Setup-passwords runs multiple times. It's not supposed to?

In the documentation on https://www.elastic.co/guide/en/x-pack/current/setting-up-authentication.html, it says, "After you set a password for the elastic user, the bootstrap password is no longer valid; you cannot run the setup-passwords command a second time." The second clause is untrue. I have run 'bin/x-pack/setup-passwords auto' multiple times, and it has reset the passwords each time. I don't know if this is a security problem, but thought I would bring it to your attention.

Can you provide more details about how you ran it?

There are some edge cases in the tool where it fails to change the passwords, but doesn't report the errors correctly. If that happens, then the tool will appear to run multiple times because it isn't actually doing anything. Those issues are due to be fixed in an upcoming patch release.

I ran it yesterday from the terminal, and then a few more times today. It output different passwords each time. As yet, I'm not sure how to test the passwords, as I'm just now learning this stuff. What other details can I provide?

I'm not sure how to test the passwords

The easiest way to test a password from the terminal is:

curl -uelastic http://localhost:9200/

That will prompt you for the password.
You may need to change the URL if you're running ES on a different port, or binding to a different address.

What other details can I provide?

Did you provide any command-line options to setup-passwords?
In particular, the --url option is known to cause problems if you don't pass the value in exactly the expected format.

I tried the command to test the password, but I'm not seeing success or fail in the response. It says:

{
  "name" : "oxyvoYJ",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "lYf60mkSSWmQiEXpNbVj9Q",
  "version" : {
    "number" : "6.0.0",
    "build_hash" : "8f0685b",
    "build_date" : "2017-11-10T18:41:22.859Z",
    "build_snapshot" : false,
    "lucene_version" : "7.0.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

The command I used to reset passwords was exactly bin/x-pack/setup-passwords auto.

Today I started with a freshly installed instance of Elasticsearch, and installed x-pack before I ran it. I tried consecutively auto-setting the passwords again, and it didn't allow me to do it this time.

Failed to authenticate user 'elastic' against http://127.0.0.1:9200/_xpack/security/_authenticate?pretty
Possible causes include:
 * The password for the 'elastic' user has already been changed on this cluster
 * Your elasticsearch node is running against a different keystore
   This tool used the keystore at /usr/local/elastic-stack/elasticsearch-6.0.0/config/elasticsearch.keystore

I do still have the instance that was malfunctioning, if there's any more info you want from it.

That's a success. You get a fairly obvious error message if it fails, and anything else is a success.

I'll send you a private message.
Thanks.
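
An explicit pass/fail version of the password test discussed in this thread, as an added example that is not part of the original posts or of Elastic's tooling: it calls the `_xpack/security/_authenticate` endpoint shown in the error output above and reports on the HTTP status instead of the response body. The function names, the `ES_PASSWORD` variable and the default URL are assumptions.

```shell
#!/bin/sh
# Added example: explicit pass/fail check of a built-in user's password.
# ES_PASSWORD and the default base URL are assumptions, not from the thread.

# Map the HTTP status of the _authenticate call to a verdict.
# Prints a message; returns 0 only when the credentials were accepted.
interpret_status() {
    case "$1" in
        200) echo "OK: credentials accepted"; return 0 ;;
        401) echo "FAIL: credentials rejected"; return 1 ;;
        000) echo "ERROR: no HTTP response (node down, wrong address or port?)"; return 2 ;;
        *)   echo "ERROR: unexpected HTTP status $1"; return 2 ;;
    esac
}

# check_password USER [BASE_URL]
# Reads the password from the ES_PASSWORD environment variable.
check_password() {
    user=$1
    base=${2:-http://localhost:9200}
    # Escape backslashes and double quotes for curl's config-file syntax.
    esc=$(printf '%s' "${user}:${ES_PASSWORD}" | sed 's/[\\"]/\\&/g')
    # Credentials reach curl on stdin (-K -), so they never appear in the
    # process list. The body is discarded; only the status code is kept.
    code=$(printf 'user = "%s"\n' "$esc" |
        curl -s -o /dev/null -w '%{http_code}' -K - \
            "${base}/_xpack/security/_authenticate") || true
    interpret_status "${code:-000}"
}

# Usage (after sourcing this file):
#   ES_PASSWORD='...' check_password elastic
#   ES_PASSWORD='...' check_password kibana http://127.0.0.1:9200
```

Running it after each `setup-passwords` attempt shows whether the newly printed password was actually applied, since a run that silently changed nothing leaves the new password rejected.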
