Security Exception against elastic user

I have a 3-node ES cluster (version 5.6.3). I have deleted the data from each node and tried to bring up the cluster (as I am still experimenting with the cluster, the data is not important).

I get the below error:

[2018-01-05T09:41:26,410][ERROR][o.e.x.s.a.e.ReservedRealm] [c2-5a-c1-c2-d3-93] failed to retrieve password hash for reserved user [elastic]
[2018-01-05T09:41:26,411][WARN ][o.e.x.s.a.AuthenticationService] [c2-5a-c1-c2-d3-93] An error occurred while attempting to authenticate [elastic] against realm [reserved] - ElasticsearchSecurityException[failed to authenticate user [elastic]]

How can I fix this? With the data deleted, I would have thought this would have been seen as a clean cluster?

I can't seem to amend the elastic user password through ../bin/x-pack/users command as it is a reserved user. It seems the password is corrupt? How can I reset this?

How did you delete the data?

There should be more context to this error message. The code that produces this error also reports on the problem that caused it. Can you check your logs to see if there is additional information?

I deleted the data by shutting down all the ES nodes and then deleting the data folder.

The logs are only filled with single line WARN messages.

To get around the issue I had to create a new SuperUser, by running the /usr/share/elasticsearch/bin/x-pack/users command.

But the default user should have worked for me.


This introduction on how security works for the Elastic Stack might be helpful. Also, this page from our documentation would help explain that by deleting all the indices (deleting the data dir), you deleted the .security index too; that's where built-in users are stored, and this is why you can't use them anymore.

Running the users command, you created a new superuser in the File Realm.


Hi, thanks for your reply. But if I had reprovisioned the VMs, this means the environment has been reset back to the default? The data folder would be recreated by ES as per the elasticsearch.yml.

This is where my confusion is. I thought resetting the entire environment should mean I would be back to square one.

Then use the APIs, don't just delete things from the filesystem like that.
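The two points made in this thread, that wiping the data directory also wipes the .security index holding the built-in users, and that a test cluster should be cleared through the APIs instead, can be turned into a small script. The following is an added example written for this thread, not code from Elastic or from any poster; it assumes a 5.6 node reachable at ES_URL with X-Pack security enabled, an existing account in ES_AUTH (the elastic:changeme value is only a placeholder), and the index names in the test are constructed. It skips every dot-prefixed index, so .security survives, and it keeps the file-realm superuser command from the thread as the recovery path if .security is already gone.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): clear a *test* cluster's user data
# through the index API rather than rm -rf on the data directory, so the
# .security index (home of the built-in "elastic" user) is kept.
# Assumptions: ES 5.6 at ES_URL, X-Pack security on, credentials in ES_AUTH.

ES_URL="${ES_URL:-http://localhost:9200}"
ES_AUTH="${ES_AUTH:-elastic:changeme}"   # placeholder credentials, replace
DRY_RUN="${DRY_RUN:-1}"                  # 1 = only print what would be deleted

# System indices start with a dot (.security, .watches, .monitoring-*, ...)
# and are never touched by this script. Returns 0 when $1 is safe to delete.
should_delete_index() {
    case "$1" in
        .*|"") return 1 ;;
        *)     return 0 ;;
    esac
}

# Reads `_cat/indices?h=index` output on stdin and prints, one per line,
# the indices that would be deleted.
plan_deletes() {
    local idx
    while IFS= read -r idx; do
        if should_delete_index "$idx"; then
            printf '%s\n' "$idx"
        fi
    done
}

# Deletes every non-system index by name. A bare `DELETE /*` is avoided on
# purpose: as a superuser, a wildcard delete can take .security with it.
reset_user_indices() {
    curl -s -u "$ES_AUTH" "$ES_URL/_cat/indices?h=index" | plan_deletes |
    while IFS= read -r idx; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "would delete $idx"
        else
            curl -s -u "$ES_AUTH" -XDELETE "$ES_URL/$idx" && echo
        fi
    done
}

# Recovery path from the thread: when .security is already gone, a file-realm
# superuser (stored under the config directory, not in an index) restores
# access. Run it on each node; $1 is the user name, $2 a placeholder password.
add_file_realm_superuser() {
    /usr/share/elasticsearch/bin/x-pack/users useradd "$1" -p "$2" -r superuser
}
```

Run it once with DRY_RUN=1 and check that only your own indices are listed before running it with DRY_RUN=0; the file-realm function is there so that, if you already deleted the data directory as in this thread, you can recover the same way the original poster did.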
