Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Demo configuration script requires admin password #3329

Merged
merged 112 commits into from
Sep 27, 2023
Merged

Demo configuration script requires admin password #3329

merged 112 commits into from
Sep 27, 2023

Conversation

stephen-crawford
Copy link
Contributor

@stephen-crawford stephen-crawford commented Sep 7, 2023
edited by RyanL1997
Loading

Description

This change introduces an alternative to the default credentials admin:admin the security plugin currently uses.
In this implementation, a new setting is added to the opensearch.yml file. This setting, plugins.security.authcz.admin.password is parsed on plugin start up and then propagated into the internal user store of each node when they launch. During the set up of the security demo config, it will ask user to provide an initial admin password. User can either provide that by defining an environment variable 'initialAdminPassword' with a password string, or create a file 'initialAdminPassword.txt' with a single line that contains the password string and place it under the config folder. The absent of this 'initialAdminPassword' will lead to the failure of the demo config script.

The setting is used for input into a method in the UserService which updates the internal user store entry for the admin account. It will replace the hash field of the account with the hash of the password provided in the yml file.

Issues Resolved

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

peternied
peternied reviewed Sep 10, 2023
View reviewed changes
Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see how that password from the config is used, how were you planning on resolving it?

I feel like changes around default credentials or default setup should be focused around The configuration repositories startup workflow so only if its a new security index the default admin user / password is added. Within this thread:

security/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java

Line 121 in 72c6186

bgThread = new Thread(() -> {

config/internal_users.yml Outdated Show resolved Hide resolved
@stephen-crawford
Copy link
Contributor Author

Hi @peternied, thanks for taking a minute to look things over.

I am still working on how to use it. It is not used right now because I have not found where I can populate it and guarantee the configurations are live before it tries to access them.

It is in draft because I am not quite ready for review--not that I don't appreciate you looking--I just am still working on it and wanted to be able to more easily review changes for my own work then what IntelliJ offers for the git diffs.

@stephen-crawford
Copy link
Contributor Author

I tried adding modifying the configuration repository to include a method that creates an admin user and updates the configuration for the internal users on bootstrap. Unfortunately, this led to several issues.

This is what I implemented:


    private void createAdminUser() throws IOException {
        String plaintextPassword = this.settings.get(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DEFAULT_PASSWORD);
        String hashedPassword = hash(plaintextPassword.toCharArray());
        String userJsonAsString = "{ \"hash\" : \"" + hashedPassword + "\", \"opendistro_security_roles\": [\"admin\"], "
                + "\"attributes\": { \"service\": \"false\", "
                + "\"enabled\": \"false\"}"
                + " }\n";

        JsonNode accountInfo = DefaultObjectMapper.readTree(userJsonAsString);
        ObjectNode account = (ObjectNode) accountInfo;
        SecurityDynamicConfiguration<?> sdc = getConfiguration(CType.INTERNALUSERS);
        if (!sdc.exists("admin")) {
            System.out.println("Admin user not present so setting to new account: " + account.toPrettyString());
            sdc.putCObject(
                    "admin",
                    DefaultObjectMapper.readTree(account, sdc.getImplementingClass())
            );

        }
        saveAndUpdateConfigs(CType.INTERNALUSERS.toString(), client, CType.INTERNALUSERS, sdc);
        System.out.println("Finished creating admin user");
    }

    public static void saveAndUpdateConfigs(
            final String indexName,
            final Client client,
            final CType cType,
            final SecurityDynamicConfiguration<?> configuration
    ) {
        final IndexRequest ir = new IndexRequest(indexName);
        final String id = cType.toLCString();

        configuration.removeStatic();

        try {
            client.index(
                    ir.id(id)
                            .setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE)
                            .setIfSeqNo(configuration.getSeqNo())
                            .setIfPrimaryTerm(configuration.getPrimaryTerm())
                            .source(id, XContentHelper.toXContent(configuration, XContentType.JSON, false))
            );
        } catch (IOException e) {
            throw ExceptionsHelper.convertToOpenSearchException(e);
        }

But we can see in the screenshot one issue--the nodes all run the same configuration repository start process and without a hardcoded hash, they all use their own salt for the password and therefore get different outputs.

This would probably work since when a request hits a node it would be able to resolve the password of its own salt, but I think we should avoid them being different. I am not sure the exact issues that could arise, but I suspect allowing the saved hashes to vary is a bad idea.

Screenshot 2023-09-11 at 11 51 27 AM

I am going to have to find another way to access the settings and make the configuration change as part of the registration process.

@stephen-crawford
Copy link
Contributor Author

Seems like something is wrong with how the update to the configuration is happening:

Checking if default password is empty
Default password is not empty
[2023-09-11T12:23:35,150][WARN ][org.opensearch.security.configuration.Salt] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2023-09-11T12:23:35,151][ERROR][org.opensearch.security.auditlog.sink.SinkProvider] Default endpoint could not be created, auditlog will not work properly.
[2023-09-11T12:23:35,151][WARN ][org.opensearch.security.auditlog.routing.AuditMessageRouter] No default storage available, audit log may not work properly. Please check configuration.
[2023-09-11T12:23:35,158][WARN ][org.opensearch.gateway.DanglingIndicesState] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
Admin user not present so setting to new account: {
  "hash" : "$2y$12$OG/c/fbEGN/zd6huu7rXV.qXIar4im8cdgfAqPTbOAxzr8VL/.0Ym",
  "opendistro_security_roles" : [ "admin" ],
  "attributes" : {
    "service" : "false",
    "enabled" : "false"
  }
}
Admin user not present so setting to new account: {
  "hash" : "$2y$12$KGgkb7/Ig7ZlTQgGAnyLjeXPaDVAsxPR5Egw9Jkahl9nGjaUG/FKa",
  "opendistro_security_roles" : [ "admin" ],
  "attributes" : {
    "service" : "false",
    "enabled" : "false"
  }
}
Updating index: INTERNALUSERS with CTYPE: INTERNALUSERS and configuration: {logstash=InternalUserV7 [hash=$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[logstash], attributes={}, description=Demo logstash user, using external role mapping], snapshotrestore=InternalUserV7 [hash=$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[snapshotrestore], attributes={}, description=Demo snapshotrestore user, using external role mapping], admin=InternalUserV7 [hash=$2y$12$OG/c/fbEGN/zd6huu7rXV.qXIar4im8cdgfAqPTbOAxzr8VL/.0Ym, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[], attributes={service=false, enabled=false}, description=null], kibanaserver=InternalUserV7 [hash=$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H., enabled=false, service=false, reserved=true, hidden=false, _static=false, backend_roles=[], attributes={}, description=Demo OpenSearch Dashboards user], kibanaro=InternalUserV7 [hash=$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[kibanauser, readall], attributes={attribute1=value1, attribute2=value2, attribute3=value3}, description=Demo OpenSearch Dashboards read only user, using external role mapping], readall=InternalUserV7 [hash=$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[readall], attributes={}, description=Demo readall user, using external role mapping], anomalyadmin=InternalUserV7 [hash=$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3., enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[], attributes={}, description=Demo anomaly admin user, using internal role]}
Updating index: INTERNALUSERS with CTYPE: INTERNALUSERS and configuration: {logstash=InternalUserV7 [hash=$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[logstash], attributes={}, description=Demo logstash user, using external role mapping], snapshotrestore=InternalUserV7 [hash=$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[snapshotrestore], attributes={}, description=Demo snapshotrestore user, using external role mapping], admin=InternalUserV7 [hash=$2y$12$KGgkb7/Ig7ZlTQgGAnyLjeXPaDVAsxPR5Egw9Jkahl9nGjaUG/FKa, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[], attributes={service=false, enabled=false}, description=null], kibanaserver=InternalUserV7 [hash=$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H., enabled=false, service=false, reserved=true, hidden=false, _static=false, backend_roles=[], attributes={}, description=Demo OpenSearch Dashboards user], kibanaro=InternalUserV7 [hash=$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[kibanauser, readall], attributes={attribute1=value1, attribute2=value2, attribute3=value3}, description=Demo OpenSearch Dashboards read only user, using external role mapping], readall=InternalUserV7 [hash=$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[readall], attributes={}, description=Demo readall user, using external role mapping], anomalyadmin=InternalUserV7 [hash=$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3., enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[], attributes={}, description=Demo anomaly admin user, using internal role]}
Result of update: index {[INTERNALUSERS][internalusers], source[n/a, actual length: [2.6kb], max length: 2kb]}  ir pipeline resolved? true
Result of update: index {[INTERNALUSERS][internalusers], source[n/a, actual length: [2.6kb], max length: 2kb]}  ir pipeline resolved? true
Finished creating admin user
Finished creating admin user
Internal users are: {logstash=InternalUserV7 [hash=$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[logstash], attributes={}, description=Demo logstash user, using external role mapping], snapshotrestore=InternalUserV7 [hash=$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[snapshotrestore], attributes={}, description=Demo snapshotrestore user, using external role mapping], kibanaserver=InternalUserV7 [hash=$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H., enabled=false, service=false, reserved=true, hidden=false, _static=false, backend_roles=[], attributes={}, description=Demo OpenSearch Dashboards user], kibanaro=InternalUserV7 [hash=$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[kibanauser, readall], attributes={attribute1=value1, attribute2=value2, attribute3=value3}, description=Demo OpenSearch Dashboards read only user, using external role mapping], readall=InternalUserV7 [hash=$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[readall], attributes={}, description=Demo readall user, using external role mapping], anomalyadmin=InternalUserV7 [hash=$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3., enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[], attributes={}, description=Demo anomaly admin user, using internal role]} admin user is: null
Internal users are: {logstash=InternalUserV7 [hash=$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[logstash], attributes={}, description=Demo logstash user, using external role mapping], snapshotrestore=InternalUserV7 [hash=$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[snapshotrestore], attributes={}, description=Demo snapshotrestore user, using external role mapping], kibanaserver=InternalUserV7 [hash=$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H., enabled=false, service=false, reserved=true, hidden=false, _static=false, backend_roles=[], attributes={}, description=Demo OpenSearch Dashboards user], kibanaro=InternalUserV7 [hash=$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[kibanauser, readall], attributes={attribute1=value1, attribute2=value2, attribute3=value3}, description=Demo OpenSearch Dashboards read only user, using external role mapping], readall=InternalUserV7 [hash=$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[readall], attributes={}, description=Demo readall user, using external role mapping], anomalyadmin=InternalUserV7 [hash=$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3., enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[], attributes={}, description=Demo anomaly admin user, using internal role]} admin user is: null
Admin user not present so setting to new account: {
  "hash" : "$2y$12$2Lm/4/73wd1cApSg8p0pCefkRDo1wvCtfB6QlUilL7u0mU9RNvGnu",
  "opendistro_security_roles" : [ "admin" ],
  "attributes" : {
    "service" : "false",
    "enabled" : "false"
  }
}
Updating index: INTERNALUSERS with CTYPE: INTERNALUSERS and configuration: {logstash=InternalUserV7 [hash=$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[logstash], attributes={}, description=Demo logstash user, using external role mapping], snapshotrestore=InternalUserV7 [hash=$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[snapshotrestore], attributes={}, description=Demo snapshotrestore user, using external role mapping], admin=InternalUserV7 [hash=$2y$12$2Lm/4/73wd1cApSg8p0pCefkRDo1wvCtfB6QlUilL7u0mU9RNvGnu, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[], attributes={service=false, enabled=false}, description=null], kibanaserver=InternalUserV7 [hash=$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H., enabled=false, service=false, reserved=true, hidden=false, _static=false, backend_roles=[], attributes={}, description=Demo OpenSearch Dashboards user], kibanaro=InternalUserV7 [hash=$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[kibanauser, readall], attributes={attribute1=value1, attribute2=value2, attribute3=value3}, description=Demo OpenSearch Dashboards read only user, using external role mapping], readall=InternalUserV7 [hash=$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[readall], attributes={}, description=Demo readall user, using external role mapping], anomalyadmin=InternalUserV7 [hash=$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3., enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[], attributes={}, description=Demo anomaly admin user, using internal role]}
Result of update: index {[INTERNALUSERS][internalusers], source[n/a, actual length: [2.6kb], max length: 2kb]}  ir pipeline resolved? true
Finished creating admin user
Internal users are: {logstash=InternalUserV7 [hash=$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[logstash], attributes={}, description=Demo logstash user, using external role mapping], snapshotrestore=InternalUserV7 [hash=$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[snapshotrestore], attributes={}, description=Demo snapshotrestore user, using external role mapping], kibanaserver=InternalUserV7 [hash=$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H., enabled=false, service=false, reserved=true, hidden=false, _static=false, backend_roles=[], attributes={}, description=Demo OpenSearch Dashboards user], kibanaro=InternalUserV7 [hash=$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[kibanauser, readall], attributes={attribute1=value1, attribute2=value2, attribute3=value3}, description=Demo OpenSearch Dashboards read only user, using external role mapping], readall=InternalUserV7 [hash=$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2, enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[readall], attributes={}, description=Demo readall user, using external role mapping], anomalyadmin=InternalUserV7 [hash=$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3., enabled=false, service=false, reserved=false, hidden=false, _static=false, backend_roles=[], attributes={}, description=Demo anomaly admin user, using internal role]} admin user is: null
[2023-09-11T12:23:44,441][ERROR][org.opensearch.security.configuration.ConfigurationLoaderSecurity7] Failure [node_utest_n5_fnull_t11202367276541_num2][127.0.0.1:6833] Node not connected retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-11T12:23:44,441][ERROR][org.opensearch.security.configuration.ConfigurationLoaderSecurity7] Failure [node_utest_n5_fnull_t11202367276541_num2][127.0.0.1:6833] Node not connected retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-11T12:23:44,442][ERROR][

I would expect the admin user to be presented in the check after the index update but it is not. So for some reason, it does not get updated.

I also notice that the configuration loader complains that the nodes are not connected:

[2023-09-11T12:23:44,442][ERROR][org.opensearch.security.configuration.ConfigurationLoaderSecurity7] Failure [node_utest_n5_fnull_t11202367276541_num2][127.0.0.1:6833] Node not connected retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-11T12:23:44,442][ERROR][org.opensearch.security.configuration.ConfigurationLoaderSecurity7] Failure [node_utest_n5_fnull_t11202367276541_num2][127.0.0.1:6833] Node not connected retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-11T12:23:45,170][ERROR][org.opensearch.security.configuration.ConfigurationLoaderSecurity7] Failure [node_utest_n5_fnull_t11202367276541_num1][127.0.0.1:7349] Node not connected retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-11T12:23:45,171][ERROR][org.opensearch.security.configuration.ConfigurationLoaderSecurity7] Failure [node_utest_n5_fnull_t11202367276541_num1][127.0.0.1:7349] Node not connected retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-11T12:23:45,171][ERROR][org.opensearch.security.configuration.ConfigurationLoaderSecurity7] Failure [node_utest_n5_fnull_t11202367276541_num1][127.0.0.1:73

@stephen-crawford
Copy link
Contributor Author

Shard indexing pressure may be killing the node during the write?

g.opensearch.transport.SendRequestTransportException: [node_utest_n2_fnull_t15720773812791_num1][127.0.0.1:7862][internal:index/seq_no/resync[p]]
	at org.opensearch.transport.TransportService$4.doRun(TransportService.java:356) [opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908) [opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52) [opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
	at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: org.opensearch.node.NodeClosedException: node closed {node_utest_n2_fnull_t15720773812791_num1}{3xwCawAAQACLJeBYAAAAAA}{rTO27LqDQquW2-BEvhhJXQ}{127.0.0.1}{127.0.0.1:7862}{d}{shard_indexing_pressure_enabled=true}
	... 6 more
[2023-09-11T13:46:57,849][WARN ][org.opensearch.indices.cluster.IndicesClusterStateService] [.opendistro_security][0] marking and sending shard failed due to [shard failure, reason [exception during primary-replica resync]]
org.opensearch.transport.SendRequestTransportException: [node_utest_n2_fnull_t15720773812791_num1][127.0.0.1:7862][internal:index/seq_no/resync[p]]
	at org.opensearch.transport.TransportService$4.doRun(TransportService.java:356) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
	at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: org.opensearch.node.NodeClosedException: node closed {node_utest_n2_fnull_t15720773812791_num1}{3xwCawAAQACLJeBYAAAAAA}{rTO27LqDQquW2-BEvhhJXQ}{127.0.0.1}{127.0.0.1:7862}{d}{shard_indexing_pressure_enabled=true}
	... 6 more
[2023-09-11T13:46:57,850][WARN ][org.opensearch.cluster.action.shard.ShardStateAction] node closed while execution action [internal:cluster/shard/failure] for shard entry [shard id [[.opendistro_security][0]], allocation id [3iCSVeeqRMmJyBuLMdpo1A], primary term [0], message [shard failure, reason [exception during primary-replica resync]], failure [SendRequestTransportException[[node_utest_n2_fnull_t15720773812791_num1][127.0.0.1:7862][internal:index/seq_no/resync[p]]]; nested: NodeClosedException[node closed {node_utest_n2_fnull_t15720773812791_num1}{3xwCawAAQACLJeBYAAAAAA}{rTO27LqDQquW2-BEvhhJXQ}{127.0.0.1}{127.0.0.1:7862}{d}{shard_indexing_pressure_enabled=true}]; ], markAsStale [true]]

expected:<200> but was:<401>

@stephen-crawford
Copy link
Contributor Author

Screenshot 2023-09-12 at 10 44 09 AM

Current implementation is an imperfect solution which sometimes fails. Not sure why.

@stephen-crawford
Copy link
Contributor Author

1e587a1 Is a dynamic insertion of an admin user into the internal user configuration during the node start process. Unfortunately, it does not work because we have no guarantees around the timing or order of the processes.

@stephen-crawford
Base changes
37f5fc4 
Signed-off-by: Stephen Crawford <[email protected]>
peternied
peternied requested changes Sep 13, 2023
View reviewed changes
Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about only supporting these 3 scenarios - are there others that I am missing?

No password found:

> ./install_demo_configuration.sh
>    Unable to find admin password for cluster, please run `export CLUSTER_ADMIN_PASSWORD=$(openssl rand -base64 48 | cut -c1-16)` or create a file {OPENSEARCH_ROOT}/CLUSTER_ADMIN_PASSWORD with a single line that contains the password followed by a newline

Password via environment variable

> export CLUSTER_ADMIN_PASSWORD=thisIsMyOwnPassword
> ./install_demo_configuration.sh
...
>    Found admin password in environment variable, please run `echo $CLUSTER_ADMIN_PASSWORD` to see the password
...
# SUCCESS can start ./bin/opensearch and use that password

Password via file

> openssl rand -base64 48 | cut -c1-16 > {OPENSEARCH_ROOT}/CLUSTER_ADMIN_PASSWORD
> ./install_demo_configuration.sh
...
>    Found admin password in password file, please run `cat {OPENSEARCH_ROOT}/CLUSTER_ADMIN_PASSWORD` to see the password
...
# SUCCESS can start ./bin/opensearch and use that password

peternied
peternied requested changes Sep 13, 2023
View reviewed changes
Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about only supporting these 3 scenarios - are there others that I am missing?

No password found:

> ./install_demo_configuration.sh
>    Unable to find admin password for cluster, please run `export CLUSTER_ADMIN_PASSWORD=$(openssl rand -base64 48 | cut -c1-16)` or create a file {OPENSEARCH_ROOT}/CLUSTER_ADMIN_PASSWORD with a single line that contains the password followed by a newline

Password via environment variable

> export CLUSTER_ADMIN_PASSWORD=thisIsMyOwnPassword
> ./install_demo_configuration.sh
...
>    Found admin password in environment variable, please run `echo $CLUSTER_ADMIN_PASSWORD` to see the password
...
# SUCCESS can start ./bin/opensearch and use that password

Password via file

> openssl rand -base64 48 | cut -c1-16 > {OPENSEARCH_ROOT}/CLUSTER_ADMIN_PASSWORD
> ./install_demo_configuration.sh
...
>    Found admin password in password file, please run `cat {OPENSEARCH_ROOT}/CLUSTER_ADMIN_PASSWORD` to see the password
...
# SUCCESS can start ./bin/opensearch and use that password

@stephen-crawford
Copy link
Contributor Author

Hi @peternied, that is basically the scenarios I am trying to cover now. The issue is that if we want to remove the default admin password from the internal configuration, we need to be able to provide one for the tests to use.

We could swap the tests to use an account other than admin which still had the all access permissions, but I am not sure whether that would be considered just as bad.

If you look at the changes I have made this far, you can see the trouble I am running into.

I have successfully added logic for a configuration setting to be read from opensearch.yml and used during the install script. I can similarly look for an environment variable--I have not set a name for it yet--should the config value not be present.

The problem is that this logic only executes with the installation script and the tests do not run the installation script.

We need something that will always add the admin user to the internal configuration whether it is a test or not. Otherwise, every test relying on SingleClusterTest and executing a request with admin:admin or admin:newPassword will fail.

There is no way to run the tests with no default password and no step of test execution which will create the new admin user they require.

@stephen-crawford
swap to separate fie
4079fe8 
Signed-off-by: Stephen Crawford <[email protected]>
@stephen-crawford
reset sec plugin.java
d0b26ed 
Signed-off-by: Stephen Crawford <[email protected]>
@stephen-crawford
Reset config constants
a2dd667 
Signed-off-by: Stephen Crawford <[email protected]>
@peternied
Copy link
Member

I think you can support those 3 scenarios without any Java code changes. Try using exactly the input in those examples to get those results.

peternied
peternied reviewed Sep 19, 2023
View reviewed changes
Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Darn, might need to figure out a way to generate the password, maybe reuse the hasher? This raises a question I'll look into, why are we using an algorithm that isn't a standard part of openssl.

config/internal_users.yml Outdated Show resolved Hide resolved
config/admin_password.txt Outdated Show resolved Hide resolved
tools/install_demo_configuration.sh Outdated Show resolved Hide resolved
tools/install_demo_configuration.bat Outdated Show resolved Hide resolved
tools/install_demo_configuration.sh Outdated Show resolved Hide resolved
tools/install_demo_configuration.bat Outdated Show resolved Hide resolved
stephen-crawford and others added 7 commits September 20, 2023 12:01
@stephen-crawford
update hash function
bba2e5f 
Signed-off-by: Stephen Crawford <[email protected]>
@stephen-crawford
Merge branch 'opensearch-project:main' into adminConfigFile
4c5b6f0
@stephen-crawford
remove space
0a1403f 
Signed-off-by: Stephen Crawford <[email protected]>
@stephen-crawford
Fix plugin install
18c63f0 
Signed-off-by: Stephen Crawford <[email protected]>
@stephen-crawford
move dir out of config
e1c23cc 
Signed-off-by: Stephen Crawford <[email protected]>
@stephen-crawford
move file
1375996 
Signed-off-by: Stephen Crawford <[email protected]>
@stephen-crawford
try path
fcabdd7 
Signed-off-by: Stephen Crawford <[email protected]>
@peternied peternied mentioned this pull request Sep 26, 2023
Closed
peternied
peternied previously approved these changes Sep 27, 2023
View reviewed changes
@peternied
Copy link
Member

@DarshitChanpura @willyborankin @reta Could I get another look at this change?

@peternied peternied added the backport 2.x backport to 2.x branch label Sep 27, 2023
@peternied peternied changed the title Replace hardcoded admin:admin default credentials with operator specified password Demo configuration requires admin password to be provided Sep 27, 2023
@peternied peternied changed the title Demo configuration requires admin password to be provided Demo configuration script requires admin password Sep 27, 2023
@peternied peternied added the v2.11.0 Issues targeting the 2.11 release label Sep 27, 2023
@peternied peternied merged commit 8628a89 into opensearch-project:main Sep 27, 2023
59 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Sep 27, 2023
@github-actions @peternied
Demo configuration script requires admin password (#3329)
eabc278 
This change requires an alternative to the default credentials
for the admin user.

The credentials can be provided to the script via:
- `initialAdminPassword` environment variable
- a file with a single line that contains the password.

The admin password for the cluster will be printed to the console output of the `tools/install_demo_configuration.(bat|sh)`

Signed-off-by: Stephen Crawford <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Co-authored-by: Peter Nied <[email protected]>
(cherry picked from commit 8628a89)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Sep 27, 2023
Merged
This was referenced Sep 27, 2023
Closed
Closed
Closed
This was referenced Sep 29, 2023
Merged
Closed
Closed
peternied added a commit that referenced this pull request Oct 3, 2023
@opensearch-trigger-bot @github-actions @peternied
[Backport 2.x] Demo configuration script requires admin password (#3414)
d995daf 
Backport 8628a89 from #3329.

### Related Issues
-  Related #3285

Signed-off-by: Stephen Crawford <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Peter Nied <[email protected]>
@RyanL1997 RyanL1997 mentioned this pull request Oct 4, 2023
Closed
3 tasks
@DarshitChanpura DarshitChanpura mentioned this pull request Oct 17, 2023
Closed
23 tasks
@stephen-crawford stephen-crawford deleted the adminConfigFile branch December 11, 2023 19:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@willyborankin willyborankin willyborankin approved these changes

@peternied peternied peternied approved these changes

@cliu123 cliu123 Awaiting requested review from cliu123

@cwperks cwperks Awaiting requested review from cwperks cwperks is a code owner

@DarshitChanpura DarshitChanpura Awaiting requested review from DarshitChanpura DarshitChanpura is a code owner

@davidlago davidlago Awaiting requested review from davidlago

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

@reta reta Awaiting requested review from reta reta is a code owner

Assignees
No one assigned
Labels
backport 2.x backport to 2.x branch v2.11.0 Issues targeting the 2.11 release
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Replace admin:admin default credentials with configuration file password
3 participants
@stephen-crawford @peternied @willyborankin