Question: purpose of the elasticsearch_bootstrap_pw variable

[frankhetterich]

Hello,

we did some tests with the collection and we expected that when we install a new cluster and the elasticsearch_bootstrap_pw variable is set, this password would be the future password of the elastic user.
But this seems not to be the case, the password of the user elastic after the installation is different.

So our question is now: What is the exact purpose of this variable?

[widhalmt]

The main reason is to have a local user with a known password if things go really wrong.

Please refer to https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html#bootstrap-elastic-passwords for details.

In the past setting the bootstrap password helped with logging into broken clusters where user information was broken and no passwort worked anymore.

[frankhetterich]

In the past setting the bootstrap password helped with logging into broken clusters where user information was broken and no passwort worked anymore.

Just to be clear: In our tests it turned out that the after the setup was complete the "elastic" user had a different password than the one given as ansible variable.
So is assume that the bootstrap password is only valid during the installation and can only be used when the installation with the collection fails.

Is this correct?

[widhalmt]

Mostly. In my experience it can also be used when (re-)building the cluster fails and a node stands on it's on. So you can "break in" to change the password of the elastic user in case you locked yourself out.

Since current versions have https://www.elastic.co/guide/en/elasticsearch/reference/current/reset-password.html it seems like you don't have to rely on the bootstrap password anymore.

To be honest, I haven't tried logging in via bootstrap password with any version of 7 or higher and I suppose it's really useless after the first setup, like the documentation said.