I have a bash script that automates the installation and configuration of Elastic, Kibana, Logstash, and filebeat.
I am currently trying to secure my Kibana. I have enabled xpack in my elastic.yml: xpack.security.enabled: true.
And have included bin/elasticsearch-setup-passwords auto to the script, but this would still require the user to manually copy the password into the kibana.yml file. Is there any way to specifically set what I want my password to be in the script and just put whatever I have set in my kibana.yml file so everything is still automated?
Frist thing would be to start using elasticsearch-reset-password, the elasticsearch-setup-passwords is deprecated in version 8, the new tool is elasticsearch-reset-password.
Then you would need to run it in the interactive mode and try to combine it with the expect tool in your bash script, this way you may be able to provide a custom password.
It would be best to not use a username and password in Kibana, but use a service account, there is also a CLI tool. to create the service account.
If I make this user an admin, Would they be able to access the Kibana dashboard without any restrictions? Also, would I still need to add the below lines in kibana.yml?
Those lines are for system user that connects Kibana to Elasticsearch.
If you would like to create a new admin user you do not have to change those values.
Here's another idea. when you run manually the elasticsearch-keystore or the reset password it will generate an encrypted keystore file stored in your system, maybe you can store them in a vault together with the encryption key so when you deploy them automatically you also deploy the keystore and the encryption key.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.