Scripting password setup after install

Hi all,

I'm trying to figure out how to script setup of passwords. I'm using the below:

printf "password" | elasticsearch-keystore add "boostrap.password"
curl -uelastic:"password" -XPUT -H 'Content-Type: application/json' 'http://localhost:9200/_xpack/security/user/kibana/_password' -d '{ "password":"password" }'

However, the result I get from the curl call is:

{"error":{"root_cause":[{"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

This is based on the answer @TimV supplied back in 2018, but it seems to no longer work with ES7.3.0: How to set passwords for built-in users in batch mode?

It seems that elasticsearch-setup-passwords is supposed to have a -b flag to batch run, but while it's in the documentation (https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-passwords.html) it does not actually exist in the command.

Thanks!

I seem to be able to do it by installing expect and using the below script, but this doesn't seem like the best way to handle things.

#!/usr/bin/expect -f
 
set timeout -1
spawn bin/elasticsearch-setup-passwords interactive
expect "N]"
send -- "y\n"
expect "elastic]: "
send -- "password\n"
expect "elastic]: "
send -- "password\n"
expect "apm_system]: " 
send -- "password\n"
expect "apm_system]: " 
send -- "password\n"
expect "kibana]: "
send -- "password\n"
expect "kibana]: "
send -- "password\n"
expect "logstash_system]: "
send -- "password\n"
expect "logstash_system]: "
send -- "password\n"
expect "beats_system]: "
send -- "password\n"
expect "beats_system]: "
send -- "password\n"
expect "remote_monitoring_user]: "
send -- "password\n"
expect "remote_monitoring_user]: "
send -- "password\n"
expect eof

This process still works just fine, so I would assume that something went wrong when you attempted to run the commands you shared. The bootstrap.password is only taken into consideration when the elastic user doesn't already have a password.

Do you get any error messages when running the elasticsearch-keystore-add command? Can you verify that bootstrap.password is in the keystore with elasticsearch-keystore-list?

It does exist but what it does is that it prevents the CLI from outputting verification messages to the user. You wouldn't be able to use a CLI tool in interactive mode if it doesn't prompt you for input :slight_smile:

As Tim mentioned in the original post, the elasticsearch-setup-password is not designed to be scriptable, so the proper way to achieve what you are after is the original suggestion.

printf "password" | elasticsearch-keystore add "boostrap.password"

You have misspelt bootstrap here, and you need to pass -x to elasticsearch-keystore add if you want it to read from stdin.

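The fix from the last reply (correct key name, `-x` for stdin), followed by the API calls from the first post, as an added example that is not part of the original thread. `ES_HOME`, `ES_URL`, `ELASTIC_PW`, `USER_PW` and the function names are hypothetical; it assumes the keystore already exists and that the `seed` step runs before the node's first start. Feeding credentials to curl through `-K -` instead of `-u` is an addition made here so the passwords stay out of the process list.

```shell
#!/bin/sh
# Added example, not from the thread. ES_HOME, ES_URL, ELASTIC_PW and USER_PW are
# hypothetical names; passwords are assumed to contain no control characters.
set -eu
ES_HOME="${ES_HOME:-/usr/share/elasticsearch}"
ES_URL="${ES_URL:-http://localhost:9200}"
BUILTIN_USERS="apm_system kibana logstash_system beats_system remote_monitoring_user"

# Backslash-escape \ and " (the same rule serves JSON strings and curl config values).
esc() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

json_body() { printf '{"password":"%s"}' "$(esc "$1")"; }

# curl config fed on stdin (-K -), so neither password appears in the process list.
curl_config() {  # $1 = elastic password, $2 = new password
    printf 'user = "elastic:%s"\n' "$(esc "$1")"
    printf 'data = "%s"\n' "$(esc "$(json_body "$2")")"
}

# Step 1, before the node's first start: -x makes "add" read the value from stdin.
seed_bootstrap() {
    printf '%s' "$1" | "$ES_HOME/bin/elasticsearch-keystore" add -x bootstrap.password
    # Catches a misspelt key: the exact name must be listed.
    "$ES_HOME/bin/elasticsearch-keystore" list | grep -qx 'bootstrap.password'
}

# Step 2, node running: set one built-in user's password, authenticating as elastic.
# -f turns a 401 into a non-zero exit, so set -e stops the run on the first failure.
set_password() {  # $1 = user, $2 = elastic password, $3 = new password
    curl_config "$2" "$3" | curl -sS -f -K - -XPUT \
        -H 'Content-Type: application/json' \
        "$ES_URL/_xpack/security/user/$1/_password"
}

case "${1:-}" in
    seed)  seed_bootstrap "$ELASTIC_PW" ;;
    users) for u in $BUILTIN_USERS; do set_password "$u" "$ELASTIC_PW" "$USER_PW"; done ;;
    *)     echo "usage: $0 seed|users" >&2 ;;
esac
```

Run it with `seed` before Elasticsearch is started for the first time and with `users` once the node is up.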