We are running docker versions of Kibana and Elasticsearch. When kibana is running, you can use a Linux "ps" command to see the Elasticsearch password.
I tried modifying kibana.yml and removing elasticsearch.password. While this removes it from the Linux run line, Kibana must have the password to connect to Elasticsearch.
Is there any way to mask the password, or pass it to Kibana another way.
They are normally set when passed in as parameters: [root@kibana-aln-nbadev4 kibana]# env | grep ELASTICSEARCH ELASTICSEARCH_USERNAME=kibanaserver ELASTICSEARCH_PASSWORD=xxxxxxxx
If I remove elasticsearch.password from the variables listed in the kibana-docker file, kibana runs and the ps display does not include the password.: geo 349877 349740 12 15:33 ? 00:00:05 /usr/share/kibana/bin/../node/bin/node --no-warnings --max-http-header-size=65536 /usr/share/kibana/bin/../src/cli --cpu.cgroup.path.override=/ --cpuacct.cgroup.path.override=/ --elasticsearch.username=kibanaserver
However, my browser says "Kibana is not ready yet."
The Kibana docker image still has these environment variables set: [root@kibana-aln-nbadev4 kibana]# env | grep ELASTICSEARCH ELASTICSEARCH_USERNAME=kibanaserver ELASTICSEARCH_PASSWORD=xxxxxxxx
The Kibana log says, {"log":"{\"type\":\"log\",\"@timestamp\":\"2020-05-27T19:36:47Z\",\"tags\":[\"fatal\",\"root\"],\"pid\":15,\"message\":\"{ Error: \\\"elasticsearch-password\\\" setting was not applied. Check for spelling errors and ensure that expected plugins are installed.\\n at KbnServer.exports.default (/usr/share/kibana/src/server/config/complete.js:88:17) code: 'InvalidConfig', processExitCode: 64 }\"}\n","stream":"stdout","time":"2020-05-27T19:36:47.531180187Z"} {"log":"\n","stream":"stderr","time":"2020-05-27T19:36:47.534092211Z"} {"log":" FATAL Error: \"elasticsearch-password\" setting was not applied. Check for spelling errors and ensure that expected plugins are installed.\n","stream":"stderr","time":"2020-05-27T19:36:47.534137206Z"}
This is expected behavior. The environment variables end up as command line options for the Kibana process. We are going to update the documentation to make this more clear moving forward.
Thanks, his does work, as defining elasticsearch.password in the bind-mounted kibana.yml file will allow Kibana to run without is being shown in the "ps -ef" display. I'm actually defining it as
However, I also have to edit the kibana-docker file (inside the docker container) and remove the elasticsearch.password line there. This keeps the password from being included on the run line (and the ps display line). Where is this file created? I can't find it in our source code. Is it part of the docker image?
If you use a different environment variable name it shouldn't show up in the ps command. The kibana-docker script is designed to look for specific environment variables, ELASTICSEARCH_PASSWORD is one of them.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.