Hello,
I'm currently testing out elastic-search on docker. I'm trying to change the default password for the elastic user.
I have the following entry in my docker-compose file:
po-esearch:
container_name: "po-esearch"
restart: unless-stopped
image:
docker.elastic.co/elasticsearch/elasticsearch:5.6.3
ports:
- "9200:9200"
- "9300:9300"
networks:
- "po-logging-net"
volumes:
- ./esearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
- ./esearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties
environment:
- ELASTIC_PASSWORD=XXXXX
However, when i test the health API using basic auth i get the following:
{
"error": {
"root_cause": [
{
"type": "security_exception",
"reason": "failed to authenticate user [elastic]",
"header": {
"WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
}
}
],
"type": "security_exception",
"reason": "failed to authenticate user [elastic]",
"header": {
"WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
}
},
"status": 401
}
Setting the password from XXXXX to changeme results in a 200 response.
what are best practices to pass in my private password?
See:
# This file was generated from the template at templates/docker-compose-fragment.yml.j2
# The docker-compose fragment file provides settings that are specific to
# running the test suite. Some of the settings are useful as "canaries", for
# making assertions about the configuration.
---
version: '2.1'
services:
elasticsearch1:
# Let Testinfra infer the container name by making the hostname the same.
hostname: elasticsearch1
environment:
{% if image_flavor == 'platinum' -%}
# Specify the bootstrap password for elastic user.
- ELASTIC_PASSWORD=pleasechangeme
# Let us use the (insecure) prebundled TLS certs through a flag.
- ALLOW_INSECURE_DEFAULT_TLS_CERT=true
{% endif -%}
{% if image_flavor == 'platinum' -%}
# Enable Security audit logging so we can check the output for correctness.
- xpack.security.audit.enabled=true
This file has been truncated. show original
See:
#!/bin/bash
set -e
# Files created by Elasticsearch should always be group writable too
umask 0002
run_as_other_user_if_needed() {
if [[ "$(id -u)" == "0" ]]; then
# If running as root, drop to specified UID and run command
exec chroot --userspec=1000 / "${@}"
else
# Either we are running in Openshift with random uid and are a member of the root group
# or with a custom --user
exec "${@}"
fi
}
# Allow user specify custom CMD, maybe bin/elasticsearch itself
# for example to directly specify `-E` style parameters for elasticsearch on k8s
# or simply to run /bin/bash to check the image
This file has been truncated. show original
TimV
(Tim Vernum)
October 27, 2017, 7:05am
2
The ELASTIC_PASSWORD
environment variable is used in our docker images for the upcoming 6.0 release of Elasticsearch.
Since you are using 5.6.3
, there is no support for changing the password via an environment variable, you need to wait for the server to start and then change the password via the API.
system
(system)
Closed
November 24, 2017, 7:05am
3
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.