elasticsearch-reset-password

Reset the password of the user to an auto-generated value and print it in the console

$ elasticsearch-reset-password [[-u|--username]] [user]

$ elasticsearch-reset-password [[-u|--username]] [user] [[-i|--interactive]]

$ elasticsearch-reset-password --url [host]:[port] [[-u|--username]] [user] [[-i|--interactive]]

elasticsearch-reset-password [options] -u <username>

-u <username> / --username <username>
    Specifies the username for which the password needs to be reset. This is a mandatory option.

--batch
    Runs the command in non-interactive mode. The command will automatically generate a new, strong password and print it to standard output. Useful for scripting.

--stdin
    Reads the new password from standard input (stdin). This is useful when piping a password to the command, avoiding exposure in shell history.

--silent
    Suppresses most informational messages, only showing critical output (e.g., the new password in batch mode).

--config <path>
    Specifies the path to the Elasticsearch configuration directory. Useful if the default path is not applicable.

--url <url>
    Specifies the URL of the Elasticsearch instance to connect to. By default, it connects to http://localhost:9200.

-v / --verbose
    Increases verbosity of output, providing more detailed information during execution.

The elasticsearch-reset-password command is a crucial utility provided by Elasticsearch to securely reset passwords for both built-in users (like elastic, kibana_system, logstash_system, beats_system) and any custom users created within the Elasticsearch security realm. This command is typically found in the bin directory of your Elasticsearch installation. It's essential for regaining access to your cluster if user passwords are lost or for rotating security credentials as part of regular security practices. By default, it operates interactively, prompting the user for the new password. However, it also supports non-interactive modes for scripting and automation, where it can either generate a strong, random password or accept a password via standard input. Using this tool ensures that passwords are reset safely without direct manipulation of configuration files or the need for API calls that might expose credentials.

Permissions: The command must be executed with sufficient privileges, typically by the user running the Elasticsearch process (e.g., elasticsearch user) or root.
Elasticsearch State: The Elasticsearch cluster must be running and accessible for the password reset to succeed.
Generated Passwords: When using --batch, a cryptographically strong, random password is generated. Ensure you securely store this password as it will not be displayed again.
Built-in Users: Exercise extreme caution when resetting passwords for built-in users like elastic, as they have extensive privileges and are critical for cluster operation.
Java Dependency: Requires a compatible Java Runtime Environment (JRE) to be installed and accessible via the PATH or configured via the JAVA_HOME environment variable.

The command is usually located in the $ES_HOME/bin directory, where $ES_HOME is the root directory of your Elasticsearch installation. It's recommended to run it from this directory or add $ES_HOME/bin to your system's PATH.

./elasticsearch-reset-password -u elastic
(This will prompt you to enter the new password twice)

./elasticsearch-reset-password -u kibana_system --batch
(This will output a new, random password for the kibana_system user)

echo "MyStrongNewPassword" | ./elasticsearch-reset-password -u logstash_system --stdin
(This sets "MyStrongNewPassword" for the logstash_system user)

The elasticsearch-reset-password utility is part of Elasticsearch's X-Pack security features, which became a core part of the default distribution starting with Elasticsearch 6.8 (basic security tier) and fully open-sourced for basic features in 7.0. Its development reflects the growing need for robust, built-in security mechanisms within the Elasticsearch ecosystem, enabling administrators to manage user credentials directly from the command line without relying solely on API calls or external tools.

No direct standard Linux manual pages for this application-specific utility. However, it is an integral part of Elasticsearch security, functionally similar to system user password tools like passwd(1) but for the Elasticsearch realm.