How to Default Password Reset

I tried to change the password in three ways, but all failed.

First attempt
Viewed the document and changed the administrator password. An error occurred when I saw the article Apply configuration changes using securityadmin.sh

ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin]
Trace:
java.lang.IllegalStateException: failed to load plugin class [com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:722)
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:124)
        at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:114)
        at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:139)
        at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:282)
        at com.amazon.opendistroforelasticsearch.security.tools.OpenDistroSecurityAdmin$TransportClientImpl.<init>(OpenDistroSecurityAdmin.java:1007)
        at com.amazon.opendistroforelasticsearch.security.tools.OpenDistroSecurityAdmin.execute(OpenDistroSecurityAdmin.java:520)
        at com.amazon.opendistroforelasticsearch.security.tools.OpenDistroSecurityAdmin.main(OpenDistroSecurityAdmin.java:157)
Caused by: java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:64)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:481)
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:713)
        ... 7 more
Caused by: ElasticsearchSecurityException[Error while initializing transport SSL layer from PEM: ElasticsearchException[Unable to read /etc/elasticsearch/kirk.pem (/etc/elasticsearch/kirk.pem). Please make sure this files exists and is readable regarding to permissions. Property: opendistro_security.ssl.transport.pemcert_filepath]]; nested: ElasticsearchException[Unable to read /etc/elasticsearch/kirk.pem (/etc/elasticsearch/kirk.pem). Please make sure this files exists and is readable regarding to permissions. Property: opendistro_security.ssl.transport.pemcert_filepath];
        at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.initTransportSSLConfig(DefaultOpenDistroSecurityKeyStore.java:409)
        at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.initSSLConfig(DefaultOpenDistroSecurityKeyStore.java:248)
        at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.<init>(DefaultOpenDistroSecurityKeyStore.java:169)
        at com.amazon.opendistroforelasticsearch.security.ssl.OpenDistroSecuritySSLPlugin.<init>(OpenDistroSecuritySSLPlugin.java:217)
        at com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin.<init>(OpenDistroSecurityPlugin.java:246)
        ... 13 more
Caused by: ElasticsearchException[Unable to read /etc/elasticsearch/kirk.pem (/etc/elasticsearch/kirk.pem). Please make sure this files exists and is readable regarding to permissions. Property: opendistro_security.ssl.transport.pemcert_filepath]
        at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.checkPath(DefaultOpenDistroSecurityKeyStore.java:948)
        at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.resolve(DefaultOpenDistroSecurityKeyStore.java:227)
        at com.amazon.opendistroforelasticsearch.security.ssl.DefaultOpenDistroSecurityKeyStore.initTransportSSLConfig(DefaultOpenDistroSecurityKeyStore.java:386)
        ... 17 more


Second try
In order to approach it in a different way, we tried to change the password through ‘Internal users’ menu in ‘kibana’ but it also failed.

{"status":"FORBIDDEN","message":"Resource 'admin' is read-only."}


Last attempt

Although it was used to execute the ‘internal_users.yml’ docker container that was modified after reading the above article, This, too, failed.

node1 | [2021-04-05T05:02:05,046][WARN ][c.a.o.s.a.BackendRegistry] [15a978978631] Authentication finally failed for kibanaserver from ....

kibana | {"type":"log","@timestamp":"2021-04-05T05:02:05Z","tags":["error","elasticsearch","data"],"pid":1,"message":"[ResponseError]: Response Error"}

The above error occurred when trying to access the changed information after changing the password of the kibanaserver account for testing. I think the changed password is probably not applied correctly.




It’s okay if it’s not my approach. I want to know how to change the password. Can someone help me?

@dhhan Your first attempt is needed to change the admin password. You can’t change it using UI or API, as admin certificate is needed.
Assuming you used install_demo_configuration.sh and as a result were provided with admin cert and key (kirk.pem and kirk-key.pem most likely). Can you try to place these in the elasticsearch/config directory and rerun the securityadmin.sh using below arguments:

sh securityadmin.sh -cd /path/to/securityconfig/ -icl -nhnv -cacert /path/to/config/root-ca.pem -cert /path/to/config/kirk.pem -key /path/to/config/kirk-key.pem

1 Like

Do I need to create ‘kirk.pem’ file and ‘kirk-key.pem’ file separately?

I found out that two files do not exist inside the working ODE and ODK containers.

find / -name 'kirk.pem'
find / -name 'kirk-key.pem'

Work was in progress with reference to Docker - Open Distro for Elasticsearch Documentation

Isn’t the ‘install_demo_configuration’ you mentioned included in ‘openistro-for-elastic search:1.13.2’?

I have just copied the basic docker-compose.yml file from the link you provided and ran docker-compose up.

Once I connected to one of the two ES containers, in config folder I see the following structure:

elasticsearch.keystore
elasticsearch.yml
esnode-key.pem (node key)
esnode.pem (node cert)
jvm.options
jvm.options.d
kirk-key.pem (admin key)
kirk.pem (admin cert)
log4j2.properties
opendistro-reports-scheduler
root-ca.pem (root ca used to sign all of above certs)

These certs were created using demo script included in the odfe, which detected no security configuration and therefore was executed creating necessary certs and updating config in elasticsearch.yml

If custom configuration (and therefore certs) are being provided via volume mappings in docker-compose.yml file, these need to be placed in config directory and absolute path used in the securityadmin.sh script execution. Only admin cert/key can be used, therefore if you have not created such cert/key, I would recommend running default docker-compose.yml, extracting the certs and elasticsearch.yml file for comparison. You will notice below line in elasticsearch.yml:

opendistro_security.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de

Which matched dn of the kirk cert and therefore makes that cert admin.

1 Like

@Anthony Thank you so much for your kind reply to my stupid question.

As you told me, I realized while running ‘default docker-compose.yml’ and comparing directories.

I forgot that I removed the files related to the demo certificate by referring to the Docker Security Configuration - Open Distro for Elasticsearch Documentation document to provide the certificate to ODFE.

After deleting demo file, I realized that ‘admin key’ and ‘admin cert’ were not created separately.

Thanks to you, I searched the document again and finally found Generate Certificates - Open Distro for Elasticsearch Documentation. I haven’t tried it yet, but I expect it to work out.

Once again, thank you for answering my stupid question.