Change default admin user

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.2.0

Describe the issue:

We are managing securityplugin through ansible and we are not using securityadmin script to making any configuration change. Everything is working as expected. But while changing the default password for admin user, it’s throwing following error.

Configuration:

configs:
  admin:
    hash: !vault |
      $ANSIBLE_VAULT;1.1;AHS286;default
      38323839613263363663333166353930313035626361323838616164303736643639356663386535
      3631336232653261363431336236326463346237613730320a383135303432623862633736396462
      36346330646164643336303431373265623835343763326430376139383831303865636138653661
      3135663535663261330a613037376332306261613630316461646535613532306531356162333864
      33306664346163636365653636636431623861653033346466656433323864646135
    backend_roles:
      - "admin"

Relevant Logs or Screenshots:

fatal: [localhost]: FAILED! => { 
November 17th 2022 19:06:42Info
    "changed": false, 
November 17th 2022 19:06:42Info
    "connection": "close", 
November 17th 2022 19:06:42Info
    "content": "{\"status\":\"FORBIDDEN\",\"message\":\"Resource 'admin' is read-only.\"}", 
November 17th 2022 19:06:42Info
    "content_length": "65", 
November 17th 2022 19:06:42Info
    "content_type": "application/json; charset=UTF-8", 
November 17th 2022 19:06:42Info
    "date": "Thu, 17 Nov 2022 13:36:37 GMT", 
November 17th 2022 19:06:42Info
    "elapsed": 0, 
November 17th 2022 19:06:42Info
    "json": { 
November 17th 2022 19:06:42Info
        "message": "Resource 'admin' is read-only.", 
November 17th 2022 19:06:42Info
        "status": "FORBIDDEN" 
November 17th 2022 19:06:42Info
    }, 
November 17th 2022 19:06:42Info
    "redirected": false, 
November 17th 2022 19:06:42Info
    "status": 403, 
November 17th 2022 19:06:42Info
    "strict_transport_security": "max-age=15724800; includeSubDomains", 
November 17th 2022 19:06:42Info
    "url": "https://opensearch.kishorekumar.cloud:443/_plugins/_security/api/internalusers/admin" 
November 17th 2022 19:06:42Info
} 
November 17th 2022 19:06:42Info
MSG: 
November 17th 2022 19:06:42Info
Status code was 403 and not [200]: HTTP Error 403: Forbidden 

How can we change it to non-readonly admin user through ansible.

Could anyone please suggest.

Thanks,
Kishore

When modifying the admin password I believe you have to also set:

  reserved: false
  hidden: false

Thanks @jasonrojas for your suggestion. But “reserved” and “hidden” doesn’t work with api. As I mentioned we are maintaining through ansible.

The OpenSearch developers has taken the active decision to make it hard to change the default admin password in the default configuration.

Yes, it’s broken by design and I dare to say one of the [worst] decisions I’ve seen in software development (how to maximize the number of installations with admin:admin as password!..)

However, it is possible to change, just not very straight forward. The docs you’re looking for is here: Apply changes with the securityadmin script - OpenSearch documentation and you’ll need to find the internal_users.yml file in your installation (likely you’re using the default files in /usr/share/opensearch/config/opensearch-security/) and run the securityadmin.sh script to update it.

Beware that securityadmin.sh will destroy the entire user database , so if you have made any manual changes, created users, etc. it will have to be redone.

Additionally - securityadmin.sh does allow flags to backup/export the current databses of users etc so if you do have anything you want to keep you can go that route.

Thanks @jasonrojas @albgus for your input.

I just copied internal_users.yaml file with “reserved: false” (for Admin user) on /tmp folder and ran the security script to disable read-only access. And then it’s allow me to change default admin password.

BTW is there any mechanism that we can apply to change the admin password periodically like in every month without any manual intervention. Please suggest.