elasticsearch-users
Manage Elasticsearch file realm users
TLDR
Add a new user interactively (prompts for password)
Add a new user and specify roles
Change the password for an existing user
Delete a user
List all users in the native realm
SYNOPSIS
elasticsearch-users <subcommand> [options] [arguments]
Common subcommands include:
elasticsearch-users add <username> -p <password> -r <role1> [-r <role2>...]
elasticsearch-users passwd <username> -p <new_password>
elasticsearch-users delete <username>
elasticsearch-users list
elasticsearch-users roles <username>
PARAMETERS
--help
Displays help information for the command or a specific subcommand.
--verbose
Enables verbose output, providing more detailed execution information.
--silent
Suppresses all output messages, useful for scripting.
-p, --password
Used with add and passwd subcommands to specify or set the user's password. Omitting this flag will prompt for secure password entry.
-r, --roles
Used with the add subcommand to assign one or more roles to the new user. Can be specified multiple times for multiple roles.
--system
(add subcommand only) Marks the new user as a system user, primarily for internal Elasticsearch processes.
--description
(add subcommand only) Provides a descriptive text for the new user.
DESCRIPTION
The elasticsearch-users command-line utility provides administrative functions for managing users within Elasticsearch's native and file security realms. It creates, deletes, and modifies users, changes passwords, and assigns roles directly from the terminal. This makes it particularly valuable for automating user management tasks and for scenarios where direct API interaction or Kibana's UI is not feasible. It interacts with Elasticsearch's security layer to ensure controlled access to cluster resources. The command is deprecated in newer Elasticsearch versions, and migration to the direct Security APIs or Kibana is advised for more modern and integrated user management workflows. The utility is typically located in the Elasticsearch installation's bin directory and operates against a running Elasticsearch instance.
CAVEATS
Deprecation: The elasticsearch-users command is deprecated in recent Elasticsearch versions (e.g., 7.x+) in favor of direct Elasticsearch Security APIs, Kibana's security management UI, or the newer elasticsearch-api-util CLI tool. Users are strongly encouraged to transition to these modern alternatives.
Realm Specificity: This utility primarily manages users within the native or file realms. It does not support user management for external realms like LDAP, Active Directory, or SAML.
Security: A password passed directly on the command line with -p can be exposed in process listings (e.g., ps -ef). For enhanced security, omit the password flag so that the command prompts for the password instead.
Permissions: Proper file system permissions on the Elasticsearch installation directory and appropriate cluster privileges are required to execute this command successfully.
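The Security caveat above can be turned into an audit check. The script below is an added example, not part of the original page or of Elasticsearch: it scans command lines for elasticsearch-users calls that pass a password inline, using the subcommand and flag spellings shown on this page. The function names and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag elasticsearch-users calls
# that pass the password inline, printing each hit with the secret removed.

# Reads command lines on stdin (for example a provisioning script).
# Prints "<line number>: <command up to the flag> <redacted>" for every line
# where the tool is called with -p/--password followed by a value.
# Output stops at the flag so a quoted multi-word password cannot leak.
# Heuristic: a password that itself starts with "-" is not detected.
find_inline_passwords() {
    awk '
    {
        tool = 0; out = ""
        for (i = 1; i <= NF; i++) {
            # Match the tool by name, with or without a leading path.
            if ($i ~ /(^|\/)elasticsearch-users$/) tool = 1
            out = (out == "" ? "" : out " ") $i
            if (tool && ($i == "-p" || $i == "--password") &&
                i < NF && $(i + 1) !~ /^-/) {
                printf "%d: %s <redacted>\n", NR, out
                break
            }
        }
    }'
}

# Constructed sample input; user names, roles and passwords are made up.
sample_lines() {
    cat <<'EOF'
elasticsearch-users add jdoe -p S3cret-example -r monitoring
elasticsearch-users add asmith -r monitoring
./bin/elasticsearch-users passwd jdoe --password "two words"
elasticsearch-users list
echo -p not-the-tool
EOF
}

sample_lines | find_inline_passwords
```

Calls that omit the password value, and therefore prompt for it, are not reported.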
KEY SUBCOMMANDS
The elasticsearch-users command functions through a set of specific subcommands, each performing a distinct user management operation:
add <username>: Creates a new user, requiring a password (-p) and assigned roles (-r).
delete <username>: Removes an existing user from the realm.
passwd <username>: Changes the password for an existing user, requiring the new password (-p).
list: Displays a list of all users configured in the realm.
roles <username>: Shows the roles currently assigned to a specified user.
HISTORY
The elasticsearch-users command emerged as a key utility for command-line user management alongside the development and integration of X-Pack security features into Elasticsearch. It provided a direct and scriptable way to manage native and file realm users, filling a crucial need before more comprehensive API and UI tools matured. Its evolution reflects Elasticsearch's journey towards robust security, transitioning from specific CLI tools to a more API-first and integrated management approach, culminating in its deprecation as the Security APIs and Kibana's capabilities expanded.
SEE ALSO
curl(1), elasticsearch(1), kibana, elasticsearch-api-util