Managing users and roles

Databases for Elasticsearch deployments come with authentication enabled and use Elasticsearch's Built-in users.

Add users in the UI on the Service credentials page, with the Cloud Databases CLI plug-in, or the Cloud Databases API.

The admin user

When you provision a Databases for Elasticsearch deployment, an admin user is automatically created.

Set the admin password before using it to connect.

Setting the Admin password in the UI

Set your Admin password through the UI by selecting your instance from the Resource list. On the dashboard, select the Settings tab, then either enter or generate a new admin password and click the Change password button.

Setting the Admin password in the CLI

Use the cdb user-password command from the IBM Cloud CLI Cloud Databases plug-in to set the admin password.

For example, to set the admin password for a deployment named example-deployment, use the following command:

ibmcloud cdb user-password example-deployment admin <newpassword>

Setting the Admin password in the API

The Foundation endpoint that is shown on the Overview panel in the Deployment details section of your service provides the base URL to access this deployment through the API. Use it with the Set specified user's password endpoint to set the admin password.

curl -X PATCH 'https://api.{region}.databases.cloud.ibm.com/v5/ibm/deployments/{id}/users/admin' \
-H 'Authorization: Bearer <>' \
-H 'Content-Type: application/json' \
-d '{"password":"newrootpasswordsupersecure21"}'

The ibm_superuser role

For Elasticsearch versions 7.17.7 and later, all users, both new and existing, including the admin user, will be assigned the ibm_superuser role. The ibm_superuser role has the same privileges as superuser, except the ibm_superuser role cannot access hidden, internal, or restricted indexes. Restricting access to hidden indexes prevents users from inadvertently limiting their own access by closing security indexes.

While you have the permissions to change this role back to the original superuser, you should not do so. Changing ibm_superuser to superuser will disrupt your access to your Elasticsearch deployment.
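An added example, not from the IBM documentation: a check that flags users whose role was changed to superuser, run over the JSON that Elasticsearch's GET /_security/user API returns. The sample response is constructed, and skipping built-in users marked _reserved is an assumption about what the audit should cover.

```python
import json

# Constructed sample of a GET /_security/user response (not real deployment output).
SAMPLE_RESPONSE = """
{
  "admin":      {"username": "admin", "roles": ["ibm_superuser"], "metadata": {}, "enabled": true},
  "jane_smith": {"username": "jane_smith", "roles": ["superuser"], "metadata": {}, "enabled": true},
  "old_batch":  {"username": "old_batch", "roles": ["superuser", "ibm_superuser"],
                 "metadata": {}, "enabled": false},
  "elastic":    {"username": "elastic", "roles": ["superuser"],
                 "metadata": {"_reserved": true}, "enabled": true}
}
"""


def suggested_roles(roles):
    """Swap superuser for ibm_superuser, keeping order and dropping duplicates."""
    out = []
    for role in roles:
        role = "ibm_superuser" if role == "superuser" else role
        if role not in out:
            out.append(role)
    return out


def audit_superuser(users):
    """Return one finding per non-reserved user that holds the superuser role."""
    findings = []
    for name, info in sorted(users.items()):
        if info.get("metadata", {}).get("_reserved"):
            continue  # built-in (reserved) users have fixed roles; skipped by assumption
        roles = info.get("roles", [])
        if "superuser" in roles:
            findings.append({
                "username": name,
                "enabled": info.get("enabled", True),
                "roles": roles,
                "suggested_roles": suggested_roles(roles),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_superuser(json.loads(SAMPLE_RESPONSE)):
        print(json.dumps(finding))
```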

Managing users and roles through the UI

  1. Go to the service dashboard for your service.
  2. Click Service credentials to open the page.
  3. Click New credential.
  4. Choose a descriptive name for your new credential.
  5. (Optional) Specify whether the new credentials use a public or private endpoint. Enter either { "service-endpoints": "public" } or { "service-endpoints": "private" } in the Add Inline Configuration Parameters field to generate connection strings that use the specified endpoint. Use of the endpoint is not enforced; the setting only controls which hostnames appear in the connection strings. Public endpoints are generated by default.
  6. Click Add to provision the new credentials. A username and password, and an associated Elasticsearch user, are auto-generated.

The new credentials appear in the table, and the connection strings are available as JSON in a click-to-copy field under View credentials.

Creating a user from the CLI or API doesn't automatically populate that user's connection strings into Service credentials. If you want to add them there, you can create a new credential with the existing user information. Enter the username and password in the JSON field under Add Inline Configuration Parameters. For example, {"existing_credentials":{"username":"Robert","password":"supersecure"}}. Basically, you send in the username and password, and Service credentials generates the connection strings with the credentials filled in.

Generating credentials from an existing user does not check for or create that user.

If you need users that are created from Service credentials to have a different role, use the admin user to change their role.

Managing users and roles through the CLI

If you need users to have a different role, you can use the admin user to change their role.

Users that are created directly from the CLI do not appear in Service credentials, but you can add them.

If you manage your service through the Cloud Databases CLI plug-in, create a new user with cdb user-create. For example, to create a new user for a deployment named example-deployment, use the following command:

ibmcloud cdb user-create example-deployment <newusername> <newpassword>

When the task finishes, retrieve the new user's connection strings with the ibmcloud cdb deployment-connections command, which looks like:

ibmcloud cdb deployment-connections [--user <userid>] [--password <password>] [--endpoint-type <endpoint type>] [--all] [--only] [--start] [--certroot <path>] [--json]

Managing users and roles through the API

If you need users to have a different role, use the admin user to change their role.

Users that are created directly from the API do not appear in Service credentials, but you can add them.

The Foundation endpoint that is shown on the Overview section of your service provides the base URL to access this deployment through the API. To create and manage users, use the base URL with the /users endpoint.

The command looks like:

curl -X POST 'https://api.{region}.databases.cloud.ibm.com/v4/ibm/deployments/{id}/users' \
-H "Authorization: Bearer $APIKEY" \
-H "Content-Type: application/json" \
-d '{"username":"jane_smith", "password":"newsupersecurepassword"}'

To retrieve a user's connection strings, use the base URL with the /users/{userid}/connections endpoint.

Elasticsearch-created users and roles

If the built-in users and roles do not suit your environment, create users and roles directly in Elasticsearch. The admin user for your deployment has the power to create any role or set of privileges for use on your deployment.
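An added example, not from the IBM documentation: creating a narrowly scoped role and a user bound to it through Elasticsearch's security API (PUT /_security/role/{name} and PUT /_security/user/{name}) as the admin user. The role name logs_reader, the user report_svc, the logs-* index pattern, and the ES_URL, ES_ADMIN_PASSWORD, ES_CA_FILE and NEW_USER_PASSWORD environment variables are assumptions.

```python
import base64
import json
import os
import ssl
import urllib.parse
import urllib.request


def _put(base_url, path, body):
    """Build (but do not send) a JSON PUT request for the Elasticsearch security API."""
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),  # json.dumps escapes quotes in passwords safely
        headers={"Content-Type": "application/json"},
        method="PUT",
    )


def role_request(base_url, role, index_patterns, privileges):
    # Index-level privileges only: the role grants no cluster privileges.
    body = {"indices": [{"names": list(index_patterns), "privileges": list(privileges)}]}
    return _put(base_url, "/_security/role/" + urllib.parse.quote(role, safe=""), body)


def user_request(base_url, username, password, roles):
    # The user receives only the listed roles, not ibm_superuser.
    body = {"password": password, "roles": list(roles)}
    return _put(base_url, "/_security/user/" + urllib.parse.quote(username, safe=""), body)


def send(req, admin_password, ca_file):
    """Send as the deployment's admin user, verifying TLS against the deployment CA."""
    token = base64.b64encode(f"admin:{admin_password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed environment variables; secrets stay out of argv and shell history.
    url = os.environ["ES_URL"]  # https://<host>:<port> taken from the connection strings
    admin_pw, ca = os.environ["ES_ADMIN_PASSWORD"], os.environ["ES_CA_FILE"]
    # Hypothetical role and user: read-only access to indices matching "logs-*".
    role = role_request(url, "logs_reader", ["logs-*"], ["read", "view_index_metadata"])
    user = user_request(url, "report_svc", os.environ["NEW_USER_PASSWORD"], ["logs_reader"])
    print(send(role, admin_pw, ca), send(user, admin_pw, ca))
```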