X-Pack Authentication issue

I have recently uninstalled and again reinstalled X-Pack. But when I followed the same tutorial used before, now I am getting error messages.

I have installed X-Pack with sudo permission. When I use the command below to generate passwords,

bin/x-pack/setup-passwords auto

I am getting the following error message.

Failed to authenticate user 'elastic' against http://127.0.0.1:9200/_xpack/security/_authenticate?pretty
Possible causes include:

  • The password for the 'elastic' user has already been changed on this cluster
  • Your elasticsearch node is running against a different keystore
    This tool used the keystore at /home/suryakumar/elasticsearch/config/elasticsearch.keystore

Please help me out!

I am using Ubuntu 16.04 LTS

Thanks,
Suryakumar.


I assume that you installed X-Pack, ran setup-passwords, and then uninstalled X-Pack, and then reinstalled X-Pack and are now trying to run setup-passwords again.

That doesn't work. When you uninstall X-Pack it does not remove the X-Pack data, so the passwords that you set up the first time through still exist.

Tim - I have the same issue.
You are correct in your assessment. But what is the solution? How can we reset the old passwords?

This is so frustrating to deal with; nothing works. Trying to set up passwords interactively doesn't work.
Trying the API to change passwords fails because of keystore issues.

I saw your answer to this on another thread, great answer, thank you.
In my case I get this error:
Security index is not on the current version. Security features relying on the index will not be available until the upgrade API is run on the security index

Update: problem solved in my case after upgrading the indices (security indices) using this link.

All of this took 4 hours, lots of research and time wasted. I think the scenarios that happened here should be part of a QA session to get better error messages, and to handle things like upgrading the security indices automatically. I, as a user, should not even know this has taken place. Once I did the upgrade and installed x-pack, why do I need to learn (4 hours later) that the root of my issue is something that was not upgraded? How could I have known?

Thank you


Tim,

Thank you for your reply! Yes I understood this is the problem and what is the solution for it? How can I proceed? Can you please elaborate the possible options?

Thanks in advance,
Suryakumar.

I have the same situation. Tried some time ago to install x-pack. Issues on configuring / making it run. Then I removed it and now I'm giving it another try, without success...

./setup-passwords interactive

Failed to authenticate user 'elastic' against http://10.150.2.116:9302/_xpack/security/_authenticate?pretty
Possible causes include:

  • The password for the 'elastic' user has already been changed on this cluster
  • Your elasticsearch node is running against a different keystore
    This tool used the keystore at /opt/software/elasticsearch-6.1.2/config/elasticsearch.keystore

ERROR: Failed to verify bootstrap password

I've also done a reset of the user elastic:

/opt/software/elasticsearch-6.1.2/bin/x-pack/users useradd my_admin -p my_pwd -r superuser

curl -u my_admin -XPUT 'http://kibana:9302/_xpack/security/user/elastic/_password?pretty' -H 'Content-Type: application/json' -d'
{
"password" : "newpassword"
}
'

How can it be fixed? Please, help.

Marco

@Suryakumar and @HansCama - did you happen to read the update on my reply? I solved my issue.
The errors may actually be in the Elasticsearch logs. In my case, just like you @HansCama, I uninstalled x-pack and now tried it again. The link I used is in my updated post.

This is a revised version of this post

Help! I don't have the password for the elastic user!

Pre-reading:

Before you start

(This section was added July 2018 in response to seeing many mistakes from new users)

Just because authentication fails, that does not mean that you have the wrong password. Before you do anything read the Elasticsearch logs. If you don't know how to read the Elasticsearch logs on your platform, then find out how.
Launching into the steps below before you confirmed what is causing the problems is incredibly unwise and is unlikely to solve your problem.
Obviously, authentication will fail if you don't know the correct password, but it can also fail for other reasons such as:

  • you have a storage problem that prevents ES from reading the security data
  • you have a network problem that prevents ES from forming a cluster

If authentication is suddenly failing for no clear reason then you want to try and work out why before you start messing around with your cluster.

If you have an underlying infrastructure problem, then try and solve that first.
If this is a genuine case of a forgotten password, then read on...

Resetting the password for elastic

You have 4 options to resolve this, depending on the state of your cluster and what data you need to keep, and what data you're happy to throw away, and how much risk you're willing to take upon yourself.

Option 1 is the safest option, and the only one that is recommended for production clusters. The other options may be suitable for trial or proof-of-concept clusters with non-production usage.

Only Option 1 is described here. Options 2, 3 and 4 are in a post below. If you care about your data, or you want to stick with officially supported options, then you should just read and follow option 1.

Option 1: Create a new superuser

This option involves creating an alternate superuser and then authenticating as that user in order to change the password for elastic. This is safe to perform on production clusters.

Steps:

  1. Shutdown every node in your Elasticsearch cluster.

  2. Ensure that the file realm is available on your nodes. If you are using a default X-Pack configuration for authentication, then the file realm is available and you don't need to do anything.
    However, if you have explicitly configured the authentication realms in your elasticsearch.yml file, then you may need to add a file realm.
    If you do this, then you should add it on every node.

  3. Use the bin/x-pack/users command to create a new file-based superuser on every node:

    bin/x-pack/users useradd my_admin -p my_password -r superuser
    

    This creates a user named my_admin with password my_password and the superuser role (which is a built-in role within X-Pack security).

  4. Start all your nodes.

  5. Reset the password for the elastic user:

    curl -u my_admin -XPUT 'http://localhost:9200/_xpack/security/user/elastic/_password?pretty' -H 'Content-Type: application/json' -d'
    { "password": "new_password" }'
    
  6. Verify the new password

    curl -u elastic 'http://localhost:9200/_xpack/security/_authenticate?pretty'
    
  7. If you wish, stop elasticsearch and then remove the file realm from your elasticsearch.yml and/or remove the my_admin user from the file realm.
    However, we do recommend that you keep this realm and user enabled, just in case you ever need to perform this sort of emergency maintenance in the future.
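The pre-flight check from "Before you start" plus steps 5 and 6 of Option 1, as an added example in Python (not code from the post or from Elastic). It assumes the 6.x X-Pack endpoints quoted in the thread; ES_URL and the user names are placeholders, and the HTTP function is injectable so the logic can be exercised without a live cluster.

```python
"""Reset the elastic password via a file-realm superuser, with checks first."""
import base64
import json
import urllib.error
import urllib.request

ES_URL = "http://localhost:9200"  # placeholder: change host/port to match your node


def http_json(method, path, user, password, body=None, url=ES_URL):
    """Send one request with HTTP Basic auth; return (status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url + path, data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        # Elasticsearch returns its error details as JSON in the body
        return err.code, json.loads(err.read() or b"{}")


def reset_elastic_password(admin, admin_pw, new_pw, send=http_json):
    """Verify the file-realm superuser, change elastic's password, verify it.

    Returns a short status string rather than raising, so a caller can tell
    "wrong password" apart from the security-index and role problems the
    thread describes, instead of blindly moving on to the destructive options.
    """
    status, body = send("GET", "/_xpack/security/_authenticate", admin, admin_pw)
    if status == 503 and "not on the current version" in json.dumps(body):
        return "security index needs upgrade"  # the error quoted in the thread
    if status != 200:
        return f"admin auth failed ({status}): check the Elasticsearch logs"
    if "superuser" not in body.get("roles", []):
        return "admin user lacks the superuser role"
    status, body = send("PUT", "/_xpack/security/user/elastic/_password",
                        admin, admin_pw, {"password": new_pw})
    if status != 200:
        return f"password change failed ({status})"
    # Step 6: confirm elastic can now authenticate with the new password
    status, body = send("GET", "/_xpack/security/_authenticate", "elastic", new_pw)
    if status != 200 or body.get("username") != "elastic":
        return f"verification as elastic failed ({status})"
    return "ok"
```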


WARNING WARNING WARNING

These are not officially supported methods.
These steps may cause you to lose data that you care about.
Please read the post above and follow Option 1 instead.

Below are some other options for resetting the password for your elastic user.
They all involve manual manipulation of your data, and if you do something wrong you may end up in a state that is worse than where you started. The Create a new superuser option listed in the previous post is safe, and is the only officially supported option for resetting the elastic user's password.

Option 2: Delete all data

If you delete all data from your elasticsearch cluster, this will also reset the elastic password as if you had a completely fresh cluster. The elastic user will reset to using the bootstrap password.

WARNING: Deleting all data means, all data. You will lose everything. Every index. Every template. Every Kibana visualisation/dashboard. Every user/role. Every ML job. Every watcher alert. Everything goes away. Only do this if you really want to start from scratch.

Steps:

  1. Shut down every node.
  2. Go back and re-read the warning above. If you take the next step, then you will lose all your data.
  3. Delete the data directory for every node. The location of this directory depends on how you installed and configured Elasticsearch.
  4. Start every node.
  5. Your cluster is now empty, and the elastic user has been reset to use the bootstrap password.

Option 3: Delete all security data

The data for security is stored in a special index called .security-6 (this name applies to Elasticsearch 6.x. The details may vary between releases).
If you delete this index, then you will reset all of the X-Pack security data, and this will mean that the elastic user can authenticate using the bootstrap password.

WARNING: Deleting the security index means that you lose all of your security data. Every user, role, role mapping, etc. If you have created your own users roles in X-Pack security, then you probably don't want to follow this option.

WARNING: These steps include temporarily disabling security on your cluster. Don't do this on your production cluster. If you do this, then your cluster will be open and accessible to anyone that has network access to your cluster.

Steps:

  1. Shutdown every node in your cluster.
  2. Go back and re-read both of the warnings above. You are about to disable all security on your cluster, and remove all your users, roles, passwords, etc. Do you really want to do this?
  3. On each node, disable all security by setting
    xpack.security.enabled: false
    
    in the elasticsearch.yml configuration file.
  4. Start your nodes.
  5. Delete the .security-6 index. You can do this with:
    curl -XDELETE "http://localhost:9200/.security-6" 
    
    Depending on your configuration, you may need to change the host/port.
    You only need to do this once regardless of how many nodes are in your cluster.
  6. Stop all your nodes.
  7. Enable security on your cluster by changing xpack.security.enabled to true in your elasticsearch.yml configuration file on every node.
  8. Start your nodes.
  9. Your cluster no longer has any security data and the elastic user has been reset to use the bootstrap password.

Option 4: Delete the elastic user from your security data

The password for the elastic user is stored in a special document (reserved-user-elastic), in a special index called .security-6. (These names are applicable for Elasticsearch 6.x. The details may vary between releases).
If you delete this document, then you will reset the elastic user back to its "uninitialised" state, which means you can authenticate using the bootstrap password.

WARNING: This requires performing manual operations against the security index. We do not support this. If you get this wrong, then you could make life very difficult for yourself. Do not do this on a production cluster. Use at your own risk.

WARNING: These steps include temporarily disabling security on your cluster. Don't do this on your production cluster. If you do this, then your cluster will be open and accessible to anyone that has network access to your cluster.

Steps:

  1. Shutdown every node in your cluster.
  2. Go back and re-read both of the warnings above. You are about to disable all security on your cluster, and make low-level changes to your security data. Do you really want to do this?
  3. On each node, disable all security by setting
    xpack.security.enabled: false
    
    in the elasticsearch.yml configuration file.
  4. Start your nodes.
  5. Delete the reserved-user-elastic document from the .security-6 index. You can do this with:
    curl -XDELETE "http://localhost:9200/.security-6/doc/reserved-user-elastic" 
    
    Depending on your configuration, you may need to change the host/port.
    You only need to do this once regardless of how many nodes are in your cluster.
  6. Stop all your nodes.
  7. Enable security on your cluster by changing xpack.security.enabled to true in your elasticsearch.yml configuration file on every node.
  8. Start your nodes.
  9. The elastic user has been reset to use the bootstrap password.

WARNING WARNING WARNING

These are not officially supported methods.
These steps may cause you to lose data that you care about.
Please read the post above and follow Option 1 instead.


Did you try this command? If not, then try it; it may give you something :)

bin/x-pack/setup-passwords auto -u "http://YOUR_ELASTIC_IP:9200"

Thanks & Regards,
Krunal.
