Deprecate setup-passwords tool (#76902)
With Security ON by default project where the `elastic` user
password is auto-generated, we have decided to deprecate the
setup-passwords tool and consider removing it in a future version.
Users will get a password for the `elastic` built-in user when the
node starts for the first time and they can also use the newly
introduced elasticsearch-reset-elastic-password tool to set or
reset that password. With credentials for the elastic user
available, the password for the rest of the built-in users can be
set using the Change Password API, or via Kibana.
jkakavas authored Oct 21, 2021
1 parent 6fb40a8 commit e288a1a
Showing 2 changed files with 21 additions and 0 deletions.
2 changes: 2 additions & 0 deletions docs/reference/commands/setup-passwords.asciidoc
Expand Up @@ -3,6 +3,8 @@
[[setup-passwords]]
== elasticsearch-setup-passwords

deprecated[8.0, "The `elasticsearch-setup-passwords` tool is deprecated and will be removed in a future release. To manually reset the password for the `elastic` user, use the <<reset-elastic-password,`elasticsearch-reset-elastic-password` tool>>. To change passwords for other users, use either {kib} or the {es} change passwords API."]

The `elasticsearch-setup-passwords` command sets the passwords for the
<<built-in-users,built-in users>>.
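
Review bot: In the `deprecated[8.0, ...]` notice, the reset tool is cross-referenced with `<<reset-elastic-password,...>>`, but the change passwords API is named in plain text only. Consider cross-referencing it as well, so that readers migrating away from this tool can reach the replacement for the remaining built-in users directly from the notice.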

Expand Up @@ -65,7 +65,11 @@
* mode prompts for each individual user's password. This tool only runs once,
* if successful. After the elastic user password is set you have to use the
* `security` API to manipulate passwords.
*
* @deprecated Use {@link ResetBuiltinPasswordTool} for setting the password of the
* elastic user and the ChangePassword API for setting the password of the rest of the built-in users when needed.
*/
@Deprecated
public class SetupPasswordTool extends LoggingAwareMultiCommand {

private static final char[] CHARS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789").toCharArray();
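
Review bot: The `@Deprecated` annotation carries no `since` value, while the asciidoc notice in this same commit states 8.0. If the build targets Java 9 or later, `@Deprecated(since = "8.0")` would keep code and docs aligned. The `@deprecated` Javadoc also uses `{@link ResetBuiltinPasswordTool}` for the reset tool but names "the ChangePassword API" in plain text only; a link or the REST endpoint name there would make the migration path easier to follow.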
Expand Down Expand Up @@ -134,6 +138,11 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
checkClusterHealth(terminal);

if (shouldPrompt) {
terminal.println("******************************************************************************");
terminal.println("Note: The 'elasticsearch-setup-passwords' tool has been deprecated. This " +
" command will be removed in a future release.");
terminal.println("******************************************************************************");
terminal.println("");
terminal.println("Initiating the setup of passwords for reserved users " + String.join(",", USERS) + ".");
terminal.println("The passwords will be randomly generated and printed to the console.");
boolean shouldContinue = terminal.promptYesNo("Please confirm that you would like to continue", false);
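
Review bot: The string concatenation in the deprecation banner produces a double space: `"... has been deprecated. This "` followed by `" command will be removed ..."` prints as "This  command". Drop the leading space from the second literal. The banner is also placed inside `if (shouldPrompt)`, so a run that skips that branch prints no deprecation notice at all; moving it above the `if` would cover that path, and since the next lines say passwords are printed to the console, `terminal.errorPrintln` may be the better channel so the notice does not mix with that output.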
Expand Down Expand Up @@ -180,6 +189,11 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
checkClusterHealth(terminal);

if (shouldPrompt) {
terminal.println("******************************************************************************");
terminal.println("Note: The 'elasticsearch-setup-passwords' tool has been deprecated. This " +
" command will be removed in a future release.");
terminal.println("******************************************************************************");
terminal.println("");
terminal.println("Initiating the setup of passwords for reserved users " + String.join(",", USERS) + ".");
terminal.println("You will be prompted to enter passwords as the process progresses.");
boolean shouldContinue = terminal.promptYesNo("Please confirm that you would like to continue", false);
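
Review bot: These five banner lines are a verbatim copy of the ones added in the previous hunk, including the `"This " + " command"` double space. Extract them into one private helper so the text is fixed and maintained in one place. The banner could also name `elasticsearch-reset-elastic-password` as the replacement, as the error hint added later in this file does.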
Expand Down Expand Up @@ -314,6 +328,11 @@ void checkElasticKeystorePasswordValid(Terminal terminal, Environment env) throw
terminal.errorPrintln(" * Your elasticsearch node is running against a different keystore");
terminal.errorPrintln(" This tool used the keystore at " + KeyStoreWrapper.keystorePath(env.configFile()));
terminal.errorPrintln("");
terminal.errorPrintln(
"You can use the `elasticsearch-reset-elastic-password` CLI tool to reset the password of the '" + elasticUser
+ "' user"
);
terminal.errorPrintln("");
throw new UserException(ExitCodes.CONFIG, "Failed to verify bootstrap password");
} else if (httpCode != HttpURLConnection.HTTP_OK) {
terminal.errorPrintln("");
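
Review bot: The new hint wraps the tool name in backticks, while the deprecation banner added earlier in this file uses single quotes ('elasticsearch-setup-passwords'). Backticks are markup that a terminal prints literally, so pick one quoting style for CLI output. The hint is also added only to the branch that throws "Failed to verify bootstrap password"; it is worth checking whether the other error branches in `checkElasticKeystorePasswordValid` should point to the reset tool too.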