Changing admin password without the security plugin

Hi! Assuming I am not able to deploy the opensearch security plugin due to legal issues, is there any hope for me to deploy OpenSearch into a k8s cluster with different admin credentials than admin:admin?

The only thought I had so far would be to download and modify the source code to have a random password, then build from that.

Is that possible, do you think, or is there any better way?

Sorry for the ridiculous requirement, consider it a hypothetical problem if that helps :)

Thanks

@nethlaria If you can’t deploy the security plugin then you don’t need to set an admin password as the login feature is part of the security plugin.

Hi @pablo. I must be missing something then, when I spin up a local opensearch cluster using docker compose, it seems to have admin:admin out of the box, this is how I log in to the dashboard at :5601. In fact there don’t seem to be any other users available.

@nethlaria The OpenSearch docker already has a security plugin installed. Admin user is a built-in user of the security plugin.

Could you explain what your use case is? My understanding of your first post was that you don’t wish to have the security plugin installed.

The initial internal user databases are defined in a yml file that lives on disk. The documentation at YAML files - OpenSearch documentation under the section “internal_users.yml” might help clear things up.

Nate

Ah, I see. I was confused between the default dashboard login and the actual OpenSearch credentials.

Also at first I had the docker compose version running, did some experiments then tried out the minimal distro here and assumed the admin:admin creds would be the same for logstash, not realising that any credentials would work.

New question: is there any way to have even basic http authentication without the security plugin?

Thanks for the replies so far.

Hello,

You can disable the security plugin (Disable security - OpenSearch documentation) and add an nginx or apache2 container to your docker-compose file configured as a reverse proxy with basic auth authentication.

Similar question here but for Kibana: Kibana 7.12 nginx reverse proxy, docker compose - Kibana - Discuss the Elastic Stack

Nginx basic auth: Restricting Access with HTTP Basic Authentication | NGINX Plus

Lionel

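The reverse-proxy approach suggested in the post above, as an added example that is not part of the original thread: nginx terminates TLS and enforces HTTP basic auth in front of an OpenSearch node running with the security plugin disabled. The service name `opensearch-node1`, the htpasswd path and the certificate paths are assumptions.

```nginx
# Added example, not from the thread.
# Assumed names: upstream host "opensearch-node1", /etc/nginx/.htpasswd,
# and the certificate paths below.
# Create the password file first, e.g.: htpasswd -c /etc/nginx/.htpasswd <user>
events {
    worker_connections 1024;
}

http {
    upstream opensearch {
        # Plain HTTP to the backend: with the security plugin disabled,
        # OpenSearch does no TLS or authentication of its own.
        server opensearch-node1:9200;
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name _;

        # Basic auth sends the password base64-encoded, so serve it over TLS only.
        ssl_certificate     /etc/ssl/certs/server.crt;
        ssl_certificate_key /etc/ssl/private/server.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # Every request must carry valid credentials from the htpasswd file.
            auth_basic           "OpenSearch";
            auth_basic_user_file /etc/nginx/.htpasswd;

            proxy_pass       http://opensearch;
            proxy_set_header Host $host;
            # Do not forward the client's credentials to the backend.
            proxy_set_header Authorization "";
        }
    }
}
```

The proxy only protects the cluster if port 9200 is reachable solely through nginx, so the OpenSearch service itself should not publish that port.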

@lguillaud thanks for this suggestion - I was thinking about making a plugin (there is an elasticsearch openssl proxy already that I can use) but this might well be better. It would be in k8s so I would define an nginx sidecar.

@lguillaud sorry for bumping an old-ish thread but do you have any advice in getting multi-node clusters to talk via reverse proxy (on port 9300 or the proxied equivalent)? Following the Nginx docs: TCP and UDP Load Balancing | NGINX Plus we couldn’t figure out how the nodes would know the certs etc to use for that protocol…

Looking at the ES docs, one would use the xpack.security.transport settings but we think that’s not possible with OS and/or without the security plugin

Hello @nethlaria,

I am not sure I will answer right, but here is the configuration I am using for an API (using uwsgi) with a self-signed certificate for nginx. There are two API endpoints (backend_1 and backend_2) load-balanced by an ssl-ized nginx (upstream).
I would imagine you are trying to do the same but with your OS cluster.

worker_processes auto;
events {
    worker_connections 1024;
}
http {
    # Log which upstream served each request and how long it took
    log_format upstreamlog '$server_name to: $upstream_addr {$request} '
        'upstream_response_time $upstream_response_time'
        ' request_time $request_time';
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error_log crit;

    # The two load-balanced API endpoints
    upstream mybackend {
        server backend_1:5000;
        server backend_2:5000;
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name _;

        # self-signed cert
        ssl_certificate /etc/ssl/certs/server.crt;
        ssl_certificate_key /etc/ssl/private/server.key;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996)
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        location / {
            include uwsgi_params;
            access_log /var/log/nginx/access.log upstreamlog;
            uwsgi_pass mybackend;
        }
    }
}

Lionel

Thanks a lot for this Lionel, I will try that out.