From e288a1a4af60fcea72943de3a2498953e619785f Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Thu, 21 Oct 2021 20:36:05 +0300 Subject: [PATCH] Deprecate setup-passwords tool (#76902) With Security ON by default project where the `elastic` user password is auto-generated, we have decided to deprecate the setup-passwords tool and consider removing it in a future version. Users will get a password for the `elastic` built-in user when the node starts for the first time and they can also use the newly introduced elastisearch-reset-elastic-password tool to set or reset that password. With credentials for the elastic user available, the password for the rest of the built-in users can be set using the Change Password API, or via Kibana. --- .../commands/setup-passwords.asciidoc | 2 ++ .../esnative/tool/SetupPasswordTool.java | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/docs/reference/commands/setup-passwords.asciidoc b/docs/reference/commands/setup-passwords.asciidoc index 7a443b492d470..45f79eebee884 100644 --- a/docs/reference/commands/setup-passwords.asciidoc +++ b/docs/reference/commands/setup-passwords.asciidoc @@ -3,6 +3,8 @@ [[setup-passwords]] == elasticsearch-setup-passwords +deprecated[8.0, "The `elasticsearch-setup-passwords` tool is deprecated and will be removed in a future release. To manually reset the password for the `elastic` user, use the <>. To change passwords for other users, use either {kib} or the {es} change passwords API."] + The `elasticsearch-setup-passwords` command sets the passwords for the <>. diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java index c657140e42154..be417f544e939 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java 
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java @@ -65,7 +65,11 @@ * mode prompts for each individual user's password. This tool only runs once, * if successful. After the elastic user password is set you have to use the * `security` API to manipulate passwords. + * + * @deprecated Use {@link ResetBuiltinPasswordTool} for setting the password of the + * elastic user and the ChangePassword API for setting the password of the rest of the built-in users when needed. */ +@Deprecated public class SetupPasswordTool extends LoggingAwareMultiCommand { private static final char[] CHARS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789").toCharArray(); @@ -134,6 +138,11 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th checkClusterHealth(terminal); if (shouldPrompt) { + terminal.println("******************************************************************************"); + terminal.println("Note: The 'elasticsearch-setup-passwords' tool has been deprecated. This " + + " command will be removed in a future release."); + terminal.println("******************************************************************************"); + terminal.println(""); terminal.println("Initiating the setup of passwords for reserved users " + String.join(",", USERS) + "."); terminal.println("The passwords will be randomly generated and printed to the console."); boolean shouldContinue = terminal.promptYesNo("Please confirm that you would like to continue", false); 
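Review bot: The `@Deprecated` annotation added on `SetupPasswordTool` carries no version, while the asciidoc change in this same commit pins the deprecation to 8.0. Writing it as `@Deprecated(since = "8.0")` would keep the code and the docs in step. The second line of the new `@deprecated` Javadoc tag is much longer than its neighbours and could be wrapped like the rest of the comment. The class body continues outside the hunk.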
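Review bot: The deprecation banner in this `execute` hunk sits inside `if (shouldPrompt)`, so a run that skips the confirmation prompt never sees it; that is presumably the scripted case, the one most likely to break unnoticed when the command is removed. Printing it before the guard with `terminal.errorPrintln` would reach those callers while leaving standard output, where the generated passwords are printed, unchanged for anything that parses it. The concatenation `"... deprecated. This " + " command ..."` also renders a double space in the message. The identical block is repeated in the `@@ -180,6 +189,11 @@` hunk, so a single helper could hold one copy and name `elasticsearch-reset-elastic-password` as the replacement. Both `execute` bodies start and end outside their hunks.

```java
// … unchanged: checkClusterHealth(terminal) …
printDeprecationNotice(terminal);
if (shouldPrompt) {
    // … unchanged: confirmation prompt and password setup …

private static void printDeprecationNotice(Terminal terminal) {
    // stderr, so stdout (which carries the generated passwords in auto mode) is not altered
    terminal.errorPrintln("******************************************************************************");
    terminal.errorPrintln("Note: The 'elasticsearch-setup-passwords' tool has been deprecated. This"
        + " command will be removed in a future release.");
    terminal.errorPrintln("Use 'elasticsearch-reset-elastic-password' to set the password of the elastic user.");
    terminal.errorPrintln("******************************************************************************");
    terminal.errorPrintln("");
}
```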
@@ -180,6 +189,11 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th checkClusterHealth(terminal); if (shouldPrompt) { + terminal.println("******************************************************************************"); + terminal.println("Note: The 'elasticsearch-setup-passwords' tool has been deprecated. This " + + " command will be removed in a future release."); + terminal.println("******************************************************************************"); + terminal.println(""); terminal.println("Initiating the setup of passwords for reserved users " + String.join(",", USERS) + "."); terminal.println("You will be prompted to enter passwords as the process progresses."); boolean shouldContinue = terminal.promptYesNo("Please confirm that you would like to continue", false); @@ -314,6 +328,11 @@ void checkElasticKeystorePasswordValid(Terminal terminal, Environment env) throw terminal.errorPrintln(" * Your elasticsearch node is running against a different keystore"); terminal.errorPrintln(" This tool used the keystore at " + KeyStoreWrapper.keystorePath(env.configFile())); terminal.errorPrintln(""); + terminal.errorPrintln( + "You can use the `elasticsearch-reset-elastic-password` CLI tool to reset the password of the '" + elasticUser + + "' user" + ); + terminal.errorPrintln(""); throw new UserException(ExitCodes.CONFIG, "Failed to verify bootstrap password"); } else if (httpCode != HttpURLConnection.HTTP_OK) { terminal.errorPrintln("");
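Review bot: The hint added to `checkElasticKeystorePasswordValid` stops at resetting the `elastic` password and does not say what to do next. The class Javadoc in this file states that the tool only runs once and that passwords are managed through the `security` API afterwards, so an operator who resets the password and reruns this command would presumably hit the same "Failed to verify bootstrap password" exit. A follow-up line would close the loop, for example `terminal.errorPrintln("Then set the passwords of the other built-in users with the change password API or Kibana.");`. The method starts and ends outside the hunk.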