Skip to main content
Version: 5.2

User Password Change Guide

warning

Make sure to check all locations where the user's account might be used before changing the password, for example:

  • in pipeline configurations of the Smart Monitor Data Collector (SM Data Collector) component
  • in the opensearch_dashboards.yml configuration file of the Smart Monitor Web (SM Web) component
  • in the connection settings of the Inventory module
  • in the connection settings of the User Behavior Analytics module
  • Smart Monitor Engine (SM Engine) user settings in the password storage of Smart Monitor Data Storage (SM Data Storage) and Smart Monitor Master Node (SM Master Node)
  • Smart Monitor Engine Remote Execution (SME-RE) user settings in the password storage of Smart Monitor Data Storage (SM Data Storage) and Smart Monitor Master Node (SM Master Node)
  • connection settings to the Smart Beat Manager (SBM) in the opensearch_dashboards.yml configuration file of the Smart Monitor Web (SM Web) component
  • external scripts

It is recommended to use a separate service account for each service.

Generating a New Password Hash

Symbols:

  • OS_HOME - the OpenSearch home directory, usually /app/opensearch/

  • OS_IP - the IP address of one of the OpenSearch cluster servers

info

Passwords for built-in users (admin, kibanaserver, logstash, sa) can only be changed using this method. For all other users, passwords can be modified via the web interface (Main menu - Settings - Security - Internal users).

To begin, generate a new password hash using the following command:

JAVA_HOME=$OS_HOME/jdk/ $OS_HOME/plugins/opensearch-security/tools/hash.sh

If a file permission error occurs, make the file executable using the following command:

chmod +x $OS_HOME/plugins/opensearch-security/tools/hash.sh

Creating a Backup of the Security Configuration

warning

Before making any changes, be sure to create a backup of the security plugin configuration. We recommend creating two copies:

  • one in the backup directory, for example: /app/backup/opensearch-security-$(date +%Y%m%d)/

  • another in the directory where changes will be made: ${OS_HOME}/config/opensearch-security/

Use the following command to create a backup in the ${OS_HOME}/config/opensearch-security/ directory. Before running it, make sure you have the admin certificates available (usually located on the first node of the SM Data Storage cluster):

JAVA_HOME=${OS_HOME}/jdk/ ${OS_HOME}/plugins/opensearch-security/tools/securityadmin.sh -h ${OS_IP} \
-cacert ${OS_HOME}/config/ca-cert.pem \
-cert ${OS_HOME}/config/admin-cert.pem \
-key ${OS_HOME}/config/admin-key.pem \
--accept-red-cluster -nhnv -icl \
-backup ${OS_HOME}/config/opensearch-security/

If a file permission error occurs, make the file executable using the following command:

chmod +x $OS_HOME/plugins/opensearch-security/tools/securityadmin.sh

Updating a User's Password

  1. Open the user configuration file: ${OS_HOME}/config/opensearch-security/internal_users.yml

Take note of the additional fields in the internal_users.yml file:

FieldDescription
reservedMarks the user, role, role mapping, or action group as reserved. These resources cannot be modified via REST API or SM Web
hiddenAllows users, roles, role mappings, and action groups to be hidden. Resources with this flag won't appear in SM Web or be returned by the REST API
hashThe user's password hash
opendistro_security_roleList of internal Smart Monitor roles
backend_rolesRoles assigned based on the username
attributesAdditional user attributes (optional)
staticMarks the user as a system user (cannot be deleted)
descriptionUser description (optional)
new-user:
  hash: "$2y$12$88IFVl6IfIwCFh5aQYfOmuXVL9j2hz/GusQb35o.4sdTDAEMTOD.K"
  reserved: false
  hidden: false
  opendistro_security_roles:
    - "specify-some-security-role-here"
  backend_roles:
    - "specify-some-backend-role-here"
  attributes:
    attribute1: "value1"
  static: false
  description: "Demo admin user"

  1. Find the user by name (example: admin)

  2. Paste the newly generated password hash into the hash field. For example:

admin:
  hash: "$2y121212OLRmqL1CBHJDZkG0R4wxC.Ifb9bcqDMsZWO9780bW3lKw9nn95GjO"
  reserved: true
  backend_roles:
    - "admin"
  opendistro_security_roles:
    - "all_access"
  description: "Base admin user"
  1. Save the changes

Applying the Updated Configuration

warning

Make sure to update the password in all configurations and components where this user account is used.

After editing the configuration, apply the changes using the following command:

JAVA_HOME=${OS_HOME}/jdk/ ${OS_HOME}/plugins/opensearch-security/tools/securityadmin.sh -h ${OS_IP} \
-cacert ${OS_HOME}/config/ca-cert.pem \
-cert ${OS_HOME}/config/admin-cert.pem \
-key ${OS_HOME}/config/admin-key.pem \
-icl -nhnv \
-t internalusers \
-f ${OS_HOME}/config/opensearch-security/internal_users.yml \