X-Pack Authentication issue

WARNING WARNING WARNING

These are not officially supported methods.
These steps may cause you to lose data that you care about.
Please read the post above and follow Option 1 instead.

Below are some other options for resetting the password for your elastic user.
They all involve manual manipulation of your data, and if you do something wrong you may end up in a state that is worse than where you started. The Create a new superuser option listed in the previous post is safe, and is the only officially supported option for resetting the elastic user's password.

Option 2: Delete all data

If you delete all data from your elasticsearch cluster, this will also reset the elastic password as if you had a completely fresh cluster. The elastic user will reset to using the bootstrap password.

WARNING: Deleting all data means all data. You will lose everything. Every index. Every template. Every Kibana visualisation/dashboard. Every user/role. Every ML job. Every watcher alert. Everything goes away. Only do this if you really want to start from scratch.

Steps:

  1. Shut down every node.
  2. Go back and re-read the warning above. If you take the next step, then you will lose all your data.
  3. Delete the data directory for every node. The location of this directory depends on how you installed and configured Elasticsearch.
  4. Start every node.
  5. Your cluster is now empty, and the elastic user has been reset to use the bootstrap password.

Option 3: Delete all security data

The data for security is stored in a special index called .security-6 (this name applies to Elasticsearch 6.x. The details may vary between releases).
If you delete this index, then you will reset all of the X-Pack security data, and this will mean that the elastic user can authenticate using the bootstrap password.

WARNING: Deleting the security index means that you lose all of your security data. Every user, role, role mapping, etc. If you have created your own users/roles in X-Pack security, then you probably don't want to follow this option.

WARNING: These steps include temporarily disabling security on your cluster. Don't do this on your production cluster. If you do this, then your cluster will be open and accessible to anyone that has network access to your cluster.

Steps:

  1. Shut down every node in your cluster.
  2. Go back and re-read both of the warnings above. You are about to disable all security on your cluster, and remove all your users, roles, passwords, etc. Do you really want to do this?
  3. On each node, disable all security by setting
    xpack.security.enabled: false
    
    in the elasticsearch.yml configuration file.
  4. Start your nodes.
  5. Delete the .security-6 index. You can do this with:
    curl -XDELETE "http://localhost:9200/.security-6" 
    
    Depending on your configuration, you may need to change the host/port.
    You only need to do this once regardless of how many nodes are in your cluster.
  6. Stop all your nodes.
  7. Enable security on your cluster by changing xpack.security.enabled to true in your elasticsearch.yml configuration file on every node.
  8. Start your nodes.
  9. Your cluster no longer has any security data and the elastic user has been reset to use the bootstrap password.

Option 4: Delete the elastic user from your security data

The password for the elastic user is stored in a special document (reserved-user-elastic), in a special index called .security-6. (These names are applicable for Elasticsearch 6.x. The details may vary between releases).
If you delete this document, then you will reset the elastic user back to its "uninitialised" state, which will mean you can authenticate using the bootstrap password.

WARNING: This requires performing manual operations against the security index. We do not support this. If you get this wrong, then you could make life very difficult for yourself. Do not do this on a production cluster. Use at your own risk.

WARNING: These steps include temporarily disabling security on your cluster. Don't do this on your production cluster. If you do this, then your cluster will be open and accessible to anyone that has network access to your cluster.

Steps:

  1. Shut down every node in your cluster.
  2. Go back and re-read both of the warnings above. You are about to disable all security on your cluster, and make low level changes to your security data. Do you really want to do this?
  3. On each node, disable all security by setting
    xpack.security.enabled: false
    
    in the elasticsearch.yml configuration file.
  4. Start your nodes.
  5. Delete the reserved-user-elastic document from the .security-6 index. You can do this with:
    curl -XDELETE "http://localhost:9200/.security-6/doc/reserved-user-elastic" 
    
    Depending on your configuration, you may need to change the host/port.
    You only need to do this once regardless of how many nodes are in your cluster.
  6. Stop all your nodes.
  7. Enable security on your cluster by changing xpack.security.enabled to true in your elasticsearch.yml configuration file on every node.
  8. Start your nodes.
  9. The elastic user has been reset to use the bootstrap password.

WARNING WARNING WARNING

These are not officially supported methods.
These steps may cause you to lose data that you care about.
Please read the post above and follow Option 1 instead.

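An added example, not part of the post above or of Elasticsearch itself: a small bash wrapper around step 5 of Option 4 that adds the checks a practitioner would want before running an unauthenticated DELETE against the security index. It refuses to target anything but a local host unless explicitly overridden, treats an HTTP 401 on the document as "security is still enabled, go back to steps 1-4", treats a 404 as "nothing to do", and confirms the document is really gone after the DELETE. It assumes Elasticsearch 6.x (index .security-6, type doc, as in the post), plain http with no TLS on the HTTP layer, and that steps 1-4 have already been completed. The ES_URL, SECURITY_INDEX and ALLOW_REMOTE variables and the es_status helper are this script's own conventions, not Elasticsearch settings.

```shell
#!/usr/bin/env bash
# Guarded version of Option 4, step 5: delete reserved-user-elastic from the
# security index so the elastic user falls back to the bootstrap password.
# ASSUMPTIONS: Elasticsearch 6.x, security already disabled (steps 1-4 done),
# plain http. ES_URL / SECURITY_INDEX / ALLOW_REMOTE are this script's own knobs.
set -euo pipefail

ES_URL="${ES_URL:-http://localhost:9200}"
SECURITY_INDEX="${SECURITY_INDEX:-.security-6}"   # .security-6 is the 6.x name
ELASTIC_DOC="reserved-user-elastic"

# Issue one request and print only the HTTP status code. Kept as a single
# function so the HTTP layer is easy to replace (or mock) in one place.
es_status() {  # METHOD PATH
  curl -sS --max-time 10 -o /dev/null -w '%{http_code}' -X "$1" "$ES_URL$2"
}

# With security disabled the cluster is wide open, so by default only allow a
# target that is clearly the local node; ALLOW_REMOTE=1 overrides deliberately.
check_target_is_local() {
  case "$ES_URL" in
    http://localhost|http://localhost:*|http://127.0.0.1|http://127.0.0.1:*) return 0 ;;
  esac
  [ "${ALLOW_REMOTE:-0}" = "1" ]
}

# Returns 0 on success (document deleted, or already absent), non-zero otherwise.
reset_elastic_user() {
  local path="/$SECURITY_INDEX/doc/$ELASTIC_DOC"

  check_target_is_local || {
    echo "refusing: $ES_URL is not a local node; set ALLOW_REMOTE=1 to override" >&2
    return 2
  }

  # An unauthenticated GET tells us what state we are in before touching anything.
  case "$(es_status GET "$path")" in
    401) echo "security is still enabled on $ES_URL; finish steps 1-4 first" >&2; return 3 ;;
    404) echo "$ELASTIC_DOC not found in $SECURITY_INDEX: elastic is already on the bootstrap password"; return 0 ;;
    200) ;;
    *)   echo "unexpected response from $ES_URL$path; not proceeding" >&2; return 4 ;;
  esac

  [ "$(es_status DELETE "$path")" = "200" ] || {
    echo "DELETE $path failed" >&2
    return 5
  }

  # Verify the delete actually took effect before telling the operator to re-enable security.
  [ "$(es_status GET "$path")" = "404" ] || {
    echo "$ELASTIC_DOC is still present after DELETE; inspect $SECURITY_INDEX manually" >&2
    return 6
  }

  echo "deleted $ELASTIC_DOC from $SECURITY_INDEX; now re-enable security (steps 6-8) and log in with the bootstrap password"
}

# Only run when invoked directly with RUN_RESET=1, so sourcing the file for its
# functions (or reading it) never fires a DELETE by accident.
if [ "${RUN_RESET:-0}" = "1" ]; then
  reset_elastic_user
fi
```

Usage: RUN_RESET=1 ./reset-elastic.sh after steps 1-4, with ES_URL set if your node is not on localhost:9200. The 401 check is the important one: if you skipped disabling security, the curl in the original step 5 simply fails with an authentication error, whereas here the script says so and stops before any DELETE is attempted.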