Change the OpenSearch Password
Changing a User Password in OpenSearch
This guide explains how to change a user password in OpenSearch with SecurityConfig enabled and an external Kubernetes Secret for user credentials.
Steps to Change the Password Using an External Secret
Prerequisites
- Access to the Kubernetes cluster where OpenSearch is deployed.
- Permissions to view and modify secrets in the relevant namespace.
Step 1: Generate a New Password Hash
Execute the command below (replacing the placeholders) to generate a hashed version of your new password:
kubectl exec -it <opensearch_pod_name> -n <opensearch_pod_namespace> -- bash -c "sh /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh -p <new_password>"
Step 2: Extract the Existing Secret and Update internal_users.yaml
Retrieve the existing secret containing internal_users.yml. The secret stores the configuration in base64 encoding, so extract and decode it:
kubectl get secrets -n <opensearch_pod_namespace> internal-users-config-secret -o jsonpath='{.data.internal_users\.yml}' | base64 -d > internal_users.yaml
Now, in the internal_users.yaml file, replace the hash of the intended user with the hashed password generated in Step 1.
Step 3: Patch the Secret with Updated internal_users.yml Data and Restart the OpenSearch Pods
Encode the updated internal_users.yaml and apply it back to the secret.
cat internal_users.yaml | base64 -w 0 | xargs -I {} kubectl patch secret -n <opensearch_pod_namespace> internal-users-config-secret --patch '{"data": {"internal_users.yml": "{}"}}'
Restart the OpenSearch pods to use the updated secret.
kubectl rollout restart statefulset opensearch-cluster-master -n <opensearch_pod_namespace>
NOTE: Please wait for the rollout to complete.
Step 4: Copy internal_users.yaml into the Container
Copy the modified internal_users.yaml into the container:
kubectl cp internal_users.yaml -n <opensearch_pod_namespace> <opensearch_pod_name>:/usr/share/opensearch/config/opensearch-security/internal_users.yml
Step 5: Run securityadmin.sh to Apply the Changes
Run securityadmin.sh to apply the updated configuration to the cluster. This completes the password update process, ensuring that changes persist across OpenSearch pods.
kubectl exec -it <opensearch_pod_name> -n <opensearch_pod_namespace> -- bash -c "\
sh /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
-cd /usr/share/opensearch/config/opensearch-security/ \
-icl -nhnv \
-cacert /usr/share/opensearch/config/root-ca.pem \
-cert /usr/share/opensearch/config/kirk.pem \
-key /usr/share/opensearch/config/kirk-key.pem"
Important
You can also change the password by directly accessing the OpenSearch container and modifying the internal_users.yml file. This can be done by generating a new password hash using the hash.sh script inside the container, then updating the internal_users.yml file with the new hash. Finally, the securityadmin.sh script must be executed to apply the changes and update the OpenSearch cluster. However, this method is not persistent across container or pod restarts, especially in Kubernetes, unless the changes are stored in a persistent volume or backed by external storage. In contrast, changing the password using a Kubernetes secret is persistent across pod restarts, as the password information is stored in a Kubernetes secret, which is managed by the cluster and survives pod/container restarts.
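A pre-flight check for Steps 2 and 3, as an added example that is not part of the original guide: it confirms that the edited internal_users.yaml holds a complete bcrypt hash for the intended user before the secret is patched, and that a base64 payload (such as the value read back from the secret) carries that hash. It assumes hash.sh produced a bcrypt hash; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): validate internal_users.yaml
# between Step 2 and Step 3. Assumes hash.sh produced a bcrypt hash.

# Print the hash stored under a top-level user entry ("-" reads stdin).
user_hash() {  # usage: user_hash <file> <user>
  awk -v user="$2" -v sq="'" '
    /^[^ #]/ { in_user = ($0 == (user ":")) }   # a top-level key opens a new entry
    in_user && /^ +hash:/ {
      sub(/^ +hash: */, ""); sub(/[ \r]+$/, ""); gsub("[\"" sq "]", "")
      print; exit
    }' "$1"
}

# Succeed only if the user has a complete 60-character bcrypt hash.
check_user_hash() {  # usage: check_user_hash <file> <user>
  h=$(user_hash "$1" "$2")
  [ -n "$h" ] || { echo "no hash found for user '$2'" >&2; return 1; }
  printf '%s\n' "$h" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' ||
    { echo "hash for '$2' is not a well-formed bcrypt hash: $h" >&2; return 1; }
}

# Succeed only if a base64 payload (the secret's data value) carries <hash>.
payload_has_hash() {  # usage: payload_has_hash <base64> <user> <hash>
  [ "$(printf '%s' "$1" | base64 -d | user_hash - "$2")" = "$3" ]
}

# Constructed sample files: one intact entry, one with a damaged hash.
SAMPLE_HASH='$2y$12$CONSTRUCTEDsampleHASHnotARealPasswordHash0123456789ab'
make_samples() {  # usage: make_samples <dir>
  cat > "$1/good.yaml" <<EOF
_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: "$SAMPLE_HASH"
  reserved: true
EOF
  # Damaged copy: "y2" is what double-quoted $-expansion typically leaves of the hash.
  sed 's|hash: .*|hash: "y2"|' "$1/good.yaml" > "$1/bad.yaml"
}

demo_dir=$(mktemp -d) && make_samples "$demo_dir"
check_user_hash "$demo_dir/good.yaml" admin && echo "good.yaml: ok to patch"
check_user_hash "$demo_dir/bad.yaml" admin || echo "bad.yaml: fix the hash first"
```

After Step 3, the same comparison can be run against the live secret by passing the output of the Step 2 `kubectl get secrets ... -o jsonpath=...` command (without the `base64 -d`) as the first argument of `payload_has_hash`.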