You need to have root access to your Elasticsearch nodes.
Step 1: Create a new password hash
Passwords are stored in hashed form in a file named internal_users.yml. As the name suggests, this file stores user credentials, including those of the admin user. Therefore, the first step is to create the hash. Elasticsearch provides a script, hash.sh, to create a password hash
This will prompt you to enter a password and output its hash. Copy the output, as we are going to store it in
NOTE: It appears that the hash.sh script adds a salt to the password to improve security, so you may see different outputs for the same input.
Step 2: Update internal_users.yml
Find the “admin” user section and update the hash value:
description: "Demo admin user"
Step 3: Apply security changes
The opendistro_security plugin stores users and permissions in an index (.opendistro_security), so the index must be updated after any change to the opendistro_security configuration. This is done with the securityadmin.sh script, which is located under the opendistro_security tools.
I’m using default/demo certificates. Replace them with your own custom certificates if you’re in production; they should be located in
sh securityadmin.sh -cd ../securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk-key.pem
Open Distro Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Elasticsearch Version: 7.8.0
Open Distro Security Version: 184.108.40.206
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Number of nodes: 2
Number of data nodes: 2
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
Will update '_doc/config' with ../securityconfig/config.yml
SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with ../securityconfig/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with ../securityconfig/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with ../securityconfig/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with ../securityconfig/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with ../securityconfig/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with ../securityconfig/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Done with success
You should see “Done with success” at the bottom of the output.
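The Step 2 edit can be scripted so that only the admin entry changes and a backup is kept; the script below is an added example, not part of the original tutorial or of Open Distro. The function names (is_bcrypt, set_user_hash, write_sample), the sample file and both hash strings are constructed for illustration, and the script assumes that hash.sh emits a bcrypt-format string and that internal_users.yml is laid out as in the sample.

```shell
# Added example (not from the tutorial): replace one user's hash in
# internal_users.yml. Assumes bcrypt hashes and top-level "name:" keys with a
# two-space-indented "hash:" line, as in the constructed sample below.

# is_bcrypt HASH: succeeds if HASH has the shape of a bcrypt hash.
is_bcrypt() {
    printf '%s\n' "$1" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# set_user_hash FILE USER HASH: rewrite USER's hash line, keeping FILE.bak.
# Returns 2 for a malformed hash, 3 if USER does not have exactly one hash line.
set_user_hash() {
    file=$1; user=$2
    is_bcrypt "$3" || { echo "not a bcrypt hash" >&2; return 2; }
    cp -p "$file" "$file.bak" || return 1
    # The hash travels via the environment: its "$" and "/" characters would
    # be mangled by shell interpolation or by a sed replacement string.
    NEW_HASH=$3 awk -v user="$user" '
        /^[^ #]/ { in_user = ($0 == (user ":")) }   # a new top-level key
        in_user && /^  hash:/ { print "  hash: \"" ENVIRON["NEW_HASH"] "\""; n++; next }
        { print }
        END { exit (n == 1 ? 0 : 3) }               # exactly one replacement
    ' "$file.bak" > "$file.tmp" || { rm -f "$file.tmp"; return 3; }
    # Overwrite in place so the file keeps its owner and permissions.
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# write_sample FILE: constructed internal_users.yml with placeholder hashes.
write_sample() {
    cat > "$1" <<'EOF'
_meta:
  type: "internalusers"

admin:
  hash: "$2a$12$OLD.ADMIN.PLACEHOLDER"
  reserved: true
  description: "Demo admin user"

kibanaserver:
  hash: "$2a$12$OLD.KIBANA.PLACEHOLDER"
EOF
}

# Demo: apply a made-up, bcrypt-shaped hash and show what changed.
demo=$(mktemp -d) && write_sample "$demo/internal_users.yml" &&
    set_user_hash "$demo/internal_users.yml" admin \
        '$2y$12$ConstructedExampleHashValue.NotARealBcryptDigest/0123' &&
    diff "$demo/internal_users.yml.bak" "$demo/internal_users.yml" || true
rm -rf "$demo"
```

Editing the file this way does not change the running cluster: the securityadmin.sh run from Step 3 is still needed to load it into the .opendistro_security index.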
In this tutorial, we covered how to change or reset the Elasticsearch Open Distro admin password.