kibanaserver password change request

[JinZSu]

Hey!

I saw that in Issue 289 there is a way to change the password for admin. I'm curious if there is also a process to change the kibanaserver password. I see that the internal_users.yml and 'dashboard-cred-secret.yaml' both contain a similar structure to admin, but the /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh seems to only apply to admin.

Any help would be appreciated

[teddytpc1]

Hi @JinZSu. The kibanaserver user password change is similar to the one described in #292. The securityadmin.sh uses the wazuh/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml file to get the passwords for the different users:

• In step 2 you will be changing the hash (password) for the kibanaserver user instead of admin.
• In step 3 you will change the password secret in the wazuh/secrets/dashboard-cred-secret.yaml.
• Steps 6 and 7 are not needed.
• You will need to re-create the Wazuh dashboard pod.

[NathanRodet]

Hi, I followed the instructions.

• I generated a strong password.
• I base64 encoded it using the command echo -n "newpassword" | base64.
• I modified wazuh/secrets/dashboard-cred.yaml on kibanaserver (assuming this was the wazuh dash user).
• I modified wazuh/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml (assuming this was the wazuh dash user, I tried admin user too) with the hash produced by docker run --rm -ti wazuh/wazuh-indexer:4.3.10 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh.
• I deployed Wazuh.

And finally, I got an error : Wazuh dashboard server is not ready yet And this error does not get out. Anyone have an idea ?

My old ticket : https://github.com/wazuh/wazuh-kubernetes/issues/332

[vcerenu]

Hello @NathanRodet

The error you get is because Wazuh dashboard cannot connect with Wazuh indexer, this may be because the password has not been changed correctly or because the password parameter obtained from the secret does not match. I recommend that as a first instance you try the connection with Wazuh indexer with the password that you sent to hash in step 4 of your description, you can do it by connecting to any pod in the namespace and executing this command:

curl -XGET "https://<POD_INDEXER_IP>:9200/_cat/nodes" -u admin:<NEW_PASSWORD> -k -s

If you can't connect with this command then the password you are hashing and leaving in the internal_users.yml file is not correct or has not been updated if it is not a fresh deployment. Remember that if you have already executed the cluster and the PVs and PVCs that are assigned to the Wazuh indexer nodes were created, even if you delete the pods to make a new fresh deploy, if you do not delete the previous PVs and they are assigned again (in several cases k8s usually creates new PVs and this would not be the case) then you will have the data from the previous deploy and since it is not the first start the securityadmin.sh script will not be executed, which takes the values that you have assigned in the internal_users.yml file, that could cause that in Wazuh indexer you have the old password and Wazuh dashboard is trying to connect with the new password, so it would fail.

[Beeez]

I am having this same issue after changing passwords on all users in internal_users, as well as the passwords that are in secrets/ to match. It was a fresh deploy with no pre-existing PV's.

If I stand up the cluster with all the default passwords, everything starts up as it should. It is only when I update all the passwords that I have this problem.

The curl you provided to test the connection with, returned this for me:

10.42.1.55 34 65 9 1.18 1.13 1.13 dimr * wazuh-indexer-0

[CyDickey-msr]

I have been having trouble with this as well and get the same API and Index Pattern errors. It only successfully deploys if I use the defaults :(

Did you have any luck figuring it out?

[vcerenu]

Hello @Beeez and @CyDickey-msr

This error that you have is generated because Filebeat is not connecting, from the Wazuh manager pod with Wazuh indexer pod, due to this possibly not updating the configuration file.

Inside the Wazuh manager deploy, this is the assignment of this variable: https://github.com/wazuh/wazuh-kubernetes/blob/v4.4.4/wazuh/wazuh_managers/wazuh-worker-sts.yaml#L118-L119

The secret with which the INDEXER_PASSWORD variable is loaded is found in the wazuh/secrets/indexer-cred-secret.yaml file of the repository, it is necessary that you modify the value of the password by encrypting it previously and remember not to add the line break in the encoding of the new password (if the password ends in Cg== you may have a line break). It is necessary that after modifying this secret you apply the changes to the cluster and in case you already have the statefulset deployed, restart the pods so that it takes the changes.

After verifying the secret you can enter the Wazuh manager pod and run the filebeat test ouput command to verify that the connection between Filebeat and Wazuh indexer is correct.

[CyDickey-msr]

@vcerenu

I created the indexer-cred kubernetes secrets manually (before deploying the cluster's statefulsets) so I don't have to commit secrets/indexer-cred-secret.yaml to our repo. When I execed into the manager node and ran filebeat test output it says everything is ok. Any other ideas why the API connection might be failing?

[CyDickey-msr]

Ahhh I found the problem. I ran kubectl exec -it wazuh-manager-master-0 -n wazuh -c wazuh-manager -- bash and then cat ./var/ossec/logs/cluster.log. The logs said:

2023/06/30 18:35:47 ERROR: [Cluster] [Main] Error 3004 - Error in cluster configuration: Key must be 32 characters long and only have alphanumeric characters.

Now that I fixed that things worked :D