OD4FE ships with an advanced security plugin. The Security plugin stores its configuration—including users, roles, and permissions—in an index on the Elasticsearch cluster (.opendistro_security). Storing these settings in an index lets you change settings without restarting the cluster and eliminates the need to edit configuration files on every single node.
The plugin comes pre-configured with a number of different users and default passwords for them. Passwords for some of the preconfigured users—kibanaro, logstash, readall, and snapshotrestore—are available to change in the Security UI in Kibana. The admin and kibanaserver users are reserved users, and they must be changed in the security configuration files. Default location : /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
First run the hash tool to generate a new password hash.
$ sudo bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh
[Password:] <type a new secure password>
$2y$12$7f9DHLNLV1QkfhM9K5vhVeLpRxM2.7SMfZnAxUhLDJ5AYC/cs9y1S
Now open /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
in your favorite editor, and change the password string for the just the admin user with the hash created in the previous step.
After changing any of the configuration files in plugins/opendistro_security/securityconfig
, however, you must run plugins/opendistro_security/tools/securityadmin.sh
to load these new settings into the index.
Each node also includes the tool at plugins/opendistro_security/tools/securityadmin.sh
. Make the script executable before running it:
sudo chmod +x /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh
To load configuration changes to Security plugin, you must provide your admin certificate to the tool:
cd /usr/share/elasticsearch/plugins/opendistro_security/tools/
sudo ./securityadmin.sh -cd ../securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk-key.pem
Open Distro Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Elasticsearch Version: 7.2.1
Open Distro Security Version: 1.2.1.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: od4es
Clusterstate: GREEN
Number of nodes: 7
Number of data nodes: 3
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
Will update '_doc/config' with ../securityconfig/config.yml
SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with ../securityconfig/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with ../securityconfig/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with ../securityconfig/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with ../securityconfig/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with ../securityconfig/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Done with success
For further details on securityadmin.sh, please refer to the documentation.
We will create local users in the internal user database. We'll create 2 users – devops & itsupport
Login to kibana ( http://<client-node-ip>:5601/
) with the new admin password.
For each user :