Version: Unreleased

Elasticsearch Credentials

This guide covers user credentials and management for Elasticsearch in the Moki development environment.

Default Credentials

Development Environment

Username   Password   Purpose
elastic    moki       Superuser for development

⚠️ Security Warning: These credentials are for development only. Never use them in production.

User Types

elastic - Superuser

The elastic user is the built-in superuser with full cluster privileges:

  • Can manage all indices
  • Can configure security settings
  • Can create and manage other users
  • Can access all API endpoints

Credential Storage

Environment Variables

Credentials should be stored in environment variables:

ES_USERNAME=elastic
ES_PASSWORD=moki
ES=https://es:9200/

Docker Compose

In docker-compose.dev.yml:

environment:
  - ES_PASSWORD=moki

Server Configuration

The Moki server stores credentials in .env:

ES_USERNAME=elastic
ES_PASSWORD=moki
ES=https://es:9200/

Changing the Password

Change elastic User Password

Using cURL:

# Change password via API
curl -X POST -u elastic:moki -H "Content-Type: application/json" https://localhost:9292/_security/user/elastic/_password \
-d '{
"password" : "new-secure-password"
}'

Using the elasticsearch-reset-password tool:

docker compose exec es /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i

With -i, as shown, the tool prompts you to enter the new password; without -i it generates a random password and prints it. Update your configuration with the new password.

Creating New Users

Create Application User

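For the Moki server to connect to Elasticsearch, you can create a dedicated user. The example below assigns the superuser role, which is acceptable only in the development environment; elsewhere, assign a role restricted to the indices Moki uses (see Custom Roles):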

curl -X POST -u elastic:moki -H "Content-Type: application/json" https://localhost:9292/_security/user/moki \
-d '{
"password" : "strong-password-here",
"roles" : [ "superuser" ],
"full_name" : "Moki Application",
"email" : "moki@example.com"
}'

Create Read-Only User

For read-only access:

curl -X POST -u elastic:moki -H "Content-Type: application/json" https://localhost:9292/_security/user/readonly \
-d '{
"password" : "readonly-password",
"roles" : [ "read_all" ],
"full_name" : "Read Only User"
}'

Custom Roles

You can create custom roles with specific privileges:

# Create custom role
curl -X POST -u elastic:moki -H "Content-Type: application/json" https://localhost:9292/_security/role/analytics \
-d '{
  "indices" : [
    {
      "names" : [ "moki-*" ],
      "privileges" : [ "read", "view_index_metadata" ]
    }
  ]
}'

# Create user with custom role
curl -X POST -u elastic:moki -H "Content-Type: application/json" https://localhost:9292/_security/user/analytics \
-d '{
"password" : "analytics-password",
"roles" : [ "analytics" ]
}'

Listing Users

curl -X GET -u elastic:moki https://localhost:9292/_security/user

Listing Roles

curl -X GET -u elastic:moki https://localhost:9292/_security/role

Revoking Access

Delete a User

curl -X DELETE -u elastic:moki https://localhost:9292/_security/user/username

Delete a Role

curl -X DELETE -u elastic:moki https://localhost:9292/_security/role/rolename

Best Practices

1. Use Dedicated Users

Don't use the elastic superuser in application code. Create dedicated users with minimal required privileges.

2. Strong Passwords

Use strong, random passwords:

# Generate random password
openssl rand -base64 32

3. Environment Variables

Never hardcode passwords in source code. Use environment variables or secret management tools.

4. Regular Rotation

Rotate passwords regularly, especially in shared environments.

5. Access Logging

Monitor authentication attempts and access patterns for security anomalies.
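
Best practices 1 to 3 applied together, as an added example that is not part of the Moki documentation or code: it creates a role scoped to the moki-* indices and a dedicated user with a generated password, and passes every credential to curl through a config read from stdin instead of the command line. The role name moki_app, the user name moki-app and the privilege list are assumptions; ES_USERNAME and ES_PASSWORD must hold the admin credentials.

```bash
#!/usr/bin/env bash
# Added example, not Moki project code. Role/user names and the privilege
# list are assumptions; adjust them to what the Moki server actually needs.
set -eu

ES_URL="${ES_URL:-https://localhost:9292}"  # endpoint used by the curl commands on this page

# Escape backslashes and double quotes for a quoted curl config value.
cfg_quote() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# Role scoped to the moki-* indices instead of "superuser".
role_body() {
  printf '%s' '{"indices":[{"names":["moki-*"],"privileges":["read","write","create_index","view_index_metadata"]}]}'
}

# User definition; $1 = password, $2 = role name.
user_body() {
  printf '{"password":"%s","roles":["%s"],"full_name":"Moki Application"}' "$1" "$2"
}

# Build a complete curl config (URL, admin credentials, JSON body) so that
# no password appears in argv, the process list, or shell history.
# $1 = API path, $2 = JSON body; admin credentials come from the environment.
request_config() {
  printf 'url = "%s%s"\n' "$ES_URL" "$1"
  printf 'request = "POST"\n'
  printf 'user = "%s:%s"\n' "$(cfg_quote "$ES_USERNAME")" "$(cfg_quote "$ES_PASSWORD")"
  printf 'header = "Content-Type: application/json"\n'
  printf 'data = "%s"\n' "$(cfg_quote "$2")"
}

provision() {
  new_pass="$(openssl rand -base64 32)"   # same generator as best practice 2
  request_config /_security/role/moki_app "$(role_body)" | curl -sS --fail -K -
  request_config /_security/user/moki-app "$(user_body "$new_pass" moki_app)" | curl -sS --fail -K -
  # Print the new secret once; store it in .env or a secret manager.
  printf '\nES_USERNAME=moki-app\nES_PASSWORD=%s\n' "$new_pass"
}

# Only talk to the cluster when explicitly asked to.
if [ "${1:-}" = "apply" ]; then provision; fi
```

Run the script with apply as its first argument to send the two requests; without it, the script only defines the functions.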

SSL/TLS Authentication

In addition to password authentication, Elasticsearch supports certificate-based authentication:

{
  "username": "moki-app",
  "roles": ["moki_role"],
  "full_name": "Moki Application",
  "email": "app@example.com",
  "metadata": {
    "ssl": {
      "subjectdn": "CN=moki-app,O=Organization,OU=IT"
    }
  }
}

Troubleshooting

Authentication Failed

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "missing authentication credentials"
      }
    ]
  }
}

Solution: Verify username and password are correct and properly encoded.

Authorization Denied

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials"}],"type":"security_exception","reason":"missing authentication credentials"}}

Solution: Check if user has required roles for the operation.

Password Reset Required

If the password expires or is reset by admin:

# Set a new password for the elastic user via the API
curl -X POST -u elastic:moki -H "Content-Type: application/json" https://localhost:9292/_security/user/elastic/_password \
-d '{"password" : "new-password"}'

API Reference

User Management

  • POST /_security/user/{username} - Create user
  • GET /_security/user/{username} - Get user
  • PUT /_security/user/{username} - Update user
  • DELETE /_security/user/{username} - Delete user
  • POST /_security/user/{username}/_password - Change password

Role Management

  • POST /_security/role/{name} - Create role
  • GET /_security/role/{name} - Get role
  • PUT /_security/role/{name} - Update role
  • DELETE /_security/role/{name} - Delete role

Token Management

  • POST /_security/oauth2/token - Get OAuth2 token
  • POST /_security/api_key - Create API key