Updating internal user passwords via Kibana Ui or REST api?

Is there a way to update the password for the internal users (admin and kibanaserver) via the REST api or Kibana UI?

When initializing the searchguard index, the values from the yaml files in the sgconfig dir are applied to the cluster but I was wondering if there is a way to update the values without using the configs?

The kibana ui lets you modify/delete other internal users but not the admin or kibanaserver users since they’re protected.

I’m using version 6.2.3 of elasticsearch and the searchguard plugins.

Sure, this is possible, but probably not very useful.

You can mark any resource that you can edit with the config GUI as “reserved/readonly”. This is done in the Search Guard config files. In the demo configuration we ship some of the users and roles are marked “reserved/readonly”, but you can simply remove the respective flag in the demo config files, and upload the changed configuration with sgadmin again. Then you can edit them also in the config GUI. For an example, have a look here:

However, changing the password of the kibanaserver with the Kibana config GUI would not be very useful. The config GUI runs in Kibana, and Kibana uses the “kibanaserver” user under the hood. If you change the password, you also need to change it in kibana.yml. Hence, if you use the config GUI and change the password, Kibana will stop working.

With the admin user it’s similar: The demo config allows the admin role to use the config GUI. If you change the admin user’s groups for example, this can lead to the config GUI not being accessible anymore. If you change the password, you would also be logged out immediately.

So, it is possible, but probably not useful in real life. That’s why some of the roles and users are not changeable by default with the config GUI.