Opensearch Does not accept Default password

Security
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
In my docker compose I am using this image
opensearchproject/opensearch:latest

Describe the issue:
I followed the instruction on quick start guide to download the docker compose file and run it. I did run and set a custom password in the yaml, but it says unauthorized. I tried setting the password from ENV as well but it didn’t work.

Ref: Installation quickstart - OpenSearch Documentation

Configuration:

OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}

Relevant Logs or Screenshots:
No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.
rsuhas@ATH-PM27YX9J opensearch_lab %
Detected OpenSearch Security Version: 2.17.1.0
No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.

2

Hi @suhas_salavathsa,

Could you please share your docker-compose.yml (and .env if applicable) file(s)?

Thanks,
mj

3

Hi @Mantas its the same file which is there in opensearch docs.
curl -O https://raw.githubusercontent.com/opensearch-project/documentation-website/2.19/assets/examples/docker-compose.yml

4

The following works, with no issues, out of the box in my lab with only one modification:

      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=aSupperCompleXpas12!!

services:
  opensearch-node1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-node1/)
    image: opensearchproject/opensearch:latest
    container_name: opensearch-node1
    environment:
      - cluster.name=opensearch-cluster # Name the cluster
      - node.name=opensearch-node1 # Name the node that will run in this container
      - discovery.seed_hosts=opensearch-node1,opensearch-node2 # Nodes to look for when discovering the cluster
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 # Nodes eligibile to serve as cluster manager
      - bootstrap.memory_lock=true # Disable JVM heap memory swapping
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # Set min and max JVM heap sizes to at least 50% of system RAM
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD} # Sets the demo admin user password when using demo configuration (for OpenSearch 2.12 and later)
    ulimits:
      memlock:
        soft: -1 # Set memlock to unlimited (no soft or hard limit)
        hard: -1
      nofile:
        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536
        hard: 65536
    volumes:
      - opensearch-data1:/usr/share/opensearch/data # Creates volume called opensearch-data1 and mounts it to the container
    ports:
      - 9200:9200 # REST API
      - 9600:9600 # Performance Analyzer
    networks:
      - opensearch-net # All of the containers will join the same Docker bridge network
  opensearch-node2:
    image: opensearchproject/opensearch:latest # This should be the same image used for opensearch-node1 to avoid issues
    container_name: opensearch-node2
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node2
      - discovery.seed_hosts=opensearch-node1,opensearch-node2
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=aSupperCompleXpas12!!
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - opensearch-data2:/usr/share/opensearch/data
    networks:
      - opensearch-net
  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes
    container_name: opensearch-dashboards
    ports:
      - 5601:5601 # Map host port 5601 to container port 5601
    expose:
      - "5601" # Expose port 5601 for web access to OpenSearch Dashboards
    environment:
      OPENSEARCH_HOSTS: '["https://opensearch-node1:9200","https://opensearch-node2:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
    networks:
      - opensearch-net

volumes:
  opensearch-data1:
  opensearch-data2:

networks:
  opensearch-net:

Best,
mj

5

alternatively, you can use .env file with the content of :

OPENSEARCH_INITIAL_ADMIN_PASSWORD=aSupperCompleXpas12!!

6

Thanks @Mantas , So the password should be added only on either of the Node ? Because I tried adding this and did run the docker compose…

http://localhost:5601/app/login?

username: admin
password: aSupperCompleXpas12!!

But it still says unauthorized… :confused:

7

Can you run the below and share the output please:

docker exec <container-name> env

Bets,
mj

8

Sure, here it is:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/share/opensearch/jdk/bin:/usr/share/opensearch/bin
HOSTNAME=037b893eea54
discovery.seed_hosts=opensearch-node1,opensearch-node2
cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
bootstrap.memory_lock=true
OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m
OPENSEARCH_INITIAL_ADMIN_PASSWORD=SE15L1u%6xH7OD
cluster.name=opensearch-cluster
node.name=opensearch-node1
JAVA_HOME=/usr/share/opensearch/jdk
LD_LIBRARY_PATH=:/usr/share/opensearch/plugins/opensearch-knn/lib
HOME=/usr/share/opensearch

Let me know if something else is required.

9

Have you tried:
username: admin
password: SE15L1u%6xH7OD

Best,
mj

10

Yeah, but that didn’t work either… Since I was setting up for learning purpose I tried adding - plugins.security.disabled=true in environment block but that also didn’t help, it still prompted for username and password.

11

One way we can get you logged in is by updating your admin password via internal_users.yml and securityadmin.sh.

Make sure plugins.security.ssl.http.enabled: true
Update password (hash) in your internal_users.yml
Run the securityadmin.sh to apply changes

related:

Best,
mj

1 Like
12

I had the same issue. What helped me, is that I changed the password (hash) in the internal_users.yml. As earlier it was mentioned, you need the /plugins/opensearch-security/tools/hash.sh script to generate a new hashed password, which you will put in the internal_users.yml. To actually change the hash value in it, you can use the sed command line tool, as the container itself doesnt come with nano, vi or anyother text editors(god knows why). Don’t forget to apply the changes with /plugins/opensearch-security/tools/securityadmin.sh. I ran the script from where the the .pem key files were found.

Hope it helps,
Daniel

1 Like
13

Thank you @Mantas I did the changes which you recommended and happen to see the problem is addressed. But I did find an issue when trying to load the opensearch dashboard.
http://localhost:5601/
Error:
{“type”:“log”,“@timestamp”:“2025-03-14T05:04:01Z”,“tags”:[“error”,“opensearch”,“data”],“pid”:1,“message”:“[ConnectionError]: connect ECONNREFUSED 172.18.0.3:9200”}
{“type”:“log”,“@timestamp”:“2025-03-14T05:04:01Z”,“tags”:[“error”,“savedobjects-service”],“pid”:1,“message”:“Unable to retrieve version information from OpenSearch nodes.”}
{“type”:“log”,“@timestamp”:“2025-03-14T05:04:04Z”,“tags”:[“error”,“opensearch”,“data”],“pid”:1,“message”:“[ConnectionError]: connect ECONNREFUSED 172.18.0.3:9200”}
{“type”:“log”,“@timestamp”:“2025-03-14T05:04:06Z”,“tags”:[“error”,“opensearch”,“data”],“pid”:1,“message”:“[ConnectionError]: connect ECONNREFUSED 172.18.0.3:9200”}

I did some reading and got to know I need to use https://127.0.0.1:9200/ when plugins.security.ssl.http.enabled: is set to true. After hitting https://127.0.0.1:9200/ I dont see the dashboard but a Json
{
“name”: “opensearch-node1”,
“cluster_name”: “opensearch-cluster”,
“cluster_uuid”: “WBwi8JAdTM6e6rv5Z19FJg”,
“version”: {
“distribution”: “opensearch”,
“number”: “2.17.1”,
“build_type”: “tar”,
“build_hash”: “1893d20797e30110e5877170e44d42275ce5951e”,
“build_date”: “2024-09-26T21:59:52.691008096Z”,
“build_snapshot”: false,
“lucene_version”: “9.11.1”,
“minimum_wire_compatibility_version”: “7.10.0”,
“minimum_index_compatibility_version”: “7.0.0”
},
“tagline”: “The OpenSearch Project: https://opensearch.org/
}

Can you share some light ?

14

Hi folks, any luck here ? When I am trying to hit localhost:5601 I get this on the UI

“OpenSearch Dashboards server is not ready yet”

And here are the logs

image
image1920×1045 442 KB

15

Hi @suhas_salavathsa,

The dashboard is on port 5601, the nodes are on port 9200, and the JSON is expected.

To access dashboards - try https://127.0.0.1:5601

best,
mj

16

Could you please share your opensearch_dashboards.yml ?

Best,
mj

17

Sure, here it is

services:
opensearch-node1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-node1/)
image: opensearchproject/opensearch:latest
container_name: opensearch-node1
environment:
- cluster.name=opensearch-cluster # Name the cluster
- node.name=opensearch-node1 # Name the node that will run in this container
- discovery.seed_hosts=opensearch-node1,opensearch-node2 # Nodes to look for when discovering the cluster
- cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 # Nodes eligibile to serve as cluster manager
- bootstrap.memory_lock=true # Disable JVM heap memory swapping
- “OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m” # Set min and max JVM heap sizes to at least 50% of system RAM
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=mypassword

ulimits:
  memlock:
    soft: -1 # Set memlock to unlimited (no soft or hard limit)
    hard: -1
  nofile:
    soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536
    hard: 65536
volumes:
  - opensearch-data1:/usr/share/opensearch/data # Creates volume called opensearch-data1 and mounts it to the container
ports:
  - 9200:9200 # REST API
  - 9600:9600 # Performance Analyzer
networks:
  - opensearch-net # All of the containers will join the same Docker bridge network

opensearch-node2:
image: opensearchproject/opensearch:latest # This should be the same image used for opensearch-node1 to avoid issues
container_name: opensearch-node2
environment:
- cluster.name=opensearch-cluster
- node.name=opensearch-node2
- discovery.seed_hosts=opensearch-node1,opensearch-node2
- cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
- bootstrap.memory_lock=true
- “OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m”
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=mypassword

ulimits:
  memlock:
    soft: -1
    hard: -1
  nofile:
    soft: 65536
    hard: 65536
volumes:
  - opensearch-data2:/usr/share/opensearch/data
networks:
  - opensearch-net

opensearch-dashboards:
image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes
container_name: opensearch-dashboards
ports:
- 5601:5601 # Map host port 5601 to container port 5601
expose:
- “5601” # Expose port 5601 for web access to OpenSearch Dashboards
environment:
OPENSEARCH_HOSTS: ‘[“https://opensearch-node1:9200”,“https://opensearch-node2:9200”]’ # Define the OpenSearch nodes that OpenSearch Dashboards will query
networks:
- opensearch-net

volumes:
opensearch-data1:
opensearch-data2:

networks:
opensearch-net:

Ignore the password, I used a strong password to run it…

18

Try replacing the above with:

OPENSEARCH_HOSTS: '["https://opensearch-node1:9200","https://opensearch-node2:9200"]'

besides that the below works in my lab with no issues:

services:
  opensearch-node1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-node1/)
    image: opensearchproject/opensearch:latest
    container_name: opensearch-node11
    environment:
      - cluster.name=opensearch-cluster # Name the cluster
      - node.name=opensearch-node1 # Name the node that will run in this container
      - discovery.seed_hosts=opensearch-node1,opensearch-node2 # Nodes to look for when discovering the cluster
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 # Nodes eligibile to serve as cluster manager
      - bootstrap.memory_lock=true # Disable JVM heap memory swapping
      - “OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m” # Set min and max JVM heap sizes to at least 50% of system RAM
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=mypassword
    
    ulimits:
      memlock:
        soft: -1 # Set memlock to unlimited (no soft or hard limit)
        hard: -1
      nofile:
        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536
        hard: 65536
    volumes:
      - opensearch-data1:/usr/share/opensearch/data # Creates volume called opensearch-data1 and mounts it to the container
    ports:
      - 9200:9200 # REST API
      - 9600:9600 # Performance Analyzer
    networks:
      - opensearch-net # All of the containers will join the same Docker bridge network
    
  opensearch-node2:
    image: opensearchproject/opensearch:latest # This should be the same image used for opensearch-node1 to avoid issues
    container_name: opensearch-node22
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node2
      - discovery.seed_hosts=opensearch-node1,opensearch-node2
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
      - bootstrap.memory_lock=true
      - “OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m”
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=mypassword
  
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - opensearch-data2:/usr/share/opensearch/data
    networks:
      - opensearch-net
    
  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes
    container_name: opensearch-dashboards11
    ports:
    - 5601:5601 # Map host port 5601 to container port 5601
    expose:
    - “5601” # Expose port 5601 for web access to OpenSearch Dashboards
    environment:
      OPENSEARCH_HOSTS: '["https://opensearch-node11:9200","https://opensearch-node22:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
    networks:
      - opensearch-net

volumes:
  opensearch-data1:
  opensearch-data2:
  
networks:
  opensearch-net:

best,
mj