I just installed Elasticsearch 8.4.1 from the elasticsearch-8.4.1-1.x86_64 RPM on a Red Hat Enterprise Linux release 8.6 (Ootpa) server.
Everything looks ok, elastic service is running.
But I cannot find the elastic user password.
In the logfile /var/log/elasticsearch/cluster.log, I found a line with this:
[2022-10-24T11:09:12,063][INFO ][o.e.x.s.InitialNodeSecurityAutoConfiguration] [servername.localdomain] Auto-configuration will not generate a password for the elastic built-in superuser, as we cannot determine if there is a terminal attached to the elasticsearch process. You can use the `bin/elasticsearch-reset-password` tool to set the password for the elastic user.
But running bin/elasticsearch-reset-password returns an error:
bash-4.4$ cd /usr/share/elasticsearch/
bash-4.4$ bin/elasticsearch-reset-password -u elastic
ERROR: could not write file [/etc/elasticsearch/users_roles]
despite the fact the file is writable for the user elasticsearch:
bash-4.4$ id
uid=9999(elasticsearch) gid=9999(elasticsearch) groups=9999(elasticsearch) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bash-4.4$ ls -l /etc/elasticsearch/users*
-rw-rw----. 1 root elasticsearch 0 Aug 26 14:16 /etc/elasticsearch/users
-rw-rw----. 1 root elasticsearch 0 Aug 26 14:16 /etc/elasticsearch/users_roles
bash-4.4$ ls -ln /etc/elasticsearch/users*
-rw-rw----. 1 0 9999 0 Aug 26 14:16 /etc/elasticsearch/users
-rw-rw----. 1 0 9999 0 Aug 26 14:16 /etc/elasticsearch/users_roles
And user elasticsearch can write in file:
bash-4.4$ ls -l users
-rw-rw----. 1 root elasticsearch 0 Aug 26 14:16 users
bash-4.4$ touch users
bash-4.4$ ls -l users
-rw-rw----. 1 root elasticsearch 0 Oct 24 13:21 users
Also, SELinux is enabled on the server:
bash-4.4$ ls -Z /etc/elasticsearch/users*
system_u:object_r:etc_t:s0 /etc/elasticsearch/users
system_u:object_r:etc_t:s0 /etc/elasticsearch/users_roles
bash-4.4$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
You need to fix the file permissions of the parent folder (I believe it is /etc/elasticsearch/) to create any new files. It is currently owned by root:root as opposed to root:elasticsearch.
root@stephenb-es-8-test:/etc/elasticsearch# sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -url https://elasticsearch.mydomain.net:9200
This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]y
Password for the [elastic] user successfully reset.
New value: askljfdhasldkfjhasflkasjdfh
The CLI tools always try to write the file atomically. To do that, it internally creates a temporary file and writes changes to the temp file. It then copies the file to overwrite the actual file to achieve atomicity. So what the error really means is that it cannot create the temp file, which is a new file.
I asked an admin to add a 'w' permission on /etc/elasticsearch/ at group level.
Now, running $ sudo -u elasticsearch bin/elasticsearch-reset-password -u elastic, I get this message:
WARNING: Owner of file [/etc/elasticsearch/users] used to be [root], but now is [elasticsearch]
WARNING: Owner of file [/etc/elasticsearch/users_roles] used to be [root], but now is [elasticsearch]
This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]
and the /etc/elasticsearch/users* files ownership changed from root:elasticsearch to elasticsearch:elasticsearch.
And the reset works:
Password for the [elastic] user successfully reset.
New value: xxx
So, solution: allow the elasticsearch user to write in the /etc/elasticsearch/ directory.
Note, writing into the /etc/elasticsearch/users* files seems to be temporary because once the reset is done, the files are emptied. I guess the system uses the native solution, storing users+passwords in a dedicated index.
Do you think this should be in the Elastic documentation? The fact you have to be root to reset the password?
Or maybe just put the right /etc/elasticsearch/ directory permission when installing from a package?
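The atomic-write behaviour described in the thread, as an added example that is not part of the original posts and not Elasticsearch's own code: it shows why a file that is group-writable can still fail to update when its directory is not, and why a file replaced this way ends up as a new inode owned by whoever ran the tool, which matches the owner-change warning above. The function names, the use of rename for the replacement step, and the directory modes are assumptions; the uid/gid and file mode come from the `ls -ln` output.

```python
import os
import stat
import tempfile
from types import SimpleNamespace

def _allowed(st, uid, gids, ubit, gbit, obit):
    # Classic POSIX class check (owner, else group, else other).
    # Ignores root, ACLs and SELinux.
    if uid == st.st_uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)

def can_write_in_place(file_st, uid, gids):
    """Opening an existing file for writing needs 'w' on the file only."""
    return _allowed(file_st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)

def can_replace_atomically(dir_st, uid, gids):
    """Temp file + rename creates a new entry: needs 'w' and 'x' on the directory."""
    return (_allowed(dir_st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
            and _allowed(dir_st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH))

def atomic_write(path, data):
    """Write to a temp file in the same directory, then rename it over path."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        os.replace(tmp, path)  # atomic on POSIX; path now refers to a new inode
    except BaseException:
        os.unlink(tmp)
        raise

def inode_changes():
    """Return (same inode after in-place write, new inode after atomic_write)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "users_roles")
        open(path, "w").close()
        before = os.stat(path).st_ino
        with open(path, "w") as f:
            f.write("in place")
        same = os.stat(path).st_ino == before
        atomic_write(path, "replaced")
        return same, os.stat(path).st_ino != before

# From the thread: files are root(0):elasticsearch(9999), mode 0660.
USERS_ROLES = SimpleNamespace(st_mode=0o100660, st_uid=0, st_gid=9999)
# Constructed: directory modes before and after the admin added group 'w'.
DIR_BEFORE = SimpleNamespace(st_mode=0o040750, st_uid=0, st_gid=9999)
DIR_AFTER = SimpleNamespace(st_mode=0o040770, st_uid=0, st_gid=9999)
```

To check a real host, pass `os.stat("/etc/elasticsearch")` and the service account's uid and group ids instead of the constructed values.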