Skip to content

Set Elasticsearch built-in user passwords

Severity: highApplies to: Elasticsearch 8.x / 9.xApplies to: Elasticsearch 7.x
The fix
Terminal window
# Reset the elastic superuser password (prints a new one)
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
# Set passwords for the other built-in users interactively
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system

Elasticsearch ships several built-in users, and one of them — elastic — is a superuser with complete control: every index, every setting, user management, and the ability to grant itself anything it doesn’t already have.

How its password starts depends on how the cluster came up:

  • 8.x/9.x auto-configuration generates a random elastic password and prints it once, at first startup. If nobody captured it, it’s not lost — you reset it — but it does mean the password is often an unknown, which is its own problem.
  • 7.x, or manual setup, starts with the built-in users effectively unusable until you run elasticsearch-setup-passwords, and clusters that were set up hastily sometimes have weak or shared passwords across all of them.

Either way, the elastic account is the keys to the cluster, and it should have a strong, known, and rarely used password.

This is the actual control, more than the password itself.

elastic is a superuser, and superusers should authenticate almost never — emergencies and initial setup. Every routine consumer should have its own credentials scoped to what it needs:

  • Kibana uses the kibana_system service account, not elastic.
  • Applications get an API key or a custom role, not elastic.
  • Logstash and Beats get their own users with write access to their indices and nothing else.

An application configured with the elastic credentials means a compromise of that application is a compromise of the entire cluster — and it means the superuser password is sitting in an application config file, probably in more than one place. The least-privilege page covers what to give them instead.

Beyond elastic, the built-in service accounts each have a specific job: kibana_system for Kibana’s own operations, logstash_system for monitoring, beats_system, remote_monitoring_user, and others. They are not for humans and not for applications — they exist so those components can function without a superuser.

Set passwords for the ones you use, and don’t repurpose them. kibana_system is scoped for Kibana’s needs; giving it to your app both over- and under-privileges the app.