Add kibana_system role to users_roles array #1117

Closed
coalpig wants to merge 1 commit into deviantony:main from coalpig:main
@coalpig coalpig commented Oct 16, 2025

Fix: Allow kibana_system password update in docker-compose setup

Problem

When using docker-compose up setup to update the kibana_system password in an existing ELK cluster, the password was not applied correctly.
The logs show:

Instead of updating the password like logstash_internal:

This issue is caused by kibana_system not being assigned a role in the users_roles array.


Solution

Add kibana_system to the users_roles array:

users_roles=(
  [logstash_internal]='logstash_internal'
  [kibana_system]='kibana_system'  # Fix password update issue
  # other users...
)

[+] User 'kibana_system'
⠿ User exists, setting password

---
If you like, I can add a **more concise Chinese version** of the description to make it easier for domestic open source project maintainers to understand it quickly. Do you want me to add it?

When I used docker-compose up setup to update the password for kibana_system in an already created ELK cluster, the KIBANA_SYSTEM_PASSWORD variable was modified. However, the logs displayed:

[+] User 'kibana_system'
⠍ No role defined, skipping creation

instead of

[+] User 'logstash_internal'
⠿ User exists, setting password

So I added [kibana_system]='kibana_system' to

users_roles=(

to resolve this issue.
@antoineco
Collaborator

Thank you for your contribution 🙌

kibana_system is a built-in user. It should pre-exist in Elasticsearch and does not need to be created by docker-elk.

This part of the setup script specifically checks whether the user exists, and if so, sets its password:

user_exists="$(check_user_exists "$user")"
if ((user_exists)); then
	sublog 'User exists, setting password'
	set_user_password "$user" "${users_passwords[$user]}"

The only reason I can think of why the password could not be updated is that the kibana_system user was manually deleted. In this case, docker-elk indeed doesn't recreate it.
Did you delete that user?

@coalpig
Author

coalpig commented Oct 16, 2025

I didn't delete my user. You can test this by first setting the password in .env and then running docker-compose up setup.
Then change the password for KIBANA_SYSTEM_PASSWORD in .env. Run docker-compose up setup again and you'll see that the password hasn't changed.

You can verify this by running:
Step 1

docker-compose exec -it kibana bash
Step 2

curl -u "kibana_system:youchangepasswd" http://elasticsearch:9200/

@coalpig
Author

coalpig commented Oct 16, 2025

You can see line 108 of setup/entrypoint.sh

```bash
if ((user_exists)); then
	sublog 'User exists, setting password'
	set_user_password "$user" "${users_passwords[$user]}"
else
	if [[ -z "${users_roles[$user]:-}" ]]; then
		suberr ' No role defined, skipping creation'
		continue
	fi
```


If I don't add [kibana_system]='kibana_system', then the output is:

[+] User 'kibana_system'
⠍ No role defined, skipping creation

Password change failed

@coalpig
Author

coalpig commented Oct 16, 2025

Sorry, it seems kibana_system is a system user. The modification works fine without adding any code.😅
Thank you for your answer🎈

@coalpig coalpig closed this Oct 16, 2025
@antoineco
Collaborator

Exactly. You're never supposed to see "No role defined" for kibana_system, because this user is always expected to already exist and have the required role pre-assigned by Elasticsearch.

You can see the expected output here: https://github.com/deviantony/docker-elk/actions/runs/18436687193/job/52531082071#step:6:63

In case the link becomes invalid in the future, here is a copy of the linked text:

Attaching to setup-1
setup-1  | [+] Waiting for availability of Elasticsearch. This can take several minutes.
setup-1  |    ⠿ Elasticsearch is running
setup-1  | [+] Waiting for initialization of built-in users
setup-1  |    ⠿ Built-in users were initialized
setup-1  | [+] Role 'logstash_writer'
setup-1  |    ⠿ Creating/updating
setup-1  | [+] User 'logstash_internal'
setup-1  |    ⠿ User does not exist, creating
setup-1  | [+] User 'kibana_system'
setup-1  |    ⠿ User exists, setting password   <--------- kibana_system requires no creation
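
A log check built on the maintainer's explanation above, as an added example that is not part of this thread or of docker-elk: it reads setup output and reports, per user, whether the password was set, and marks a built-in user that hit "No role defined" as not found. The function names, the status labels, and the `BUILTIN_USERS` list (limited to the one user this thread names as built-in) are assumptions; the sample log is constructed from the messages quoted in the thread.

```shell
#!/bin/sh
# Added example (not docker-elk code): audit setup output for skipped password updates.
# Assumption: only the user this thread identifies as built-in is listed here.
BUILTIN_USERS="kibana_system"

# Reads setup log lines on stdin and prints "<user> <status>" for each user block.
audit_setup_log() {
  awk -v builtin="$BUILTIN_USERS" -v q="'" '
    BEGIN { n = split(builtin, b, " "); for (i = 1; i <= n; i++) is_builtin[b[i]] = 1 }
    # Start of a user block: the name is the text between the single quotes.
    /\[\+\] User / { split($0, parts, q); user = parts[2]; next }
    # Any other [+] header (role, wait step) ends the current user block.
    /\[\+\] / { user = ""; next }
    user == "" { next }
    /User exists, setting password/ { print user, "password_set"; user = ""; next }
    /User does not exist, creating/ { print user, "created"; user = ""; next }
    /No role defined, skipping creation/ {
      # For a built-in user this message means the existence check did not
      # find the account, so the configured password was never applied.
      status = (user in is_builtin) ? "builtin_not_found" : "skipped_no_role"
      print user, status
      user = ""
    }
  '
}

# Exit status 0 when a built-in user was skipped, 1 otherwise.
has_missing_builtin() {
  audit_setup_log | grep -q ' builtin_not_found$'
}

# Constructed sample: the failing run described in the pull request.
sample_log() {
  cat <<'EOF'
setup-1  | [+] Role 'logstash_writer'
setup-1  |    ⠿ Creating/updating
setup-1  | [+] User 'logstash_internal'
setup-1  |    ⠿ User exists, setting password
setup-1  | [+] User 'kibana_system'
setup-1  |    ⠍ No role defined, skipping creation
EOF
}

sample_log | audit_setup_log
```

Against a real run, pipe the output of `docker-compose up setup` into `audit_setup_log` instead of the sample.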
