Base changes

Signed-off-by: Stephen Crawford <[email protected]>
opensearch-project · Sep 13, 2023 · 37f5fc4 · 37f5fc4
1 parent c9e109f
commit 37f5fc4
Show file tree

Hide file tree

Showing 8 changed files with 101 additions and 6 deletions.
diff --git a/config/internal_users.yml b/config/internal_users.yml
@@ -11,7 +11,7 @@ _meta:
 ## Demo users
 
 admin:
-  hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
+  hash:
   reserved: true
   backend_roles:
   - "admin"

diff --git a/config/opensearch.yml.example b/config/opensearch.yml.example
@@ -38,6 +38,10 @@ plugins.security.authcz.admin_dn:
 # BOTH - backend roles are mapped to Security roles mapped directly and via roles_mapping.yml in addition
 plugins.security.roles_mapping_resolution: MAPPING_ONLY
 
+# Specify the default password for the admin user
+# Note: This setting is required for using the default admin user account
+plugins.security.bootstrap.admin.password:
+
 ############## REST Management API configuration settings ##############
 # Enable or disable role based access to the REST management API
 # Default is that no role is allowed to access the REST management API.

diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -289,6 +289,10 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
 
         transportPassiveAuthSetting = new TransportPassiveAuthSetting(settings);
 
+        if (settings.get(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD) == null) {
+            throw new RuntimeException("A default admin password must be provided in the opensearch.yml file.");
+        }
+
         if (disabled) {
             this.sslCertReloadEnabled = false;
             log.warn(
@@ -1205,6 +1209,10 @@ public List<Setting<?>> getSettings() {
                 )
             ); // not filtered here
 
+            settings.add(
+                    Setting.simpleString(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD, Property.NodeScope, Property.Filtered)
+            );
+
             settings.add(Setting.simpleString(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, Property.NodeScope, Property.Filtered));
             settings.add(Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN + ".", Property.NodeScope)); // not filtered
                                                                                                                             // here

diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -139,6 +139,7 @@ public class ConfigConstants {
     public static final String SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "plugins.security.cert.intercluster_request_evaluator_class";
     public static final String OPENDISTRO_SECURITY_ACTION_NAME = OPENDISTRO_SECURITY_CONFIG_PREFIX + "action_name";
 
+    public static final String SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD = "plugins.security.bootstrap.admin.password";
     public static final String SECURITY_AUTHCZ_ADMIN_DN = "plugins.security.authcz.admin_dn";
     public static final String SECURITY_CONFIG_INDEX_NAME = "plugins.security.config_index_name";
     public static final String SECURITY_AUTHCZ_IMPERSONATION_DN = "plugins.security.authcz.impersonation_dn";

diff --git a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java
@@ -283,8 +283,8 @@ public void testDefaultConfig() throws Exception {
         RestHelper rh = nonSslRestHelper();
         Thread.sleep(10000);
 
-        Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode());
-        HttpResponse res = rh.executeGetRequest("/_cluster/health", encodeBasicHeader("admin", "admin"));
+        Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "testPassword")).getStatusCode());
+        HttpResponse res = rh.executeGetRequest("/_cluster/health", encodeBasicHeader("admin", "testPassword"));
         Assert.assertEquals(res.getBody(), HttpStatus.SC_OK, res.getStatusCode());
     }
 
@@ -300,14 +300,14 @@ public void testInvalidDefaultConfig() throws Exception {
             Thread.sleep(10000);
             Assert.assertEquals(
                 HttpStatus.SC_SERVICE_UNAVAILABLE,
-                rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode()
+                rh.executeGetRequest("", encodeBasicHeader("admin", "testPassword")).getStatusCode()
             );
 
             ClusterHelper.updateDefaultDirectory(defaultInitDirectory);
             restart(Settings.EMPTY, null, settings, false);
             rh = nonSslRestHelper();
             Thread.sleep(10000);
-            Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode());
+            Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "testPassword")).getStatusCode());
         } finally {
             ClusterHelper.resetSystemProperties();
         }

diff --git a/src/test/java/org/opensearch/security/test/SingleClusterTest.java b/src/test/java/org/opensearch/security/test/SingleClusterTest.java
@@ -80,7 +80,8 @@ protected void setup(
         Settings nodeOverride,
         boolean initSecurityIndex
     ) throws Exception {
-        setup(initTransportClientSettings, dynamicSecuritySettings, nodeOverride, initSecurityIndex, ClusterConfiguration.DEFAULT);
+        Settings settings = Settings.builder().put(nodeOverride).put("plugins.security.bootstrap.admin.password", "testPassword").build();
+        setup(initTransportClientSettings, dynamicSecuritySettings, settings, initSecurityIndex, ClusterConfiguration.DEFAULT);
     }
 
     protected void restart(

diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat
@@ -75,6 +75,7 @@ cd %CUR%
 echo Basedir: %BASE_DIR%
 
 set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml"
+set "INTERNAL_USERS_FILE"=%BASE_DIR%config\internal_users.yml"
 set "OPENSEARCH_CONF_DIR=%BASE_DIR%config\"
 set "OPENSEARCH_BIN_DIR=%BASE_DIR%bin\"
 set "OPENSEARCH_PLUGINS_DIR=%BASE_DIR%plugins\"
@@ -319,6 +320,62 @@ echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_a
 echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%"
 echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"] >> "%OPENSEARCH_CONF_FILE%"
 
+
+for /f "tokens=2 delims=: " %%a in ('findstr /r "plugins.security.bootstrap.admin.password:" "%OPENSEARCH_CONF_FILE%"') do (
+    set "ADMIN_PASSWORD=%%a"
+)
+
+REM If ADMIN_PASSWORD is empty, check the environment variable as a fallback
+if not defined ADMIN_PASSWORD (
+    if defined ENV_ADMIN_PASSWORD (
+        set "ADMIN_PASSWORD=!ENV_ADMIN_PASSWORD!"
+    ) else (
+        echo Admin password not found in %OPENSEARCH_CONF_FILE% and ENV_ADMIN_PASSWORD is not set.
+        exit /b 1
+    )
+)
+
+
+set "salt="
+for /l %%i in (1,1,16) do (
+    set /a "rand=!random! %% 16"
+    set "salt=!salt!!rand!"
+)
+
+openssl passwd -bcrypt -salt !salt! "!ADMIN_PASSWORD!" > tmp_hash.txt
+
+set "HASHED_ADMIN_PASSWORD="
+for /f %%a in (tmp_hash.txt) do (
+    set "HASHED_ADMIN_PASSWORD=%%a"
+)
+
+del tmp_hash.txt
+
+for /f "tokens=1 delims=:" %%b in ('findstr /n "admin:" "%INTERNAL_USERS_FILE%"') do (
+    set "ADMIN_HASH_LINE=%%b"
+)
+
+(for /f "delims=" %%c in ('type "%INTERNAL_USERS_FILE%" ^| findstr /n "^"') do (
+    set "line=%%c"
+    setlocal enabledelayedexpansion
+    echo(!line:%ADMIN_HASH_LINE%:=! | findstr "^"
+    endlocal
+)) > tmp_internal_users.yml
+
+(for /f "delims=" %%d in ('type "tmp_internal_users.yml" ^| findstr /n "^"') do (
+    set "line=%%d"
+    setlocal enabledelayedexpansion
+    if !line:^%ADMIN_HASH_LINE%^=! neq !line! (
+        echo !line!
+    ) else (
+        echo !line!
+        echo hash: "!HASHED_ADMIN_PASSWORD!"
+    )
+    endlocal
+)) > "%INTERNAL_USERS_FILE%"
+
+del tmp_internal_users.yml
+
 :: network.host
 >nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && (
     echo network.host already present

diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh
@@ -109,6 +109,7 @@ else
     echo "DEBUG: basedir does not exist"
 fi
 OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml"
+INTERNAL_USERS_FILE = "$BASE_DIR/config/internal_users.yml"
 OPENSEARCH_BIN_DIR="$BASE_DIR/bin"
 OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins"
 OPENSEARCH_MODULES_DIR="$BASE_DIR/modules"
@@ -387,6 +388,29 @@ echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_
 echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 
+ADMIN_PASSWORD=$(grep -oP 'plugins.security.bootstrap.admin.password:\s*\K.+' "$OPENSEARCH_CONF_FILE" | awk '{print $1}'
+
+if [ -z "$ADMIN_PASSWORD" ]; then
+  if [ -n "$ENV_ADMIN_PASSWORD" ]; then
+    ADMIN_PASSWORD="$ENV_ADMIN_PASSWORD"
+  else
+    echo "Admin password not found in $OPENSEARCH_YML_PATH and ENV_ADMIN_PASSWORD is not set."
+    exit 1
+  fi
+fi
+
+salt=$(openssl rand -hex 8)
+
+# Generate the hash using OpenBSD-style Blowfish-based bcrypt
+HASHED_ADMIN_PASSWORD=$(openssl passwd -bcrypt -salt $salt "$ADMIN_PASSWORD")
+
+# Clear the clearTextPassword variable
+unset ADMIN_PASSWORD
+
+ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:)
+
+sed -i "${ADMIN_HASH_LINE}s/.*/  hash: \"$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE"
+
 #network.host
 if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then
 	: #already present