Set Elasticsearch built-in user passwords
# Reset the elastic superuser password (prints a new one)sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
# Set passwords for the other built-in users interactivelysudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_systemWhy it matters
Section titled “Why it matters”Elasticsearch ships several built-in users, and one of them — elastic — is a
superuser with complete control: every index, every setting, user management, and
the ability to grant itself anything it doesn’t already have.
How its password starts depends on how the cluster came up:
- 8.x/9.x auto-configuration generates a random
elasticpassword and prints it once, at first startup. If nobody captured it, it’s not lost — you reset it — but it does mean the password is often an unknown, which is its own problem. - 7.x, or manual setup, starts with the built-in users effectively unusable
until you run
elasticsearch-setup-passwords, and clusters that were set up hastily sometimes have weak or shared passwords across all of them.
Either way, the elastic account is the keys to the cluster, and it should have a
strong, known, and rarely used password.
Don’t use elastic for anything routine
Section titled “Don’t use elastic for anything routine”This is the actual control, more than the password itself.
elastic is a superuser, and superusers should authenticate almost never —
emergencies and initial setup. Every routine consumer should have its own
credentials scoped to what it needs:
- Kibana uses the
kibana_systemservice account, notelastic. - Applications get an API key or a custom role,
not
elastic. - Logstash and Beats get their own users with write access to their indices and nothing else.
An application configured with the elastic credentials means a compromise of
that application is a compromise of the entire cluster — and it means the
superuser password is sitting in an application config file, probably in more than
one place. The least-privilege page
covers what to give them instead.
The other built-in users
Section titled “The other built-in users”Beyond elastic, the built-in service accounts each have a specific job:
kibana_system for Kibana’s own operations, logstash_system for monitoring,
beats_system, remote_monitoring_user, and others. They are not for humans and
not for applications — they exist so those components can function without a
superuser.
Set passwords for the ones you use, and don’t repurpose them. kibana_system is
scoped for Kibana’s needs; giving it to your app both over- and under-privileges
the app.
Related
Section titled “Related”- API keys and least privilege — what applications should use instead of elastic.
- Enable security — creates these users in the first place.