How to create build in user without interactive mode or auto

Hi,

I need to automate create build in user for which I should use /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive or /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto

In first scenario I has to specify all password manually which is not really easy to automate and in second scenario it is hard to somehow save these values somewhere.

Do you have any solutions or it is not possible?

I though this could work: How to set passwords for built-in users in batch mode? but when I dont have elastic user password I cannot do that.

I would really appreciate any help.

I was thinking about using ansible:

  • name: Create new interactive
    shell: |
    /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive -b
    printf 'elastic' | 'Enter password for [elastic]:'
    when: (executor == 'yes')
    ignore_errors: yes

But no luck

1 Like

There is no supported way to run elasticsearch-setup-passwords in batch mode. It is a convenience utility for manually configuring a node.

If you want to automate this, then you should use the change password API.

In which case you need to configure the bootstrap password to be a value that you do know.

Something roughly like this will work (but for production usage you'd want to build something more reliable)

# Configure Bootstrap Password
BootstrapPassword="$( generate-random-password )"
printf "%s" "$BootstrapPassword" \
  | bin/elasticsearch-keystore add -x "bootstrap.password"

# Start ES & Wait for it to be available
bin/elasticsearch -d
while true
do
  curl --fail -u "elastic:$BootstrapPassword" \
    "http://localhost:9200/_cluster/health?wait_for_status=yellow" \
    && break
  sleep 5
done

# Set passwords for various users
for User in "kibana" "logstash_system" "apm_system" "beats_system" "elastic"
do
  UserPassword="$( generate-random-password )"
  curl -u "elastic:${BootstrapPassword}" \
    -XPOST "http://localhost:9200/_xpack/security/user/${User}/_password" \
    -d'{"password":"'"${UserPassword}"'"}' -H "Content-Type: application/json"
  printf "%s=%s\n" "$User" "$UserPassword" >> passwords.txt
done
2 Likes

Hi,

Thanks for letting me know. This should be run after the password is randomly generated? : /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto ??

Or I can just use the API change password? Because when I tried via your manual it always told me that I dont know the password for Elastic user so I cannot change password for kibana, logstash_system etc...

You take this approach (the change password API) instead of running setup-passwords.

The example I provided shows how you do that without having a password for the elastic user - you need to set the bootstrap.password to a value that you do know.

Ok thanks I will try it and before bootstrap I should stop Elasticsearch service? After bootstrap I should start Elasticsearch service?

I have tried but no luck

[root@DCVMESRMSTDEV01 ~]# # Configure Bootstrap Password
[root@DCVMESRMSTDEV01 ~]# BootstrapPassword="$( elastic )"
-bash: elastic: command not found
[root@DCVMESRMSTDEV01 ~]# printf "%s" "$BootstrapPassword" \

| /usr/share/elasticsearch/bin/elasticsearch-keystore add -x "bootstrap.password"
Exception in thread "main" java.lang.NullPointerException
at org.elasticsearch.common.settings.AddStringKeyStoreCommand.execute(AddStringKeyStoreCommand.java:87)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:77)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.Command.main(Command.java:90)
at org.elasticsearch.common.settings.KeyStoreCli.main(KeyStoreCli.java:41)

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.