Running deletes the roles/tenants created over the API

Hello everyone,

It seems that if I created users/roles/tenants over the API and run afterwards for whatever reason to update the cluster security configuration, it will delete any previous record added over the API.

Is this the expected behavior ? I find this problematic.


have you found solution for this?

I answered a similar question in another thread about this.

Thanks ejohns81
I understood this but my problem is, I am automating everything in chef so that i can manage and changes internal user(admin,kibanaserver,logstash etc) password anytime for different env.

I am maintaining password in vault and reading it from there new password (if i change) and updating into my config files using chef.

Now problem is, to reflect this changes i have to run for /securityconfig/ folder then it will update my new password for internal user but now i will lost everything for other user which i created from kibana.

What you suggest best way to manage this?


We ended up doing everything over the OD API for users. When we create the cluster we have ofcourse the initial users (admin,management and 1 for monitoring). From that point on we do everything over REST and no need to call the anymore.

We simply did some automation to call the API and create the needed roles/users/tenants


Thanks Valentin for quick response.
But what if you want to change the password for internal users like admin etc?

You do it over the API or Kibana.


We can not change admin and kibanaserver password from kibana UI, all other user we can manage from kibana, thats a problem :frowning:

This is exactly what i want to do but it looks like the API wipes out my entire configuration.
I want to use the API to update the password of our bind id. Before doing it, i wanted to do a simple update, for example:
PATCH {curhost}/_opendistro/_security/api/securityconfig
[ {
“op”: “replace”, “path”: “/config/dynamic/authc/ldapnam/description”, “value”: “What descripiton”
} ]
The command returns success, but queries after the PATCH fail. When i run the query to get the Configuration:

Nothing is returned.
I end up having to run to restore functionality.

Any thoughts on what might be going on?

I don’t do these kind of updates via the API yet, it my case it’s just users (CRUD).

I suspect you hit a bug and it’s not transparent on whats happening into the backend.

I have a similar problem. I configured a cluster with terraform using as a final step. Everithing ok, but if I add/edit some role all my previous configuration dissapear forcing me to run again to recover my config.

For testing roles pruposes I prefer to use the kibana UI because it is more friendly than console with vim.

@ashishpatil09 with the latest versions of ODFE you can now reset kibanaserver’s and admin’s password.


I’ve checked on 1.13.1 and it worked. However when I did update of ldap description, both http_enabled and transport_enabled were set to true.

curl --insecure -u admin:admin -H “Content-Type: application/json” -X PATCH https://localhost:9201/_opendistro/_security/api/securityconfig -d ’
“op”: “replace”, “path”: “/config/dynamic/authc/ldap/description”, “value”: “This is updated description”
{“status”:“OK”,“message”:“Resource updated.”}

    "ldap" : {
      "http_enabled" : true,
      "transport_enabled" : true,
      "order" : 5,
      "http_authenticator" : {
        "challenge" : true,
        "type" : "basic",
        "config" : { }
      "authentication_backend" : {
        "type" : "ldap",
        "config" : {
          "enable_ssl" : false,
          "enable_start_tls" : false,
          "enable_ssl_client_auth" : false,
          "verify_hostnames" : true,
          "hosts" : [
          "userbase" : "ou=people,dc=example,dc=com",
          "usersearch" : "(sAMAccountName={0})"
      "description" : "This is updated description"

On 1.12.0 I’ve got exactly the same issue as you did. It looks like a bug.