 +295,8 @@ public void testWithDifferentPasswordHashingAlgorithm() {
             passwordHashingSettings,
             transportService,
             mock(ActionFilters.class),
-            usersStore
+            usersStore,
+            fileUserPasswdStore
         );
         action.doExecute(mock(Task.class), request, new ActionListener<>() {
             @Override
@@ -259,6 +320,7 @@ public void testException() {
         final Hasher hasher = getFastStoredHashAlgoForTests();
         final User user = randomFrom(new ElasticUser(true), new KibanaUser(true), new User("joe"));
         NativeUsersStore usersStore = mock(NativeUsersStore.class);
+        FileUserPasswdStore fileUserPasswdStore = mock(FileUserPasswdStore.class);
         ChangePasswordRequest request = new ChangePasswordRequest();
         request.username(user.principal());
         request.passwordHash(hasher.hash(SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
@@ -285,7 +347,8 @@ public void testException() {
             passwordHashingSettings,
             transportService,
             mock(ActionFilters.class),
-            usersStore
+            usersStore,
+            fileUserPasswdStore
         );
         final AtomicReference<Throwable> throwableRef = new AtomicReference<>();
         final AtomicReference<ActionResponse.Empty> responseRef = new AtomicReference<>();