This is a revised version of this post
Help! I don't have the password for the elastic user!
Pre-reading:
- The password setup in Elasticsearch 6.x depends on a "bootstrap password" that is set on each node in your cluster. This password is documented here:
  https://www.elastic.co/guide/en/x-pack/6.2/setting-up-authentication.html#bootstrap-elastic-passwords
  If you do not have a fixed password for the elastic user, then it uses the bootstrap password.
- X-Pack security includes an API to change the password of a user. This is documented here:
  https://www.elastic.co/guide/en/elasticsearch/reference/6.2/security-api-change-password.html
Before you start
(This section was added July 2018 in response to seeing many mistakes from new users)
Just because authentication fails, that does not mean that you have the wrong password. Before you do anything, read the Elasticsearch logs. If you don't know how to read the Elasticsearch logs on your platform, then find out how.
Launching into the steps below before you have confirmed what is causing the problems is incredibly unwise and is unlikely to solve your problem.
Obviously, authentication will fail if you don't know the correct password, but it can also fail for other reasons such as:
- you have a storage problem that prevents ES from reading the security data
- you have a network problem that prevents ES from forming a cluster
If authentication is suddenly failing for no clear reason then you want to try and work out why before you start messing around with your cluster.
If you have an underlying infrastructure problem, then try and solve that first.
If this is a genuine case of a forgotten password, then read on...
Resetting the password for elastic
You have 4 options to resolve this, depending on the state of your cluster and what data you need to keep, and what data you're happy to throw away, and how much risk you're willing to take upon yourself.
Option 1 is the safest option, and the only one that is recommended for production clusters. The other options may be suitable for trial or proof-of-concept clusters with non-production usage.
Only Option 1 is described here. Options 2, 3 and 4 are in a post below. If you care about your data, or you want to stick with officially supported options, then you should just read and follow option 1.
Option 1: Create a new superuser
This option involves creating an alternate superuser and then authenticating as that user in order to change the password for elastic. This is safe to perform on production clusters.
Steps.
- Shut down every node in your Elasticsearch cluster.
- Ensure that the file realm is available on your nodes. If you are using a default X-Pack configuration for authentication, then the file realm is available and you don't need to do anything.
  However, if you have explicitly configured the authentication realms in your elasticsearch.yml file, then you may need to add a file realm.
  If you do this, then you should add it on every node.
- Use the bin/x-pack/users command to create a new file-based superuser on every node:
  bin/x-pack/users useradd my_admin -p my_password -r superuser
  This creates a user named my_admin with password my_password and the superuser role (which is a builtin role within X-Pack security).
- Start all your nodes.
- Reset the password for the elastic user:
  curl -u my_admin -XPUT 'http://localhost:9200/_xpack/security/user/elastic/_password?pretty' -H 'Content-Type: application/json' -d '{ "password": "new_password" }'
- Verify the new password:
  curl -u elastic 'http://localhost:9200/_xpack/security/_authenticate?pretty'
- If you wish, stop Elasticsearch and then remove the file realm from your elasticsearch.yml and/or remove the my_admin user from the file realm.
  However, we do recommend that you keep this realm and user enabled, just in case you ever need to perform this sort of emergency maintenance in the future.
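
The reset step above passes the new password as a curl argument, where it is recorded in shell history and visible in the process list. The script below is an added example, not part of the original post: it sends the same request with the body on stdin. The helper names and the ES_URL variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and ES_URL are
# hypothetical; the endpoint and the my_admin user come from the steps above.
ES_URL="${ES_URL:-http://localhost:9200}"

# Escape backslashes and double quotes so the password is a valid JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the change-password request body. Reject values this simple escaper
# cannot represent safely: an empty string or one with control characters.
password_body() {
  case "$1" in
    ''|*[[:cntrl:]]*)
      echo "refusing empty password or control characters" >&2
      return 1 ;;
  esac
  printf '{ "password": "%s" }' "$(json_escape "$1")"
}

# Prompt without echo, then send the body on stdin so the new password never
# appears in argv or history. curl itself prompts for the my_admin password.
reset_elastic_password() (
  trap 'stty echo' EXIT            # restore terminal echo even if interrupted
  printf 'New password for elastic: ' >&2
  stty -echo; IFS= read -r new_pw; stty echo; printf '\n' >&2
  body=$(password_body "$new_pw") || exit 1
  printf '%s' "$body" | curl -sS -u my_admin -XPUT \
    "$ES_URL/_xpack/security/user/elastic/_password?pretty" \
    -H 'Content-Type: application/json' --data-binary @-
)

# Run only when asked to, e.g.: sh reset_elastic.sh reset
if [ "${1:-}" = "reset" ]; then reset_elastic_password; fi
```

The same concern applies to -p my_password in the useradd step: if -p is omitted, the users command prompts for the password instead.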