LinuxCommandLibrary

elasticsearch-users

Manage Elasticsearch file realm users

TLDR

Add a new user interactively (prompts for password)

$ elasticsearch-users useradd [username]
copy

Add a new user and specify roles
$ elasticsearch-users useradd [username] -r [role1,role2]
copy

Change the password for an existing user
$ elasticsearch-users passwd [username]
copy

Delete a user
$ elasticsearch-users userdel [username]
copy

List all users in the native realm
$ elasticsearch-users list
copy

SYNOPSIS

elasticsearch-users action [username] [options]

PARAMETERS

-h, --help
    Show help message and exit

-s, --silent
    Run in silent mode, suppressing non-error output

-v, --verbose
    Run with verbose output

-V, --version
    Show Elasticsearch version

-p, --password <PASSWORD>
    Set or update user password (useradd, set-password)

-r, --roles <ROLE1,ROLE2,...>
    Assign roles to user (useradd, set-roles)

-E, --setting <KEY=VALUE>
    Set arbitrary metadata key-value pair (useradd)

-t, --template <TEMPLATE>
    Template for listing users (list)

-i
    Interactive password input (hasher)

DESCRIPTION

The elasticsearch-users command is a CLI tool bundled with Elasticsearch distributions for managing users in the native security realm. It enables administrators to add, delete, list, update passwords, roles, and other settings for users when basic or standard security features are enabled. This tool interacts with the users file or native realm storage, typically located in the Elasticsearch config directory.

Primarily used in single-node setups or for initial user bootstrapping in production clusters, it supports actions like creating users with roles (e.g., superuser, kibana_admin), changing passwords interactively or non-interactively, listing all users, and viewing assigned roles. Passwords are hashed using PBKDF2 by default for security. The tool requires Elasticsearch to be stopped or uses file-based storage to avoid conflicts.

It is essential for enabling security without external directories like LDAP or Active Directory, providing a simple file-based user management solution. Always run it as the elasticsearch user and ensure proper file permissions on the config directory.

CAVEATS

Requires Elasticsearch security enabled; run as elasticsearch user; cluster must be stopped for some actions to avoid conflicts. Passwords are irreversibly hashed.

COMMON ACTIONS

useradd user -p pass -r superuser
passwd user
list
roles user

LOCATION

Typically at $ES_HOME/bin/elasticsearch-users; uses $ES_HOME/config/users file.

HISTORY

Introduced in Elasticsearch 6.8.0 (2019) with basic license security features; enhanced in 7.x and 8.x for production use with native realms.

SEE ALSO

useradd(8), userdel(8), passwd(1)

Copied to clipboard