User Password Change Guide
Make sure to check all locations where the user's account might be used before changing the password, for example:
- In pipeline configurations of the Search Anywhere Data Collector (SA Data Collector) component
- In the opensearch_dashboards.yml configuration file of the Search Anywhere Web (SA Web) component
- In the connection settings of the Inventory module
- In the connection settings of the User Behavior Analytics module
- Search Anywhere Engine (SA Engine) user settings in the password storage of Search Anywhere Data Storage (SA Data Storage) and Search Anywhere Master Node (SA Master Node)
- Search Anywhere Engine Remote Execution (SA Engine RE) user settings in the password storage of Search Anywhere Data Storage (SA Data Storage) and Search Anywhere Master Node (SA Master Node)
- Connection settings to the Search Anywhere Framework Beat Manager (SAF Beat Manager) in the opensearch_dashboards.yml configuration file of the Search Anywhere Web (SA Web) component
- External scripts
It is recommended to use a separate service account for each service.
Generating a New Password Hash
Legend:
- OS_HOME - the OpenSearch home directory, usually /app/opensearch/
- OS_IP - the IP address of one of the OpenSearch cluster servers
Passwords for built-in users (admin, kibanaserver, logstash, sa) can only be changed using this method.
To begin, generate a new password hash using the following command:
JAVA_HOME=$OS_HOME/jdk/ $OS_HOME/plugins/opensearch-security/tools/hash.sh
If a file permission error occurs, make the file executable using the following command:
chmod +x $OS_HOME/plugins/opensearch-security/tools/hash.sh
Creating a Backup of the Security Configuration
Before making any changes, be sure to create a backup of the security plugin configuration. We recommend creating two copies:
- One in the backup directory, for example: /app/backup/opensearch-security-$(date +%Y%m%d)/
- Another in the directory where changes will be made: ${OS_HOME}/config/opensearch-security/
Use the following command to create a backup in the ${OS_HOME}/config/opensearch-security/ directory. Before running it, make sure you have the admin certificates available (usually located on the first node of the SA Data Storage cluster):
JAVA_HOME=${OS_HOME}/jdk/ ${OS_HOME}/plugins/opensearch-security/tools/securityadmin.sh -h ${OS_IP} \
-cacert ${OS_HOME}/config/ca-cert.pem \
-cert ${OS_HOME}/config/admin-cert.pem \
-key ${OS_HOME}/config/admin-key.pem \
--accept-red-cluster -nhnv -icl \
-backup ${OS_HOME}/config/opensearch-security/
If a file permission error occurs, make the file executable using the following command:
chmod +x $OS_HOME/plugins/opensearch-security/tools/securityadmin.sh
Updating a User's Password
- Open the user configuration file: ${OS_HOME}/config/opensearch-security/internal_users.yml
Take note of the additional fields in the internal_users.yml file:
Field | Description |
---|---|
reserved | Marks the user, role, role mapping, or action group as reserved. These resources cannot be modified via REST API or SA Web |
hidden | Allows users, roles, role mappings, and action groups to be hidden. Resources with this flag won't appear in SA Web or be returned by the REST API |
hash | The user's password hash |
opendistro_security_roles | List of internal Search Anywhere Framework roles |
backend_roles | Roles assigned based on the username |
attributes | Additional user attributes (optional) |
static | Marks the user as a system user (cannot be deleted) |
description | User description (optional) |
new-user:
  hash: "$2y$12$88IFVl6IfIwCFh5aQYfOmuXVL9j2hz/GusQb35o.4sdTDAEMTOD.K"
  reserved: false
  hidden: false
  opendistro_security_roles:
    - "specify-some-security-role-here"
  backend_roles:
    - "specify-some-backend-role-here"
  attributes:
    attribute1: "value1"
  static: false
  description: "Demo admin user"
- Find the user by name (example: admin)
- Paste the newly generated password hash into the hash field. For example:
admin:
  hash: "$2y$12$OLRmqL1CBHJDZkG0R4wxC.Ifb9bcqDMsZWO9780bW3lKw9nn95GjO"
  reserved: true
  backend_roles:
    - "admin"
  opendistro_security_roles:
    - "all_access"
  description: "Base admin user"
- Save the changes
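A hash that was mistyped, or pasted through a double-quoted shell string so that its `$` separators were expanded away, will not match any password once the file is applied. The following pre-flight check is an added example, not part of the original guide or the product's tooling: the function names and the svc-* sample users are constructed, and it assumes each user is a column-0 key with an indented hash field holding a 60-character bcrypt string, as in the entries above.

```shell
#!/bin/sh
# Added example: validate hash fields in internal_users.yml before applying it.
# Prints "<user>: <problem>" per bad entry and returns 1 if any were found.
check_hashes() {
    awk '
    function flush() {
        if (user != "" && !seen) { print user ": no hash field"; bad = 1 }
    }
    /^[^ \t#][^:]*:[ \t]*$/ {            # column-0 key starts a new entry
        flush()
        user = $0; sub(/:[ \t]*$/, "", user); seen = 0
        if (user == "_meta") user = ""   # metadata block, not a user
        next
    }
    user != "" && /^[ \t]+hash:/ {
        seen = 1
        h = $0
        sub(/^[ \t]+hash:[ \t]*/, "", h)
        gsub("^[\"\047]|[\"\047][ \t]*$", "", h)   # strip surrounding quotes
        # bcrypt: $2a/$2b/$2y, two-digit cost, 53 chars of salt+digest = 60 total
        if (length(h) != 60 || h !~ "^[$]2[aby][$][0-9][0-9][$][./A-Za-z0-9]+$") {
            print user ": malformed bcrypt hash"; bad = 1
        }
    }
    END { flush(); exit bad + 0 }
    ' "$1"
}

# Constructed sample input: one valid entry (hash taken from the example entry
# in this guide), one with the "$" separators lost, one with no hash at all.
sample_users() {
    cat <<'EOF'
_meta:
  type: "internalusers"
  config_version: 2
new-user:
  hash: "$2y$12$88IFVl6IfIwCFh5aQYfOmuXVL9j2hz/GusQb35o.4sdTDAEMTOD.K"
  reserved: false
svc-broken:
  hash: "2y1288IFVl6IfIwCFh5aQYfOmuXVL9j2hz/GusQb35o.4sdTDAEMTOD.K"
svc-nohash:
  reserved: false
EOF
}
```

Run `check_hashes ${OS_HOME}/config/opensearch-security/internal_users.yml` after saving the file and apply the configuration only when it prints nothing and returns 0.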
Applying the Updated Configuration
Make sure to update the password in all configurations and components where this user account is used.
After editing the configuration, apply the changes using the following command:
JAVA_HOME=${OS_HOME}/jdk/ ${OS_HOME}/plugins/opensearch-security/tools/securityadmin.sh -h ${OS_IP} \
-cacert ${OS_HOME}/config/ca-cert.pem \
-cert ${OS_HOME}/config/admin-cert.pem \
-key ${OS_HOME}/config/admin-key.pem \
-icl -nhnv \
-t internalusers \
-f ${OS_HOME}/config/opensearch-security/internal_users.yml \