Changing admin password in internal_users has no effect

I’m using odfe 1.12, I ran with the default configuration, copied that over from the docker container to the local file system and mounted the directories at the correct places for the docker container:

docker run -d --name odfe-elasticsearch --network custombridge -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" -e DISABLE_INSTALL_DEMO_CONFIG=true -v /opt/odfe-elasticsearch/config:/usr/share/elasticsearch/config/ -v /opt/odfe-elasticsearch/securityconfig/:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -v /etc/localtime:/etc/localtime:ro -v /opt/odfe-elasticsearch/data:/usr/share/elasticsearch/data --restart always amazon/opendistro-for-elasticsearch:latest

Password test, hash: $2y$12$pQr3HmQ0HI8hmYJy017GXOR0JHDuMIlU7LRWOxtFe0jdqQBxjRveq

Used the hash tool to generate a hash, saved it in the file and validated by entering the running docker container:
docker exec -it odfe-elasticsearch /bin/bash
[root@a0af00b42b19 securityconfig]# ls -al
total 68
drwxrwxrwx 2 elasticsearch root 4096 Dec 21 10:37 .
drwxrwxr-x 1 elasticsearch root 4096 Dec 14 22:47 …
-rwxrwxrwx 1 elasticsearch root 49 Dec 14 22:47 action_groups.yml
-rwxrwxrwx 1 elasticsearch root 2541 Dec 14 22:47 audit.yml
-rwxrwxrwx 1 elasticsearch root 9956 Dec 14 22:47 config.yml
-rwxrwxrwx 1 elasticsearch root 12057 Dec 14 22:47 elasticsearch.yml.example
-rwxrwxrwx 1 elasticsearch root 1319 Dec 21 10:46 internal_users.yml
-rwxrwxrwx 1 elasticsearch root 154 Dec 14 22:47 nodes_dn.yml
-rwxrwxrwx 1 elasticsearch root 3198 Dec 14 22:47 roles.yml
-rwxrwxrwx 1 elasticsearch root 856 Dec 14 22:47 roles_mapping.yml
-rwxrwxrwx 1 elasticsearch root 170 Dec 14 22:47 tenants.yml
-rwxrwxrwx 1 elasticsearch root 1982 Dec 14 22:47 whitelist.yml
[root@a0af00b42b19 securityconfig]# cat internal_users.yml

# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/

  type: "internalusers"
  config_version: 2

# Define your internal users here

## Demo users

  hash: "$2y$12$pQr3HmQ0HI8hmYJy017GXOR0JHDuMIlU7LRWOxtFe0jdqQBxjRveq"
  reserved: true
  - "admin"
  description: "Demo admin user"

  hash: "$2y$12$pQr3HmQ0HI8hmYJy017GXOR0JHDuMIlU7LRWOxtFe0jdqQBxjRveq"
  reserved: true
  description: "Demo kibanaserver user"

root@neo-server:/opt/odfe-elasticsearch# docker restart odfe-elasticsearch


root@neo-server:/opt/odfe-elasticsearch# curl -XGET https://localhost:9200 -u 'admin:test' --insecure
root@neo-server:/opt/odfe-elasurl -XGET https://localhost:9200 -u 'admin:admin' --insecure
  "name" : "a0af00b42b19",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "KFQfY5jpR0m8-it_qoIS0w",
  "version" : {
    "number" : "7.10.0",
    "build_flavor" : "oss",
    "build_type" : "tar",
    "build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",
    "build_date" : "2020-11-09T21:30:33.964949Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  "tagline" : "You Know, for Search"

I’m confused, why doesn’t pick up the new settings?

edit: even deleting the admin user has no effect. When entering the docker container I can see the admin entry is gone, but still it persists in Kibana and can be used to execute http calls…

You need to run

sh -cd …/securityconfig/ -icl -nhnv -cacert …/…/…/config/root-ca.pem -cert …/…/…/config/kirk.pem -key …/…/…/config/kirk-key.pem

after changing the password.

a tiny bit convoluted but it worked! :slight_smile:

Thanks @neographikal

I’m running in K8s and the exact procedure was:

kubectl -n opendistro exec -it opendistro-es-master-2 -- bash
cd /usr/share/elasticsearch/plugins/opendistro_security/tools/
sh /usr/share/elasticsearch/plugins/opendistro_security/tools/ -cd ../securityconfig/ -icl -nhnv -cacert ../../../config/root-ca.pem -cert ../../../config/kirk.pem -key ../../../config/kirk-key.pem