github-mirrors/elasticsearch
1
0
Fork 0
mirror of https://github.com/elastic/elasticsearch.git synced 2025-04-25 07:37:19 -04:00
Code Issues Projects Releases Packages Wiki Activity
elasticsearch/docs/reference/commands/reset-password.asciidoc
Ioannis Kakavas 537f371f34
URL option for BaseRunAsSuperuserCommand (#81025) 
Add a --url option for elasticsearch-reset-password and
elasticsearch-create-enrollment-token CLI Tools ( and any tools
that would extend BaseRunAsSuperuserCommand ).
The tools use CommandLineHttpClient internally, which tries its
best to deduce the URL of the local node based on the configuration
but there are certain cases where it either fails or returns an
unwanted result. Concretely:

- CommandLineHttpClient#getDefaultURL will always return a URL with
the port set to 9200, unless otherwise explicitly set in the
configuration. When running multiple nodes on the same host,
subsequent nodes get sequential port numbers after 9200 by default
and this means that the CLI tool will always connect the first of
n nodes in a given host. Since these tools depend on a file realm
local user, requests to other nodes would fail
- When an ES node binds and listens to many addresses, there can
be the case that not all of the IP addresses are added as SANs in
the certificate that is used for TLS on the HTTP layer.
CommandLineHttpClient#getDefaultURL will pick an address based on
a preference order but that address might not be in the SANs and
thus all requests to the node would fail due to failed hostname
verification.

Manually setting `--url` to an appropriate value allows users to
overcome these edge cases.
2021-11-29 23:49:27 +02:00

93 lines
3.3 KiB
Text
Raw Blame History

[roles="xpack"]
[[reset-password]]
== elasticsearch-reset-password
The `elasticsearch-reset-password` command resets the passwords of users in
the native realm and built-in users.
[discrete]
=== Synopsis
[source,shell]
----
bin/elasticsearch-reset-password
[-a, --auto] [-b, --batch] [-E <KeyValuePair]
[-f, --force] [-h, --help] [-i, --interactive]
[-s, --silent] [-u, --username] [--url] [-v, --verbose]
----
[discrete]
=== Description
Use this command to reset the password of any user in the native realm
or any built-in user. By default, a strong password is generated for you.
To explicitly set a password, run the tool in interactive mode with `-i`.
The command generates (and subsequently removes) a temporary user in the
<<file-realm,file realm>> to run the request that changes the user password.
IMPORTANT: You cannot use this tool if the file realm is disabled in your `elasticsearch.yml` file.
This command uses an HTTP connection to connect to the cluster and run the user
management requests. The command automatically attempts to establish the connection
over HTTPS by using the `xpack.security.http.ssl` settings in
the `elasticsearch.yml` file. If you do not use the default configuration directory
location, ensure that the `ES_PATH_CONF` environment variable returns the
correct path before you run the `elasticsearch-reset-password` command. You can
override settings in your `elasticsearch.yml` file by using the `-E` command
option. For more information about debugging connection failures, see
<<trb-security-setup>>.
[discrete]
[[reset-password-parameters]]
=== Parameters
`-a, --auto`:: Resets the password of the specified user to an auto-generated strong password. (Default)
`-b, --batch`:: Runs the reset password process without prompting the user for verification.
`-E <KeyValuePair>`:: Configures a standard {es} or {xpack} setting.
`-f, --force`:: Forces the command to run against an unhealthy cluster.
`-h, --help`:: Returns all of the command parameters.
`-i, --interactive`:: Prompts for the password of the specified user. Use this option to explicitly set a password.
`-s --silent`:: Shows minimal output in the console.
`-u, --username`:: The username of the native realm user or built-in user.
`--url`:: Specifies the base URL (hostname and port of the local node) that the tool uses to submit API
requests to {es}. The default value is determined from the settings in your
`elasticsearch.yml` file. If `xpack.security.http.ssl.enabled` is set to `true`,
you must specify an HTTPS URL.
`-v --verbose`:: Shows verbose output in the console.
[discrete]
=== Examples
The following example resets the password of the `elastic` user to an auto-generated value and
prints the new password in the console:
[source,shell]
----
bin/elasticsearch-reset-password -u elastic
----
The following example resets the password of a native user with username `user1` after prompting
in the terminal for the desired password:
[source,shell]
----
bin/elasticsearch-reset-password --username user1 -i
----
The following example resets the password of a native user with username `user2` to an auto-generated value
prints the new password in the console. The specified URL indicates where the elasticsearch-reset-password
tool attempts to reach the local {es} node:
[source,shell]
----
bin/elasticsearch-reset-password --url "https://172.0.0.3:9200" --username user2 -i
----
Reference in a new issue View git blame Copy permalink