How to reset Elasticsearch Open Distro / OpenSearch admin password

Prerequisites

You need to have root access to your Elasticsearch nodes.

Step 1: Create a new password hash

Passwords are stored as hashes in a file named internal_users.yml. As the name suggests, this file stores user credentials, including those of the admin user. Therefore, the first step is to create the hash. The Open Distro security plugin provides a script to create a password hash:

/usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh

This will prompt you for a password and print its hash. Copy the output, as we are going to store it in internal_users.yml.

NOTE: hash.sh produces bcrypt hashes (the $2y$12$ prefix), which embed a random salt, so you will see a different output each time you hash the same password. Any one of them is valid.

Step 2: Update internal_users.yml

vi /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Find the "admin" user section and replace the value of hash with the one printed by hash.sh (the value shown below is the hash from the demo configuration):

admin:
  hash: "$2y$12$UrLh1/OG6EhZ8RC27BD5ROOQ.4ioECP7RbE1ILC9vg4bWo0cx6vhS"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"

Step 3: Apply security changes

The opendistro_security plugin stores users and permissions in an index (.opendistro_security), so after any change to the opendistro_security configuration files the index has to be updated. This is done with the securityadmin.sh script in the opendistro_security tools directory.

I'm using the default/demo certificates. Replace them with your own custom certificates if you're in production; they should be located in the /etc/elasticsearch/ directory.

cd /usr/share/elasticsearch/plugins/opendistro_security/tools/

sh securityadmin.sh -cd ../securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk-key.pem

Output:

Open Distro Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Elasticsearch Version: 7.8.0
Open Distro Security Version: 1.9.0.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 2
Number of data nodes: 2
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
Will update '_doc/config' with ../securityconfig/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with ../securityconfig/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with ../securityconfig/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with ../securityconfig/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with ../securityconfig/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with ../securityconfig/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with ../securityconfig/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Done with success

You should see "Done with success" at the bottom of the output.
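The edit in Step 2 is easy to get wrong by hand (a plaintext password pasted where the hash belongs, or the wrong user's hash line changed). The script below is an added example, not part of the original post or of the Open Distro project: it validates that the new value looks like bcrypt output from hash.sh, backs the file up, and rewrites only the hash line under the chosen user. The sample internal_users.yml and both hash values are constructed for the demo; the admin hash in it is the demo configuration's value shown in Step 2.

```sh
#!/bin/sh
# Added example: rewrite one user's bcrypt hash in a copy of internal_users.yml
# without touching other users. Sample file and hashes below are constructed.
set -eu

# Accept only what hash.sh prints: $2a$/$2b$/$2y$, a two-digit cost and 53
# bcrypt-base64 chars. Plaintext or a hash with stray characters is rejected.
is_bcrypt_hash() {
    printf '%s\n' "$1" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# set_user_hash FILE USER HASH: back FILE up to FILE.bak, then replace only the
# 'hash:' line that sits directly under USER's top-level key.
set_user_hash() {
    file=$1; user=$2; newhash=$3
    is_bcrypt_hash "$newhash" || { echo "refusing: not a bcrypt hash" >&2; return 1; }
    grep -Eq '^'"$user"':[[:space:]]*$' "$file" || { echo "refusing: no user '$user'" >&2; return 1; }
    cp -p "$file" "$file.bak"
    awk -v user="$user" -v newhash="$newhash" '
        /^[^[:space:]#]/ { cur = $0; sub(/:.*/, "", cur) }   # top-level key: current user block
        cur == user && /^[[:space:]]+hash:/ { sub(/hash:.*/, "hash: \"" newhash "\"") }
        { print }
    ' "$file.bak" > "$file"
}

# get_user_hash FILE USER: print the hash currently stored for USER, unquoted.
get_user_hash() {
    awk -v user="$2" '
        /^[^[:space:]#]/ { cur = $0; sub(/:.*/, "", cur) }
        cur == user && /^[[:space:]]+hash:/ { gsub(/^[[:space:]]+hash:[[:space:]]*"|"[[:space:]]*$/, ""); print }
    ' "$1"
}

# Constructed sample with two users, so the run shows that only admin changes.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
admin:
  hash: "$2y$12$UrLh1/OG6EhZ8RC27BD5ROOQ.4ioECP7RbE1ILC9vg4bWo0cx6vhS"
  reserved: true
  description: "Demo admin user"

kibanaserver:
  hash: "$2y$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
  reserved: true
EOF

# Demo run with a constructed replacement hash; only the admin line changes.
set_user_hash "$SAMPLE_FILE" admin '$2y$12$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ'
printf 'admin: %s\nkibanaserver: %s\n' \
    "$(get_user_hash "$SAMPLE_FILE" admin)" "$(get_user_hash "$SAMPLE_FILE" kibanaserver)"
```

On a real node, point it at the securityconfig/internal_users.yml path from Step 2 and pass the hash printed by hash.sh, then run securityadmin.sh as in Step 3.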

Conclusion

In this tutorial, we covered how to change or reset the Elasticsearch Open Distro admin password.
