Opensearch Does not accept Default password

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
In my docker compose I am using this image
opensearchproject/opensearch:latest

Describe the issue:
I followed the instructions in the quick start guide to download the docker compose file and run it. I ran it and set a custom password in the YAML, but it says unauthorized. I tried setting the password from ENV as well, but it didn’t work.

Ref: Installation quickstart - OpenSearch Documentation

Configuration:

OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}

Relevant Logs or Screenshots:
No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.
rsuhas@ATH-PM27YX9J opensearch_lab %
Detected OpenSearch Security Version: 2.17.1.0
No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.

Hi @suhas_salavathsa,

Could you please share your docker-compose.yml (and .env if applicable) file(s)?

Thanks,
mj

Hi @Mantas, it's the same file that is in the OpenSearch docs.
curl -O https://raw.githubusercontent.com/opensearch-project/documentation-website/2.19/assets/examples/docker-compose.yml

The following works, with no issues, out of the box in my lab with only one modification:

      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=aSupperCompleXpas12!!
services:
  opensearch-node1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-node1/)
    image: opensearchproject/opensearch:latest
    container_name: opensearch-node1
    environment:
      - cluster.name=opensearch-cluster # Name the cluster
      - node.name=opensearch-node1 # Name the node that will run in this container
      - discovery.seed_hosts=opensearch-node1,opensearch-node2 # Nodes to look for when discovering the cluster
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 # Nodes eligible to serve as cluster manager
      - bootstrap.memory_lock=true # Disable JVM heap memory swapping
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # Set min and max JVM heap sizes to at least 50% of system RAM
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD} # Sets the demo admin user password when using demo configuration (for OpenSearch 2.12 and later)
    ulimits:
      memlock:
        soft: -1 # Set memlock to unlimited (no soft or hard limit)
        hard: -1
      nofile:
        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536
        hard: 65536
    volumes:
      - opensearch-data1:/usr/share/opensearch/data # Creates volume called opensearch-data1 and mounts it to the container
    ports:
      - 9200:9200 # REST API
      - 9600:9600 # Performance Analyzer
    networks:
      - opensearch-net # All of the containers will join the same Docker bridge network
  opensearch-node2:
    image: opensearchproject/opensearch:latest # This should be the same image used for opensearch-node1 to avoid issues
    container_name: opensearch-node2
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node2
      - discovery.seed_hosts=opensearch-node1,opensearch-node2
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=aSupperCompleXpas12!!
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - opensearch-data2:/usr/share/opensearch/data
    networks:
      - opensearch-net
  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes
    container_name: opensearch-dashboards
    ports:
      - 5601:5601 # Map host port 5601 to container port 5601
    expose:
      - "5601" # Expose port 5601 for web access to OpenSearch Dashboards
    environment:
      OPENSEARCH_HOSTS: '["https://opensearch-node1:9200","https://opensearch-node2:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
    networks:
      - opensearch-net

volumes:
  opensearch-data1:
  opensearch-data2:

networks:
  opensearch-net:

Best,
mj

Alternatively, you can use a .env file with the following content:

OPENSEARCH_INITIAL_ADMIN_PASSWORD=aSupperCompleXpas12!!

Thanks @Mantas. So the password should be added only on either of the nodes? Because I tried adding this and ran docker compose…

http://localhost:5601/app/login?

username: admin
password: aSupperCompleXpas12!!

But it still says unauthorized… :confused:

Can you run the below and share the output please:

docker exec <container-name> env

Best,
mj

Sure, here it is:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/share/opensearch/jdk/bin:/usr/share/opensearch/bin
HOSTNAME=037b893eea54
discovery.seed_hosts=opensearch-node1,opensearch-node2
cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
bootstrap.memory_lock=true
OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m
OPENSEARCH_INITIAL_ADMIN_PASSWORD=SE15L1u%6xH7OD
cluster.name=opensearch-cluster
node.name=opensearch-node1
JAVA_HOME=/usr/share/opensearch/jdk
LD_LIBRARY_PATH=:/usr/share/opensearch/plugins/opensearch-knn/lib
HOME=/usr/share/opensearch

Let me know if something else is required.
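
The per-node check requested above (`docker exec <container-name> env`), as an added example that is not part of the original thread: the posted compose file sets the variable by `${...}` substitution on opensearch-node1 and as a literal on opensearch-node2, so this script compares the value across both nodes and flags an empty or differing value without printing the password. The function names, the `--live`/`--demo` flags and the sample values are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: compare OPENSEARCH_INITIAL_ADMIN_PASSWORD across node env dumps
# without ever printing the secret itself.
VAR=OPENSEARCH_INITIAL_ADMIN_PASSWORD

# Read `env` output on stdin, print the variable's value (nothing if unset).
# Only the first '=' separates name and value; a password may contain '='.
admin_pw_from_env() {
  awk -v k="$VAR" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }'
}

# check_nodes NAME=FILE ...  (FILE holds the output of `docker exec NAME env`)
# Prints one finding per line; returns 0 only if all nodes share one non-empty value.
check_nodes() {
  ref="" ref_name="" rc=0
  for pair in "$@"; do
    name=${pair%%=*}; file=${pair#*=}
    pw=$(admin_pw_from_env < "$file")
    if [ -z "$pw" ]; then
      echo "EMPTY $name"; rc=1            # unset or blank inside the container
    elif [ -z "$ref_name" ]; then
      ref=$pw; ref_name=$name             # first usable value is the reference
    elif [ "$pw" != "$ref" ]; then
      echo "MISMATCH $name vs $ref_name"; rc=1
    fi
  done
  if [ "$rc" -eq 0 ]; then echo "OK"; fi
  return "$rc"
}

# Constructed sample dumps (not taken from the thread): two nodes, two values.
demo() {
  demo_dir=$(mktemp -d)
  printf 'node.name=opensearch-node1\n%s=Constructed-A1!\n' "$VAR" > "$demo_dir/n1"
  printf 'node.name=opensearch-node2\n%s=Constructed-B2!\n' "$VAR" > "$demo_dir/n2"
  if check_nodes "opensearch-node1=$demo_dir/n1" "opensearch-node2=$demo_dir/n2"; then r=0; else r=1; fi
  rm -rf "$demo_dir"; return "$r"
}

# Live use: --live reads both containers named in the compose file above.
if [ "${1:-}" = "--live" ]; then
  live_dir=$(mktemp -d)
  for c in opensearch-node1 opensearch-node2; do docker exec "$c" env > "$live_dir/$c"; done
  if check_nodes "opensearch-node1=$live_dir/opensearch-node1" "opensearch-node2=$live_dir/opensearch-node2"; then r=0; else r=1; fi
  rm -rf "$live_dir"; exit "$r"
elif [ "${1:-}" = "--demo" ]; then
  demo
fi
```

An `EMPTY` finding is the case the "No custom admin password found" log line reports; Docker Compose substitutes a blank string when the referenced variable is set neither in the shell nor in `.env`.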

Have you tried:
username: admin
password: SE15L1u%6xH7OD

Best,
mj

Yeah, but that didn’t work either… Since I was setting this up for learning purposes, I tried adding - plugins.security.disabled=true in the environment block, but that also didn’t help; it still prompted for a username and password.