Change the OpenSearch Password
Changing a User Password in OpenSearch
This guide explains how to change a user password in OpenSearch with SecurityConfig enabled and an external Kubernetes Secret for user credentials.
Steps to Change the Password Using an External Secret
Prerequisites
- Access to the Kubernetes cluster where OpenSearch is deployed.
- Permissions to view and modify secrets in the relevant namespace.
Step 1: Generate a New Password Hash
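Execute the command below (replacing the placeholders) to generate a hashed version of your new password. The value passed with -p is saved in your shell history, so clear that entry afterwards or omit -p to have hash.sh prompt for the password: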
kubectl exec -it <opensearch_pod_name> -n <opensearch_pod_namespace> -- bash -c "sh /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh -p <new_password>"
Step 2: Extract the Existing Secret and Update internal_users.yaml
Retrieve the existing secret containing internal_users.yml. The secret stores the configuration in base64 encoding, so extract and decode it:
kubectl get secrets -n <opensearch_pod_namespace> internal-users-config-secret -o jsonpath='{.data.internal_users\.yml}' | base64 -d > internal_users.yaml
Open the exported file internal_users.yaml. Find the entry for the user whose password you want to change and replace the previous password hash with the new hash you generated in step 1. Then save the file.
Step 3: Patch the Secret with Updated internal_users.yml Data and Restart the OpenSearch Pods
Encode the updated internal_users.yaml and apply it back to the secret.
cat internal_users.yaml | base64 -w 0 | xargs -I {} kubectl patch secret -n <opensearch_pod_namespace> internal-users-config-secret --patch '{"data": {"internal_users.yml": "{}"}}'
Restart the OpenSearch pods to use the updated secret.
kubectl rollout restart statefulset opensearch-cluster-master -n <opensearch_pod_namespace>
Step 4: Copy internal_users.yaml into the Container
You can now copy the modified internal_users.yaml into the container with this command:
kubectl cp internal_users.yaml -n <opensearch_pod_namespace> <opensearch_pod_name>:/usr/share/opensearch/config/opensearch-security/internal_users.yml
Step 5: Run securityadmin.sh to Apply the Changes
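Run securityadmin.sh inside the pod to load the updated configuration into the cluster. The -cert and -key files must be the admin certificate configured for your cluster (kirk.pem is the name used by the demo certificates). This completes the password update process and ensures that the changes persist across OpenSearch pods: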
kubectl exec -it <opensearch_pod_name> -n <opensearch_pod_namespace> -- bash -c "\
sh /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
-cd /usr/share/opensearch/config/opensearch-security/ \
-icl -nhnv \
-cacert /usr/share/opensearch/config/root-ca.pem \
-cert /usr/share/opensearch/config/kirk.pem \
-key /usr/share/opensearch/config/kirk-key.pem"
Important
You can also change the password by directly accessing the OpenSearch container and modifying the internal_users.yml file: generate a new password hash using the hash.sh script inside the container, update the internal_users.yml file with the new hash, and then execute the securityadmin.sh script to apply the changes and update the OpenSearch cluster. However, this method is not persistent across container or pod restarts, especially in Kubernetes, unless the changes are stored in a persistent volume or backed by external storage. In contrast, changing the password using a Kubernetes secret is persistent across pod restarts, as the password information is stored in a Kubernetes secret, which is managed by the cluster and survives pod/container restarts.
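A scripted form of the manual edit in Step 2 and the encoding in Step 3, as an added example that is not part of the original guide. The function names, the sample users and their hash values are constructed; it assumes hash.sh prints a bcrypt string and that each user is a top-level key with an indented, double-quoted hash: line.

```shell
# Added example, not the guide's own tooling; function names are hypothetical.
# Assumes top-level "<user>:" keys, each with an indented, double-quoted "hash:" line.

# make_sample FILE: write a constructed two-user file for an offline trial run.
make_sample() {
  cat > "$1" <<'EOF'
_meta:
  type: "internalusers"
admin:
  hash: "$2a$12$constructedAdminHashPlaceholder"
  reserved: true
kibanaserver:
  hash: "$2a$12$constructedKibanaHashPlaceholder"
EOF
}

# set_user_hash FILE USER HASH: replace the hash of exactly one user, in place.
set_user_hash() {
  suh_file=$1 suh_user=$2 suh_hash=$3
  # Accept only a bcrypt string ($2y$12$ + 53 chars), so a plaintext password
  # pasted by mistake never reaches the secret.
  printf '%s\n' "$suh_hash" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' ||
    { echo "refusing: not a bcrypt hash" >&2; return 2; }
  suh_tmp=$(mktemp) || return 1
  NEW_HASH=$suh_hash awk -v user="$suh_user" '
    /^[^ \t#]/ { key = $0; sub(/:[ \t]*$/, "", key); in_user = (key == user) }
    in_user && !hit && /^[ \t]+hash:/ {
      match($0, /^[ \t]+/)
      printf "%shash: \"%s\"\n", substr($0, 1, RLENGTH), ENVIRON["NEW_HASH"]
      hit = 1; next
    }
    { print }
    END { exit (hit ? 0 : 3) }
  ' "$suh_file" > "$suh_tmp" ||
    { rm -f "$suh_tmp"; echo "no hash updated for: $suh_user" >&2; return 3; }
  cat "$suh_tmp" > "$suh_file" && rm -f "$suh_tmp"   # keeps the file's mode
}

# get_user_hash FILE USER: print the stored hash, e.g. to check the decoded secret.
get_user_hash() {
  awk -v user="$2" '
    /^[^ \t#]/ { key = $0; sub(/:[ \t]*$/, "", key); in_user = (key == user) }
    in_user && /^[ \t]+hash:/ { gsub(/^[ \t]+hash:[ \t]*|"/, ""); print; exit }
  ' "$1"
}

# secret_patch FILE: print the JSON patch body for the key patched in Step 3.
secret_patch() {
  printf '{"data": {"internal_users.yml": "%s"}}\n' "$(base64 < "$1" | tr -d '\n')"
}
```

After running set_user_hash on internal_users.yaml with the hash from Step 1, write the output of secret_patch to a file and pass it to the kubectl patch command from Step 3 with --patch-file instead of --patch. Running get_user_hash on the secret decoded as in Step 2 then confirms the stored value.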