I'm working on Chef recipes to install Elasticsearch 7 (7.2.1) with all kinds of security enabled. I've gotten it to make self-signed certificates. I've run the elasticsearch-setup-passwords to set the passwords of the system (reserved) accounts, and found the /_security/user/jacknich/_password API to set passwords. But I can't seem to find a way to give Elasticsearch a crypt instead of a plaintext password when setting the passwords of the system accounts, so that I don't need to store the passwords in plain text anywhere in Chef.
I've found that I can define other users in a file store but elasticsearch protests loudly when I try to put any reserved user names in there.
So, any way I can put crypts into elasticsearch to set system account passwords?
Unfortunately there is nothing that satisfies your use case. The only API that allows you to pass a salted cryptographic hash of the password instead of the plaintext password is the Create or Update Users API, and this can't be used to update the password of the built-in users.
We could support a password hash as input for our Change Password API, but frankly this has never been asked before AFAIK and there are currently no plans to introduce this functionality.
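Added example, not part of the thread and not Elastic's code: a Ruby sketch of the split described in the reply above, where a pre-computed hash is accepted by the Create or Update Users API for native users but not for built-in ones. The helper name, the `chef_app` user, the sample hash and the bcrypt shape check are assumptions made for illustration; the request is built but never sent.

```ruby
require "json"
require "net/http"
require "uri"

# Built-in (reserved) users in Elasticsearch 7.2. Their passwords can only be
# set through the Change Password API, which takes the plaintext password.
RESERVED_USERS = %w[
  elastic kibana logstash_system beats_system apm_system remote_monitoring_user
].freeze

# Shape check only: a 60-character "$2a$" bcrypt string (assumed hash format,
# matching a cluster left on its default bcrypt password hashing).
BCRYPT_SHAPE = %r{\A\$2a\$\d{2}\$[./A-Za-z0-9]{53}\z}

# Hypothetical helper: builds (does not send) the PUT /_security/user/<name>
# request that carries password_hash instead of a plaintext password.
def build_put_user_request(base_url, username, password_hash, roles)
  if RESERVED_USERS.include?(username)
    raise ArgumentError,
          "#{username} is a built-in user; password_hash cannot be used for it"
  end
  unless BCRYPT_SHAPE.match?(password_hash)
    raise ArgumentError, "password_hash does not look like a bcrypt hash"
  end

  path = "/_security/user/#{URI.encode_www_form_component(username)}"
  req = Net::HTTP::Put.new(URI.join(base_url, path))
  req["Content-Type"] = "application/json"
  # Only the hash goes into the body, so the recipe never holds the plaintext.
  req.body = JSON.generate("password_hash" => password_hash, "roles" => roles)
  req
end

# Constructed placeholder with the right shape; not a real password hash.
SAMPLE_HASH = "$2a$10$" + ("A" * 53)

if __FILE__ == $PROGRAM_NAME
  req = build_put_user_request("https://localhost:9200", "chef_app",
                               SAMPLE_HASH, ["monitoring_user"])
  puts "#{req.method} #{req.path}"
  puts req.body
end
```
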
To explain my use case: Storing system plaintext passwords in a secure location and restricting the distribution of them is good security policy. Therefore I would like to avoid putting the plaintext password into Chef. This works perfectly for unix user accounts, mysql accounts, and many other things, because you can create accounts or change passwords using the crypted passwords instead of the plaintext.