Change default admin user

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.2.0

Describe the issue:

We are managing securityplugin through ansible and we are not using securityadmin script to making any configuration change. Everything is working as expected. But while changing the default password for admin user, it’s throwing following error.


    hash: !vault |
      - "admin"

Relevant Logs or Screenshots:

fatal: [localhost]: FAILED! => { 
November 17th 2022 19:06:42Info
    "changed": false, 
November 17th 2022 19:06:42Info
    "connection": "close", 
November 17th 2022 19:06:42Info
    "content": "{\"status\":\"FORBIDDEN\",\"message\":\"Resource 'admin' is read-only.\"}", 
November 17th 2022 19:06:42Info
    "content_length": "65", 
November 17th 2022 19:06:42Info
    "content_type": "application/json; charset=UTF-8", 
November 17th 2022 19:06:42Info
    "date": "Thu, 17 Nov 2022 13:36:37 GMT", 
November 17th 2022 19:06:42Info
    "elapsed": 0, 
November 17th 2022 19:06:42Info
    "json": { 
November 17th 2022 19:06:42Info
        "message": "Resource 'admin' is read-only.", 
November 17th 2022 19:06:42Info
        "status": "FORBIDDEN" 
November 17th 2022 19:06:42Info
November 17th 2022 19:06:42Info
    "redirected": false, 
November 17th 2022 19:06:42Info
    "status": 403, 
November 17th 2022 19:06:42Info
    "strict_transport_security": "max-age=15724800; includeSubDomains", 
November 17th 2022 19:06:42Info
    "url": "" 
November 17th 2022 19:06:42Info
November 17th 2022 19:06:42Info
November 17th 2022 19:06:42Info
Status code was 403 and not [200]: HTTP Error 403: Forbidden 

How can we change it to non-readonly admin user through ansible.

Could anyone please suggest.


When modifying the admin password I believe you have to also set:

  reserved: false
  hidden: false

Thanks @jasonrojas for your suggestion. But “reserved” and “hidden” doesn’t work with api. As I mentioned we are maintaining through ansible.

The OpenSearch developers has taken the active decision to make it hard to change the default admin password in the default configuration.

Yes, it’s broken by design and I dare to say one of the [worst] decisions I’ve seen in software development (how to maximize the number of installations with admin:admin as password!..)

However, it is possible to change, just not very straight forward. The docs you’re looking for is here: Apply changes with the securityadmin script - OpenSearch documentation and you’ll need to find the internal_users.yml file in your installation (likely you’re using the default files in /usr/share/opensearch/config/opensearch-security/) and run the script to update it.

Beware that will destroy the entire user database , so if you have made any manual changes, created users, etc. it will have to be redone.

1 Like

Additionally - does allow flags to backup/export the current databses of users etc so if you do have anything you want to keep you can go that route.

Thanks @jasonrojas @albgus for your input.

I just copied internal_users.yaml file with “reserved: false” (for Admin user) on /tmp folder and ran the security script to disable read-only access. And then it’s allow me to change default admin password.

BTW is there any mechanism that we can apply to change the admin password periodically like in every month without any manual intervention. Please suggest.

@kksaha @jasonrojas

I am using OpenSearch helm chart to install OpenSearch and also modified values.yaml file to change admin password for OpenSearch and OpenSearch dashboard but still its now working .
Could you please guide me to fix this issue .

  enabled: true
  path: "/usr/share/opensearch/config/opensearch-security"
  # The following option simplifies securityConfig by using a single secret and
  # specifying the config files as keys in the secret instead of creating
  # different secrets for for each config file.
  # Note that this is an alternative to the individual secret configuration
  # above and shouldn't be used if the above secrets are used.
    # There are multiple ways to define the configuration here:
    # * If you define anything under data, the chart will automatically create
    #   a secret and mount it. This is best option to choose if you want to override all the
    #   existing yml files at once.
    # * If you define securityConfigSecret, the chart will assume this secret is
    #   created externally and mount it. This is best option to choose if your intention is to
    #   only update a single yml file.
    # * It is an error to define both data and securityConfigSecret.
    securityConfigSecret: ""
    dataComplete: true
      internal_users.yml: |-
          type: "internalusers"
          config_version: 2
          hash: "$2y$12$XDdc42zlZ.DhOj44X5zT.OnSxjGj5v7MEUllUG1euFG3wDp/AUGy2"
          reserved: false
          - "admin"
          description: "Demo admin user"

          hash: "$2y$12$XDdc42zlZ.DhOj44X5zT.OnSxjGj5v7MEUllUG1euFG3wDp/AUGy2"
          reserved: false
          description: "Demo OpenSearch Dashboards user"

Also I tried to do from dashboard and getting this error "failed to reset password . forbidden Resource admin is read-only”
I even tried to update internal_user.yml admin hash and then ran also . Here is the command “sh -cd …/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk-key.pem” still no success yet
**Please suggest what to do to make it working **
A big thanks in Advance!!

@Ashutosh You can try the following approach if the above-mentioned one doesn’t work.