Deprecate setup-passwords tool #76902
Conversation
With Security ON by default project where the `elastic` user password is auto-generated, we have decided to deprecate the setup-passwords tool and consider removing it in a future version. Users will get a password for the `elastic` built-in user when the node starts for the first time and they can also use the newly introduced elastisearch-reset-elastic-password tool to set or reset that password. With credentials for the elastic user available, the password for the rest of the built-in users can be set using the Change Password API, or via Kibana.
jkakavas
added
>deprecation
:Security/Authentication
|
Pinging @elastic/es-security (Team:Security) |
|
I am uncertain of the "in favor of " and "replaced by" wording as the new tool has a subset of the old functionality, happy to get suggestions! |
...ty/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java
Outdated
Show resolved
Hide resolved
...ty/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java
Outdated
Show resolved
Hide resolved
...ty/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java
Outdated
Show resolved
Hide resolved
Co-authored-by: Adam Locke <adam.locke@elastic.co>
| @@ -3,6 +3,8 @@ | |||
| [[setup-passwords]] | |||
| == elasticsearch-setup-passwords | |||
|
|
|||
| deprecated[7.16,"Replaced by <<reset-elastic-password,`elasticsearch-reset-elastic-password`>>."] | |||
There was a problem hiding this comment.
Do we want to deprecate in 7.16 now?
We haven't backported elasticsearch-reset-elastic-password to 7.x yet have we?
It seems premature to indicate that it's deprecated as of 7.16 when we aren't ready to actually deprecate it in 7.x
There was a problem hiding this comment.
I don't think this is the ideal terminology (though I don't have a better set of words).
There's 3 points:
- In 8.0 it's "replaced" mostly by security on by default so this utility isn't needed anymore.
- For some scenarios,
elasticsearch-reset-elastic-passwordis a replacement, but not in most - For non-elastic users, the replacement is either automated setup (kibana and fleet) or manual use of the change password API
I don't know how we capture that, but I worry that simply pointing to elasticsearch-reset-elastic-password will confuse some people.
There was a problem hiding this comment.
@tvernum, I appreciate your insights, as always. I'd like to avoid version-specific language in this message if possible to avoid pinning to a particular version if we need to change when we're deprecating the tool. Perhaps we can cover the two main scenarios that this tool was used for (changing passwords for built-in users and created users) and offer users the alternative options.
The
elasticsearch-setup-passwordstool is deprecated and will be removed in a future release. To manually reset the password for theelasticuser, use the 'elasticsearch-reset-elastic-password' tool. To change passwords for other users, use either Kibana or the Elasticsearch change passwords API.
There was a problem hiding this comment.
Thanks for the suggestions both, I'll add Adam's text here and remove the version
| @@ -134,6 +138,12 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th | |||
| checkClusterHealth(terminal); | |||
|
|
|||
| if (shouldPrompt) { | |||
| terminal.println("******************************************************************************"); | |||
| terminal.println("Note: The 'elasticsearch-setup-passwords' tool has been deprecated"); | |||
| terminal.println(" and might be removed in a future release."); | |||
There was a problem hiding this comment.
I don't love "might". I think we should say "will be" or "is intended to be"
| terminal.println("******************************************************************************"); | ||
| terminal.println("Note: The 'elasticsearch-setup-passwords' tool has been deprecated"); | ||
| terminal.println(" and might be removed in a future release."); | ||
| terminal.println(" Use the 'elasticsearch-reset-elastic-password' tool instead. "); |
There was a problem hiding this comment.
See my comment above - not every use of setup-passwords can switch to "elasticsearch-reset-elastic-password" and I worry about confusion.
|
@elasticmachine run elasticsearch-ci/docs |
| @@ -314,6 +328,11 @@ void checkElasticKeystorePasswordValid(Terminal terminal, Environment env) throw | |||
| terminal.errorPrintln(" * Your elasticsearch node is running against a different keystore"); | |||
| terminal.errorPrintln(" This tool used the keystore at " + KeyStoreWrapper.keystorePath(env.configFile())); | |||
| terminal.errorPrintln(""); | |||
| terminal.errorPrintln( | |||
| "You can use `elasticsearch-reset-elastic-password` CLI tool to reset the password of the '" + elasticUser | |||
There was a problem hiding this comment.
| "You can use `elasticsearch-reset-elastic-password` CLI tool to reset the password of the '" + elasticUser | |
| "You can use the `elasticsearch-reset-elastic-password` CLI tool to reset the password of the '" + elasticUser |
|
@elasticmachine update branch |
| @@ -3,6 +3,8 @@ | |||
| [[setup-passwords]] | |||
| == elasticsearch-setup-passwords | |||
|
|
|||
| deprecated[8.0, "The `elasticsearch-setup-passwords` tool is deprecated and will be removed in a future release. To manually reset the password for the `elastic` user, use the <<reset-elastic-password,`elasticsearch-reset-elastic-password` tool>>. To change passwords for other users, use either {kib} or the {es} change passwords API."] | |||
There was a problem hiding this comment.
Drive-by comment: We should also add a deprecation notice to the 8.0 breaking changes.
There isn't a deprecations section yet, but we can use the 7.15 one as a template.
@lockewritesdocs Do you mind assisting and ensuring this gets added?
We'll also want to remove the 7.16 label if the elasticsearch-reset-elastic-password tool won't be in 7.x.
|
@jkakavas, should we remove the |
|
@elasticmachine update branch |
With Security ON by default project where the `elastic` user password is auto-generated, we have decided to deprecate the setup-passwords tool and consider removing it in a future version. Users will get a password for the `elastic` built-in user when the node starts for the first time and they can also use the newly introduced elastisearch-reset-elastic-password tool to set or reset that password. With credentials for the elastic user available, the password for the rest of the built-in users can be set using the Change Password API, or via Kibana.
With Security ON by default project where the
elasticuserpassword is auto-generated, we have decided to deprecate the
setup-passwords tool and consider removing it in a future version.
Users will get a password for the
elasticbuilt-in user when thenode starts for the first time and they can also use the newly
introduced elastisearch-reset-elastic-password tool to set or
reset that password. With credentials for the elastic user
available, the password for the rest of the built-in users can be
set using the Change Password API, or via Kibana.