We are managing securityplugin through ansible and we are not using securityadmin script to making any configuration change. Everything is working as expected. But while changing the default password for admin user, it’s throwing following error.
The OpenSearch developers has taken the active decision to make it hard to change the default admin password in the default configuration.
Yes, it’s broken by design and I dare to say one of the [worst] decisions I’ve seen in software development (how to maximize the number of installations with admin:admin as password!..)
However, it is possible to change, just not very straight forward. The docs you’re looking for is here: Apply changes with the securityadmin script - OpenSearch documentation and you’ll need to find the internal_users.yml file in your installation (likely you’re using the default files in /usr/share/opensearch/config/opensearch-security/) and run the securityadmin.sh script to update it.
Beware that securityadmin.shwill destroy the entire user database , so if you have made any manual changes, created users, etc. it will have to be redone.
Additionally - securityadmin.sh does allow flags to backup/export the current databses of users etc so if you do have anything you want to keep you can go that route.
I just copied internal_users.yaml file with “reserved: false” (for Admin user) on /tmp folder and ran the security script to disable read-only access. And then it’s allow me to change default admin password.
BTW is there any mechanism that we can apply to change the admin password periodically like in every month without any manual intervention. Please suggest.
I am using OpenSearch helm chart to install OpenSearch and also modified values.yaml file to change admin password for OpenSearch and OpenSearch dashboard but still its now working .
Could you please guide me to fix this issue .
enabled: true
path: "/usr/share/opensearch/config/opensearch-security"
actionGroupsSecret:
configSecret:
internalUsersSecret:
rolesSecret:
rolesMappingSecret:
tenantsSecret:
# The following option simplifies securityConfig by using a single secret and
# specifying the config files as keys in the secret instead of creating
# different secrets for for each config file.
# Note that this is an alternative to the individual secret configuration
# above and shouldn't be used if the above secrets are used.
config:
# There are multiple ways to define the configuration here:
# * If you define anything under data, the chart will automatically create
# a secret and mount it. This is best option to choose if you want to override all the
# existing yml files at once.
# * If you define securityConfigSecret, the chart will assume this secret is
# created externally and mount it. This is best option to choose if your intention is to
# only update a single yml file.
# * It is an error to define both data and securityConfigSecret.
securityConfigSecret: ""
dataComplete: true
data:
internal_users.yml: |-
_meta:
type: "internalusers"
config_version: 2
admin:
hash: "$2y$12$XDdc42zlZ.DhOj44X5zT.OnSxjGj5v7MEUllUG1euFG3wDp/AUGy2"
reserved: false
backend_roles:
- "admin"
description: "Demo admin user"
kibanaserver:
hash: "$2y$12$XDdc42zlZ.DhOj44X5zT.OnSxjGj5v7MEUllUG1euFG3wDp/AUGy2"
reserved: false
description: "Demo OpenSearch Dashboards user"
Also I tried to do from dashboard and getting this error "failed to reset password . forbidden Resource admin is read-only”
I even tried to update internal_user.yml admin hash and then ran securityadmin.sh also . Here is the command “sh securityadmin.sh -cd …/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk-key.pem” still no success yet
**Please suggest what to do to make it working **
A big thanks in Advance!!