Lab 3 : Security Plugin
Change admin password
OD4FE ships with an advanced security plugin. The Security plugin stores its configuration—including users, roles, and permissions—in an index on the Elasticsearch cluster (.opendistro_security). Storing these settings in an index lets you change settings without restarting the cluster and eliminates the need to edit configuration files on every single node.
The plugin comes pre-configured with a number of different users and default passwords for them. Passwords for some of the preconfigured users—kibanaro, logstash, readall, and snapshotrestore—are available to change in the Security UI in Kibana. The admin and kibanaserver users are reserved users, and they must be changed in the security configuration files. Default location :
First run the hash tool to generate a new password hash.
$ sudo bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh [Password:] <type a new secure password> $2y$12$7f9DHLNLV1QkfhM9K5vhVeLpRxM2.7SMfZnAxUhLDJ5AYC/cs9y1S
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml in your favorite editor, and change the password string for the just the admin user with the hash created in the previous step.
After changing any of the configuration files in
plugins/opendistro_security/securityconfig, however, you must run
plugins/opendistro_security/tools/securityadmin.sh to load these new settings into the index.
Each node also includes the tool at
plugins/opendistro_security/tools/securityadmin.sh. Make the script executable before running it:
sudo chmod +x /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh
To load configuration changes to Security plugin, you must provide your admin certificate to the tool:
cd /usr/share/elasticsearch/plugins/opendistro_security/tools/ sudo ./securityadmin.sh -cd ../securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk-key.pem Open Distro Security Admin v7 Will connect to localhost:9300 ... done Connected as CN=kirk,OU=client,O=client,L=test,C=de Elasticsearch Version: 7.2.1 Open Distro Security Version: 188.8.131.52 Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ... Clustername: od4es Clusterstate: GREEN Number of nodes: 7 Number of data nodes: 3 .opendistro_security index already exists, so we do not need to create one. Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig Will update '_doc/config' with ../securityconfig/config.yml SUCC: Configuration for 'config' created or updated Will update '_doc/roles' with ../securityconfig/roles.yml SUCC: Configuration for 'roles' created or updated Will update '_doc/rolesmapping' with ../securityconfig/roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated Will update '_doc/internalusers' with ../securityconfig/internal_users.yml SUCC: Configuration for 'internalusers' created or updated Will update '_doc/actiongroups' with ../securityconfig/action_groups.yml SUCC: Configuration for 'actiongroups' created or updated Will update '_doc/tenants' with ../securityconfig/tenants.yml SUCC: Configuration for 'tenants' created or updated Done with success
- The -cd option specifies where the Security plugin configuration files to upload to the cluster can be found.
- The -icl (--ignore-clustername) option tells the Security plugin to upload the configuration regardless of the cluster name. As an alternative, you can also specify the cluster name with the -cn (--clustername) option.
- Because the demo certificates are self-signed, we also disable hostname verification with the -nhnv (--disable-host-name-verification) option.
- The -cacert, -cert and -key options define the location of your root CA certificate, the admin certificate, and the private key for the admin certificate.
For further details on securityadmin.sh, please refer to the documentation.
We will create local users in the internal user database. We'll create 2 users – devops & itsupport
Login to kibana (
http://<client-node-ip>:5601/ ) with the new admin password.
For each user :
- Choose Security , Internal User Database , and Add a new internal user ( blue + button ).
- Provide the username and choose a password. The Security plugin automatically hashes the password and stores it in the .opendistro_security index.