Kibana Elasticsearch -> after 7 Days elastic user pw changed

Hello Community
Hello dear community,

I have a problem ...
I installed Kibana and Elasticsearch in an AKS (Azure Kubernetes cluster) following this tutorial.
Everything runs well until, after 7 days, the setup decides to change all generated passwords ...

This leads to errors:

{"type":"log","@timestamp":"2021-05-27T10:22:58+00:00","tags":["warning","plugins","licensing"],"pid":7,"message":"License information could not be obtained from Elasticsearch due to [security_exception] unable to authenticate user [elastic] for REST request [/_xpack?accept_enterprise=true], with { header={ WWW-Authenticate=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } :: {\"path\":\"/_xpack?accept_enterprise=true\",\"statusCode\":401,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"unable to authenticate user [elastic] for REST request [/_xpack?accept_enterprise=true]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"}}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"unable to authenticate user [elastic] for REST request [/_xpack?accept_enterprise=true]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"}},\\\"status\\\":401}\",\"wwwAuthenticateDirective\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"} error"}

I also tried to authenticate against Elasticsearch, unfortunately with no success because the passwords were changed.

The solution is to change the passwords and to change them wherever they are stored.
That kept the problem for another 7 days.

This problem sounds very similar to me, but unfortunately I can't find the solution in the topic ...

Hello,

Does nobody have any ideas or questions?

Elasticsearch does not automatically change or reset any password at all. I suspect there is something else going on. Based on the error message, you are using the elastic user, which in most cases is the built-in user. Did you change the password using the ChangePassword API? How did you do it when the previous password was changed and you didn't know what it was? Similarly, if you changed the password again, it does not seem possible for another process to change it again since it doesn't know the new password.

So I'll take a wild guess, if you use ILM or similar (curator?), could you please check whether you have some policy that automatically rolls over the security index every 7 days?

2 Likes

Hi @Yang_Wang,
Thanks for your reply. I had a look based on your hint, but I didn't find any curator stuff or similar.
Do you maybe have an idea where or how to look for this?

If you have a paid (or trial) license, then you can enable audit logs and work out where the password change is coming from.

Alternatively, to test @Yang_Wang's theory about the security index being deleted every 7 days, log in as the superuser (elastic) and run

GET /.security

Then look for the settings.index.creation_date field

On a newly created index you might have something like:

        "creation_date": "1623047288776",

You can enter that timestamp here: Milliseconds to Date Converter (ms to date since epoch) to find out when your security index was created.
If that corresponds to when the password was changed then it's a good sign that this is the problem.

Are you losing any other data every 7 days, or is it just the password?
Is it possible your nodes are being restarted and you don't have proper index storage setup?

1 Like
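The comparison described in the reply above, as an added example that is not part of the original thread: it reads `creation_date` from a `GET /.security` response and checks whether it falls close to the first `unable to authenticate user [elastic]` line in the Kibana log. The sample response, the concrete index name `.security-7`, the log lines and the deployment time are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: trimmed shape of a `GET /.security` response. The alias
# resolves to a concrete index; the name ".security-7" is an assumption.
SAMPLE_INDEX_RESPONSE = json.dumps({
    ".security-7": {"settings": {"index": {"creation_date": "1622110800000"}}}
})

# Constructed Kibana log lines in the JSON-lines format quoted in the thread.
SAMPLE_KIBANA_LOG = "\n".join([
    '{"type":"log","@timestamp":"2021-05-27T10:21:40+00:00","tags":["info"],"message":"http server running"}',
    '{"type":"log","@timestamp":"2021-05-27T10:22:58+00:00","tags":["warning","plugins","licensing"],'
    '"message":"unable to authenticate user [elastic] for REST request [/_xpack?accept_enterprise=true]"}',
])

def index_creation_times(get_index_json):
    """Map each concrete index name to its creation time (UTC)."""
    out = {}
    for name, body in json.loads(get_index_json).items():
        ms = int(body["settings"]["index"]["creation_date"])  # epoch millis, sent as a string
        out[name] = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    return out

def first_auth_failure(log_text, user="elastic"):
    """Timestamp of the earliest authentication failure for `user`, or None."""
    needle = f"unable to authenticate user [{user}]"
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip lines that are not JSON
        if isinstance(rec, dict) and needle in rec.get("message", ""):
            hits.append(datetime.fromisoformat(rec["@timestamp"]))
    return min(hits) if hits else None

def recreated_near_failure(created, failure, deployed, window=timedelta(hours=1)):
    """True if the index is newer than the deployment and was created close to the first 401."""
    return created > deployed + window and abs(failure - created) <= window

if __name__ == "__main__":
    created = index_creation_times(SAMPLE_INDEX_RESPONSE)[".security-7"]
    failure = first_auth_failure(SAMPLE_KIBANA_LOG)
    deployed = datetime(2021, 5, 20, 10, 0, tzinfo=timezone.utc)  # assumed install time
    print(created.isoformat(), failure.isoformat(),
          recreated_near_failure(created, failure, deployed))
```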

Hi TimV,

login as the superuser ( elastic ) and run

Not possible, they change the passwords ... so I can't log in with these credentials anymore. I have to delete the storages and create them anew, so I can't see the timestamp after 7 days.

Are you losing any other data every 7 days, or is it just the password?
Is it possible your nodes are being restarted and you don't have proper index storage setup?

Nodes are not restarting ... kubectl is not showing any restarts,
and no, I only lose the passwords.

If you have a paid (or trial) license, then you can enable audit logs and work out where the password change is coming from.

So I have to make a fresh install of the system as posted in the first post -> https://www.studytonight.com/post/setup-elasticsearch-with-authentication-xpack-security-enabled-on-kubernetes

and have to activate the trial, and then I have to wait 7 days again? ^^
