OD4FE ships with an advanced security plugin. The Security plugin stores its configuration—including users, roles, and permissions—in an index on the Elasticsearch cluster (.opendistro_security). Storing these settings in an index lets you change settings without restarting the cluster and eliminates the need to edit configuration files on every single node.
The plugin comes pre-configured with a number of different users and default passwords for them. Passwords for some of the preconfigured users—kibanaro, logstash, readall, and snapshotrestore—are available to change in the Security UI in Kibana. The admin and kibanaserver users are reserved users, and they must be changed in the security configuration files. Default location :
First run the hash tool to generate a new password hash.
$ sudo bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh [Password:] <type a new secure password> $2y$12$7f9DHLNLV1QkfhM9K5vhVeLpRxM2.7SMfZnAxUhLDJ5AYC/cs9y1S
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml in your favorite editor, and change the password string for the just the admin user with the hash created in the previous step.
After changing any of the configuration files in
plugins/opendistro_security/securityconfig, however, you must run
plugins/opendistro_security/tools/securityadmin.sh to load these new settings into the index.
Each node also includes the tool at
plugins/opendistro_security/tools/securityadmin.sh. Make the script executable before running it:
sudo chmod +x /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh
To load configuration changes to Security plugin, you must provide your admin certificate to the tool:
cd /usr/share/elasticsearch/plugins/opendistro_security/tools/ sudo ./securityadmin.sh -cd ../securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk-key.pem Open Distro Security Admin v7 Will connect to localhost:9300 ... done Connected as CN=kirk,OU=client,O=client,L=test,C=de Elasticsearch Version: 7.2.1 Open Distro Security Version: 22.214.171.124 Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ... Clustername: od4es Clusterstate: GREEN Number of nodes: 7 Number of data nodes: 3 .opendistro_security index already exists, so we do not need to create one. Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig Will update '_doc/config' with ../securityconfig/config.yml SUCC: Configuration for 'config' created or updated Will update '_doc/roles' with ../securityconfig/roles.yml SUCC: Configuration for 'roles' created or updated Will update '_doc/rolesmapping' with ../securityconfig/roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated Will update '_doc/internalusers' with ../securityconfig/internal_users.yml SUCC: Configuration for 'internalusers' created or updated Will update '_doc/actiongroups' with ../securityconfig/action_groups.yml SUCC: Configuration for 'actiongroups' created or updated Will update '_doc/tenants' with ../securityconfig/tenants.yml SUCC: Configuration for 'tenants' created or updated Done with success
For further details on securityadmin.sh, please refer to the documentation.
We will create local users in the internal user database. We'll create 2 users – devops & itsupport
Login to kibana (
http://<client-node-ip>:5601/ ) with the new admin password.
For each user :