Unable to change internal_user "admin" password

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch 2.11.1

Describe the issue:
So I tried to change my internal_user “admin” 's password and it failed with the following error:
{“status”:“FORBIDDEN”,“message”:“Resource ‘admin’ is reserved.”}

So I edited the internal_user.yaml file to change the “reserved” parameter from “true” to “false”, I ran the secrurityadmin.sh script and changed the password.

All good so far, but now I don’t want to leave my admin as not reserved since it might pose a security concern.

My problem is that when I try to change “reserved” back to false after changing the password and I run securityadmin.sh once more the password automatically reverts to its original value “admin”. So it’s either keep admin user marked as not reserved but I get to change its password, or admin is a reserved user but every person that can access opensearch-dashboards can get creative if they so choose.

Is there any other way to get around this problem?

Thank you very much,

side note: I’ve been really enjoying working with opensearch, the project seems to be in good hands, a big thank you to the devs and to the community supporting it


Relevant Logs or Screenshots:

Ok I think I figured it out, sorry

I basically did the same first steps,

I edited my internal_users.yml and changed reserved from “true” to “false” and ran the securityadmin.sh script.

Changed the admin password then I ran the securityadmin.sh script with -backup to save every current opensearch-security file to a volume I mounted inside my containers.

I edited the internal_users.yml I just backed up and made admin reserved again. Then I ran securityadmin.sh once more with -cd and specifying the path to my backed up files and now I have my reserved admin with my a different password.

I forgot to mention I was running this on k8s cluster on my initial post. This thread can be closed

Hi @vmm-afonso,

Whenever you run securityadmin.sh to update configuration it will overite everything from opensearch-security/<config>.yml files, so any change made in your UI will be changed back to what is in .yml.

I would strongly recommend to use ./securityadmin.sh -backup my-backup-directory \ whenever you update configuration in UI this will allow you to keep opensearch-security/<config>.yml files in sync with UI changes.

When it comes to the admin password you can change it directly in the opensearch-security/internal_users.yml. To generate a hash, run plugins/opensearch-security/tools/hash.sh -p <new-password> and don’t forget to update the configuration using securityadmin.sh.

Let me know if you have any further questions.


Consider setting a unique user as admin or implementing stricter access controls to balance security and password flexibility in OpenSearch.