0

I'm new to open distro for elasticsearch and trying to run it on the Kubernetes cluster. After deploying the cluster, I need to change the password for admin user.

I went through this post - default-password-reset

I came to know that, to change the password I need to do the following steps:

  • exec in one of the master nodes
  • generate a hash for the new password using /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh script
  • update /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml with the new hash
  • run /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh with parameters

Questions:

  • Is there any way to set those (via env or elasticsearch.yml) during bootstrapping the cluster?
Kamol Hasan
  • 12,218
  • 1
  • 37
  • 46

3 Answers3

2

I had to recreate internal_users.yml file with the updated password hashes and mounted the file in /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml directory for database pods.

So, when the Elasticsearch nodes bootstrapped, it bootstrapped with the updated password for default users ( i.e. admin ).

I used bcrypt go package to generate password hash.

Kamol Hasan
  • 12,218
  • 1
  • 37
  • 46
2

docker exec -ti ELASTIC_MASTER bash

/usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh

##enter pass

yum install nano

#replace generated hash with new one nano /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

#exec this command to take place sh /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -icl -nhnv -cacert config/root-ca.pem -cert config/admin.pem -key config/admin-key.pem

Aref
  • 144
  • 1
  • 7
0

You can also execute below commands to obtain value of username, password from you kubernetes cluster:

kubectl get secret -n wazuh elastic-cred -o go-template='{{.data.username | base64decode}}'
kubectl get secret -n wazuh elastic-cred -o go-template='{{.data.password | base64decode}}'

Note: '-n wazuh' indicates the namespace, use what applies to you

Ref: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-deploy-elasticsearch.html

vinnar
  • 15
  • 2
  • 8