Unable to change admin user password while deploying OpenSearch using Helm Chart

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Used the OpenSearch Helm chart for installation - github.com/opensearch-project/helm-charts

Describe the issue:
I am unable to reset admin user passwords. I have updated the YAML file of OpenSearch and modified this part as well:

securityConfig:
  enabled: true
  path: "/usr/share/opensearch/config/opensearch-security"
  actionGroupsSecret:
  configSecret:
  internalUsersSecret:
  rolesSecret:
  rolesMappingSecret:
  tenantsSecret:
  # The following option simplifies securityConfig by using a single secret and
  # specifying the config files as keys in the secret instead of creating
  # different secrets for each config file.
  # Note that this is an alternative to the individual secret configuration
  # above and shouldn't be used if the above secrets are used.
  config:
    # There are multiple ways to define the configuration here:
    # * If you define anything under data, the chart will automatically create
    #   a secret and mount it. This is best option to choose if you want to override all the
    #   existing yml files at once.
    # * If you define securityConfigSecret, the chart will assume this secret is
    #   created externally and mount it. This is best option to choose if your intention is to
    #   only update a single yml file.
    # * It is an error to define both data and securityConfigSecret.
    securityConfigSecret: ""
    dataComplete: true
    data: 
      internal_users.yml: |-
        _meta:
          type: "internalusers"
          config_version: 2
          
        admin:
          hash: "$2y$12$XDdc42zlZ.DhOj44X5zT.OnSxjGj5v7MEUllUG1euFG3wDp/AUGy2"
          reserved: false
          backend_roles:
          - "admin"
          description: "Demo admin user"

        kibanaserver:
          hash: "$2y$12$XDdc42zlZ.DhOj44X5zT.OnSxjGj5v7MEUllUG1euFG3wDp/AUGy2"
          reserved: false
          description: "Demo OpenSearch Dashboards user"

I am still unable to change it.
I tried to do it from OpenSearch Dashboards; there I am getting the error “failed to reset password . forbidden Resource admin is read-only”

**Please, I need your help.**

@Ashutosh Once you create a cluster with helm charts, the only way to update the admin user password is with the securityadmin.sh script.

I’ve just updated the admin’s password with securityadmin.sh and it worked.
Could you share the output of your securityadmin.sh script execution?

Did you run it inside or outside of the OpenSearch pod?


Hey Anshu, the only way to update the admin password is to run the securityadmin.sh script and restart your pods.

It's possible with the Operator to change the password in a running cluster (GitHub - Opster/opensearch-k8s-operator: OpenSearch Kubernetes Operator); it takes the secret file hash and, if it is changed with a new password, it would auto-detect the new hash and run securityadmin.sh along with a rolling restart.

To unblock your case, run securityadmin.sh and perform a rolling restart. Can you contribute to helm-charts to have a way to restart the admin password via the values.yaml file?

Thank you


@Ashutosh Just some clarification on @pgodithi's comment. There is no need to recreate any OpenSearch pods. The admin’s password is kept in the .opendistro_security index. Once this index is updated with the new password using securityadmin.sh, all the OpenSearch nodes will use the new admin’s password.

Could you share the outputs of your securityadmin.sh backup and restore commands?
Have you noticed any errors in the outputs? If a single config file fails to update during the securityadmin.sh restore, then all other config files will fail to update.
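
The backup-then-update sequence the replies describe, as an added example that is not part of any poster's message or of the helm-charts project. The namespace, the pod name and the demo admin certificate file names (`root-ca.pem`, `kirk.pem`, `kirk-key.pem`) are assumptions; the security config path is the `securityConfig.path` value from the question.

```shell
#!/bin/sh
# Added example: back up the live security config, then upload only internal_users.yml.
# Assumptions (not from the thread): namespace, pod name, demo admin cert file names.
set -eu

NAMESPACE="${NAMESPACE:-default}"
POD="${POD:-opensearch-cluster-master-0}"
OS_HOME="/usr/share/opensearch"
TOOLS="$OS_HOME/plugins/opensearch-security/tools"
SEC_DIR="$OS_HOME/config/opensearch-security"   # securityConfig.path from the values file
# -icl ignores the cluster name; -nha skips hostname verification (demo certs only).
FLAGS="-icl -nha -cacert $OS_HOME/config/root-ca.pem -cert $OS_HOME/config/kirk.pem -key $OS_HOME/config/kirk-key.pem"

# Print the securityadmin.sh command line for one step:
#   backup <dir>  dump the configuration currently stored in the security index
#   apply-users   upload internal_users.yml only, leaving the other config files alone
secadmin_cmd() {
  case "$1" in
    backup)
      [ -n "${2:-}" ] || { echo "backup needs a target directory" >&2; return 2; }
      echo "$TOOLS/securityadmin.sh -backup $2 $FLAGS" ;;
    apply-users)
      echo "$TOOLS/securityadmin.sh -f $SEC_DIR/internal_users.yml -t internalusers $FLAGS" ;;
    *)
      echo "unknown step: $1" >&2; return 2 ;;
  esac
}

# Run one command inside the OpenSearch pod; set -e stops the script on failure.
in_pod() {
  kubectl -n "$NAMESPACE" exec "$POD" -- sh -c "$1"
}

main() {
  backup_dir="/tmp/security-backup-$(date +%Y%m%d%H%M%S)"
  in_pod "mkdir -p $backup_dir"
  in_pod "$(secadmin_cmd backup "$backup_dir")"
  # Refuse to upload anything unless the backup actually contains the users file.
  in_pod "test -s $backup_dir/internal_users.yml"
  in_pod "$(secadmin_cmd apply-users)"
}

# Only touch the cluster when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
  main
fi
```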