Change the OpenSearch password

Changing the password of OpenSearch

Changing the password with default settings

If OpenSearch is installed without the SecurityConfig settings, i.e. the SecurityConfig value is disabled in the installation values for OpenSearch, take the following steps to change the password of a user.

Step 1: Generate a new password hash
OpenSearch stores hashed passwords for authentication. To change the password of a user, first generate the corresponding hash with the interactive hash.sh script, which is found inside the OpenSearch container. Run it without arguments so that it prompts for the password and the clear-text password does not end up in the shell history:

kubectl exec -it opensearch-cluster-master-0 -n kubeops -- bash

sh /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh

Step 2: Save the new password hash in the internal_users.yaml file
By default, OpenSearch keeps its user settings in the internal_users.yaml file. To change a user's password, replace the hash value for that user inside this file. The file is again located inside the OpenSearch container. Use the following command to edit internal_users.yaml and replace the hash entry with the newly generated one:

vi /usr/share/opensearch/config/opensearch-security/internal_users.yaml

Step 3: Update the OpenSearch cluster
Use the securityadmin.sh script inside the OpenSearch container to push the changed configuration to the cluster and persist it in the security index (-icl ignores the cluster name and -nhnv disables hostname verification of the node certificate; the command authenticates with the admin certificate kirk.pem):

sh /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/opensearch/config/opensearch-security/ -icl -nhnv -cacert /usr/share/opensearch/config/root-ca.pem -cert /usr/share/opensearch/config/kirk.pem -key /usr/share/opensearch/config/kirk-key.pem

OpenSearch with an external secret

If OpenSearch is instead deployed with SecurityConfig enabled and an external Secret has been created, a few additional steps are required to change a user's password.

Step 1: Generate a new password hash
OpenSearch stores hashed passwords for authentication. To change the password of a user, first generate the corresponding hash with the interactive hash.sh script, which is found inside the OpenSearch container. Run it without arguments so that it prompts for the password and the clear-text password does not end up in the shell history:

kubectl exec -it opensearch-cluster-master-0 -n kubeops -- bash

sh /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh

Step 2: Locate the secret and extract the user data
In this case the users and their settings are stored in internal-users-config-secret, a Secret in the Kubernetes cluster that lives in the same namespace as the OpenSearch deployment. The Secret has one data entry, internal_users.yml, which is the internal_users.yaml content (the list of users and their settings in YAML) encoded as a base64 string. The following commands extract and decode that data so you can edit a local copy of the YAML file and replace the hash entry with the newly generated one:

kubectl get secrets -n kubeops internal-users-config-secret -o jsonpath='{.data.internal_users\.yml}' | base64 -d > internal_users.yaml

vi internal_users.yaml

Step 3: Patch the secret and restart the OpenSearch pods
After editing the extracted data, re-encode it as base64 and replace the old data in the Secret with it. The OpenSearch pods then have to be restarted so that they pick up the changed Secret:

cat internal_users.yaml | base64 -w 0 | xargs -I {} kubectl patch secret -n kubeops internal-users-config-secret --patch '{"data": {"internal_users.yml": "{}"}}'

kubectl rollout restart statefulset opensearch-cluster-master -n kubeops

Step 4: Update the OpenSearch cluster
Use the securityadmin.sh script inside the OpenSearch container to push the changed configuration to the cluster and persist it in the security index. securityadmin.sh loads every file in the directory given with -cd, so first copy the updated internal_users.yml from the plugin's securityconfig directory into that directory, which must contain all the security configuration files:

cp /usr/share/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml /usr/share/opensearch/config/opensearch-security/

sh /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/opensearch/config/opensearch-security/ -icl -nhnv -cacert /usr/share/opensearch/config/root-ca.pem -cert /usr/share/opensearch/config/kirk.pem -key /usr/share/opensearch/config/kirk-key.pem
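The hand edits in step 2 of both procedures (replacing one user's hash line) and the re-encoding in step 3 of the Secret-based procedure are easy to get wrong in vi, e.g. by editing the wrong user or pasting the clear-text password instead of the hash. The following helpers, written as an added example and not part of the original page or of OpenSearch/KubeOps, do both steps reproducibly. The sample internal_users.yml, the user names in it and the replacement hash are constructed; the Secret's data key internal_users.yml is the one the page uses, and the bcrypt format check matches what hash.sh produces ($2y$, cost, 60 characters in total).

```shell
#!/bin/sh
# Added example (not from the original page): replace one user's hash in an
# internal_users.yml document and build the kubectl patch body for the Secret.
set -eu

# check_hash HASH: accept only a bcrypt hash as hash.sh prints it
# ($2y$<cost>$<salt+digest>, 60 characters). A clear-text password pasted by
# mistake is rejected instead of being written into the user database.
check_hash() {
  case "$1" in
    '$2'[aby]'$'[0-9][0-9]'$'*) [ "${#1}" -eq 60 ] ;;
    *) return 1 ;;
  esac
}

# set_user_hash USER NEWHASH < internal_users.yml > updated.yml
# Rewrites the "hash:" line inside the block of the given user only and fails
# if that user does not exist, so a typo in the name cannot silently change nothing.
set_user_hash() {
  check_hash "$2" || { echo "refusing: '$2' is not a bcrypt hash" >&2; return 1; }
  awk -v user="$1" -v newhash="$2" '
    /^[^ #][^:]*:/ { current = $1; sub(/:$/, "", current) }   # unindented key: new user block
    current == user && /^[ ]+hash:/ {                         # the hash line of that user
      match($0, /^[ ]+hash:/)
      print substr($0, 1, RLENGTH) " \"" newhash "\""
      replaced = 1
      next
    }
    { print }
    END { if (!replaced) { print "user " user " not found" > "/dev/stderr"; exit 1 } }
  '
}

# secret_patch FILE: JSON body for
#   kubectl patch secret -n kubeops internal-users-config-secret --patch "$(secret_patch FILE)"
# The file is base64-encoded on a single line (tr instead of GNU "base64 -w 0").
secret_patch() {
  printf '{"data": {"internal_users.yml": "%s"}}' "$(base64 < "$1" | tr -d '\n')"
}

# Constructed sample of the decoded Secret data; the hashes are placeholders of
# the right shape, not real bcrypt output.
SAMPLE_USERS='_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: "$2y$12$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  reserved: true
  backend_roles:
  - "admin"

kibanaserver:
  hash: "$2y$12$bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
  reserved: true
'
# Constructed placeholder for the value hash.sh would print (60 characters).
NEW_HASH='$2y$12$01234567890123456789012345678901234567890123456789012'

# Usage on a real cluster:
#   kubectl get secrets -n kubeops internal-users-config-secret \
#     -o jsonpath='{.data.internal_users\.yml}' | base64 -d > internal_users.yaml
#   set_user_hash admin "$NEW_HASH" < internal_users.yaml > updated.yaml
#   kubectl patch secret -n kubeops internal-users-config-secret --patch "$(secret_patch updated.yaml)"
if [ "$#" -eq 2 ]; then
  set_user_hash "$1" "$2"
fi
```

The awk program treats every unindented key as the start of a user block and only touches the indented hash line inside the requested block, which is why the _meta block and the other users come through unchanged; the exit status of the whole function is non-zero when nothing was replaced, so it is safe to chain with set -e.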