[Reverts] Demo configuration script requires admin password (opensearch-project#3510)

[Reverts] Demo configuration script requires admin password
DarshitChanpura authored Oct 9, 2023
1 parent 56fedec commit b3f1a29
Showing 5 changed files with 21 additions and 153 deletions.
13 changes: 2 additions & 11 deletions .github/actions/start-opensearch-with-one-plugin/action.yml
Expand Up @@ -14,10 +14,6 @@ inputs:
description: 'The name of the setup script you want to run i.e. "setup" (do not include file extension). Leave empty to indicate one should not be run.'
required: false

admin-password:
description: 'The admin password uses for the cluster'
required: true

runs:
using: "composite"
steps:
Expand Down Expand Up @@ -76,11 +72,6 @@ runs:
'y' | .\opensearch-${{ inputs.opensearch-version }}-SNAPSHOT\bin\opensearch-plugin.bat install file:$(pwd)\${{ inputs.plugin-name }}.zip
shell: pwsh

- name: Write password to initialAdminPassword location
run:
echo ${{ inputs.admin-password }} >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/initialAdminPassword.txt
shell: bash

# Run any configuration scripts
- name: Run Setup Script for Linux
if: ${{ runner.os == 'Linux' && inputs.setup-script-name != '' }}
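
Review bot: The removed "Write password to initialAdminPassword location" step expanded `${{ inputs.admin-password }}` straight into the bash script text, unquoted, so a password containing spaces or shell metacharacters would have been word-split or interpreted by the shell rather than written verbatim. If the step is restored later, pass the value through `env:` on the step and write it from a quoted variable, for example `printf '%s\n' "$ADMIN_PASSWORD"`, and use `>` instead of `>>` so the file holds only that one line.
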
Expand Down Expand Up @@ -115,13 +106,13 @@ runs:
# Verify that the server is operational
- name: Check OpenSearch Running on Linux
if: ${{ runner.os != 'Windows'}}
run: curl https://localhost:9200/_cat/plugins -u 'admin:${{ inputs.admin-password }}' -k -v --fail-with-body
run: curl https://localhost:9200/_cat/plugins -u 'admin:admin' -k -v
shell: bash

- name: Check OpenSearch Running on Windows
if: ${{ runner.os == 'Windows'}}
run: |
$credentialBytes = [Text.Encoding]::ASCII.GetBytes("admin:${{ inputs.admin-password }}")
$credentialBytes = [Text.Encoding]::ASCII.GetBytes("admin:admin")
$encodedCredentials = [Convert]::ToBase64String($credentialBytes)
$baseCredentials = "Basic $encodedCredentials"
$Headers = @{ Authorization = $baseCredentials }
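
Review bot: The restored Linux check `curl https://localhost:9200/_cat/plugins -u 'admin:admin' -k -v` drops `--fail-with-body` along with the password input, so curl exits 0 on a 401 or 5xx response and the "Verify that the server is operational" step can pass against a cluster that rejected the request. Keeping `--fail-with-body` (or `--fail`) is independent of the password change and should survive the revert. The literal `admin:admin` now appears in both the Linux and the Windows check; a single action-level value would keep the two from drifting the next time the default changes.
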
6 changes: 1 addition & 5 deletions .github/workflows/plugin_install.yml
Expand Up @@ -16,9 +16,6 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- id: random-password
uses: peternied/random-name@v1

- name: Set up JDK
uses: actions/setup-java@v3
with:
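
Review bot: The removed `uses: peternied/random-name@v1` step took the cluster's admin credential from a third-party action referenced by a mutable tag. If a generated password comes back to this workflow, pin that action to a full commit SHA or generate the value in a local `run:` step, since whatever the action emits becomes the admin password for the test cluster.
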
Expand Down Expand Up @@ -54,10 +51,9 @@ jobs:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
setup-script-name: setup
admin-password: ${{ steps.random-password.outputs.generated_name }}

- name: Run sanity tests
uses: gradle/gradle-build-action@v2
with:
cache-disabled: true
arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=${{ steps.random-password.outputs.generated_name }} -i
arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=admin
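
Review bot: The restored `arguments:` line ends at `-Dpassword=admin` and no longer carries the trailing `-i`, so the sanity tests lose Gradle's info-level logging as a side effect of the password revert; keep `-i` if dropping it was not intended. The password is also a literal here as well as in the composite action's Linux and Windows checks, so all three places have to be edited together when the default is changed.
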
53 changes: 18 additions & 35 deletions DEVELOPER_GUIDE.md
Expand Up @@ -153,52 +153,35 @@ extension_hw_greet:
- "hw-user"
```
### Initializing admin user with custom password
A password is required for the admin account to run the demo setup. You can do this with one of the following 2 options:
1. By setting an environment variable. `export initialAdminPassword=<custom-admin-password>`
2. By adding a single line as password in a file `initialAdminPassword.txt` under `$OPENSEARCH_HOME/config` directory.

If neither of these are provided, the password defaults to `admin`. However, this will be removed in future releases, and a custom password will be required in order to use demo config.


### Installing demo configuration

To install the demo certificates and default configuration, answer `y` to the first two questions and `n` to the last one. The log should look like below:


```bash
➜ export initialAdminPassword=blebleble
➜ ./tools/install_demo_configuration.sh -y -i -s
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
./tools/install_demo_configuration.sh
OpenSearch Security Demo Installer
** Warning: Do not use on production or public reachable systems **
Basedir: /Users/XXXXX/opensearch-3.0.0-SNAPSHOT
Install demo certificates? [y/N] y
Initialize Security Modules? [y/N] y
Cluster mode requires maybe additional setup of:
- Virtual memory (vm.max_map_count)
Enable cluster mode? [y/N] n
Basedir: /Users/XXXXX/Test/opensearch-*
OpenSearch install type: .tar.gz on
OpenSearch config dir: /Users/XXXXX/opensearch-3.0.0-SNAPSHOT/config
OpenSearch config file: /Users/XXXXX/opensearch-3.0.0-SNAPSHOT/config/opensearch.yml
OpenSearch bin dir: /Users/XXXXX/opensearch-3.0.0-SNAPSHOT/bin
OpenSearch plugins dir: /Users/XXXXX/opensearch-3.0.0-SNAPSHOT/plugins
OpenSearch lib dir: /Users/XXXXX/opensearch-3.0.0-SNAPSHOT/lib
Detected OpenSearch Version: x-content-3.0.0-SNAPSHOT
Detected OpenSearch Security Version: 3.0.0.0-SNAPSHOT
***************************************************
*** ADMIN PASSWORD SET TO: blebleble ***
***************************************************
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
OpenSearch config dir: /Users/XXXXX/Test/opensearch-*/config
OpenSearch config file: /Users/XXXXX/Test/opensearch-*/config/opensearch.yml
OpenSearch bin dir: /Users/XXXXX/Test/opensearch-*/bin
OpenSearch plugins dir: /Users/XXXXX/Test/opensearch-*/plugins
OpenSearch lib dir: /Users/XXXXX/Test/opensearch-*/lib
Detected OpenSearch Version: x-content-*
Detected OpenSearch Security Version: *
### Success
### Execute this script now on all your nodes and then start all nodes
### OpenSearch Security will be automatically initialized.
### If you like to change the runtime configuration
### change the files in ../../../config/opensearch-security and execute:
"/Users/XXXXX/opensearch-3.0.0-SNAPSHOT/plugins/opensearch-security/tools/securityadmin.sh" -cd "/Users/XXXXX/opensearch-3.0.0-SNAPSHOT/config/opensearch-security" -icl -key "/Users/XXXXX/config/kirk-key.pem" -cert "/Users/XXXXX/opensearch-3.0.0-SNAPSHOT/config/kirk.pem" -cacert "/Users/XXXXX/opensearch-3.0.0-SNAPSHOT/config/root-ca.pem" -nhnv
### change the files in ../config and execute:
"/Users/XXXXX/Test/opensearch-*/plugins/opensearch-security/tools/securityadmin.sh" -cd "/Users/XXXXX/Test/opensearch-*/config/opensearch-security/" -icl -key "/Users/XXXXX/Test/opensearch-*/config/kirk-key.pem" -cert "/Users/XXXXX/Test/opensearch-*/config/kirk.pem" -cacert "/Users/XXXXX/Test/opensearch-*/config/root-ca.pem" -nhnv
### or run ./securityadmin_demo.sh
### To use the Security Plugin ConfigurationGUI
### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
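
Review bot: The guide's only remaining statement about the admin credential is the installer's closing line `log in with admin/admin`, and nothing in the surrounding text tells the reader that this is a fixed, publicly known password. Add a sentence under "Installing demo configuration" stating that the demo admin account uses `admin`/`admin` and has to be changed before the node is reachable by anyone else, in line with the installer's own "Do not use on production or public reachable systems" warning.
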
58 changes: 0 additions & 58 deletions tools/install_demo_configuration.bat
Expand Up @@ -75,7 +75,6 @@ cd %CUR%
echo Basedir: %BASE_DIR%

set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml"
set "INTERNAL_USERS_FILE"=%BASE_DIR%config\opensearch-security\internal_users.yml"
set "OPENSEARCH_CONF_DIR=%BASE_DIR%config\"
set "OPENSEARCH_BIN_DIR=%BASE_DIR%bin\"
set "OPENSEARCH_PLUGINS_DIR=%BASE_DIR%plugins\"
Expand Down Expand Up @@ -320,63 +319,6 @@ echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_a
echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%"
echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"] >> "%OPENSEARCH_CONF_FILE%"

setlocal enabledelayedexpansion

set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%initialAdminPassword.txt"
set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml"

echo "what is in the config directory"
dir %OPENSEARCH_CONF_DIR%

echo "what is in the password file"
type "%ADMIN_PASSWORD_FILE%"


if "%initialAdminPassword%" NEQ "" (
set "ADMIN_PASSWORD=!initialAdminPassword!"
) else (
for /f %%a in ('type "%ADMIN_PASSWORD_FILE%"') do set "ADMIN_PASSWORD=%%a"
)

if not defined ADMIN_PASSWORD (
REM Commenting this out in favor of: https://github.com/opensearch-project/security/issues/3489
REM echo Unable to find the admin password for the cluster. Please set initialAdminPassword or create a file %ADMIN_PASSWORD_FILE% with a single line that contains the password.
REM exit /b 1
set "ADMIN_PASSWORD=admin"
echo "Unable to find custom admin password. Continuing with the default password for admin."
echo "You can set the custom admin password in one of the following two ways:"
echo "1. Run 'export initialAdminPassword=<your_password>' before script execution."
echo "2. Create a file $ADMIN_PASSWORD_FILE with a single line that contains the password."
)

echo " ***************************************************"
echo " *** ADMIN PASSWORD SET TO: %ADMIN_PASSWORD% ***"
echo " ***************************************************"

set "HASH_SCRIPT=%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat"

REM Run the command and capture its output
for /f %%a in ('%HASH_SCRIPT% -p !ADMIN_PASSWORD!') do (
set "HASHED_ADMIN_PASSWORD=%%a"
)

if errorlevel 1 (
echo Failed to hash the admin password
exit /b 1
)

set "default_line= hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG""
set "search=%default_line%"
set "replace= hash: "%HASHED_ADMIN_PASSWORD%""

setlocal enableextensions
for /f "delims=" %%i in ('type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_USERS_FILE%" ') do (
set "line=%%i"
setlocal enabledelayedexpansion
>>"%INTERNAL_USERS_FILE%" echo(!line:%search%=%replace%!
endlocal
)

:: network.host
>nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && (
echo network.host already present
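
Review bot: The removed block printed the credential twice, through `type "%ADMIN_PASSWORD_FILE%"` under the "what is in the password file" debug echo and through the `ADMIN PASSWORD SET TO: %ADMIN_PASSWORD%` banner, so the password ended up in console output and in any CI log that captured it. Its help text also told Windows users to run `export initialAdminPassword=<your_password>` and referred to `$ADMIN_PASSWORD_FILE`, which are POSIX shell forms rather than batch syntax (`set` and `%ADMIN_PASSWORD_FILE%` are the equivalents). Both are worth fixing before this logic is reintroduced; until then every demo install keeps the default hash shown in `default_line`.
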
44 changes: 0 additions & 44 deletions tools/install_demo_configuration.sh
Expand Up @@ -108,7 +108,6 @@ if [ -d "$BASE_DIR" ]; then
else
echo "DEBUG: basedir does not exist"
fi

OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml"
OPENSEARCH_BIN_DIR="$BASE_DIR/bin"
OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins"
Expand Down Expand Up @@ -388,49 +387,6 @@ echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_
echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null

## Read the admin password from the file or use the initialAdminPassword if set
ADMIN_PASSWORD_FILE="$OPENSEARCH_CONF_DIR/initialAdminPassword.txt"
INTERNAL_USERS_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/internal_users.yml"

if [[ -n "$initialAdminPassword" ]]; then
ADMIN_PASSWORD="$initialAdminPassword"
elif [[ -f "$ADMIN_PASSWORD_FILE" && -s "$ADMIN_PASSWORD_FILE" ]]; then
ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE")
else
# Commenting in favor of: https://github.com/opensearch-project/security/issues/3489
# echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=<your_password>' or create a file $ADMIN_PASSWORD_FILE with a single line that contains the password."
# exit 1
ADMIN_PASSWORD="admin"
echo "Unable to find custom admin password. Continuing with the default password for admin."
echo "You can set the custom admin password in one of the following two ways:"
echo "1. Run 'export initialAdminPassword=<your_password>' before script execution."
echo "2. Create a file $ADMIN_PASSWORD_FILE with a single line that contains the password."
fi

echo " ***************************************************"
echo " *** ADMIN PASSWORD SET TO: $ADMIN_PASSWORD ***"
echo " ***************************************************"

$SUDO_CMD chmod +x "$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh"

# Use the Hasher script to hash the admin password
HASHED_ADMIN_PASSWORD=$($OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh -p "$ADMIN_PASSWORD" | tail -n 1)

if [ $? -ne 0 ]; then
echo "Hash the admin password failure, see console for details"
exit 1
fi

# Find the line number containing 'admin:' in the internal_users.yml file
ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:)

awk -v hashed_admin_password="$HASHED_ADMIN_PASSWORD" '
/^ *hash: *"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/ {
sub(/"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/, "\"" hashed_admin_password "\"");
}
{ print }
' "$INTERNAL_USERS_FILE" > temp_file && mv temp_file "$INTERNAL_USERS_FILE"

#network.host
if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then
: #already present
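
Review bot: The removed `if [ $? -ne 0 ]` check follows a command substitution that pipes `hash.sh -p "$ADMIN_PASSWORD"` into `tail -n 1`, so `$?` is the exit status of `tail`, not of `hash.sh`; a failed hash would have passed the check and the awk substitution would then have written an empty or wrong value into `internal_users.yml`. If the block is reintroduced, enable `set -o pipefail` or capture the hasher's output and status before trimming, and reject an empty result. Two smaller points from the same lines: `ADMIN_HASH_LINE` is computed but never used, and the awk rewrite goes through `temp_file` in the current directory without `$SUDO_CMD`, unlike the `tee -a` writes above it. The banner that echoes `$ADMIN_PASSWORD` in clear text should not come back either.
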
