X-Pack Authentication issue

This is a revised version of this post

Help! I don't have the password for the elastic user!

Pre-reading:

Before you start

(This section was added July 2018 in response to seeing many mistakes from new users)

Just because authentication fails, that does not mean that you have the wrong password. Before you do anything, read the Elasticsearch logs. If you don't know how to read the Elasticsearch logs on your platform, then find out how.
Launching into the steps below before you have confirmed what is causing the problem is unwise and is unlikely to solve it.
Obviously, authentication will fail if you don't know the correct password, but it can also fail for other reasons such as:

  • you have a storage problem that prevents ES from reading the security data
  • you have a network problem that prevents ES from forming a cluster

If authentication is suddenly failing for no clear reason then you want to try and work out why before you start messing around with your cluster.

If you have an underlying infrastructure problem, then try and solve that first.
If this is a genuine case of a forgotten password, then read on...

Resetting the password for elastic

You have 4 options for resolving this, depending on the state of your cluster, what data you need to keep, what data you are happy to throw away, and how much risk you are willing to take on.

Option 1 is the safest option, and the only one that is recommended for production clusters. The other options may be suitable for trial or proof-of-concept clusters with non-production usage.

Only Option 1 is described here. Options 2, 3 and 4 are in a post below. If you care about your data, or you want to stick with officially supported options, then you should just read and follow option 1.

Option 1: Create a new superuser

This option involves creating an alternate superuser and then authenticating as that user in order to change the password for elastic. It is safe to perform on production clusters.

Steps.

  1. Shutdown every node in your Elasticsearch cluster.

  2. Ensure that the file realm is available on your nodes. If you are using the default X-Pack configuration for authentication, then the file realm is available and you don't need to do anything.
    However, if you have explicitly configured the authentication realms in your elasticsearch.yml file, then you may need to add a file realm.
    If you do this, then you should add it on every node, because the file realm is configured per node rather than cluster-wide.

  3. Use the bin/x-pack/users command to create a new file-based superuser on every node:

    bin/x-pack/users useradd my_admin -p my_password -r superuser

    This creates a user named my_admin with password my_password and the superuser role (which is a built-in role within X-Pack security).

  4. Start all your nodes.

  5. Reset the password for the elastic user (curl will prompt you for my_password, since only the user name is given to -u):

    curl -u my_admin -XPUT 'http://localhost:9200/_xpack/security/user/elastic/_password?pretty' -H 'Content-Type: application/json' -d'
    { "password": "new_password" }'

  6. Verify the new password by authenticating as elastic (you will be prompted for new_password):

    curl -u elastic 'http://localhost:9200/_xpack/security/_authenticate?pretty'
    
  7. If you wish, stop elasticsearch and then remove the file realm from your elasticsearch.yml and/or remove the my_admin user from the file realm.
    However, we do recommend that you keep this realm and user enabled, just in case you ever need to perform this sort of emergency maintenance in the future.
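The steps above, gathered into one script as an added example (this is not code from the original post or from Elastic). It assumes the 5.x/6.x layout the post uses (bin/x-pack/users, the _xpack/security API, the pre-7.x realm syntax in elasticsearch.yml), an HTTP endpoint in ES_URL, and hypothetical helper names; it also adds two checks the procedure relies on but does not spell out: X-Pack rejects passwords shorter than 6 characters, and a password containing quotes or backslashes must be JSON-escaped or the change-password request will fail or set a different password than you typed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Helper names are hypothetical.
set -eu

ES_URL="${ES_URL:-http://localhost:9200}"                 # assumption: HTTP, no TLS
ES_HOME="${ES_HOME:-/usr/share/elasticsearch}"            # assumption: package install path

# Step 2: realm block to merge into elasticsearch.yml on EVERY node if you have
# configured realms explicitly (5.x/6.x syntax). Giving the file realm the lowest
# order makes it the first realm consulted, so the recovery user still works when
# the native realm's security index cannot be read.
file_realm_config() {
  cat <<'EOF'
xpack.security.authc.realms:
  file1:
    type: file
    order: 0
  native1:
    type: native
    order: 1
EOF
}

# X-Pack rejects passwords shorter than 6 characters; fail early rather than
# discovering it from a 400 response after the cluster has been restarted.
validate_password() {
  [ "${#1}" -ge 6 ] || { echo "password must be at least 6 characters" >&2; return 1; }
}

# Step 3: create the temporary file-realm superuser. Run on every node while
# Elasticsearch is stopped; the file realm is per node, not cluster-wide.
add_recovery_user() {
  local user="$1" pass="$2"
  validate_password "$pass"
  "$ES_HOME/bin/x-pack/users" useradd "$user" -p "$pass" -r superuser
}

# JSON body for the change-password API. Backslashes and double quotes are
# escaped so a password such as p"ss\word is sent verbatim instead of breaking
# the JSON or silently becoming a different string.
password_body() {
  local escaped
  escaped=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"password":"%s"}' "$escaped"
}

# Extract "username" from a (pretty-printed or compact) _authenticate response.
authenticated_user() {
  sed -n 's/.*"username"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Step 5: reset elastic's password as the recovery user. Only the user name is
# passed to -u so curl prompts for the password instead of exposing it in argv
# and shell history; the body goes in on stdin for the same reason.
reset_elastic_password() {
  local admin="$1" new_pass="$2"
  validate_password "$new_pass"
  password_body "$new_pass" | curl --fail --silent --show-error -u "$admin" \
    -XPUT "$ES_URL/_xpack/security/user/elastic/_password?pretty" \
    -H 'Content-Type: application/json' -d @-
}

# Step 6: prove the new password works by authenticating as elastic.
verify_elastic_password() {
  curl --fail --silent --show-error -u elastic \
    "$ES_URL/_xpack/security/_authenticate?pretty" | authenticated_user
}

# Steps 5 and 6 run only when explicitly requested, so sourcing the file is safe.
if [ "${RUN_RESET:-0}" = "1" ]; then
  reset_elastic_password "${ADMIN_USER:-my_admin}" "${NEW_PASSWORD:?set NEW_PASSWORD}"
  if [ "$(verify_elastic_password)" = "elastic" ]; then
    echo "elastic password reset and verified"
  else
    echo "verification failed: check the Elasticsearch logs before retrying" >&2
    exit 1
  fi
fi
```

Usage: run add_recovery_user on each stopped node (the users tool writes the node's own users file), start the cluster, then run the script once with RUN_RESET=1 NEW_PASSWORD=... and answer curl's prompts with the recovery user's password and then the new elastic password. Using the prompts rather than `-u user:pass` keeps both passwords out of process listings and shell history, which matters on a shared admin host.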
