Best practices for managing the admin user

Hello,

I don’t really understand how the management of internal users in OpenDistro is supposed to work.

After the initial setup it’s not possible to change the password of the admin user from the default of admin. It’s not possible to change the password of this user, as it’s only met with an error: Failed to reset password. {"status":"FORBIDDEN","message":"Resource 'admin' is read-only."}. From my understanding the only way to change this password is to change the password hash in the securityconfig/internal_users.yml file? I might be mistaken though, but I can’t really find any details regarding the default users in the documentation.

Now the problem I see with this for future reference is that if I understand it correctly, the only way to change the password of this super-user is with the securityadmin.sh script to read the configuration again, but it seems that this will overwrite all internal users? So any extra individual users user would be overwritten at this point, meaning that you can’t really change the admin password without resetting all users/passwords in the entire system?

The documentation recommends against using the yaml files past initial setup, I imagine at least in part for the reason listed above. But doesn’t that mean that you’ll end up with a admin user whose password can never be changed? This seems like a very insecure setup to me, so I really hope that I’ve missed anything.

Hello,

I guess the simplest way is using the create_user API or the patch_user API, depending whether you want to “replace” the entry or update part of it. As it states there, you can either define the password you want or the hash version of it.

However, it is also possible with yaml files import. You can use the /opendistro_security/tools/hash.sh script in order to create a hash for any new password you want. Then you can indeed place that hash into the internal_users.yml and import it using the securityadmin.sh script. I guess this is part of the initial setup and meant to be done early on (before you create other users or start actually using the cluster).

In any case, the securityadmin.sh script supports retrieving the current yaml files (i.e. it downloads the current internal_users, roles, etc.) into your local filesystem using -backup argument and then you can modify those (e.g. change the hash for admin) and import them back. Note that if you want, you can only import 1 file (e.g. only internal_users.yml) and not all of them, using the -f and -t arguments.

You can find more details on this here.

The reason you can’t update the admin users is because it is marked as reserved API - Open Distro for Elasticsearch Documentation .

In my environment I define all “service” and admin users with internal_users.yml and I have them all marked as reserved since I don’t want them to be updated from the API. I have no “normal users” configured locally since all normal users comes from LDAP.

So if I wanted to make it possible to update the admin users password from the API, I would follow Spapadop’s suggestion but instead of updating the admin user’s hash I would modify the admin user to not be reserved anymore.