Opster and Elastic join forces to help users take charge of their search operations 💪 Read the announcement
Opensearch Guides > OpenSearch Security
By Opster Team
Updated: Nov 2, 2023
| 2 min readOpenSearch, a fork of Elasticsearch, is a powerful search and analytics engine that provides a wide range of features for handling large volumes of data. One of the critical aspects of managing an OpenSearch cluster is ensuring its security. This article will discuss the default username and password for OpenSearch and how to secure your cluster by changing these credentials and implementing additional security measures. If you want to learn about OpenSearch docker – how to spin up a cluster using docker, check out this guide.
When you install OpenSearch, it comes with a built-in security plugin that provides authentication and authorization features. By default, the security plugin is enabled, and it comes with a set of predefined users and roles. The default username and password for OpenSearch are:
These default credentials provide full access to the OpenSearch cluster, including the ability to manage indices, create and delete users, and modify cluster settings. It is crucial to change the default username and password to secure your OpenSearch cluster.
To change the default username and password in OpenSearch, follow these steps:
1. Locate the `opensearch.yml` configuration file in your OpenSearch installation directory. The file is usually located in the `config` folder.
2. Open the `opensearch.yml` file in a text editor.
3. Find the `plugins.security.authcz.admin_dn` setting in the file. This setting specifies the distinguished name (DN) of the admin user. By default, it should look like this:
plugins.security.authcz.admin_dn: "CN=admin,OU=client,O=client,L=test,C=de"
4. Change the DN to a unique value that represents your new admin user. For example:
plugins.security.authcz.admin_dn: "CN=my_new_admin,OU=client,O=client,L=test,C=de"
5. Save and close the `opensearch.yml` file.
6. Locate the `internal_users.yml` file in the `config` folder of your OpenSearch installation directory.
7. Open the `internal_users.yml` file in a text editor.
8. Find the `admin` user entry in the file. It should look like this:
admin:
hash: "$2y$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
reserved: true9. Change the `admin` user entry to your new admin username and update the password hash. To generate a new password hash, you can use the `hash.sh` script provided by OpenSearch. Run the script with your desired password as an argument:
./hash.sh my_new_password
This will output a new password hash. Replace the existing hash in the `internal_users.yml` file with the new hash:
my_new_admin:
hash: "new_password_hash"
reserved: true10. Save and close the `internal_users.yml` file.
11. Restart your OpenSearch cluster for the changes to take effect.
Changing the default username and password is just the first step in securing your OpenSearch cluster. Here are some additional security measures you should consider implementing:
In conclusion, securing your OpenSearch cluster is essential to protect your data and maintain the integrity of your search and analytics operations. Changing the default username and password is a crucial first step, but implementing additional security measures will further strengthen your cluster’s security posture.
How helpful was this guide?
We are sorry that this post was not useful for you!
Let us improve this post!
Tell us how we can improve this post?
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
