Home > Mobile >  Change Elasticsearch password with Ansible
Change Elasticsearch password with Ansible

Time:01-24

I've installed Elasticsearch on Windows server with ansible AWX. Now I'm trying to reset initial password to my new password (with ansible as well).

I know I can do it manually with:

D:\elasticsearch-8.6.0\bin\elasticsearch-reset-password -b -u elastic -i

but I can't find a way to do it / read it via ansible.

I can also send API request with ansible:

    - name: Push password
      ansible.windows.win_uri:
        url: http://localhost:9200/_security/user/_password?pretty
        method: PUT
        url_username: elastic
        url_password: my_password
        body:
          password: my_new_password
        headers:
          Content-Type: "application/json"

but it requires me providing old password, which I don't know before I reset it manually (and this is what I'm trying to automate).

Is there a way to do it with ansible?

CodePudding user response:

The most efficient way would be to reset the password directly to the target one. But since you can only do that interactively with elasticsearch-reset-password, this would require using the ansible.builtin.expect module which is unfortunately available only for linux hosts

So under windows, I'm affraid the only alternative is to:

  1. reset to a random password and read it in a variable
  2. change the random password to the one you want to configure

Issuing the following command:

elasticsearch-reset-password -u elastic -b

Outputs something like the following on stdout:

Password for the [elastic] user successfully reset.
New value: dTrR*tAdnCCkTZ4 Edgd

So the information we are looking for is on the last line

Taking this into account, the (untested) following playbook should do what you expect (or at the very least put you on the good track).

- name: Reset elastic user password to random
  ansible.builtin.win_command: elasticsearch-reset-password -u elastic -b
  register: reset_cmd

- name: Push password
  vars:
    my_password: "{{ reset_cmd.stdout_lines[-1]
      | regex_replace('^New value: (.*)$', '\\1') }}"
  ansible.windows.win_uri:
    url: http://localhost:9200/_security/user/_password?pretty
    method: PUT
    url_username: elastic
    url_password: "{{ my_password }}"
    body:
      password: "verysecurenewpassword"
    headers:
      Content-Type: "application/json"
  • Related