How to change password for admin in community edition?

How can the password for the admin user be changed?

We are using the community edition and the internal user database.

Can it be done through the Search Guard admin tool from Kibana? If so, what are the steps and prerequisites?

Do we need to use the sgadmin tool? If so, what are the steps and prerequisites?

We have Search Guard set up in a clustered environment of Elasticsearch, Kibana, and Logstash.

There are no issues, except that we want the admin and other default passwords changed.

To be able to change it within Kibana, you need to remove the “readonly” setting from the admin user in sg_internal_users.yml.

To do it via sgadmin:
Use the hash.sh script to generate a hash for a new password as described in https://docs.search-guard.com/latest/internal-users-database
Copy that into the appropriate spot in the sg_internal_users.yml file for the “admin” user or whichever you want to change.

Push config to ES using the sgadmin.sh script.

admin:
  readonly: "true"
  roles:
    - "admin"
  hash: "$2y$12$…"

  1. To change from Kibana, your response is to remove the “readonly” setting from the admin user in sg_internal_users.yml.

Should this be done from the sg_internal_users.yml on the server where Kibana is running?

  2. On your response to do it via sgadmin: same question as above. Is the change to sg_internal_users.yml to be done on the server where Kibana is running?

Appreciate your feedback

Thanks

Raghu

On Monday, October 15, 2018 at 6:21:07 AM UTC-5, James Beckett wrote:

To be able to change it within Kibana, you need to remove the “readonly” setting from the admin user in sg_internal_users.yml.

To do it via sgadmin:
Use the hash.sh script to generate a hash for a new password as described in https://docs.search-guard.com/latest/internal-users-database
Copy that into the appropriate spot in the sg_internal_users.yml file for the “admin” user or whichever you want to change.

Push config to ES using the sgadmin.sh script.

admin:
  readonly: "true"
  roles:
    - "admin"
  hash: "$2y$12$…"

That file doesn’t live on the Kibana host - you probably have it on one of your elasticsearch nodes - wherever you configured it in the first place. Did you push in a config with sgadmin, or leave files in the sgconfig directory to be picked up when you first started ES?

We did NOT push config using sgadmin. After setup we started the Elasticsearch cluster and added some users using Kibana. Looking for the best way to 1) change passwords of one or more of the pre-defined internal users 2) add additional users.

Looks like there are two ways to do it: a) through Kibana after removing the read_only setting and b) updating the sg_internal_users (and maybe a couple of other user definition files) and pushing through sg_admin.

Is my understanding correct?

On Monday, October 15, 2018 at 8:50:57 AM UTC-5, jbec...@ft-services.com wrote:

That file doesn’t live on the Kibana host - you probably have it on one of your elasticsearch nodes - wherever you configured it in the first place. Did you push in a config with sgadmin, or leave files in the sgconfig directory to be picked up when you first started ES?

This kind of depends on your use case. So let’s say you want to set up SG with some system or default users, and then allow others to add/change/delete users and roles. The most common way of doing so would be:

  1. Add your default users and roles to the SG config files, and mark those resources readonly that you do not want other users to change. Typically these would be system users for Kibana or Logstash.

  2. Remove all demo users / roles from the config files that you don’t need, and remove the readonly flag where appropriate

  3. Initialize your cluster with sgadmin.

  4. Then use the REST API or config GUI to add or change users and roles

Note that when you use sgadmin, it will overwrite the settings in the Search Guard index. So if you want to use sgadmin again, first download the current SG configuration from your cluster with the -r flag.

On Monday, October 15, 2018 at 4:51:06 PM UTC+2, Raghuram Govind wrote:

We did NOT push config using sgadmin. After setup we started the Elasticsearch cluster and added some users using Kibana. Looking for the best way to 1) change passwords of one or more of the pre-defined internal users 2) add additional users.

Looks like there are two ways to do it: a) through Kibana after removing the read_only setting and b) updating the sg_internal_users (and maybe a couple of other user definition files) and pushing through sg_admin.

Is my understanding correct?

On Monday, October 15, 2018 at 8:50:57 AM UTC-5, jbec...@ft-services.com wrote:

That file doesn’t live on the Kibana host - you probably have it on one of your elasticsearch nodes - wherever you configured it in the first place. Did you push in a config with sgadmin, or leave files in the sgconfig directory to be picked up when you first started ES?
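
The sgadmin route from the replies above (hash.sh, edit the internal-users file, push), combined with the warning that sgadmin overwrites the Search Guard index, written as shell functions. This is an added example, not code from the thread or from Search Guard. The tools path and the admin certificate file names are assumptions, and `backup_live_config`, `set_user_hash` and `push_new_password` are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not from the thread. The tools path and the admin certificate
# file names are assumptions; set them to match your installation.
SG_TOOLS="${SG_TOOLS:-/usr/share/elasticsearch/plugins/search-guard-6/tools}"
TLS_ARGS="-icl -cacert root-ca.pem -cert kirk.pem -key kirk-key.pem"

# Download the live configuration first: sgadmin overwrites the Search Guard
# index, and users created in Kibana exist only there.
backup_live_config() {  # usage: backup_live_config DIR
  # TLS_ARGS is left unquoted on purpose so it splits into separate arguments.
  mkdir -p "$1" && "$SG_TOOLS/sgadmin.sh" -r -cd "$1" $TLS_ARGS
}

# Replace the hash of exactly one user in an internal-users YAML file.
# Returns non-zero and leaves FILE untouched if that user has no hash line.
set_user_hash() {  # usage: set_user_hash FILE USER NEWHASH
  _tmp=$(mktemp) || return 1
  if SG_USER=$2 SG_HASH=$3 awk '
      /^[^ \t#]/ { key = $0; sub(/:.*/, "", key); in_user = (key == ENVIRON["SG_USER"]) }
      in_user && /^[ \t]+hash:/ {
        match($0, /^[ \t]+/)
        print substr($0, 1, RLENGTH) "hash: \"" ENVIRON["SG_HASH"] "\""
        hit = 1; next
      }
      { print }
      END { exit(hit ? 0 : 1) }' "$1" > "$_tmp"
  then cat "$_tmp" > "$1"; rm -f "$_tmp"    # cat keeps FILE's owner and mode
  else rm -f "$_tmp"; return 1
  fi
}

# Hash the new password, write it into FILE, then push only that file.
push_new_password() {  # usage: push_new_password FILE USER
  printf 'New password for %s: ' "$2" >&2
  stty -echo; IFS= read -r _pw; stty echo; echo >&2
  # -p puts the cleartext on the command line, visible in the process list.
  _hash=$("$SG_TOOLS/hash.sh" -p "$_pw") || return 1
  unset _pw
  set_user_hash "$1" "$2" "$_hash" || { echo "no hash line for $2" >&2; return 1; }
  "$SG_TOOLS/sgadmin.sh" -f "$1" -t internalusers $TLS_ARGS
}
```

Run `backup_live_config` into an empty directory first and pass the internal-users file it downloaded to `push_new_password`, so the push starts from what is currently in the cluster.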