I have a problem ...
I installed Kibana and Elasticsearch following this tutorial
in an AKS (Azure Kubernetes cluster).
Everything runs well until, after 7 days, the setup decides to change all generated passwords ...
This leads to errors:
{"type":"log","@timestamp":"2021-05-27T10:22:58+00:00","tags":["warning","plugins","licensing"],"pid":7,"message":"License information could not be obtained from Elasticsearch due to [security_exception] unable to authenticate user [elastic] for REST request [/_xpack?accept_enterprise=true], with { header={ WWW-Authenticate=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } :: {\"path\":\"/_xpack?accept_enterprise=true\",\"statusCode\":401,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"unable to authenticate user [elastic] for REST request [/_xpack?accept_enterprise=true]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"}}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"unable to authenticate user [elastic] for REST request [/_xpack?accept_enterprise=true]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"}},\\\"status\\\":401}\",\"wwwAuthenticateDirective\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"} error"}
I also tried to authenticate against Elasticsearch, unfortunately with no success because the passwords were changed.
The solution is to change the passwords and to change them wherever they are stored.
That kept the problem away for another 7 days.
This problem sounds very similar to me, but unfortunately I can't find the solution in the topic ...
Elasticsearch does not automatically change or reset any password at all. I suspect there is something else going on. Based on the error message, you are using the elastic user, which in most cases is the built-in user. Did you change the password using the ChangePassword API? How did you do it when the previous password was changed and you didn't know what it was? Similarly, if you changed the password again, it does not seem possible for another process to change it again since it doesn't know the new password.
So I'll take a wild guess, if you use ILM or similar (curator?), could you please check whether you have some policy that automatically rolls over the security index every 7 days?
Hi @Yang_Wang,
Thanks for your reply. I had a look at your hint, but I didn't find any curator stuff or similar.
Do you maybe have an idea where or how to look for this?
Alternatively, to test @Yang_Wang's theory about the security index being deleted every 7 days, login as the superuser (elastic) and run
GET /.security
Then look for the settings.index.creation_date field
On a newly created index you might have something like:
"creation_date": "1623047288776",
You can enter that timestamp here: Milliseconds to Date Converter (ms to date since epoch) to find out when your security index was created.
If that corresponds to when the password was changed then it's a good sign that this is the problem.
Are you losing any other data every 7 days, or is it just the password?
Is it possible your nodes are being restarted and you don't have proper index storage setup?
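The check suggested above (read `creation_date` from `GET /.security` and compare it with the moment authentication started failing), as an added example that is not part of the original thread. The sample response and log lines are constructed, and the one-hour matching window is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed GET /.security response, trimmed to the fields used here.
SAMPLE_INDEX = {".security-7": {"aliases": {".security": {}},
                "settings": {"index": {"creation_date": "1623047288776"}}}}

# Constructed Kibana log lines in the JSON format quoted in the thread.
SAMPLE_LOG = [
    '{"type":"log","@timestamp":"2021-06-07T06:20:11+00:00","tags":["info"],"pid":7,"message":"Server running"}',
    'not json',
    '{"type":"log","@timestamp":"2021-06-07T06:31:02+00:00","tags":["warning","plugins","licensing"],"pid":7,'
    '"message":"[security_exception] unable to authenticate user [elastic] for REST request [/_xpack?accept_enterprise=true]"}',
]

def creation_times(get_index_response):
    """Map each concrete index behind the alias to its creation time (UTC)."""
    return {
        name: EPOCH + timedelta(milliseconds=int(body["settings"]["index"]["creation_date"]))
        for name, body in get_index_response.items()
    }

def first_auth_failure(log_lines):
    """Timestamp of the first 'unable to authenticate user' entry, or None."""
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON output such as stack traces
        if "unable to authenticate user" in entry.get("message", ""):
            return datetime.fromisoformat(entry["@timestamp"])
    return None

def recreated_before_failure(get_index_response, log_lines, window=timedelta(hours=1)):
    """Indices created at most `window` before the first failed login."""
    failed_at = first_auth_failure(log_lines)
    if failed_at is None:
        return []
    return [name for name, created in creation_times(get_index_response).items()
            if timedelta(0) <= failed_at - created <= window]

if __name__ == "__main__":
    for name, created in creation_times(SAMPLE_INDEX).items():
        print(name, "created", created.isoformat())
    print("recreated shortly before first 401:", recreated_before_failure(SAMPLE_INDEX, SAMPLE_LOG))
```

An index listed by `recreated_before_failure` was created just before logins began to fail, which points to the security index being recreated rather than a password being changed.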
Not possible, they change the passwords ... so I can't log in with these credentials anymore. I have to delete the storage and create it anew, so I can't see the timestamp after 7 days.
Are you losing any other data every 7 days, or is it just the password?
Is it possible your nodes are being restarted and you don't have proper index storage setup?
Nodes are not restarting ... kubectl is not showing any restarts,
and no, I only lose the passwords.
If you have a paid (or trial) license, then you can enable audit logs and work out where the password change is coming from.