Prerequisites
You need to have root access to your Elasticsearch nodes.
Step 1: Create a new password hash
Passwords are stored in a hash format in a file named internal_users.yml file. As the name suggests this file stores user credentials including the admin user. Therefore, the first step is to create the hash. Elasticsearch provides a script to create a password hash
/usr/share/elasticsearch/plugins/opendistro_security/tools/hash.shThis will prompt you to enter a password and outputs its hash. Copy the output as we are going to store it in internal_users.yml
NOTE: It appears that hash.sh script add salts to the password to improve security and therefore you may see different outputs for the same input.
Step 2: Update internal_users.yml
vi /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.ymlFind the “admin” user section and update the hash value:
admin:
hash: "$2y$12$UrLh1/OG6EhZ8RC27BD5ROOQ.4ioECP7RbE1ILC9vg4bWo0cx6vhS"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"Step 3: Apply security changes
The opendistro_security plugin stores users and permissions in an index (.opendistro_security) and therefore we need to update the index after making any changes to opendistro_security configurations. This is done through securityadmin.sh script which is under opendistro_security tools.
I’m using default/demo certificates. Replace them with your own custom certificates if you’re in production, they should be located in /etc/elasticsearch/ directory.
cd /usr/share/elasticsearch/plugins/opendistro_security/tools/
sh securityadmin.sh -cd ../securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk-key.pemOutput:
Open Distro Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Elasticsearch Version: 7.8.0
Open Distro Security Version: 1.9.0.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 2
Number of data nodes: 2
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
Will update '_doc/config' with ../securityconfig/config.yml
SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with ../securityconfig/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with ../securityconfig/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with ../securityconfig/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with ../securityconfig/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with ../securityconfig/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with ../securityconfig/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Done with successYou should see “Done with success” at the bottom of the output.
Conclusion
In this tutorial, we covered how to change or reset Elasticsearch Open distro admin password.
