Impossible to set password for elastic builtin superuser

Hi,

I just installed elasticsearch 8.4.1 from the elasticsearch-8.4.1-1.x86_64 RPM on a Red Hat Enterprise Linux release 8.6 (Ootpa) server.

Everything looks ok, elastic service is running.

But I cannot find the elastic user password.

In the logfile /var/log/elasticsearch/cluster.log, I found a line with this:

[2022-10-24T11:09:12,063][INFO ][o.e.x.s.InitialNodeSecurityAutoConfiguration] [servername.localdomain] Auto-configuration will not generate a password for the elastic built-in superuser, as we cannot  determine if there is a terminal attached to the elasticsearch process. You can use the `bin/elasticsearch-reset-password` tool to set the password for the elastic user.

But running bin/elasticsearch-reset-password returns an error:

bash-4.4$ cd /usr/share/elasticsearch/
bash-4.4$ bin/elasticsearch-reset-password -u elastic

ERROR: could not write file [/etc/elasticsearch/users_roles]

despite the fact the file is writable for the user elasticsearch:

bash-4.4$ id
uid=9999(elasticsearch) gid=9999(elasticsearch) groups=9999(elasticsearch) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bash-4.4$ ls -l /etc/elasticsearch/users*
-rw-rw----. 1 root elasticsearch 0 Aug 26 14:16 /etc/elasticsearch/users
-rw-rw----. 1 root elasticsearch 0 Aug 26 14:16 /etc/elasticsearch/users_roles

bash-4.4$ ls -ln /etc/elasticsearch/users*
-rw-rw----. 1 0 9999 0 Aug 26 14:16 /etc/elasticsearch/users
-rw-rw----. 1 0 9999 0 Aug 26 14:16 /etc/elasticsearch/users_roles

And the user elasticsearch can write to the file:

bash-4.4$ ls -l users
-rw-rw----. 1 root elasticsearch     0 Aug 26 14:16 users
bash-4.4$ touch users
bash-4.4$ ls -l users
-rw-rw----. 1 root elasticsearch 0 Oct 24 13:21 users

Also, SELinux is enabled on the server:

bash-4.4$ ls -Z /etc/elasticsearch/users*
system_u:object_r:etc_t:s0 /etc/elasticsearch/users  system_u:object_r:etc_t:s0 /etc/elasticsearch/users_roles
bash-4.4$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Any suggestions?

Regards,

JM

Is it possible I am the only one facing this issue?

What user are you running that as?

Can you please check whether the directories (/etc/elasticsearch and /etc) hosting the files are writable for the elasticsearch user?

I use the elasticsearch user.

The elasticsearch user can write into existing files but cannot create new ones.

$ sudo -u elasticsearch /usr/bin/bash
Creating home directory for elasticsearch.

bash-4.4$ id
uid=983(elasticsearch) gid=983(elasticsearch) groups=983(elasticsearch) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

bash-4.4$ cd /etc/elasticsearch/

bash-4.4$ pwd
/etc/elasticsearch

bash-4.4$ cat > trying
bash: trying: Permission denied

bash-4.4$ echo trying > trying
bash: trying: Permission denied

bash-4.4$ vim elasticsearch.yml
bash-4.4$ grep line elasticsearch.yml
# Adding a line into this file
bash-4.4$ vim elasticsearch.yml
bash-4.4$ grep line elasticsearch.yml

bash-4.4$ ls -la
total 60
drwxr-s---.   4 root elasticsearch   253 Oct 21 10:16 .
drwxr-xr-x. 128 root root           8192 Oct 21 10:16 ..
drwxr-x---.   2 root elasticsearch    62 Oct 21 10:16 certs
-rw-rw----.   1 root elasticsearch   536 Oct 21 10:16 elasticsearch.keystore
-rw-rw----.   1 root elasticsearch  1042 Aug 26 14:16 elasticsearch-plugins.example.yml
-rw-rw----.   1 root elasticsearch  4292 Oct 25 14:14 elasticsearch.yml
-rw-rw----.   1 root elasticsearch  2617 Aug 26 14:16 jvm.options
drwxr-s---.   2 root elasticsearch     6 Aug 26 14:19 jvm.options.d
-rw-rw----.   1 root elasticsearch 17417 Aug 26 14:16 log4j2.properties
-rw-rw----.   1 root elasticsearch   473 Aug 26 14:16 role_mapping.yml
-rw-rw----.   1 root elasticsearch   197 Aug 26 14:16 roles.yml
-rw-rw----.   1 root elasticsearch     0 Oct 24 13:21 users
-rw-rw----.   1 root elasticsearch     0 Aug 26 14:16 users_roles

bash-4.4$

You need to fix the file permissions of the parent folder (I believe it is /etc/elasticsearch/) to create any new files. It is currently owned by root:root as opposed to root:elasticsearch.

parent folder is /etc.

I will not change the ownership of /etc to root:elasticsearch.

But you are right, as /etc/elasticsearch directory gets drwxr-s--- permissions, meaning the elasticsearch user cannot create any files in it.

But it is still not explaining the error message saying:

ERROR: could not write file [/etc/elasticsearch/users_roles]

This file is writable for the user elasticsearch.

Something else is going on. Here is my fully functional
Which appears to be aligned with your settings...

root@stephenb-es-8-test:/etc/elasticsearch# ls -la
total 72
drwxr-sr-x  4 root elasticsearch  4096 Oct 23 19:25 .
drwxr-xr-x 98 root root           4096 Oct 27 02:11 ..
drwxr-xr-x  2 root elasticsearch  4096 Oct  7 19:09 certs
-rw-rw----  1 root elasticsearch  1042 Jun  8 22:28 elasticsearch-plugins.example.yml
-rw-rw----  1 root elasticsearch   536 Jun 27 18:30 elasticsearch.keystore
-rw-rw----  1 root elasticsearch  4296 Oct  7 19:10 elasticsearch.yml
-rw-rw----  1 root elasticsearch  2617 Sep 14 16:33 jvm.options
drwxr-s---  2 root elasticsearch  4096 Jun  8 22:28 jvm.options.d
-rw-rw----  1 root elasticsearch 17417 Sep 14 16:33 log4j2.properties
-rw-rw----  1 root elasticsearch   473 Jun  8 22:28 role_mapping.yml
-rw-rw----  1 root elasticsearch   197 Jun  8 22:28 roles.yml
-rw-rw----  1 root elasticsearch    84 Oct 23 19:25 users
-rw-rw----  1 root elasticsearch    33 Oct 23 19:25 users_roles

Have you simply tried

sudo bin/elasticsearch-reset-password -u elastic

and I just changed my password...

root@stephenb-es-8-test:/etc/elasticsearch# sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -url https://elasticsearch.mydomain.net:9200
This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]y


Password for the [elastic] user successfully reset.
New value: askljfdhasldkfjhasflkasjdfh

Then tested it

# curl -u elastic https://elasticsearch.mydomain.net:9200
Enter host password for user 'elastic':
{
  "name" : "stephenb-es-8-test",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "asdfsadfasdfasdf",
  "version" : {
    "number" : "8.4.3",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "42f05b9372a9a4a470db3b52817899b99a76ee73",
    "build_date" : "2022-10-04T07:17:24.662462378Z",
    "build_snapshot" : false,
    "lucene_version" : "9.3.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

and you can see it updated the files

root@stephenb-es-8-test:/etc/elasticsearch# ls -lart
total 72
-rw-rw----  1 root elasticsearch   197 Jun  8 22:28 roles.yml
-rw-rw----  1 root elasticsearch   473 Jun  8 22:28 role_mapping.yml
drwxr-s---  2 root elasticsearch  4096 Jun  8 22:28 jvm.options.d
-rw-rw----  1 root elasticsearch  1042 Jun  8 22:28 elasticsearch-plugins.example.yml
-rw-rw----  1 root elasticsearch   536 Jun 27 18:30 elasticsearch.keystore
-rw-rw----  1 root elasticsearch 17417 Sep 14 16:33 log4j2.properties
-rw-rw----  1 root elasticsearch  2617 Sep 14 16:33 jvm.options
drwxr-xr-x  2 root elasticsearch  4096 Oct  7 19:09 certs
-rw-rw----  1 root elasticsearch  4296 Oct  7 19:10 elasticsearch.yml
drwxr-xr-x 98 root root           4096 Oct 27 02:11 ..
-rw-rw----  1 root elasticsearch   168 Oct 27 05:58 users
-rw-rw----  1 root elasticsearch    56 Oct 27 05:58 users_roles
drwxr-sr-x  4 root elasticsearch  4096 Oct 27 05:58 .

Hi Stephen,

I am not admin of the server and have no sudo on it.

I requested privileged access and planned to try this once done.

It is too bad you have to be root to change elastic builtin user password.

The CLI tools always try to write the file atomically. To do that, it internally creates a temporary file and writes changes to the temp file. It then copies the file to overwrite the actual file to achieve atomicity. So what the error really means is that it cannot create the temp file, which is a new file.

I asked an admin to add a 'w' permission on /etc/elasticsearch/ at group level.

Now, running $ sudo -u elasticsearch bin/elasticsearch-reset-password -u elastic, I get this message:

WARNING: Owner of file [/etc/elasticsearch/users] used to be [root], but now is [elasticsearch]
WARNING: Owner of file [/etc/elasticsearch/users_roles] used to be [root], but now is [elasticsearch]
This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]

and the /etc/elasticsearch/users* files ownership changed from root:elasticsearch to elasticsearch:elasticsearch.

And the reset works:

Password for the [elastic] user successfully reset.
New value: xxx

So, solution: allow elasticsearch user to write in /etc/elasticsearch/ directory.

Note, writing into the /etc/elasticsearch/users* files seems to be temporary because once the reset is done, the files are emptied. I guess the system uses the native solution storing users+passwords in a dedicated index.

Do you think this should be in the Elastic documentation? The fact you have to be root to reset the password?

Or maybe just put the right /etc/elasticsearch/ directory permission when installing from a package?

JM

That was my first assumption, the tool trying to create a temp file in the /etc/elasticsearch/ directory.

The error message is not clear and is misleading. It would be very helpful if it said, e.g., Cannot create Temp file into /etc/elasticsearch/.

If it was like this, the problem was solved in 1 minute.
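
An added example, not part of the thread and not Elasticsearch's code: a pre-flight check modelling the situation worked out above, where an existing file is writable in place but an atomic replace fails because creating the temporary file needs write and search permission on the directory. The modes and uid/gid values are constructed from the listings in the thread; `St`, `allowed` and `preflight` are hypothetical names, and treating the first gid as the primary group is an assumption.

```python
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result so the check runs on constructed input;
# a real os.stat() result has the same three attributes.
St = namedtuple("St", "st_mode st_uid st_gid")

def allowed(st, uid, gids, want):
    """POSIX mode-bit check: exactly one triad applies (owner, else group,
    else other). Ignores ACLs, SELinux, the sticky bit and the root bypass."""
    if uid == st.st_uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def preflight(dir_st, file_st, uid, gids):
    """Predict what a process running as uid/gids can do to a file in dir_st."""
    in_place = allowed(file_st, uid, gids, 0o2)   # write to the existing inode
    # Creating a temp file in the directory and moving it over the target
    # needs write + search (w+x) on the directory, not on the target file.
    atomic = allowed(dir_st, uid, gids, 0o3)
    owner_after = None
    if atomic:
        # The replacement is a new inode owned by its creator; in a setgid
        # directory it inherits the directory's group.
        setgid = bool(dir_st.st_mode & stat.S_ISGID)
        owner_after = (uid, dir_st.st_gid if setgid else gids[0])
    return {"in_place_write": in_place, "atomic_replace": atomic,
            "owner_after_replace": owner_after}

# Constructed from the thread's listings (ls -ln shows owner 0, group 9999).
ES_UID, ES_GIDS = 9999, [9999]
USERS_ROLES = St(stat.S_IFREG | 0o660, 0, 9999)        # -rw-rw----
CONF_DIR_BEFORE = St(stat.S_IFDIR | 0o2750, 0, 9999)   # drwxr-s---
CONF_DIR_AFTER = St(stat.S_IFDIR | 0o2770, 0, 9999)    # group 'w' added

if __name__ == "__main__":
    for label, d in (("before", CONF_DIR_BEFORE), ("after", CONF_DIR_AFTER)):
        print(label, preflight(d, USERS_ROLES, ES_UID, ES_GIDS))
```

The "after" case also accounts for the owner-change warnings quoted above: the replaced file is a new inode created by the elasticsearch user, so its owner is no longer root.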
