Describe the issue:
So I tried to change my internal_user “admin” 's password and it failed with the following error:
{“status”:“FORBIDDEN”,“message”:“Resource ‘admin’ is reserved.”}
So I edited the internal_user.yaml file to change the “reserved” parameter from “true” to “false”, I ran the secrurityadmin.sh script and changed the password.
All good so far, but now I don’t want to leave my admin as not reserved since it might pose a security concern.
My problem is that when I try to change “reserved” back to false after changing the password and I run securityadmin.sh once more the password automatically reverts to its original value “admin”. So it’s either keep admin user marked as not reserved but I get to change its password, or admin is a reserved user but every person that can access opensearch-dashboards can get creative if they so choose.
Is there any other way to get around this problem?
Thank you very much,
side note: I’ve been really enjoying working with opensearch, the project seems to be in good hands, a big thank you to the devs and to the community supporting it
I edited my internal_users.yml and changed reserved from “true” to “false” and ran the securityadmin.sh script.
Changed the admin password then I ran the securityadmin.sh script with -backup to save every current opensearch-security file to a volume I mounted inside my containers.
I edited the internal_users.yml I just backed up and made admin reserved again. Then I ran securityadmin.sh once more with -cd and specifying the path to my backed up files and now I have my reserved admin with my a different password.
I forgot to mention I was running this on k8s cluster on my initial post. This thread can be closed
Whenever you run securityadmin.sh to update configuration it will overite everything from opensearch-security/<config>.yml files, so any change made in your UI will be changed back to what is in .yml.
I would strongly recommend to use ./securityadmin.sh -backup my-backup-directory \ whenever you update configuration in UI this will allow you to keep opensearch-security/<config>.yml files in sync with UI changes.
When it comes to the admin password you can change it directly in the opensearch-security/internal_users.yml. To generate a hash, run plugins/opensearch-security/tools/hash.sh -p <new-password> and don’t forget to update the configuration using securityadmin.sh.