Unable to change admin user password while deploying OpenSearch

Security
1

**On behalf of a user of Slack **

"Hi All,
Unable to change admin user password while deploying the opensearch cluster itself. Am using opster opensearch-operator:2.3.1 and opensearch: 2.8.0 version.Created two secrets for adminCredentialsSecret and securityConfigSecret(with all yamls and updated admin hash). Same has been mentioned in cluster yaml file with tls.generate and http.generate as trueAfter deploying the yamls

  • bootstrap pod is running and logs are “[2023-07-06T19:08:15,476][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [my-second-cluster-bootstrap-0] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) [2023-07-06T19:08:16,855][ERROR][o.o.s.a.BackendRegistry ] [my-second-cluster-bootstrap-0] Not yet initialized (you may need to run securityadmin)”
  • securityconfig-update pod is running and waiting for cluster availability
  • cluster pods are in 0/1 state - Logs: Authentication finally failed for admin"
2

Please share your values.yml file.

Could you describe the admin’s password change workflow?

3

Hi,

Please find the cluster.yaml file.

apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: my-second-cluster
  namespace: opensearch-2
spec:
  security:
    config:
      adminCredentialsSecret:
        name: a-admin-credentials-secret
      securityConfigSecret:
       name: a-securityconfig-secret
    tls:
      transport:
        generate: true
        perNode: true
      http:
        generate: true
  general:
    serviceName: my-second-cluster
    version: 2.8.0
  dashboards:
    opensearchCredentialsSecret:
      name: a-admin-credentials-secret
    enable: true
    version: 2.8.0
    replicas: 1
    resources:
      requests:
         memory: "512Mi"
         cpu: "200m"
      limits:
         memory: "512Mi"
         cpu: "200m"
  nodePools:
    - component: masters
      replicas: 3
      diskSize: "5Gi"
      NodeSelector:
      resources:
         requests:
            memory: "2Gi"
            cpu: "500m"
         limits:
            memory: "3Gi"
            cpu: "1000m"
      roles:
        - "data"
        - "master"
        - "ingest"
---
apiVersion: v1
kind: Secret
metadata:
  name: a-admin-credentials-secret
  namespace: opensearch-2
type: Opaque
data:
  # admin
  username: YWRtaW4=
  # admin123
  password: YWRtaW4xMjM=
---
apiVersion: v1
kind: Secret
metadata:
  name: a-securityconfig-secret
  namespace: opensearch
type: Opaque
stringData:
      action_groups.yml: |-
         _meta:
           type: "actiongroups"
           config_version: 2
      internal_users.yml: |-
        _meta:
          type: "internalusers"
          config_version: 2
        admin:
          hash: "$2a$12$GFYFj72AaDZA7SX3W4gIXeCUavBobKfjLrXgqYI/twct.e0irAMmy"
          reserved: true
          backend_roles:
          - "admin"
          description: "Demo admin user"
4

@rmssath I missed the part about the Opster operator. Let me do some testing and I’ll come back with the findings.

5

@rmssath It took me a while to get this Opster running.
I’ve tested the shared yaml file in my k8s cluster with Opster 2.3.1 and the OpenSearch object was created, but none of the related pods were.
I’ve noticed that one of your secrets was created in the namespace opensearch instead of opensearch-2.

Once I’ve fixed that the pods were created and started. Also, the admin’s password defined in the secret has been applied to OpenSearch’s configuration.

6

@rmssath I’ve found another problem with this secret. For some reason Opster doesn’t like it. It fails to manage the OS cluster once is deployed with this secret through the command line (kubectl create -f …).
Also, Opster console fails to create the OS cluster when I select this secret as a custom security config.

Instead of using the file content in the secret definition, I’ve used a oneliner with --from-file option.

kubectl create secret generic a-securityconfig-secret --from-file=./internal_users.yml --from-file=./action_groups.yml -n opensearch-2
7

Hi @pablo ,

Thanks for your reply.

I dont see any difference in creating the secret by mentioned 2 ways.

Now am able to login with new admin credentials.

But if i do any changes in kind: OpenSearchCluster yaml file. Kubectl apply is working fine. But the operator is throwing Reconcile error “invalid character A~”. So opensearch pods are not getting restarted after the change.

8

@rmssath @pablo

I am unable to change admin password . I tried this way . Could you please help
I have used this GitHub repo -GitHub - opensearch-project/helm-charts: ☸ A community repository for Helm Charts of OpenSearch Project.

I update values.yaml file of folder of charts/opensearch

securityConfig:
  enabled: true
  path: "/usr/share/opensearch/config/opensearch-security"
  actionGroupsSecret:
  configSecret:
  internalUsersSecret:
  rolesSecret:
  rolesMappingSecret:
  tenantsSecret:
  # The following option simplifies securityConfig by using a single secret and
  # specifying the config files as keys in the secret instead of creating
  # different secrets for for each config file.
  # Note that this is an alternative to the individual secret configuration
  # above and shouldn't be used if the above secrets are used.
  config:
    # There are multiple ways to define the configuration here:
    # * If you define anything under data, the chart will automatically create
    #   a secret and mount it. This is best option to choose if you want to override all the
    #   existing yml files at once.
    # * If you define securityConfigSecret, the chart will assume this secret is
    #   created externally and mount it. This is best option to choose if your intention is to
    #   only update a single yml file.
    # * It is an error to define both data and securityConfigSecret.
    securityConfigSecret: ""
    dataComplete: true
    data: 
      internal_users.yml: |-
        _meta:
          type: "internalusers"
          config_version: 2
          
        admin:
          hash: "$2y$12$XDdc42zlZ.DhOj44X5zT.OnSxjGj5v7MEUllUG1euFG3wDp/AUGy2"
          reserved: false
          backend_roles:
          - "admin"
          description: "Demo admin user"

        kibanaserver:
          hash: "$2y$12$XDdc42zlZ.DhOj44X5zT.OnSxjGj5v7MEUllUG1euFG3wDp/AUGy2"
          reserved: false
          description: "Demo OpenSearch Dashboards user"

This is not working and still i am able to login using admin:admin
A big Thanks from my side , if you can help me in this

9

@Ashutosh Once you’ll deploy OpenSearch with helm charts the only ways to update admin user is either with OpenSearch Dashboards or using securityadmin.sh script.

The initial issue regards OpenSearch deployment with Opster.

11

@pablo
I have tried changing password from dashboard but still getting this error
"Failed to reset password . Resource admin is read-only " . I tried api ways as well to change but still got the same error . Also tried this to manually updating securityadmin.sh script it but still no success .
Do you have any idea on this how to fit it ?

12

Hello,
@rmssath
did you get the way to change Admin password for opensearch?

13

@vilasvsontakke Have you tried updating with securityadmin.sh?