4

We just installed Elasticsearch 7.x. We want to use the x-pack security module. We already automated everything via Ansible, but we have a problem creating/setting the built-in users with passwords:

Elasticsearch how-to:

Run on system: `/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive` or `auto`.

Then you are asked for a password for each user in Elasticsearch. Are there any possibilities to automate this? Like some auto-answer question in Ansible or anything else?

Thanks

Zeitounator

3 Answers

1

You can try to use interactive mode and the Ansible expect module: https://docs.ansible.com/ansible/latest/modules/expect_module.html

1

    - hosts: all
      name: "Elasticsearch with SSL/TLS enabled"
      roles:
        - role: elastic.elasticsearch
      vars:
        es_api_port: 9200
        es_config:
          action.destructive_requires_name: true
          bootstrap.memory_lock: true
          cluster.name: lab
          discovery.seed_hosts: "0.0.0.0:9300"
          discovery.type: single-node
          http.port: 9200
          indices.query.bool.max_clause_count: 8192
          network.host: "0.0.0.0"
          node.data: true
          node.master: true
          node.ml: false
          node.name: lab1
          reindex.remote.whitelist: "*:*"
          search.max_buckets: 250000
          transport.port: 9300
          xpack.ilm.enabled: true
          xpack.ml.enabled: false
          xpack.monitoring.collection.enabled: true
          xpack.monitoring.collection.interval: 30s
          xpack.monitoring.enabled: true
          xpack.security.audit.enabled: false
          #xpack.security.enabled: true
          xpack.sql.enabled: true
          xpack.watcher.enabled: false
        # Credentials the role uses for its Elasticsearch API calls
        es_api_basic_auth_username: "elastic"
        es_api_basic_auth_password: "changeme"
        es_data_dirs:
          - /opt/elasticsearch/data
        es_heap_size: 2g
        es_plugins:
          - plugin: ingest-attachment
        es_validate_certs: false
        es_version: "7.17.0"
        # Passwords for the built-in users
        es_users:
          native:
            elastic:
              password: helloakash1234
            kibana_system:
              password: hellokibana1234
            logstash_system:
              password: hellologs1234

This works fine for me!!

    es_users:
      native:
        elastic:
          password: helloakash1234

With the above-mentioned code, the username will be "elastic" and the password will be "helloakash1234".

Akash s
0

If you use the auto mode, then random passwords are generated and written to the console that you can maybe read.

Another solution is to call the Change password API in order to change user passwords after the fact.

Val
  • Hi, is there any option to run it like: `/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -y` ??? I don't want to be prompted. – Jiří Šafář May 29 '19 at 07:52
  • choosing `auto` will not prompt you, only `interactive` will – Val May 29 '19 at 08:19
  • I have tried to do it via API and got {"error":{"root_cause":[{"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}[root@DCVMESRMSTDEV01 ~]# curl -uelastic -XPUT -H 'Content-Type: application/json' 'http://localhost:9200/_xpack/security/user/ki – Jiří Šafář May 29 '19 at 20:08
  • 1
    Hi @JiříŠafář, you should avoid diluting this type of info in comments. Edit your question instead to enrich it with what you have tried and is still causing problems. You will get a much better chance to get your question answered accurately. – Zeitounator Feb 11 '20 at 08:12
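
The `auto` mode route from the last answer, as an added example that is not part of the original question or answers: it runs the tool without prompts, extracts the generated passwords from the console output, and stores them in a file only the owner can read. The function names, the sample output and the output path are assumptions made for this example.

```shell
#!/bin/sh
# Added example. SAMPLE_OUTPUT is constructed: it imitates the
# "PASSWORD <user> = <value>" lines that auto mode prints to the console.
SAMPLE_OUTPUT='Changed password for user apm_system
PASSWORD apm_system = constructedApm0001

Changed password for user kibana_system
PASSWORD kibana_system = constructedKib0002

Changed password for user elastic
PASSWORD elastic = constructedEla0003'

# Reduce captured tool output (stdin) to "user:password" lines; drop the rest.
parse_setup_passwords() {
  awk '$1 == "PASSWORD" && $3 == "=" && NF == 4 { print $2 ":" $4 }'
}

# Print one user's password from captured output (stdin); status 1 if absent.
password_for() {
  parse_setup_passwords | awk -F: -v user="$1" '
    $1 == user { print substr($0, length(user) + 2); found = 1 }
    END { exit !found }'
}

# Run the tool without prompts and keep the result in a file only its owner
# can read. --batch suppresses the confirmation prompt. The tool cannot be run
# a second time once the passwords are set, so this file is the only copy.
bootstrap_builtin_users() {   # $1 = output file, a path chosen by the caller
  _out=$(/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto --batch) || return 1
  ( umask 077; printf '%s\n' "$_out" | parse_setup_passwords > "$1" )
}

# Usage: sh this_script bootstrap /root/.es_builtin_passwords   (hypothetical path)
if [ "${1:-}" = "bootstrap" ]; then
  bootstrap_builtin_users "${2:?output file required}"
fi
```

When this is called from an Ansible `command` or `script` task, `creates:` pointing at the output file keeps the task from running the tool twice, and `no_log: true` keeps the passwords out of the task output.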