Changing admin password without the security plugin

Hi! Assuming I am not able to deploy the opensearch security plugin due to legal issues, is there any hope for me to deploy OpenSearch into a k8s cluster with different admin credentials than admin:admin?

The only thought I had so far would be to download and modify the source code to have a random password, then build from that.

Is that possible do you think or is there any better way?

Sorry for the ridiculous requirement, consider it a hypothetical problem if that helps :)

Thanks

@nethlaria If you can’t deploy the security plugin then you don’t need to set an admin password as the login feature is part of the security plugin.

Hi @pablo. I must be missing something then. When I spin up a local OpenSearch cluster using docker compose, it seems to have admin:admin out of the box; this is how I log in to the dashboard at :5601. In fact there don’t seem to be any other users available.

@nethlaria The OpenSearch docker already has a security plugin installed. Admin user is a built-in user of the security plugin.

Could you explain what your use case is? My understanding of your first post was that you don’t wish to have the security plugin installed.

The initial internal user databases are defined in a yml file that lives on disk. The documentation at YAML files - OpenSearch documentation under the section “internal_users.yml” might help clear things up.

Nate

Ah, I see. I was confused between the default dashboard login and the actual OpenSearch credentials.

Also at first I had the docker compose version running, did some experiments then tried out the minimal distro here and assumed the admin:admin creds would be the same for logstash, not realising that any credentials would work.

New question: is there any way to have even basic http authentication without the security plugin?

Thanks for the replies so far.

Hello,

You can disable the security plugin (Disable security - OpenSearch documentation) and add an nginx or apache2 container to your docker-compose file configured as a reverse proxy with basic auth authentication.

Similar question here but for Kibana: Kibana 7.12 nginx reverse proxy, docker compose - Kibana - Discuss the Elastic Stack

Nginx basic auth: Restricting Access with HTTP Basic Authentication | NGINX Plus

Lionel

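The reverse-proxy setup suggested above, sketched as an nginx server block. This is an added example, not configuration posted in the thread or taken from the OpenSearch or NGINX documentation; the upstream host name `opensearch`, the listen port, the realm string and the certificate and password file paths are assumptions.

```nginx
# Added example: nginx in front of an OpenSearch node that runs with the
# security plugin disabled. All names and paths below are assumed.
#
# Password file format: one "<user>:<hash>" line per user.
# A hash can be generated with:  openssl passwd -apr1

server {
    # Basic auth only base64-encodes the password, so terminate TLS here.
    listen 443 ssl;

    ssl_certificate     /etc/nginx/tls/tls.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/tls.key;   # assumed path

    # Every request through this server needs valid credentials.
    auth_basic           "OpenSearch";
    auth_basic_user_file /etc/nginx/htpasswd;     # assumed path

    # nginx defaults to 1m request bodies; bulk indexing (for example from
    # Logstash) sends larger ones and would otherwise get a 413.
    client_max_body_size 100m;

    location / {
        # docker compose: the OpenSearch service name (assumed "opensearch").
        # k8s sidecar in the same pod: use http://127.0.0.1:9200 instead;
        # the proxy and OpenSearch then share one network namespace, so the
        # proxy must listen on a port other than 9200.
        proxy_pass http://opensearch:9200;
        proxy_http_version 1.1;
        proxy_set_header Host $host;

        # The upstream has no use for the proxy credentials; do not forward them.
        proxy_set_header Authorization "";
    }
}
```

The proxy only helps if port 9200 cannot be reached around it: in docker compose, publish `ports` for the proxy only, and in Kubernetes expose only the proxy port in the Service. Other pods can still reach the pod IP on 9200 unless OpenSearch listens on localhost only or a NetworkPolicy blocks it.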

@lguillaud thanks for this suggestion - I was thinking about making a plugin (there is an elasticsearch openssl proxy already that I can use) but this might well be better. It would be in k8s so I would define an nginx sidecar.