You need to have root access to your Elasticsearch nodes.
Step 1: Create a new password hash
Passwords are stored in hashed form in a file named internal_users.yml. As the name suggests, this file stores user credentials, including those of the admin user. Therefore, the first step is to create the hash. Elasticsearch provides a script to create a password hash
This will prompt you to enter a password and then output its hash. Copy the output as we are going to store it in
NOTE: It appears that the hash.sh script adds a salt to the password to improve security, and therefore you may see different outputs for the same input.
Step 2: Update internal_users.yml
Find the “admin” user section and update the hash value:
admin:
  hash: "$2y$12$UrLh1/OG6EhZ8RC27BD5ROOQ.4ioECP7RbE1ILC9vg4bWo0cx6vhS"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"
Step 3: Apply security changes
The opendistro_security plugin stores users and permissions in an index (.opendistro_security), so the index has to be updated after any change to the opendistro_security configuration files. This is done with the securityadmin.sh script, which is located under the opendistro_security tools.
I’m using the default/demo certificates. Replace them with your own custom certificates if you’re in production; they should be located in
cd /usr/share/elasticsearch/plugins/opendistro_security/tools/
sh securityadmin.sh -cd ../securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk-key.pem
Open Distro Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Elasticsearch Version: 7.8.0
Open Distro Security Version: 18.104.22.168
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 2
Number of data nodes: 2
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
Will update '_doc/config' with ../securityconfig/config.yml
SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with ../securityconfig/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with ../securityconfig/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with ../securityconfig/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with ../securityconfig/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with ../securityconfig/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with ../securityconfig/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Done with success
You should see “Done with success” at the bottom of the output.
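A pre-flight check for the edited internal_users.yml, to run before Step 3 pushes it into the security index. This is an added example, not code from the original post or from the Open Distro project. It confirms that every user's hash field holds a well-formed bcrypt string and splits out the embedded salt, which is why hashing the same password twice gives different output. The function names and MIN_COST are assumptions, and the line-based parser only handles the flat layout shown in Step 2, not general YAML.

```python
import re

# bcrypt string: $2a/$2b/$2y$ + 2-digit cost + $ + 22-char salt + 31-char digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
USER_RE = re.compile(r"^([^\s#:][^:]*):\s*$")            # unindented key = user name
HASH_RE = re.compile(r"^\s+hash:\s*[\"']?([^\"'\s]*)")   # indented hash field
MIN_COST = 12  # assumption: the cost factor of the hash shown in the article

def parse_bcrypt(value):
    """Split a bcrypt string into (cost, salt, digest); None if malformed."""
    m = BCRYPT_RE.match(value)
    if not m or not 4 <= int(m.group(1)) <= 31:
        return None
    return int(m.group(1)), m.group(2), m.group(3)

def check_internal_users(text, min_cost=MIN_COST):
    """Return {user: problem} for users whose hash is missing, malformed or weak."""
    hashes, user = {}, None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            if not user.startswith("_"):      # skip the _meta block, it is not a user
                hashes[user] = ""
        elif user in hashes:
            m = HASH_RE.match(line)
            if m:
                hashes[user] = m.group(1)
    problems = {}
    for name, value in hashes.items():
        parsed = parse_bcrypt(value)
        if parsed is None:
            problems[name] = "missing or not a bcrypt hash"
        elif parsed[0] < min_cost:
            problems[name] = f"cost {parsed[0]} is below {min_cost}"
    return problems

# Constructed sample: the admin hash is the one printed in Step 2, the rest is made up.
SAMPLE = """\
_meta:
  type: "internalusers"
admin:
  hash: "$2y$12$UrLh1/OG6EhZ8RC27BD5ROOQ.4ioECP7RbE1ILC9vg4bWo0cx6vhS"
kibanaserver:
  hash: "changeme"
readall:
  hash: "$2y$04$""" + "A" * 22 + "B" * 31 + '"\n'

if __name__ == "__main__":
    print(check_internal_users(SAMPLE))
```

An empty result means every entry is at least syntactically valid; it does not prove the hash matches the password you intended.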
In this tutorial, we covered how to change or reset the Elasticsearch Open Distro admin password.
This Post Has 2 Comments
Hi Corey, I appreciate your feedback. Can you please let me know what step exactly did not work? I am updating the article to make sure it covers everything. Thanks