Linux ps command shows Elasticsearch password

We are running Docker versions of Kibana and Elasticsearch. When Kibana is running, you can use a Linux "ps" command to see the Elasticsearch password.

geo 233087 232961 6 21:11 ? 00:00:06 /usr/share/kibana/bin/../node/bin/node --no-warnings --max-http-header-size=65536 /usr/share/kibana/bin/../src/cli --cpu.cgroup.path.override=/ --cpuacct.cgroup.path.override=/ --elasticsearch.password=xxxxxxxx --elasticsearch.username=xxxxxxxx

We are not using xpack.

I tried modifying kibana.yml and removing elasticsearch.password. While this removes it from the Linux run line, Kibana must have the password to connect to Elasticsearch.

Is there any way to mask the password, or pass it to Kibana another way?

You can use the Kibana keystore https://www.elastic.co/guide/en/kibana/current/secure-settings.html

@silentfilm Can you verify you are not setting the ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD environment variables?

They are normally set when passed in as parameters:
[root@kibana-aln-nbadev4 kibana]# env | grep ELASTICSEARCH
ELASTICSEARCH_USERNAME=kibanaserver
ELASTICSEARCH_PASSWORD=xxxxxxxx

If I remove elasticsearch.password from the variables listed in the kibana-docker file, Kibana runs and the ps display does not include the password:
geo 349877 349740 12 15:33 ? 00:00:05 /usr/share/kibana/bin/../node/bin/node --no-warnings --max-http-header-size=65536 /usr/share/kibana/bin/../src/cli --cpu.cgroup.path.override=/ --cpuacct.cgroup.path.override=/ --elasticsearch.username=kibanaserver

However, my browser says "Kibana is not ready yet."

The Kibana docker image still has these environment variables set:
[root@kibana-aln-nbadev4 kibana]# env | grep ELASTICSEARCH
ELASTICSEARCH_USERNAME=kibanaserver
ELASTICSEARCH_PASSWORD=xxxxxxxx

The Kibana log says,
{"log":"{\"type\":\"log\",\"@timestamp\":\"2020-05-27T19:36:47Z\",\"tags\":[\"fatal\",\"root\"],\"pid\":15,\"message\":\"{ Error: \\\"elasticsearch-password\\\" setting was not applied. Check for spelling errors and ensure that expected plugins are installed.\\n at KbnServer.exports.default (/usr/share/kibana/src/server/config/complete.js:88:17) code: 'InvalidConfig', processExitCode: 64 }\"}\n","stream":"stdout","time":"2020-05-27T19:36:47.531180187Z"}
{"log":"\n","stream":"stderr","time":"2020-05-27T19:36:47.534092211Z"}
{"log":" FATAL Error: \"elasticsearch-password\" setting was not applied. Check for spelling errors and ensure that expected plugins are installed.\n","stream":"stderr","time":"2020-05-27T19:36:47.534137206Z"}

OK, I think I follow all this now.

This is expected behavior. The environment variables end up as command line options for the Kibana process. We are going to update the documentation to make this more clear moving forward.

The easiest way to solve this problem is to bind mount a kibana.yml file into your container that contains the username and password. The docs for doing this can be found here
https://www.elastic.co/guide/en/kibana/current/docker.html#bind-mount-config

You can also use the Kibana keystore but it's more involved than bind mounting a configuration file.

I hope this helps.

3 Likes

Thanks, this does work, as defining elasticsearch.password in the bind-mounted kibana.yml file will allow Kibana to run without it being shown in the "ps -ef" display. I'm actually defining it as

elasticsearch.password: ${ELASTICSEARCH_PASSWORD:}

However, I also have to edit the kibana-docker file (inside the docker container) and remove the elasticsearch.password line there. This keeps the password from being included on the run line (and the ps display line). Where is this file created? I can't find it in our source code. Is it part of the docker image?

If you use a different environment variable name it shouldn't show up in the ps command. The kibana-docker script is designed to look for specific environment variables, ELASTICSEARCH_PASSWORD is one of them.

The script itself comes from here

Good luck
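
A check for the exposure discussed in this thread, as an added example that is not part of any post or of Kibana's own scripts: it reads `ps -eo pid=,args=` output and reports which processes carry a password-like option on their command line, without echoing the value. The function names, the keyword list and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report processes whose command line
# carries a secret-looking "--option=value" argument, as in the ps output above.

# scan_ps_lines: reads "PID COMMAND ARGS..." lines on stdin (the format of
# `ps -eo pid=,args=`) and prints "PID OPTION" for each sensitive option.
# The option's value is never echoed, so the report is safe to log.
# Limitation: ps joins argv with spaces, so values containing spaces are split.
scan_ps_lines() (
    set -f                                  # no globbing while splitting args
    while read -r pid args; do
        for arg in $args; do
            case "$arg" in
                -*=?*) ;;                   # only "-opt=value" with a value
                *) continue ;;
            esac
            name=${arg%%=*}
            lname=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
            case "$lname" in
                *password*|*passwd*|*secret*|*token*)   # assumed keyword list
                    printf '%s %s\n' "$pid" "$name" ;;
            esac
        done
    done
)

# scan_live: run the check against every process visible to the caller.
scan_live() {
    ps -eo pid=,args= | scan_ps_lines
}

# Constructed sample input modelled on the two ps lines in the thread.
SAMPLE_PS='233087 /usr/share/kibana/node/bin/node /usr/share/kibana/src/cli --elasticsearch.password=xxxxxxxx --elasticsearch.username=xxxxxxxx
349877 /usr/share/kibana/node/bin/node /usr/share/kibana/src/cli --elasticsearch.username=kibanaserver'

# Running the file directly prints the findings for the sample.
printf '%s\n' "$SAMPLE_PS" | scan_ps_lines
```

Calling `scan_live` on the Docker host after switching to a bind-mounted kibana.yml should print nothing for the Kibana process.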
