Setting passwords of builtin users to crypts

I'm working on chef recipes to install elasticsearch 7 (7.2.1) with all kinds of security enabled. I've gotten it to make self signed certificates. I've run the elasticsearch-setup-passwords to set the passwords of the system (reserved) accounts. And found the /_security/user/jacknich/_password API to set passwords. But I can't seem to find a way to give elasticsearch a crypt instead of a plaintext password when setting the passwords of the system accounts so that I don't need to store the passwords in plain text anywhere in chef.

I've found that I can define other users in a file store but elasticsearch protests loudly when I try to put any reserved user names in there.

So, any way I can put crypts into elasticsearch to set system account passwords?


Unfortunately there is nothing that satisfies your use case. The only API that allows you to pass a salted cryptographic hash of the the password instead of the plaintext password is the Create or Update Users API and this can't be used to update password of the built-in users.

We could support a password hash as input for our Change Password API, but frankly this has never been asked before AFAIK and there are currently no plans to introduce this functionality.

Thanks for your answer.

To explain my use case: Storing system plaintext passwords in a secure location and restricting the distribution of them is good security policy. Therefore I would like to avoid putting the plaintext password into Chef. This works perfectly for unix user accounts, mysql accounts, and many other things, because you can create accounts or change passwords using the crypted passwords instead of the plaintext.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.