From 37f5fc47935bfc543a460a9ac2952e9d5e1348e1 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 13 Sep 2023 11:14:17 -0400 Subject: [PATCH 001/108] Base changes Signed-off-by: Stephen Crawford --- config/internal_users.yml | 2 +- config/opensearch.yml.example | 4 ++ .../security/OpenSearchSecurityPlugin.java | 8 +++ .../security/support/ConfigConstants.java | 1 + .../InitializationIntegrationTests.java | 8 +-- .../security/test/SingleClusterTest.java | 3 +- tools/install_demo_configuration.bat | 57 +++++++++++++++++++ tools/install_demo_configuration.sh | 24 ++++++++ 8 files changed, 101 insertions(+), 6 deletions(-) diff --git a/config/internal_users.yml b/config/internal_users.yml index f4d31e52c6..c2eb61354a 100644 --- a/config/internal_users.yml +++ b/config/internal_users.yml @@ -11,7 +11,7 @@ _meta: ## Demo users admin: - hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" + hash: reserved: true backend_roles: - "admin" diff --git a/config/opensearch.yml.example b/config/opensearch.yml.example index 3b4df645de..3144e1ab2a 100644 --- a/config/opensearch.yml.example +++ b/config/opensearch.yml.example @@ -38,6 +38,10 @@ plugins.security.authcz.admin_dn: # BOTH - backend roles are mapped to Security roles mapped directly and via roles_mapping.yml in addition plugins.security.roles_mapping_resolution: MAPPING_ONLY +# Specify the default password for the admin user +# Note: This setting is required for using the default admin user account +plugins.security.bootstrap.admin.password: + ############## REST Management API configuration settings ############## # Enable or disable role based access to the REST management API # Default is that no role is allowed to access the REST management API. diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 8b1e307172..3b83046332 100644 
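Review bot: The `admin` entry now ships with an empty `hash:` and the file gives no hint of what is expected to fill it in. Elsewhere in this patch the demo install scripts rewrite this entry, so a comment on the line would help anyone who deploys the file by hand, e.g. `# populated by the demo install script from the configured admin password`. It is also worth confirming how the plugin treats a reserved user whose hash is empty when the script has not run or has failed part-way.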
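Review bot: The new `plugins.security.bootstrap.admin.password` key puts the admin credential in cleartext in opensearch.yml, and the comment above it does not say so. That file is usually read by more accounts and tooling (config management, backups, support bundles) than a credential store would be. If the key stays, I would extend the comment with `# Stored in cleartext: restrict read access to this file to the OpenSearch service user`, and consider a keystore-backed setting instead. The comment also calls it the "default" password while the key says "bootstrap"; one term should be used throughout.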
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -289,6 +289,10 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath) transportPassiveAuthSetting = new TransportPassiveAuthSetting(settings); + if (settings.get(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD) == null) { + throw new RuntimeException("A default admin password must be provided in the opensearch.yml file."); + } + if (disabled) { this.sslCertReloadEnabled = false; log.warn( @@ -1205,6 +1209,10 @@ public List> getSettings() { ) ); // not filtered here + settings.add( + Setting.simpleString(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD, Property.NodeScope, Property.Filtered) + ); + settings.add(Setting.simpleString(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, Property.NodeScope, Property.Filtered)); settings.add(Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN + ".", Property.NodeScope)); // not filtered // here diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java index 8317d65335..9cf120136c 100644 --- a/src/main/java/org/opensearch/security/support/ConfigConstants.java +++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java 
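Review bot: The added null check sits above `if (disabled) {`, so a node with the security plugin disabled would still refuse to start when no admin password is configured. It also tests only for `null`; depending on how the settings loader treats the empty value shipped in opensearch.yml.example, a blank password may pass. I would read the value once and guard both cases: `final String bootstrapPw = settings.get(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD);` followed by `if (!disabled && (bootstrapPw == null || bootstrapPw.isBlank())) {`. A more specific exception type than `RuntimeException` would also make the start-up failure easier to recognise. The constructor starts and ends outside the hunk.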
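Review bot: The password is registered with `Setting.simpleString(..., Property.NodeScope, Property.Filtered)`, which keeps it an ordinary node setting read from opensearch.yml. As far as I can tell `Filtered` only hides the value from settings output; the credential is still a cleartext string in the config file and in the in-memory `Settings` object. OpenSearch has a secure-settings mechanism (`SecureSetting.secureString`, backed by the keystore) that looks like a better fit for a credential, and it is easier to choose now than after the key becomes part of the public configuration surface. getSettings() starts and ends outside the hunk.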
@@ -139,6 +139,7 @@ public class ConfigConstants { public static final String SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "plugins.security.cert.intercluster_request_evaluator_class"; public static final String OPENDISTRO_SECURITY_ACTION_NAME = OPENDISTRO_SECURITY_CONFIG_PREFIX + "action_name"; + public static final String SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD = "plugins.security.bootstrap.admin.password"; public static final String SECURITY_AUTHCZ_ADMIN_DN = "plugins.security.authcz.admin_dn"; public static final String SECURITY_CONFIG_INDEX_NAME = "plugins.security.config_index_name"; public static final String SECURITY_AUTHCZ_IMPERSONATION_DN = "plugins.security.authcz.impersonation_dn"; diff --git a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java index d6306e7f5d..6c46915fa6 100644 --- a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java +++ b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java @@ -283,8 +283,8 @@ public void testDefaultConfig() throws Exception { RestHelper rh = nonSslRestHelper(); Thread.sleep(10000); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode()); - HttpResponse res = rh.executeGetRequest("/_cluster/health", encodeBasicHeader("admin", "admin")); + Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "testPassword")).getStatusCode()); + HttpResponse res = rh.executeGetRequest("/_cluster/health", encodeBasicHeader("admin", "testPassword")); Assert.assertEquals(res.getBody(), HttpStatus.SC_OK, res.getStatusCode()); } 
@@ -300,14 +300,14 @@ public void testInvalidDefaultConfig() throws Exception { Thread.sleep(10000); Assert.assertEquals( HttpStatus.SC_SERVICE_UNAVAILABLE, - rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode() + rh.executeGetRequest("", encodeBasicHeader("admin", "testPassword")).getStatusCode() ); ClusterHelper.updateDefaultDirectory(defaultInitDirectory); restart(Settings.EMPTY, null, settings, false); rh = nonSslRestHelper(); Thread.sleep(10000); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode()); + Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "testPassword")).getStatusCode()); } finally { ClusterHelper.resetSystemProperties(); } diff --git a/src/test/java/org/opensearch/security/test/SingleClusterTest.java b/src/test/java/org/opensearch/security/test/SingleClusterTest.java index 2839e1e283..42b0a5b612 100644 --- a/src/test/java/org/opensearch/security/test/SingleClusterTest.java +++ b/src/test/java/org/opensearch/security/test/SingleClusterTest.java @@ -80,7 +80,8 @@ protected void setup( Settings nodeOverride, boolean initSecurityIndex ) throws Exception { - setup(initTransportClientSettings, dynamicSecuritySettings, nodeOverride, initSecurityIndex, ClusterConfiguration.DEFAULT); + Settings settings = Settings.builder().put(nodeOverride).put("plugins.security.bootstrap.admin.password", "testPassword").build(); + setup(initTransportClientSettings, dynamicSecuritySettings, settings, initSecurityIndex, ClusterConfiguration.DEFAULT); } protected void restart( diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 6bb115fb3e..8bb985102a 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
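Review bot: The setup override hard-codes the key as `"plugins.security.bootstrap.admin.password"` although this same patch adds `ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD` for it; `.put(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD, "testPassword")` keeps the test in step with the production key. Because this `put` comes after `put(nodeOverride)`, a test that supplies its own value through `nodeOverride` is silently overridden. `nodeOverride` is now passed to `Settings.Builder.put` instead of straight through, so it is worth checking that no caller passes `null`. The literal `"testPassword"` is repeated in InitializationIntegrationTests and would read better as one shared test constant.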
@@ -75,6 +75,7 @@ cd %CUR% echo Basedir: %BASE_DIR% set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml" +set "INTERNAL_USERS_FILE"=%BASE_DIR%config\internal_users.yml" set "OPENSEARCH_CONF_DIR=%BASE_DIR%config\" set "OPENSEARCH_BIN_DIR=%BASE_DIR%bin\" set "OPENSEARCH_PLUGINS_DIR=%BASE_DIR%plugins\" 
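Review bot: The closing quote is misplaced in `set "INTERNAL_USERS_FILE"=%BASE_DIR%config\internal_users.yml"`, so the variable that later lines read as `%INTERNAL_USERS_FILE%` is most likely never defined. It should follow the form of the neighbouring lines: `set "INTERNAL_USERS_FILE=%BASE_DIR%config\internal_users.yml"`. With the variable empty, the later `findstr` and the final redirect to `"%INTERNAL_USERS_FILE%"` operate on an empty path. The same misplaced quote appears in tools/admin_password_tool.bat in PATCH 002 and on the `ADMIN_PASSWORD_FILE` line added in PATCH 003.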
@@ -319,6 +320,62 @@ echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_a echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%" echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"] >> "%OPENSEARCH_CONF_FILE%" + +for /f "tokens=2 delims=: " %%a in ('findstr /r "plugins.security.bootstrap.admin.password:" "%OPENSEARCH_CONF_FILE%"') do ( + set "ADMIN_PASSWORD=%%a" +) + +REM If ADMIN_PASSWORD is empty, check the environment variable as a fallback +if not defined ADMIN_PASSWORD ( + if defined ENV_ADMIN_PASSWORD ( + set "ADMIN_PASSWORD=!ENV_ADMIN_PASSWORD!" + ) else ( + echo Admin password not found in %OPENSEARCH_CONF_FILE% and ENV_ADMIN_PASSWORD is not set. + exit /b 1 + ) +) + + +set "salt=" +for /l %%i in (1,1,16) do ( + set /a "rand=!random! %% 16" + set "salt=!salt!!rand!" +) + +openssl passwd -bcrypt -salt !salt! "!ADMIN_PASSWORD!" 
> tmp_hash.txt + +set "HASHED_ADMIN_PASSWORD=" +for /f %%a in (tmp_hash.txt) do ( + set "HASHED_ADMIN_PASSWORD=%%a" +) + +del tmp_hash.txt + +for /f "tokens=1 delims=:" %%b in ('findstr /n "admin:" "%INTERNAL_USERS_FILE%"') do ( + set "ADMIN_HASH_LINE=%%b" +) + +(for /f "delims=" %%c in ('type "%INTERNAL_USERS_FILE%" ^| findstr /n "^"') do ( + set "line=%%c" + setlocal enabledelayedexpansion + echo(!line:%ADMIN_HASH_LINE%:=! | findstr "^" + endlocal +)) > tmp_internal_users.yml + +(for /f "delims=" %%d in ('type "tmp_internal_users.yml" ^| findstr /n "^"') do ( + set "line=%%d" + setlocal enabledelayedexpansion + if !line:^%ADMIN_HASH_LINE%^=! neq !line! ( + echo !line! + ) else ( + echo !line! + echo hash: "!HASHED_ADMIN_PASSWORD!" + ) + endlocal +)) > "%INTERNAL_USERS_FILE%" + +del tmp_internal_users.yml + :: network.host >nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && ( echo network.host already present diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 7428ea7b14..28fe60f8fd 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -109,6 +109,7 @@ else echo "DEBUG: basedir does not exist" fi OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" +INTERNAL_USERS_FILE = "$BASE_DIR/config/internal_users.yml" OPENSEARCH_BIN_DIR="$BASE_DIR/bin" OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins" OPENSEARCH_MODULES_DIR="$BASE_DIR/modules" 
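Review bot: The salt is assembled from `set /a "rand=!random! %% 16"`, which yields decimal numbers 0–15 from cmd's `%RANDOM%`; that is neither a cryptographically strong source nor a string in the salt format bcrypt expects. The cleartext password is then passed as a command-line argument to `openssl passwd`, where it may be visible to other processes, and the result is written to `tmp_hash.txt` in the current directory. I am not aware of a `-bcrypt` option in `openssl passwd`, so this step needs testing; if it fails, `HASHED_ADMIN_PASSWORD` stays empty and the script still writes `hash: ""`. A hashing tool that generates its own salt and reads the password from stdin or a prompt would remove all three problems. The lookup above it, `tokens=2 delims=: `, also truncates any password that contains a space or a colon.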
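Review bot: `INTERNAL_USERS_FILE = "$BASE_DIR/config/internal_users.yml"` has spaces around `=`, so the shell runs a command named `INTERNAL_USERS_FILE` instead of assigning the variable. The later `grep -n 'admin:' "$INTERNAL_USERS_FILE"` and `sed -i ... "$INTERNAL_USERS_FILE"` then receive an empty path. The line should read `INTERNAL_USERS_FILE="$BASE_DIR/config/internal_users.yml"`, like the assignments around it. The spaced form is still present as a context line in PATCH 003.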
@@ -387,6 +388,29 @@ echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_ echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null +ADMIN_PASSWORD=$(grep -oP 'plugins.security.bootstrap.admin.password:\s*\K.+' "$OPENSEARCH_CONF_FILE" | awk '{print $1}' + +if [ -z "$ADMIN_PASSWORD" ]; then + if [ -n "$ENV_ADMIN_PASSWORD" ]; then + ADMIN_PASSWORD="$ENV_ADMIN_PASSWORD" + else + echo "Admin password not found in $OPENSEARCH_YML_PATH and ENV_ADMIN_PASSWORD is not set." + exit 1 + fi +fi + +salt=$(openssl rand -hex 8) + +# Generate the hash using OpenBSD-style Blowfish-based bcrypt +HASHED_ADMIN_PASSWORD=$(openssl passwd -bcrypt -salt $salt "$ADMIN_PASSWORD") + +# Clear the clearTextPassword variable +unset ADMIN_PASSWORD + +ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:) + +sed -i "${ADMIN_HASH_LINE}s/.*/ hash: \"$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE" + #network.host if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then : #already present From 66b81ef25bf527db793f68b03a063a1dbeab5686 Mon Sep 17 00:00:00 2001 
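Review bot: The `sed` call interpolates the hash into an `s/.../.../` expression, and bcrypt output can contain `/`, which ends the replacement early and makes the command fail or write a damaged hash. `ADMIN_HASH_LINE` is also the line number of `admin:` itself, so `s/.*/` would overwrite the user key rather than the `hash:` line beneath it, and the variable holds several numbers if `admin:` occurs more than once in the file. Further up, the `ADMIN_PASSWORD=$(grep -oP ... | awk '{print $1}'` line lacks its closing `)`, and the error message prints `$OPENSEARCH_YML_PATH`, which is not defined in the visible script. The password is passed on the `openssl passwd` command line, where the cleartext shows up in the process list; reading it from stdin avoids that. For the edit, target the following line and use a delimiter that cannot occur in the hash, e.g. `sed -i "$((ADMIN_HASH_LINE + 1))s|.*|  hash: \"$HASHED_ADMIN_PASSWORD\"|" "$INTERNAL_USERS_FILE"`.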
From: Stephen Crawford Date: Wed, 13 Sep 2023 13:17:38 -0400 Subject: [PATCH 002/108] state of the world Signed-off-by: Stephen Crawford --- config/opensearch.yml.example | 2 +- .../security/OpenSearchSecurityPlugin.java | 42 ++++++++++++ tools/admin_password_tool.bat | 66 +++++++++++++++++++ tools/admin_password_tool.sh | 50 ++++++++++++++ 4 files changed, 159 insertions(+), 1 deletion(-) create mode 100644 tools/admin_password_tool.bat create mode 100644 tools/admin_password_tool.sh diff --git a/config/opensearch.yml.example b/config/opensearch.yml.example index 3144e1ab2a..447e0d1f67 100644 --- a/config/opensearch.yml.example +++ b/config/opensearch.yml.example @@ -40,7 +40,7 @@ plugins.security.roles_mapping_resolution: MAPPING_ONLY # Specify the default password for the admin user # Note: This setting is required for using the default admin user account -plugins.security.bootstrap.admin.password: +plugins.security.bootstrap.admin.password: test ############## REST Management API configuration settings ############## # Enable or disable role based access to the REST management API diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 3b83046332..9eae5cd6bf 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -292,6 +292,8 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath) if (settings.get(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD) == null) { throw new RuntimeException("A default admin password must be provided in the opensearch.yml file."); } + System.setProperty(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD, settings.get(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD)); + runAdminTool(); if (disabled) { this.sslCertReloadEnabled = false; 
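Review bot: The example now ships a working value, `plugins.security.bootstrap.admin.password: test`, and example files tend to be copied into place unchanged. That would bring back a publicly known admin password, which removing the fixed hash from internal_users.yml in PATCH 001 appears to be aimed at ending. Leave the value empty, or use a placeholder the plugin rejects, and say so in the comment, e.g. `# Must be set to a strong, unique value before first start`.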
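Review bot: `System.setProperty(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD, ...)` copies the cleartext admin password into the JVM-wide system properties, where any code in the process can read it and where it can end up in diagnostics that dump system properties. Nothing visible in this patch reads the property back, so the line looks removable; if the script needs the value, pass it through the child process's stdin. `runAdminTool()` is also invoked above `if (disabled) {`, so the script would run, and rewrite internal_users.yml, on every node start even with the plugin disabled. The constructor starts and ends outside the hunk.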
@@ -1927,6 +1929,46 @@ private static String handleKeyword(final String field) { return field; } + public static void runAdminTool() { + + System.out.println("Checking OS"); + boolean isWindows = (System.getProperty("os.name").toLowerCase().contains("win")); + // Specify the path to your shell script + String scriptPath = "../../../tools/admin_password_tool" + (isWindows ? ".bat" : ".sh"); + + System.out.println("Script path is " + scriptPath); + + try { + // Create a ProcessBuilder for the shell script + ProcessBuilder processBuilder = new ProcessBuilder(); + + if (isWindows) { + processBuilder.command("cmd.exe", "/c", scriptPath); + } else { + processBuilder.command("sh", scriptPath); + } + + System.out.println("Processor has command array of: " + Arrays.stream(processBuilder.command().toArray()).map(Object::toString).collect(Collectors.joining(" "))); + + // Start the process + Process process = processBuilder.start(); + System.out.println("Process started"); + + + // Wait for the process to complete + int exitCode = process.waitFor(); + + if (exitCode == 0) { + System.out.println("Shell script executed successfully."); + } else { + System.err.println("Shell script execution failed with exit code " + exitCode); + } + } catch (IOException | InterruptedException e) { + e.printStackTrace(); + } + } + + public static class GuiceHolder implements LifecycleComponent { private static RepositoriesService repositoriesService; diff --git a/tools/admin_password_tool.bat b/tools/admin_password_tool.bat new file mode 100644 index 0000000000..fc5ed11adb --- /dev/null +++ b/tools/admin_password_tool.bat 
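Review bot: `scriptPath` is the relative path `../../../tools/admin_password_tool`, which the child shell resolves against the JVM's working directory, so which file is executed at node start depends on where the process was launched from; it should be built from a known absolute installation directory. Failures are also invisible to the caller: a non-zero exit code or an exception is only printed, so start-up continues with whatever hash is already in internal_users.yml, and `InterruptedException` is caught without restoring the interrupt flag. The child's output is never read, which can block `waitFor()` once the pipe buffer fills, and the `System.out`/`printStackTrace` calls should go through the class's logger. A sketch of the failure handling follows; the path resolution is left out because the right base directory is not visible in this hunk.

```java
    // … unchanged: OS detection and scriptPath …
    final ProcessBuilder processBuilder = new ProcessBuilder();
    // … unchanged: command selection for cmd.exe / sh …
    processBuilder.inheritIO(); // do not leave the child's output pipes unread
    try {
        final int exitCode = processBuilder.start().waitFor();
        if (exitCode != 0) {
            throw new IllegalStateException("admin password tool exited with code " + exitCode);
        }
    } catch (IOException e) {
        throw new IllegalStateException("could not run admin password tool", e);
    } catch (InterruptedException e) {
        Thread.currentThread().interrupt(); // keep the interrupt visible to the caller
        throw new IllegalStateException("interrupted while running admin password tool", e);
    }
```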
@@ -0,0 +1,66 @@ +@echo off +setlocal enableDelayedExpansion +set "SCRIPT_DIR=%~dp0" + +set "CUR=%cd%" +cd %BASE_DIR% +set "BASE_DIR=%cd%\" +cd %CUR% +echo Basedir: %BASE_DIR% + +set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml" +set "INTERNAL_USERS_FILE"=%BASE_DIR%config\internal_users.yml" + +for /f "tokens=2 delims=: " %%a in ('findstr /r "plugins.security.bootstrap.admin.password:" "%OPENSEARCH_CONF_FILE%"') do ( + set "ADMIN_PASSWORD=%%a" +) + +REM If ADMIN_PASSWORD is empty, check the environment variable as a fallback +if not defined ADMIN_PASSWORD ( + if defined ENV_ADMIN_PASSWORD ( + set "ADMIN_PASSWORD=!ENV_ADMIN_PASSWORD!" + ) else ( + echo Admin password not found in %OPENSEARCH_CONF_FILE% and ENV_ADMIN_PASSWORD is not set. + exit /b 1 + ) +) + +set "salt=" +for /l %%i in (1,1,16) do ( + set /a "rand=!random! %% 16" + set "salt=!salt!!rand!" +) + +openssl passwd -bcrypt -salt !salt! "!ADMIN_PASSWORD!" > tmp_hash.txt + +set "HASHED_ADMIN_PASSWORD=" +for /f %%a in (tmp_hash.txt) do ( + set "HASHED_ADMIN_PASSWORD=%%a" +) + +del tmp_hash.txt + +for /f "tokens=1 delims=:" %%b in ('findstr /n "admin:" "%INTERNAL_USERS_FILE%"') do ( + set "ADMIN_HASH_LINE=%%b" +) + +(for /f "delims=" %%c in ('type "%INTERNAL_USERS_FILE%" ^| findstr /n "^"') do ( + set "line=%%c" + setlocal enabledelayedexpansion + echo(!line:%ADMIN_HASH_LINE%:=! | findstr "^" + endlocal +)) > tmp_internal_users.yml + +(for /f "delims=" %%d in ('type "tmp_internal_users.yml" ^| findstr /n "^"') do ( + set "line=%%d" + setlocal enabledelayedexpansion + if !line:^%ADMIN_HASH_LINE%^=! neq !line! ( + echo !line! + ) else ( + echo !line! + echo hash: "!HASHED_ADMIN_PASSWORD!" + ) + endlocal +)) > "%INTERNAL_USERS_FILE%" + +del tmp_internal_users.yml diff --git a/tools/admin_password_tool.sh b/tools/admin_password_tool.sh new file mode 100644 index 0000000000..d3c90804b6 --- /dev/null +++ b/tools/admin_password_tool.sh 
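Review bot: `cd %BASE_DIR%` runs before `BASE_DIR` has been assigned anywhere in this new file, while `SCRIPT_DIR=%~dp0` is computed and never used. With the variable empty, `cd` does not change directory, so `BASE_DIR` becomes the caller's current directory and the script edits whatever `config\internal_users.yml` sits beneath it. Deriving the base from the script's own location makes the target independent of the caller: `cd /d "%SCRIPT_DIR%..\..\.."` (depth chosen to match `BASE_DIR="$DIR/../../.."` in the .sh counterpart). The block from the salt loop onwards is a copy of the one added to install_demo_configuration.bat in PATCH 001 and has the same weaknesses: a non-cryptographic salt, the password on the command line, and the misplaced quote in `set "INTERNAL_USERS_FILE"=...`.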
@@ -0,0 +1,50 @@ +#!/bin/bash + +SCRIPT_PATH="${BASH_SOURCE[0]}" +if ! [ -x "$(command -v realpath)" ]; then + if [ -L "$SCRIPT_PATH" ]; then + + [ -x "$(command -v readlink)" ] || { echo "Not able to resolve symlink. Install realpath or readlink.";exit 1; } + + # try readlink (-f not needed because we know its a symlink) + DIR="$( cd "$( dirname $(readlink "$SCRIPT_PATH") )" && pwd -P)" + else + DIR="$( cd "$( dirname "$SCRIPT_PATH" )" && pwd -P)" + fi +else + DIR="$( cd "$( dirname "$(realpath "$SCRIPT_PATH")" )" && pwd -P)" +fi + +set -e +BASE_DIR="$DIR/../../.." +if [ -d "$BASE_DIR" ]; then + CUR="$(pwd)" + cd "$BASE_DIR" + BASE_DIR="$(pwd)" + cd "$CUR" + echo "Basedir: $BASE_DIR" +else + echo "DEBUG: basedir does not exist" +fi + +OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" +INTERNAL_USERS_FILE="$BASE_DIR/config/internal_users.yml" + +ADMIN_PASSWORD=$(grep -op 'plugins.security.bootstrap.admin.password:\s*\K.+' "$OPENSEARCH_CONF_FILE" | awk '{print $1}') + +if [ -z "$ADMIN_PASSWORD" ]; then + echo "Admin password not found in $OPENSEARCH_CONF_FILE and ENV_ADMIN_PASSWORD is not set." + exit 1 +fi + +salt=$(openssl rand -hex 8) + +# Generate the hash using OpenBSD-style Blowfish-based bcrypt +HASHED_ADMIN_PASSWORD=$(openssl passwd -bcrypt -salt $salt "$ADMIN_PASSWORD") + +# Clear the clearTextPassword variable +unset ADMIN_PASSWORD + +ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:) + +sed -i "${ADMIN_HASH_LINE}s/.*/ hash: \"$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE" From 4079fe8c1a0ce0acc52f4c26f6ec9de661d6467b Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 13 Sep 2023 17:00:38 -0400 Subject: [PATCH 003/108] swap to separate fie 
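Review bot: The lookup uses `grep -op`, whereas install_demo_configuration.sh uses `grep -oP`; `\K` needs the PCRE mode selected by upper-case `-P`, and lower-case `-p` is not a GNU grep option as far as I know. grep's failure is masked by the pipe into `awk`, so even with `set -e` the script falls through to the `-z` check and reports that the password was not found. That message still mentions `ENV_ADMIN_PASSWORD`, but this script has no such fallback. The password is again passed on the `openssl passwd` command line and `$salt` is unquoted; reading the password from stdin and writing `"$salt"` would be safer.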
Signed-off-by: Stephen Crawford --- config/admin_password.txt | 1 + tools/admin_password_tool.bat | 66 ---------------------------- tools/admin_password_tool.sh | 50 --------------------- tools/install_demo_configuration.bat | 11 +++-- tools/install_demo_configuration.sh | 5 ++- 5 files changed, 12 insertions(+), 121 deletions(-) create mode 100644 config/admin_password.txt delete mode 100644 tools/admin_password_tool.bat delete mode 100644 tools/admin_password_tool.sh diff --git a/config/admin_password.txt b/config/admin_password.txt new file mode 100644 index 0000000000..723744728b --- /dev/null +++ b/config/admin_password.txt @@ -0,0 +1 @@ +testPassword diff --git a/tools/admin_password_tool.bat b/tools/admin_password_tool.bat deleted file mode 100644 index fc5ed11adb..0000000000 --- a/tools/admin_password_tool.bat +++ /dev/null 
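Review bot: `config/admin_password.txt` is committed with the literal `testPassword`, and the install scripts in this patch read that file before consulting `ENV_ADMIN_PASSWORD`. Any distribution built from this tree would therefore carry a fixed, publicly known admin password unless the operator replaces the file. The file is better left out of the repository and created by the operator or by test setup, with the scripts failing when neither source is present. If a file-based secret is kept, the scripts should also check that it is not readable by other users.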
@@ -1,66 +0,0 @@ -@echo off -setlocal enableDelayedExpansion -set "SCRIPT_DIR=%~dp0" - -set "CUR=%cd%" -cd %BASE_DIR% -set "BASE_DIR=%cd%\" -cd %CUR% -echo Basedir: %BASE_DIR% - -set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml" -set "INTERNAL_USERS_FILE"=%BASE_DIR%config\internal_users.yml" - -for /f "tokens=2 delims=: " %%a in ('findstr /r "plugins.security.bootstrap.admin.password:" "%OPENSEARCH_CONF_FILE%"') do ( - set "ADMIN_PASSWORD=%%a" -) - -REM If ADMIN_PASSWORD is empty, check the environment variable as a fallback -if not defined ADMIN_PASSWORD ( - if defined ENV_ADMIN_PASSWORD ( - set "ADMIN_PASSWORD=!ENV_ADMIN_PASSWORD!" - ) else ( - echo Admin password not found in %OPENSEARCH_CONF_FILE% and ENV_ADMIN_PASSWORD is not set. - exit /b 1 - ) -) - -set "salt=" -for /l %%i in (1,1,16) do ( - set /a "rand=!random! %% 16" - set "salt=!salt!!rand!" -) - -openssl passwd -bcrypt -salt !salt! "!ADMIN_PASSWORD!" > tmp_hash.txt - -set "HASHED_ADMIN_PASSWORD=" -for /f %%a in (tmp_hash.txt) do ( - set "HASHED_ADMIN_PASSWORD=%%a" -) - -del tmp_hash.txt - -for /f "tokens=1 delims=:" %%b in ('findstr /n "admin:" "%INTERNAL_USERS_FILE%"') do ( - set "ADMIN_HASH_LINE=%%b" -) - -(for /f "delims=" %%c in ('type "%INTERNAL_USERS_FILE%" ^| findstr /n "^"') do ( - set "line=%%c" - setlocal enabledelayedexpansion - echo(!line:%ADMIN_HASH_LINE%:=! | findstr "^" - endlocal -)) > tmp_internal_users.yml - -(for /f "delims=" %%d in ('type "tmp_internal_users.yml" ^| findstr /n "^"') do ( - set "line=%%d" - setlocal enabledelayedexpansion - if !line:^%ADMIN_HASH_LINE%^=! neq !line! ( - echo !line! - ) else ( - echo !line! - echo hash: "!HASHED_ADMIN_PASSWORD!" - ) - endlocal -)) > "%INTERNAL_USERS_FILE%" - -del tmp_internal_users.yml diff --git a/tools/admin_password_tool.sh b/tools/admin_password_tool.sh deleted file mode 100644 index d3c90804b6..0000000000 --- a/tools/admin_password_tool.sh +++ /dev/null 
@@ -1,50 +0,0 @@ -#!/bin/bash - -SCRIPT_PATH="${BASH_SOURCE[0]}" -if ! [ -x "$(command -v realpath)" ]; then - if [ -L "$SCRIPT_PATH" ]; then - - [ -x "$(command -v readlink)" ] || { echo "Not able to resolve symlink. Install realpath or readlink.";exit 1; } - - # try readlink (-f not needed because we know its a symlink) - DIR="$( cd "$( dirname $(readlink "$SCRIPT_PATH") )" && pwd -P)" - else - DIR="$( cd "$( dirname "$SCRIPT_PATH" )" && pwd -P)" - fi -else - DIR="$( cd "$( dirname "$(realpath "$SCRIPT_PATH")" )" && pwd -P)" -fi - -set -e -BASE_DIR="$DIR/../../.." -if [ -d "$BASE_DIR" ]; then - CUR="$(pwd)" - cd "$BASE_DIR" - BASE_DIR="$(pwd)" - cd "$CUR" - echo "Basedir: $BASE_DIR" -else - echo "DEBUG: basedir does not exist" -fi - -OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" -INTERNAL_USERS_FILE="$BASE_DIR/config/internal_users.yml" - -ADMIN_PASSWORD=$(grep -op 'plugins.security.bootstrap.admin.password:\s*\K.+' "$OPENSEARCH_CONF_FILE" | awk '{print $1}') - -if [ -z "$ADMIN_PASSWORD" ]; then - echo "Admin password not found in $OPENSEARCH_CONF_FILE and ENV_ADMIN_PASSWORD is not set." - exit 1 -fi - -salt=$(openssl rand -hex 8) - -# Generate the hash using OpenBSD-style Blowfish-based bcrypt -HASHED_ADMIN_PASSWORD=$(openssl passwd -bcrypt -salt $salt "$ADMIN_PASSWORD") - -# Clear the clearTextPassword variable -unset ADMIN_PASSWORD - -ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:) - -sed -i "${ADMIN_HASH_LINE}s/.*/ hash: \"$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE" diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 8bb985102a..ea5f936e10 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
@@ -76,6 +76,7 @@ echo Basedir: %BASE_DIR% set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml" set "INTERNAL_USERS_FILE"=%BASE_DIR%config\internal_users.yml" +set "ADMIN_PASSWORD_FILE"=%BASE_DIR%config\admin_password.txt" set "OPENSEARCH_CONF_DIR=%BASE_DIR%config\" set "OPENSEARCH_BIN_DIR=%BASE_DIR%bin\" set "OPENSEARCH_PLUGINS_DIR=%BASE_DIR%plugins\" @@ -321,8 +322,12 @@ echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%" echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"] >> "%OPENSEARCH_CONF_FILE%" -for /f "tokens=2 delims=: " %%a in ('findstr /r "plugins.security.bootstrap.admin.password:" "%OPENSEARCH_CONF_FILE%"') do ( - set "ADMIN_PASSWORD=%%a" +REM Initialize the variable +set "ADMIN_PASSWORD=" + +REM Read the content of admin_password.txt into the ADMIN_PASSWORD variable +for /f "usebackq" %%i in ("%ADMIN_PASSWORD_FILE%") do ( + set "ADMIN_PASSWORD=%%i" ) REM If ADMIN_PASSWORD is empty, check the environment variable as a fallback 
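Review bot: `for /f "usebackq" %%i in ("%ADMIN_PASSWORD_FILE%")` uses the default tokenising, so only the text up to the first space or tab is kept and a line starting with `;` is skipped as a comment. A password containing a space would be silently shortened before hashing, leaving the operator with a credential that does not match what they wrote. `for /f "usebackq delims=" %%i in ("%ADMIN_PASSWORD_FILE%") do (` keeps the whole line. The loop also keeps the last line of the file rather than the first, and `ADMIN_PASSWORD_FILE` is set earlier in this patch with the misplaced-quote form `set "ADMIN_PASSWORD_FILE"=...`, so the path is probably empty here.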
@@ -330,7 +335,7 @@ if not defined ADMIN_PASSWORD ( if defined ENV_ADMIN_PASSWORD ( set "ADMIN_PASSWORD=!ENV_ADMIN_PASSWORD!" ) else ( - echo Admin password not found in %OPENSEARCH_CONF_FILE% and ENV_ADMIN_PASSWORD is not set. + echo Unable to find admin password for cluster, please run "set ENV_ADMIN_PASSWORD=" or create a file {OPENSEARCH_ROOT}\admin_password.txt with a single line that contains the password followed by a newline. exit /b 1 ) ) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 28fe60f8fd..7d5a24c855 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -110,6 +110,7 @@ else fi OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" INTERNAL_USERS_FILE = "$BASE_DIR/config/internal_users.yml" +ADMIN_PASSWORD_FILE="$BASE_DIR/config/admin_password.txt" OPENSEARCH_BIN_DIR="$BASE_DIR/bin" OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins" OPENSEARCH_MODULES_DIR="$BASE_DIR/modules" 
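Review bot: The new message tells the operator to create `{OPENSEARCH_ROOT}\admin_password.txt`, but the script reads `%BASE_DIR%config\admin_password.txt`. Someone following the message would put the file where the script never looks and hit the same error again. The message should name the path actually used, for example by printing `%ADMIN_PASSWORD_FILE%` once that variable is assigned correctly. The .sh variant of this message in the same patch has the same mismatch.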
@@ -388,13 +389,13 @@ echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_ echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -ADMIN_PASSWORD=$(grep -oP 'plugins.security.bootstrap.admin.password:\s*\K.+' "$OPENSEARCH_CONF_FILE" | awk '{print $1}' +ADMIN_PASSWORD=$(cat "$ADMIN_PASSWORD_FILE") if [ -z "$ADMIN_PASSWORD" ]; then if [ -n "$ENV_ADMIN_PASSWORD" ]; then ADMIN_PASSWORD="$ENV_ADMIN_PASSWORD" else - echo "Admin password not found in $OPENSEARCH_YML_PATH and ENV_ADMIN_PASSWORD is not set." + echo "Unable to find admin password for cluster, please run `export ENV_ADMIN_PASSWORD=>` or create a file {OPENSEARCH_ROOT}/admin_password.txt with a single line that contains the password followed by a newline" exit 1 fi fi From d0b26edc7559e6438903066cda13ada5aa9cbbb0 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 13 Sep 2023 17:02:31 -0400 Subject: [PATCH 004/108] reset sec plugin.java Signed-off-by: Stephen Crawford --- config/opensearch.yml.example | 4 -- .../security/OpenSearchSecurityPlugin.java | 50 ------------------- 2 files changed, 54 deletions(-) 
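Review bot: The new error text is a double-quoted string that wraps `export ENV_ADMIN_PASSWORD=>` in backticks, so the shell treats that part as a command substitution and tries to run it instead of printing it. Put the message in single quotes or drop the backticks. The message also points to `{OPENSEARCH_ROOT}/admin_password.txt` while the script reads `$BASE_DIR/config/admin_password.txt`. `ADMIN_PASSWORD=$(cat "$ADMIN_PASSWORD_FILE")` lets the file take precedence over the environment variable and prints a `cat` error when the file is absent; a guard such as `[ -r "$ADMIN_PASSWORD_FILE" ] && ADMIN_PASSWORD=$(cat "$ADMIN_PASSWORD_FILE")` keeps the fallback path quiet.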
diff --git a/config/opensearch.yml.example b/config/opensearch.yml.example index 447e0d1f67..3b4df645de 100644 --- a/config/opensearch.yml.example +++ b/config/opensearch.yml.example @@ -38,10 +38,6 @@ plugins.security.authcz.admin_dn: # BOTH - backend roles are mapped to Security roles mapped directly and via roles_mapping.yml in addition plugins.security.roles_mapping_resolution: MAPPING_ONLY -# Specify the default password for the admin user -# Note: This setting is required for using the default admin user account -plugins.security.bootstrap.admin.password: test - ############## REST Management API configuration settings ############## # Enable or disable role based access to the REST management API # Default is that no role is allowed to access the REST management API. diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 9eae5cd6bf..8b1e307172 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -289,12 +289,6 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath) transportPassiveAuthSetting = new TransportPassiveAuthSetting(settings); - if (settings.get(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD) == null) { - throw new RuntimeException("A default admin password must be provided in the opensearch.yml file."); - } - System.setProperty(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD, settings.get(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD)); - runAdminTool(); - if (disabled) { this.sslCertReloadEnabled = false; log.warn( 
@@ -1211,10 +1205,6 @@ public List> getSettings() { ) ); // not filtered here - settings.add( - Setting.simpleString(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD, Property.NodeScope, Property.Filtered) - ); - settings.add(Setting.simpleString(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, Property.NodeScope, Property.Filtered)); settings.add(Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN + ".", Property.NodeScope)); // not filtered // here @@ -1929,46 +1919,6 @@ private static String handleKeyword(final String field) { return field; } - public static void runAdminTool() { - - System.out.println("Checking OS"); - boolean isWindows = (System.getProperty("os.name").toLowerCase().contains("win")); - // Specify the path to your shell script - String scriptPath = "../../../tools/admin_password_tool" + (isWindows ? ".bat" : ".sh"); - - System.out.println("Script path is " + scriptPath); - - try { - // Create a ProcessBuilder for the shell script - ProcessBuilder processBuilder = new ProcessBuilder(); - - if (isWindows) { - processBuilder.command("cmd.exe", "/c", scriptPath); - } else { - processBuilder.command("sh", scriptPath); - } - - System.out.println("Processor has command array of: " + Arrays.stream(processBuilder.command().toArray()).map(Object::toString).collect(Collectors.joining(" "))); - - // Start the process - Process process = processBuilder.start(); - System.out.println("Process started"); - - - // Wait for the process to complete - int exitCode = process.waitFor(); - - if (exitCode == 0) { - System.out.println("Shell script executed successfully."); - } else { - System.err.println("Shell script execution failed with exit code " + exitCode); - } - } catch (IOException | InterruptedException e) { - e.printStackTrace(); - } - } - - public static class GuiceHolder implements LifecycleComponent { private static RepositoriesService repositoriesService; From a2dd667fb64a16f6e75991df80f88b64ee70aa57 Mon Sep 17 00:00:00 2001 
From: Stephen Crawford Date: Wed, 13 Sep 2023 17:03:34 -0400 Subject: [PATCH 005/108] Reset config constants Signed-off-by: Stephen Crawford --- .../java/org/opensearch/security/support/ConfigConstants.java | 1 - 1 file changed, 1 deletion(-) diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java index 9cf120136c..8317d65335 100644 --- a/src/main/java/org/opensearch/security/support/ConfigConstants.java +++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java @@ -139,7 +139,6 @@ public class ConfigConstants { public static final String SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "plugins.security.cert.intercluster_request_evaluator_class"; public static final String OPENDISTRO_SECURITY_ACTION_NAME = OPENDISTRO_SECURITY_CONFIG_PREFIX + "action_name"; - public static final String SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD = "plugins.security.bootstrap.admin.password"; public static final String SECURITY_AUTHCZ_ADMIN_DN = "plugins.security.authcz.admin_dn"; public static final String SECURITY_CONFIG_INDEX_NAME = "plugins.security.config_index_name"; public static final String SECURITY_AUTHCZ_IMPERSONATION_DN = "plugins.security.authcz.impersonation_dn"; From bba2e5fc3bd2d924a368f050ce3f4c300b83acbf Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 12:01:17 -0400 Subject: [PATCH 006/108] update hash function Signed-off-by: Stephen Crawford --- config/admin_password.txt | 1 - config/internal_users.yml | 2 +- tools/install_demo_configuration.bat | 79 +++++++++++----------------- tools/install_demo_configuration.sh | 27 ++++++---- 4 files changed, 48 insertions(+), 61 deletions(-) delete mode 100644 config/admin_password.txt diff --git a/config/admin_password.txt b/config/admin_password.txt deleted file mode 100644 index 723744728b..0000000000 --- a/config/admin_password.txt +++ /dev/null @@ -1 +0,0 @@ -testPassword 
diff --git a/config/internal_users.yml b/config/internal_users.yml index c2eb61354a..f4d31e52c6 100644 --- a/config/internal_users.yml +++ b/config/internal_users.yml @@ -11,7 +11,7 @@ _meta: ## Demo users admin: - hash: + hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" reserved: true backend_roles: - "admin" diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index ea5f936e10..6964787840 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
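Review bot: Restoring the fixed bcrypt value on the `hash:` line under `admin:` means the shipped file again carries a credential that is identical in every checkout, for an entry marked `reserved: true`. Any setup that uses this file without the installer successfully rewriting that line keeps a publicly known admin hash; whether other code paths load the file unmodified cannot be seen from this hunk. If the installer is meant to be the only source of the admin hash, a comment above the entry such as `# placeholder hash: replaced by the demo installer, do not deploy as-is` would make that dependency explicit, and the installer should refuse to finish when this value is still present afterwards.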
@@ -321,65 +321,46 @@ echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_a echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%" echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"] >> "%OPENSEARCH_CONF_FILE%" +setlocal enabledelayedexpansion +:: Read the admin password from the file or use the initialAdminPassword if set +for /f %%a in ('type "%ADMIN_PASSWORD_FILE%"') do set "ADMIN_PASSWORD=%%a" -REM Initialize the variable -set "ADMIN_PASSWORD=" - -REM Read the content of admin_password.txt into the ADMIN_PASSWORD variable -for /f "usebackq" %%i in ("%ADMIN_PASSWORD_FILE%") do ( - set "ADMIN_PASSWORD=%%i" -) - -REM If ADMIN_PASSWORD is empty, check the environment variable as a fallback if not defined ADMIN_PASSWORD ( - if defined ENV_ADMIN_PASSWORD ( - set "ADMIN_PASSWORD=!ENV_ADMIN_PASSWORD!" - ) else ( - echo Unable to find admin password for cluster, please run "set ENV_ADMIN_PASSWORD=" or create a file {OPENSEARCH_ROOT}\admin_password.txt with a single line that contains the password followed by a newline. - exit /b 1 - ) -) - - -set "salt=" -for /l %%i in (1,1,16) do ( - set /a "rand=!random! %% 16" - set "salt=!salt!!rand!" + if defined initialAdminPassword ( + set "ADMIN_PASSWORD=!initialAdminPassword!" 
+ ) else ( + echo Unable to find the admin password for the cluster. Please set initialAdminPassword or create a file {OPENSEARCH_ROOT}\secret\initialAdminPassword.txt with a single line that contains the password. + exit /b 1 + ) ) -openssl passwd -bcrypt -salt !salt! "!ADMIN_PASSWORD!" > tmp_hash.txt +:: Use the Hasher script to hash the admin password +for /f %%b in ('hash.bat -p "!ADMIN_PASSWORD!"') do set "HASHED_ADMIN_PASSWORD=%%b" -set "HASHED_ADMIN_PASSWORD=" -for /f %%a in (tmp_hash.txt) do ( - set "HASHED_ADMIN_PASSWORD=%%a" +if not defined HASHED_ADMIN_PASSWORD ( + echo Failed to hash the admin password + exit /b 1 ) -del tmp_hash.txt - -for /f "tokens=1 delims=:" %%b in ('findstr /n "admin:" "%INTERNAL_USERS_FILE%"') do ( - set "ADMIN_HASH_LINE=%%b" -) +:: Clear the ADMIN_PASSWORD variable +set "ADMIN_PASSWORD=" -(for /f "delims=" %%c in ('type "%INTERNAL_USERS_FILE%" ^| findstr /n "^"') do ( - set "line=%%c" - setlocal enabledelayedexpansion - echo(!line:%ADMIN_HASH_LINE%:=! | findstr "^" - endlocal -)) > tmp_internal_users.yml +:: Find the line number containing 'admin:' in the internal_users.yml file +for /f "tokens=1 delims=:" %%c in ('findstr /n "admin:" "%INTERNAL_USERS_FILE%"') do set "ADMIN_HASH_LINE=%%c" -(for /f "delims=" %%d in ('type "tmp_internal_users.yml" ^| findstr /n "^"') do ( +:: Use sed-like functionality to replace the hashed password in the internal_users.yml file +setlocal disabledelayedexpansion +( + for /f "tokens=*" %%d in ('type "%INTERNAL_USERS_FILE%"') do ( set "line=%%d" - setlocal enabledelayedexpansion - if !line:^%ADMIN_HASH_LINE%^=! neq !line! ( - echo !line! - ) else ( - echo !line! - echo hash: "!HASHED_ADMIN_PASSWORD!" - ) - endlocal -)) > "%INTERNAL_USERS_FILE%" - -del tmp_internal_users.yml + if %%c==1 ( + echo admin: + echo( hash: "!HASHED_ADMIN_PASSWORD!" + ) else echo !line! 
+ set /a "c+=1" + ) +) > "%INTERNAL_USERS_FILE%.tmp" +move /y "%INTERNAL_USERS_FILE%.tmp" "%INTERNAL_USERS_FILE%" :: network.host >nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && ( diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 7d5a24c855..893bf2c1d4 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -110,7 +110,7 @@ else fi OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" INTERNAL_USERS_FILE = "$BASE_DIR/config/internal_users.yml" -ADMIN_PASSWORD_FILE="$BASE_DIR/config/admin_password.txt" +ADMIN_PASSWORD_FILE="$BASE_DIR/secret/initialAdminPassword.txt" OPENSEARCH_BIN_DIR="$BASE_DIR/bin" OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins" OPENSEARCH_MODULES_DIR="$BASE_DIR/modules" 
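Review bot: The rewrite loop at the end of this hunk cannot produce a valid internal_users.yml as written: it runs after `setlocal disabledelayedexpansion`, so `!line!` and `!HASHED_ADMIN_PASSWORD!` are echoed literally, and `if %%c==1` refers to the variable of the earlier `findstr` loop, which is not in scope inside the `%%d` loop. The computed `ADMIN_HASH_LINE` is never used, and `set /a "c+=1"` updates an unrelated variable. Because `move /y` then replaces the real file unconditionally, a failed rewrite overwrites the existing user database; keep delayed expansion enabled for the loop, compare a dedicated line counter against `!ADMIN_HASH_LINE!`, and only move the temp file into place after checking that it contains the new hash. `for /f %%a in ('type "%ADMIN_PASSWORD_FILE%"')` also splits on whitespace, so a password containing a space is truncated unless `"usebackq delims="` style options are used, and `hash.bat -p "!ADMIN_PASSWORD!"` passes the cleartext on the command line.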
@@ -389,28 +389,35 @@ echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_ echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -ADMIN_PASSWORD=$(cat "$ADMIN_PASSWORD_FILE") +# Read the admin password from the file or use the initialAdminPassword if set +ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE") if [ -z "$ADMIN_PASSWORD" ]; then - if [ -n "$ENV_ADMIN_PASSWORD" ]; then - ADMIN_PASSWORD="$ENV_ADMIN_PASSWORD" + if [ -n "$initialAdminPassword" ]; then + ADMIN_PASSWORD="$initialAdminPassword" else - echo "Unable to find admin password for cluster, please run `export ENV_ADMIN_PASSWORD=>` or create a file {OPENSEARCH_ROOT}/admin_password.txt with a single line that contains the password followed by a newline" + echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file {OPENSEARCH_ROOT}/secret/initialAdminPassword.txt with a single line that contains the password." 
exit 1 fi fi -salt=$(openssl rand -hex 8) +# Use the Hasher script to hash the admin password +HASHED_ADMIN_PASSWORD=$(./hash.sh -p "$ADMIN_PASSWORD") -# Generate the hash using OpenBSD-style Blowfish-based bcrypt -HASHED_ADMIN_PASSWORD=$(openssl passwd -bcrypt -salt $salt "$ADMIN_PASSWORD") +if [ $? -ne 0 ]; then + echo "Failed to hash the admin password" + exit 1 +fi -# Clear the clearTextPassword variable +# Clear the ADMIN_PASSWORD variable unset ADMIN_PASSWORD +# Find the line number containing 'admin:' in the internal_users.yml file ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:) -sed -i "${ADMIN_HASH_LINE}s/.*/ hash: \"$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE" +# Use sed to replace the hashed password in the internal_users.yml file +sed -i "${ADMIN_HASH_LINE}s/.*/admin:\n hash: \"$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE" + #network.host if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then From 0a1403f78b0a0b35acc9706aa2d925be667bc0ea Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 12:13:17 -0400 Subject: [PATCH 007/108] remove space Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 893bf2c1d4..8906d47ab5 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -109,7 +109,7 @@ else echo "DEBUG: basedir does not exist" fi OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" -INTERNAL_USERS_FILE = "$BASE_DIR/config/internal_users.yml" +INTERNAL_USERS_FILE="$BASE_DIR/config/internal_users.yml" ADMIN_PASSWORD_FILE="$BASE_DIR/secret/initialAdminPassword.txt" OPENSEARCH_BIN_DIR="$BASE_DIR/bin" OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins" From 18c63f01fe67cc29d8e07c0372dd217efce00673 Mon Sep 17 00:00:00 2001 
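Review bot: The final `sed` builds its `s/…/…/` expression from `$HASHED_ADMIN_PASSWORD`, and bcrypt output can contain `/` (the hash restored in config/internal_users.yml in this same commit does), which ends the replacement early and makes sed fail. It also replaces the `admin:` line with `admin:` plus a new `hash:` line while the existing `hash:` line below it stays, leaving two `hash` keys in the entry, so which value the YAML loader keeps is not guaranteed to be the new one. Targeting the existing hash line with a delimiter outside the bcrypt alphabet avoids both, e.g. `sed -i "$((ADMIN_HASH_LINE + 1))s|.*|  hash: \"$HASHED_ADMIN_PASSWORD\"|" "$INTERNAL_USERS_FILE"`, after confirming that `ADMIN_HASH_LINE` is a single number, since `grep -n 'admin:'` can match more than one line. `./hash.sh -p "$ADMIN_PASSWORD"` additionally exposes the cleartext in the process list and resolves relative to the caller's working directory; the surrounding script continues outside the hunk.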
From: Stephen Crawford Date: Wed, 20 Sep 2023 12:41:25 -0400 Subject: [PATCH 008/108] Fix plugin install Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 5 ++++- config/secret/initialAdminPassword.txt | 0 tools/install_demo_configuration.bat | 2 +- tools/install_demo_configuration.sh | 2 +- 4 files changed, 6 insertions(+), 3 deletions(-) create mode 100644 config/secret/initialAdminPassword.txt diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 5bfce0248b..b68f0b5c37 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -36,6 +36,9 @@ jobs: run: mv ./build/distributions/${{ env.PLUGIN_NAME }}-*.zip ${{ env.PLUGIN_NAME }}.zip shell: bash + - name: Populate password file + run: echo "installPassword" > ./config/secret/initialAdminPassword + - name: Create Setup Script if: ${{ runner.os == 'Linux' }} run: | @@ -62,4 +65,4 @@ jobs: uses: gradle/gradle-build-action@v2 with: cache-disabled: true - arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=admin + arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=installPassword diff --git a/config/secret/initialAdminPassword.txt b/config/secret/initialAdminPassword.txt new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 6964787840..dfb7c101dd 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
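Review bot: The `Populate password file` step writes `./config/secret/initialAdminPassword`, while both installer scripts changed in this commit read a file named `initialAdminPassword.txt` under `config/secret`, so the file the step creates is not the one the installer opens. The step also writes relative to the checkout, whereas the scripts resolve the path under their own base directory; whether those coincide is not visible here. Use the same name, `run: echo "installPassword" > ./config/secret/initialAdminPassword.txt`, and take the value used here and in `-Dpassword=installPassword` in the second hunk from one workflow `env` entry so the two literals cannot drift apart.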
@@ -76,7 +76,7 @@ echo Basedir: %BASE_DIR% set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml" set "INTERNAL_USERS_FILE"=%BASE_DIR%config\internal_users.yml" -set "ADMIN_PASSWORD_FILE"=%BASE_DIR%config\admin_password.txt" +set "ADMIN_PASSWORD_FILE"=%BASE_DIR%config\secret\initialAdminPassword.txt" set "OPENSEARCH_CONF_DIR=%BASE_DIR%config\" set "OPENSEARCH_BIN_DIR=%BASE_DIR%bin\" set "OPENSEARCH_PLUGINS_DIR=%BASE_DIR%plugins\" diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 8906d47ab5..2a8b863134 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -110,7 +110,7 @@ else fi OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" INTERNAL_USERS_FILE="$BASE_DIR/config/internal_users.yml" -ADMIN_PASSWORD_FILE="$BASE_DIR/secret/initialAdminPassword.txt" +ADMIN_PASSWORD_FILE="$BASE_DIR/config/secret/initialAdminPassword.txt" OPENSEARCH_BIN_DIR="$BASE_DIR/bin" OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins" OPENSEARCH_MODULES_DIR="$BASE_DIR/modules" From e1c23cc0d0e73a14a08a42611c62f7095aefd9d5 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 12:49:25 -0400 Subject: [PATCH 009/108] move dir out of config Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 2 +- {config/secret => secret}/initialAdminPassword.txt | 0 tools/install_demo_configuration.bat | 2 +- tools/install_demo_configuration.sh | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) rename {config/secret => secret}/initialAdminPassword.txt (100%) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index b68f0b5c37..af0ea8dbb9 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
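Review bot: The changed line `set "ADMIN_PASSWORD_FILE"=%BASE_DIR%config\secret\initialAdminPassword.txt"` closes the quote before `=`, unlike `set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml"` just above it, so cmd most likely does not define a variable named `ADMIN_PASSWORD_FILE` and the later `type "%ADMIN_PASSWORD_FILE%"` reads an empty path. Write it as `set "ADMIN_PASSWORD_FILE=%BASE_DIR%config\secret\initialAdminPassword.txt"`; the context line for `INTERNAL_USERS_FILE` has the same quoting and needs the same correction. The line is carried with this quoting into the .bat hunks of patches 009 and 010, which additionally insert a `\` after `%BASE_DIR%` although the neighbouring lines treat `%BASE_DIR%` as already ending in a separator.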
@@ -37,7 +37,7 @@ jobs: shell: bash - name: Populate password file - run: echo "installPassword" > ./config/secret/initialAdminPassword + run: echo "installPassword" > ./secret/initialAdminPassword - name: Create Setup Script if: ${{ runner.os == 'Linux' }} diff --git a/config/secret/initialAdminPassword.txt b/secret/initialAdminPassword.txt similarity index 100% rename from config/secret/initialAdminPassword.txt rename to secret/initialAdminPassword.txt diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index dfb7c101dd..0ba142dd38 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -76,7 +76,7 @@ echo Basedir: %BASE_DIR% set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml" set "INTERNAL_USERS_FILE"=%BASE_DIR%config\internal_users.yml" -set "ADMIN_PASSWORD_FILE"=%BASE_DIR%config\secret\initialAdminPassword.txt" +set "ADMIN_PASSWORD_FILE"=%BASE_DIR%\secret\initialAdminPassword.txt" set "OPENSEARCH_CONF_DIR=%BASE_DIR%config\" set "OPENSEARCH_BIN_DIR=%BASE_DIR%bin\" set "OPENSEARCH_PLUGINS_DIR=%BASE_DIR%plugins\" diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 2a8b863134..8906d47ab5 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -110,7 +110,7 @@ else fi OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" INTERNAL_USERS_FILE="$BASE_DIR/config/internal_users.yml" -ADMIN_PASSWORD_FILE="$BASE_DIR/config/secret/initialAdminPassword.txt" +ADMIN_PASSWORD_FILE="$BASE_DIR/secret/initialAdminPassword.txt" OPENSEARCH_BIN_DIR="$BASE_DIR/bin" OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins" OPENSEARCH_MODULES_DIR="$BASE_DIR/modules" From 13759965cd3e9c848d241e7f3ce5a39e3f5f43ea Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 12:52:46 -0400 Subject: [PATCH 010/108] move file 
Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 2 +- {secret => config}/initialAdminPassword.txt | 0 tools/install_demo_configuration.bat | 2 +- tools/install_demo_configuration.sh | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) rename {secret => config}/initialAdminPassword.txt (100%) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index af0ea8dbb9..736dc6af3d 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -37,7 +37,7 @@ jobs: shell: bash - name: Populate password file - run: echo "installPassword" > ./secret/initialAdminPassword + run: echo "installPassword" > ./config/initialAdminPassword.txt - name: Create Setup Script if: ${{ runner.os == 'Linux' }} diff --git a/secret/initialAdminPassword.txt b/config/initialAdminPassword.txt similarity index 100% rename from secret/initialAdminPassword.txt rename to config/initialAdminPassword.txt diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 0ba142dd38..5494f19e0a 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -76,7 +76,7 @@ echo Basedir: %BASE_DIR% set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml" set "INTERNAL_USERS_FILE"=%BASE_DIR%config\internal_users.yml" -set "ADMIN_PASSWORD_FILE"=%BASE_DIR%\secret\initialAdminPassword.txt" +set "ADMIN_PASSWORD_FILE"=%BASE_DIR%\config\initialAdminPassword.txt" set "OPENSEARCH_CONF_DIR=%BASE_DIR%config\" set "OPENSEARCH_BIN_DIR=%BASE_DIR%bin\" set "OPENSEARCH_PLUGINS_DIR=%BASE_DIR%plugins\" diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 8906d47ab5..00f28d6368 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh 
@@ -110,7 +110,7 @@ else fi OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" INTERNAL_USERS_FILE="$BASE_DIR/config/internal_users.yml" -ADMIN_PASSWORD_FILE="$BASE_DIR/secret/initialAdminPassword.txt" +ADMIN_PASSWORD_FILE="$BASE_DIR/config/initialAdminPassword.txt" OPENSEARCH_BIN_DIR="$BASE_DIR/bin" OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins" OPENSEARCH_MODULES_DIR="$BASE_DIR/modules" From fcabdd7ef5973ce97d16deb853b29539c4b304c4 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 13:10:31 -0400 Subject: [PATCH 011/108] try path Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 2 +- tools/install_demo_configuration.bat | 2 +- tools/install_demo_configuration.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 736dc6af3d..56faf19df5 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -37,7 +37,7 @@ jobs: shell: bash - name: Populate password file - run: echo "installPassword" > ./config/initialAdminPassword.txt + run: echo "installPassword" > /config/initialAdminPassword.txt - name: Create Setup Script if: ${{ runner.os == 'Linux' }} diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 5494f19e0a..3232dfac6b 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
@@ -329,7 +329,7 @@ if not defined ADMIN_PASSWORD ( if defined initialAdminPassword ( set "ADMIN_PASSWORD=!initialAdminPassword!" ) else ( - echo Unable to find the admin password for the cluster. Please set initialAdminPassword or create a file {OPENSEARCH_ROOT}\secret\initialAdminPassword.txt with a single line that contains the password. + echo Unable to find the admin password for the cluster. Please set initialAdminPassword or create a file {OPENSEARCH_ROOT}\config\initialAdminPassword.txt with a single line that contains the password. exit /b 1 ) ) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 00f28d6368..e90b39eab2 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -396,7 +396,7 @@ if [ -z "$ADMIN_PASSWORD" ]; then if [ -n "$initialAdminPassword" ]; then ADMIN_PASSWORD="$initialAdminPassword" else - echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file {OPENSEARCH_ROOT}/secret/initialAdminPassword.txt with a single line that contains the password." + echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file {OPENSEARCH_ROOT}/config/initialAdminPassword.txt with a single line that contains the password." exit 1 fi fi From c42e2a1348ceef0e6cf473d3b2a7789e6a4b2c5e Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 13:14:23 -0400 Subject: [PATCH 012/108] try path Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 56faf19df5..90bb583f4b 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -37,7 +37,7 @@ jobs: shell: bash - name: Populate password file - run: echo "installPassword" > /config/initialAdminPassword.txt + run: echo "installPassword" > ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/config/initialAdminPassword.txt - name: Create Setup Script if: ${{ runner.os == 'Linux' }} From 96c06a66232bb65aa9ca15b1f1474729662298d0 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 13:53:49 -0400 Subject: [PATCH 013/108] List files Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 90bb583f4b..473eb6c56b 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -37,7 +37,9 @@ jobs: shell: bash - name: Populate password file - run: echo "installPassword" > ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/config/initialAdminPassword.txt + run: | + ls + echo "installPassword" > ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/config/initialAdminPassword.txt - name: Create Setup Script if: ${{ runner.os == 'Linux' }} From bbb9579a614d5197f9006744bdd070c522fa921b Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 13:56:58 -0400 Subject: [PATCH 014/108] View dir Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 473eb6c56b..d89bd853e2 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -39,7 +39,10 @@ jobs: - name: Populate password file run: | ls - echo "installPassword" > ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/config/initialAdminPassword.txt + echo "installPassword" > ./config/initialAdminPassword.txt + cd config + ls + cd .. - name: Create Setup Script if: ${{ runner.os == 'Linux' }} From e00a64b0c1ec1006f790d25a8314ee0b308b629a Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 14:02:59 -0400 Subject: [PATCH 015/108] fix paths Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index e90b39eab2..ba574422b2 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -108,12 +108,13 @@ if [ -d "$BASE_DIR" ]; then else echo "DEBUG: basedir does not exist" fi + OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" -INTERNAL_USERS_FILE="$BASE_DIR/config/internal_users.yml" -ADMIN_PASSWORD_FILE="$BASE_DIR/config/initialAdminPassword.txt" OPENSEARCH_BIN_DIR="$BASE_DIR/bin" OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins" OPENSEARCH_MODULES_DIR="$BASE_DIR/modules" +INTERNAL_USERS_FILE="$OPENSEARCH_PLUGINS_DIR/security/config/internal_users.yml" +ADMIN_PASSWORD_FILE="$OPENSEARCH_PLUGINS_DIR/security/config/initialAdminPassword.txt" OPENSEARCH_LIB_PATH="$BASE_DIR/lib" SUDO_CMD="" OPENSEARCH_INSTALL_TYPE=".tar.gz" From 1261c3faf0981ac34b426b4b393eca9c250b9567 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 14:06:16 -0400 Subject: [PATCH 016/108] Print dir Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 7 +------ tools/install_demo_configuration.sh | 3 +++ 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index d89bd853e2..736dc6af3d 100644 
--- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -37,12 +37,7 @@ jobs: shell: bash - name: Populate password file - run: | - ls - echo "installPassword" > ./config/initialAdminPassword.txt - cd config - ls - cd .. + run: echo "installPassword" > ./config/initialAdminPassword.txt - name: Create Setup Script if: ${{ runner.os == 'Linux' }} diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index ba574422b2..2978176db2 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -391,6 +391,9 @@ echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSE echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null # Read the admin password from the file or use the initialAdminPassword if set +echo "Security config dir has" +ls $OPENSEARCH_PLUGINS_DIR/security/config + ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE") if [ -z "$ADMIN_PASSWORD" ]; then From e7c23d690de672dbc809c6b6b38a5ec52e9a01f6 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 14:10:15 -0400 Subject: [PATCH 017/108] Try again 
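Review bot: The added `ls $OPENSEARCH_PLUGINS_DIR/security/config` in the installer hunk is diagnostic output left in a script that end users run, and it expands the variable unquoted, so an install path containing spaces splits into several arguments. The new lines also sit between the comment `# Read the admin password from the file or use the initialAdminPassword if set` and the `head -n 1` call it describes, which makes the comment misleading. Drop the listing before merge, or at minimum quote it as `ls "$OPENSEARCH_PLUGINS_DIR/security/config"` and move it above the comment. The `ls` lines added or changed by patches 017, 018 and 019 in this series have the same issue.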
Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 2978176db2..3c1bc744e7 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -113,8 +113,8 @@ OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" OPENSEARCH_BIN_DIR="$BASE_DIR/bin" OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins" OPENSEARCH_MODULES_DIR="$BASE_DIR/modules" -INTERNAL_USERS_FILE="$OPENSEARCH_PLUGINS_DIR/security/config/internal_users.yml" -ADMIN_PASSWORD_FILE="$OPENSEARCH_PLUGINS_DIR/security/config/initialAdminPassword.txt" +INTERNAL_USERS_FILE="$OPENSEARCH_PLUGINS_DIR/opensearch-security/config/internal_users.yml" +ADMIN_PASSWORD_FILE="$OPENSEARCH_PLUGINS_DIR/opensearch-security/config/initialAdminPassword.txt" OPENSEARCH_LIB_PATH="$BASE_DIR/lib" SUDO_CMD="" OPENSEARCH_INSTALL_TYPE=".tar.gz" 
@@ -391,6 +391,8 @@ echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSE echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null # Read the admin password from the file or use the initialAdminPassword if set +echo "Plugins dir has" +ls $OPENSEARCH_PLUGINS_DIR echo "Security config dir has" ls $OPENSEARCH_PLUGINS_DIR/security/config From a44f07328610f6ab6bcfcbdab957f52307eee793 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 14:13:08 -0400 Subject: [PATCH 018/108] Retry Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 3c1bc744e7..69bab3d775 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -394,7 +394,7 @@ echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins- echo "Plugins dir has" ls $OPENSEARCH_PLUGINS_DIR echo "Security config dir has" -ls $OPENSEARCH_PLUGINS_DIR/security/config +ls $OPENSEARCH_PLUGINS_DIR/opensearch-security/config ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE") From 0a349dff9a517ac0bb6174d64324959696c1f4d1 Mon Sep 17 00:00:00 2001 
From: Stephen Crawford Date: Wed, 20 Sep 2023 14:15:28 -0400 Subject: [PATCH 019/108] print out sec dirr Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 69bab3d775..166ef6fa5c 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -393,8 +393,8 @@ echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins- # Read the admin password from the file or use the initialAdminPassword if set echo "Plugins dir has" ls $OPENSEARCH_PLUGINS_DIR -echo "Security config dir has" -ls $OPENSEARCH_PLUGINS_DIR/opensearch-security/config +echo "Security dir has" +ls $OPENSEARCH_PLUGINS_DIR/opensearch-security ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE") From d29e8058a5730fa2146620fdefa5ca0cb0916917 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 14:19:35 -0400 Subject: [PATCH 020/108] print out sec dirr Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 166ef6fa5c..1856935286 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh 
@@ -391,6 +391,8 @@ echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSE echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null # Read the admin password from the file or use the initialAdminPassword if set +echo "Config dir has" +ls $OPENSEARCH_CONF_DIR echo "Plugins dir has" ls $OPENSEARCH_PLUGINS_DIR echo "Security dir has" From 976c8abeb00b217e9059f0084ce2df1c58adab93 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 14:23:07 -0400 Subject: [PATCH 021/108] print out sec dir in config Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 1856935286..98abfe756c 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh 
@@ -113,8 +113,8 @@ OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" OPENSEARCH_BIN_DIR="$BASE_DIR/bin" OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins" OPENSEARCH_MODULES_DIR="$BASE_DIR/modules" -INTERNAL_USERS_FILE="$OPENSEARCH_PLUGINS_DIR/opensearch-security/config/internal_users.yml" -ADMIN_PASSWORD_FILE="$OPENSEARCH_PLUGINS_DIR/opensearch-security/config/initialAdminPassword.txt" +INTERNAL_USERS_FILE="$BASE_DIR/config/opensearch-security/internal_users.yml" +ADMIN_PASSWORD_FILE="$BASE_DIR/config/opensearch-security/initialAdminPassword.txt" OPENSEARCH_LIB_PATH="$BASE_DIR/lib" SUDO_CMD="" OPENSEARCH_INSTALL_TYPE=".tar.gz" @@ -393,10 +393,8 @@ echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins- # Read the admin password from the file or use the initialAdminPassword if set echo "Config dir has" ls $OPENSEARCH_CONF_DIR -echo "Plugins dir has" -ls $OPENSEARCH_PLUGINS_DIR -echo "Security dir has" -ls $OPENSEARCH_PLUGINS_DIR/opensearch-security +echo "Security config dir has" +ls $OPENSEARCH_CONF_DIR/opensearch-security ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE") From ca8b48b2ce0f73394813ccb0f7f8ab80ecbdc5d7 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 14:38:16 -0400 Subject: [PATCH 022/108] update order Signed-off-by: Stephen Crawford --- .../InitializationIntegrationTests.java | 8 +++---- .../security/test/SingleClusterTest.java | 3 +-- tools/install_demo_configuration.bat | 23 ++++++++++--------- tools/install_demo_configuration.sh | 14 +++++------ 4 files changed, 24 insertions(+), 24 deletions(-) diff --git a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java index 6c46915fa6..d6306e7f5d 100644 --- a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java +++ b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java 
@@ -283,8 +283,8 @@ public void testDefaultConfig() throws Exception { RestHelper rh = nonSslRestHelper(); Thread.sleep(10000); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "testPassword")).getStatusCode()); - HttpResponse res = rh.executeGetRequest("/_cluster/health", encodeBasicHeader("admin", "testPassword")); + Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode()); + HttpResponse res = rh.executeGetRequest("/_cluster/health", encodeBasicHeader("admin", "admin")); Assert.assertEquals(res.getBody(), HttpStatus.SC_OK, res.getStatusCode()); } @@ -300,14 +300,14 @@ public void testInvalidDefaultConfig() throws Exception { Thread.sleep(10000); Assert.assertEquals( HttpStatus.SC_SERVICE_UNAVAILABLE, - rh.executeGetRequest("", encodeBasicHeader("admin", "testPassword")).getStatusCode() + rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode() ); ClusterHelper.updateDefaultDirectory(defaultInitDirectory); restart(Settings.EMPTY, null, settings, false); rh = nonSslRestHelper(); Thread.sleep(10000); - Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "testPassword")).getStatusCode()); + Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode()); } finally { ClusterHelper.resetSystemProperties(); } diff --git a/src/test/java/org/opensearch/security/test/SingleClusterTest.java b/src/test/java/org/opensearch/security/test/SingleClusterTest.java index 42b0a5b612..2839e1e283 100644 --- a/src/test/java/org/opensearch/security/test/SingleClusterTest.java +++ b/src/test/java/org/opensearch/security/test/SingleClusterTest.java 
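Review bot: The assertions in testDefaultConfig and testInvalidDefaultConfig now authenticate with the literal pair `"admin", "admin"`, so the suite only passes while the admin account keeps a well-known default password. Together with the SingleClusterTest hunk that follows, which drops the `plugins.security.bootstrap.admin.password` override from setup(), no test shown here exercises a configured password any more. If that is intentional for this intermediate commit, a comment such as `// TODO: switch back to a configured bootstrap password once the installer sets it` above the first assertion would record it. Otherwise keep the setting and use one shared test constant instead of four repeated literals. Both test methods start and end outside the hunks.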
@@ -80,8 +80,7 @@ protected void setup( Settings nodeOverride, boolean initSecurityIndex ) throws Exception { - Settings settings = Settings.builder().put(nodeOverride).put("plugins.security.bootstrap.admin.password", "testPassword").build(); - setup(initTransportClientSettings, dynamicSecuritySettings, settings, initSecurityIndex, ClusterConfiguration.DEFAULT); + setup(initTransportClientSettings, dynamicSecuritySettings, nodeOverride, initSecurityIndex, ClusterConfiguration.DEFAULT); } protected void restart( diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 3232dfac6b..65beb4542c 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -75,8 +75,8 @@ cd %CUR% echo Basedir: %BASE_DIR% set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml" -set "INTERNAL_USERS_FILE"=%BASE_DIR%config\internal_users.yml" -set "ADMIN_PASSWORD_FILE"=%BASE_DIR%\config\initialAdminPassword.txt" +set "INTERNAL_USERS_FILE"=%BASE_DIR%config\opensearch-security\internal_users.yml" +set "ADMIN_PASSWORD_FILE"=%BASE_DIR%\config\opensearch-security\initialAdminPassword.txt" set "OPENSEARCH_CONF_DIR=%BASE_DIR%config\" set "OPENSEARCH_BIN_DIR=%BASE_DIR%bin\" set "OPENSEARCH_PLUGINS_DIR=%BASE_DIR%plugins\" 
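Review bot: The two changed `set` lines in the `@@ -75,8 +75,8 @@` hunk keep a closing quote after the variable name (`set "INTERNAL_USERS_FILE"=...`), unlike the neighbouring `set "OPENSEARCH_CONF_FILE=..."` lines, so cmd most likely does not define `INTERNAL_USERS_FILE` and `ADMIN_PASSWORD_FILE` under those names. The second line also inserts a backslash after `%BASE_DIR%` that the other paths do not have. I would write them as `set "INTERNAL_USERS_FILE=%BASE_DIR%config\opensearch-security\internal_users.yml"` and `set "ADMIN_PASSWORD_FILE=%BASE_DIR%config\opensearch-security\initialAdminPassword.txt"`. With the current form the later `type "%ADMIN_PASSWORD_FILE%"` would presumably expand to an empty path.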
@@ -322,16 +322,18 @@ echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%" echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"] >> "%OPENSEARCH_CONF_FILE%" setlocal enabledelayedexpansion -:: Read the admin password from the file or use the initialAdminPassword if set -for /f %%a in ('type "%ADMIN_PASSWORD_FILE%"') do set "ADMIN_PASSWORD=%%a" + +:: Check if initialAdminPassword environment variable is set +if defined initialAdminPassword ( + set "ADMIN_PASSWORD=!initialAdminPassword!" +) else ( + :: Read the admin password from the file + for /f %%a in ('type "%ADMIN_PASSWORD_FILE%"') do set "ADMIN_PASSWORD=%%a" +) if not defined ADMIN_PASSWORD ( - if defined initialAdminPassword ( - set "ADMIN_PASSWORD=!initialAdminPassword!" - ) else ( - echo Unable to find the admin password for the cluster. Please set initialAdminPassword or create a file {OPENSEARCH_ROOT}\config\initialAdminPassword.txt with a single line that contains the password. - exit /b 1 - ) + echo Unable to find the admin password for the cluster. Please set initialAdminPassword or create a file {OPENSEARCH_ROOT}\config\initialAdminPassword.txt with a single line that contains the password. + exit /b 1 ) :: Use the Hasher script to hash the admin password 
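Review bot: The failure message at the end of this hunk still tells the user to create `{OPENSEARCH_ROOT}\config\initialAdminPassword.txt`, while the same commit moves `ADMIN_PASSWORD_FILE` to `config\opensearch-security\initialAdminPassword.txt`; the message should name the new location. Inside the new `else ( ... )` block the comment uses `::`, which cmd parses as a label and which is known to misbehave inside parenthesised blocks; `rem Read the admin password from the file` is the safe form. Also note that `for /f %%a` with default delimiters keeps only the first whitespace-separated token of each line, and on a multi-line file the last line wins rather than the first.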
@@ -348,7 +350,6 @@ set "ADMIN_PASSWORD=" :: Find the line number containing 'admin:' in the internal_users.yml file for /f "tokens=1 delims=:" %%c in ('findstr /n "admin:" "%INTERNAL_USERS_FILE%"') do set "ADMIN_HASH_LINE=%%c" -:: Use sed-like functionality to replace the hashed password in the internal_users.yml file setlocal disabledelayedexpansion ( for /f "tokens=*" %%d in ('type "%INTERNAL_USERS_FILE%"') do ( diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 98abfe756c..6199033cdd 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh 
@@ -391,20 +391,20 @@ echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSE echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null # Read the admin password from the file or use the initialAdminPassword if set -echo "Config dir has" -ls $OPENSEARCH_CONF_DIR echo "Security config dir has" ls $OPENSEARCH_CONF_DIR/opensearch-security +echo "Cat of password file is: $(cat $ADMIN_PASSWORD_FILE)" -ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE") + +if [ -n "$initialAdminPassword" ]; then + ADMIN_PASSWORD="$initialAdminPassword" +else + ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE") +fi if [ -z "$ADMIN_PASSWORD" ]; then - if [ -n "$initialAdminPassword" ]; then - ADMIN_PASSWORD="$initialAdminPassword" - else echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file {OPENSEARCH_ROOT}/config/initialAdminPassword.txt with a single line that contains the password." exit 1 - fi fi # Use the Hasher script to hash the admin password From c9f245d6077e695fe306486290639063864c5c97 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 15:07:31 -0400 Subject: [PATCH 023/108] update order 
Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 6199033cdd..4077ee6167 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -393,13 +393,13 @@ echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins- # Read the admin password from the file or use the initialAdminPassword if set echo "Security config dir has" ls $OPENSEARCH_CONF_DIR/opensearch-security -echo "Cat of password file is: $(cat $ADMIN_PASSWORD_FILE)" +echo "Cat of password file is: $(cat $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt)" if [ -n "$initialAdminPassword" ]; then ADMIN_PASSWORD="$initialAdminPassword" else - ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE") + ADMIN_PASSWORD=$(head -n 1 "$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt") fi if [ -z "$ADMIN_PASSWORD" ]; then From e939ab69332a580d42ce3740cb3783f75b0bd374 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 15:11:00 -0400 Subject: [PATCH 024/108] Try head instead Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 4077ee6167..7ed850c0ed 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh 
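Review bot: Both changed lines replace `$ADMIN_PASSWORD_FILE` with a hand-written `$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt`, so the path is duplicated and the variable defined near line 113 of the script is bypassed. `OPENSEARCH_CONF_DIR` is not assigned in any hunk shown here; if it is unset, the path collapses to `/opensearch-security/initialAdminPassword.txt` at the filesystem root. I would keep `ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE")` and correct the variable's definition instead. The argument to `cat` in the echo line is also unquoted, and that line prints the secret itself.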
@@ -391,9 +391,7 @@ echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSE echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null # Read the admin password from the file or use the initialAdminPassword if set -echo "Security config dir has" -ls $OPENSEARCH_CONF_DIR/opensearch-security -echo "Cat of password file is: $(cat $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt)" +echo "HEAD of password file is: $(head $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt)" if [ -n "$initialAdminPassword" ]; then From 6de3f674cf4d18e073851f44b438f3af19b9362b Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 15:16:26 -0400 Subject: [PATCH 025/108] remove quotes Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 736dc6af3d..17c8b8721b 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -37,7 +37,12 @@ jobs: shell: bash - name: Populate password file - run: echo "installPassword" > ./config/initialAdminPassword.txt + run: | + echo installPassword > ./config/initialAdminPassword.txt + cd config + cat initialAdminPassword.txt + + - name: Create Setup Script if: ${{ runner.os == 'Linux' }} From 542a66ff738ca7ad06ad4d55c7ed72b79ea0a2be Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 15:20:51 -0400 Subject: [PATCH 026/108] try env var Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 17c8b8721b..2b1367a093 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -36,17 +36,10 @@ jobs: run: mv ./build/distributions/${{ env.PLUGIN_NAME }}-*.zip ${{ env.PLUGIN_NAME }}.zip shell: bash - - name: Populate password file - run: | - echo installPassword > ./config/initialAdminPassword.txt - cd config - cat initialAdminPassword.txt - - - - name: Create Setup Script if: ${{ runner.os == 'Linux' }} run: | + export initialAdminPassword=installPassword cat > setup.sh <<'EOF' chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh" @@ -55,6 +48,7 @@ jobs: - name: Create Setup Script if: ${{ runner.os == 'Windows' }} run: | + set initialAdminPassword=installPassword New-Item .\setup.bat -type file Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat From 5dfbf9f12f8e9658546fa0635ae2ad7acddc2051 Mon Sep 17 00:00:00 2001 
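Review bot: In patch 026 `export initialAdminPassword=installPassword` is placed before the `cat > setup.sh <<'EOF'` heredoc, so it only affects the shell of this step and is not written into setup.sh. A variable exported in one `run:` step is not visible to later steps, so if the installer is started from a later step (not visible in this hunk) it will not see the value. On the Windows step, `set initialAdminPassword=installPassword` is cmd syntax; if that step runs under PowerShell, which the hunk does not show, it does not create an environment variable. A step-level `env:` mapping with `initialAdminPassword: installPassword` on the step that actually runs the script would cover both platforms.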
From: Stephen Crawford Date: Wed, 20 Sep 2023 15:43:45 -0400 Subject: [PATCH 027/108] try env var Signed-off-by: Stephen Crawford --- config/initialAdminPassword.txt | 0 tools/install_demo_configuration.sh | 1 + 2 files changed, 1 insertion(+) delete mode 100644 config/initialAdminPassword.txt diff --git a/config/initialAdminPassword.txt b/config/initialAdminPassword.txt deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 7ed850c0ed..9328571387 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -391,6 +391,7 @@ echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSE echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null # Read the admin password from the file or use the initialAdminPassword if set +echo "Content of security config dir is: $(ls $OPENSEARCH_CONF_DIR/opensearch-security/) echo "HEAD of password file is: $(head $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt)" From c2bbc932fe9a6b22489712a586867d9e0480500e Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 15:44:15 -0400 Subject: [PATCH 028/108] cofirm correct file 
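Review bot: The added line `echo "Content of security config dir is: $(ls $OPENSEARCH_CONF_DIR/opensearch-security/)` has no closing double quote, so the string runs on into the following `echo "HEAD of password file is: ..."` line and the quoting of the rest of the script is shifted. The line should end with `opensearch-security/")"`, i.e. `$(ls "$OPENSEARCH_CONF_DIR/opensearch-security/")"`, with the directory argument quoted inside the substitution. The later hunks at the same position (patches 030 and 032) add lines around it but keep the unterminated string.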
Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 2b1367a093..17c8b8721b 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -36,10 +36,17 @@ jobs: run: mv ./build/distributions/${{ env.PLUGIN_NAME }}-*.zip ${{ env.PLUGIN_NAME }}.zip shell: bash + - name: Populate password file + run: | + echo installPassword > ./config/initialAdminPassword.txt + cd config + cat initialAdminPassword.txt + + + - name: Create Setup Script if: ${{ runner.os == 'Linux' }} run: | - export initialAdminPassword=installPassword cat > setup.sh <<'EOF' chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh" @@ -48,7 +55,6 @@ jobs: - name: Create Setup Script if: ${{ runner.os == 'Windows' }} run: | - set initialAdminPassword=installPassword New-Item .\setup.bat -type file Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat From 922cd06ff4b5109c5e3ad8bd9b173c44d093382a Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 16:03:52 -0400 Subject: [PATCH 029/108] update Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 17c8b8721b..47884aa246 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -38,9 +38,10 @@ jobs: - name: Populate password file run: | + ls echo installPassword > ./config/initialAdminPassword.txt cd config - cat initialAdminPassword.txt + ls From 048e650b914ce5dce4cc7b1099c6ae594e90f3ee Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Wed, 20 Sep 2023 16:12:01 -0400 Subject: [PATCH 030/108] update Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 4 ++-- tools/install_demo_configuration.sh | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 47884aa246..a3e5bf995d 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -40,8 +40,8 @@ jobs: run: | ls echo installPassword > ./config/initialAdminPassword.txt - cd config - ls + pwd + diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 9328571387..d83768d937 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh 
@@ -391,6 +391,7 @@ echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSE echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null # Read the admin password from the file or use the initialAdminPassword if set +echo "Path is " $(pwd) echo "Content of security config dir is: $(ls $OPENSEARCH_CONF_DIR/opensearch-security/) echo "HEAD of password file is: $(head $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt)" From 54ee9217ecb9f5594b2936ad84cf82d5eae957f7 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 10:06:40 -0400 Subject: [PATCH 031/108] move password population Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index a3e5bf995d..2920c9061a 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -36,19 +36,11 @@ jobs: run: mv ./build/distributions/${{ env.PLUGIN_NAME }}-*.zip ${{ env.PLUGIN_NAME }}.zip shell: bash - - name: Populate password file - run: | - ls - echo installPassword > ./config/initialAdminPassword.txt - pwd - - - - - name: Create Setup Script if: ${{ runner.os == 'Linux' }} run: | cat > setup.sh <<'EOF' + echo installPassword > ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/config/initialAdminPassword.txt chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh" EOF From 23766231fd898485b4aac131ae5e94f480326359 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 10:16:29 -0400 Subject: [PATCH 032/108] add prints Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 2 ++ tools/install_demo_configuration.sh | 1 + 2 files changed, 3 insertions(+) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 2920c9061a..2a78f2d99d 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -41,6 +41,8 @@ jobs: run: | cat > setup.sh <<'EOF' echo installPassword > ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/config/initialAdminPassword.txt + echo ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/config + ls ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/config chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh" EOF 
diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index d83768d937..67798e2ef5 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -392,6 +392,7 @@ echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins- # Read the admin password from the file or use the initialAdminPassword if set echo "Path is " $(pwd) +echo "Checking for password file in: " $OPENSEARCH_CONF_DIR/opensearch-security/ echo "Content of security config dir is: $(ls $OPENSEARCH_CONF_DIR/opensearch-security/) echo "HEAD of password file is: $(head $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt)" From 9d63dcd31b51b06f332faeddf97417e7fd7d580a Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 10:30:00 -0400 Subject: [PATCH 033/108] try env var Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 5 ++--- tools/install_demo_configuration.sh | 1 - 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 2a78f2d99d..8c6502d23a 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -40,9 +40,7 @@ jobs: if: ${{ runner.os == 'Linux' }} run: | cat > setup.sh <<'EOF' - echo installPassword > ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/config/initialAdminPassword.txt - echo ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/config - ls ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/config + export initialAdminPassword=installPassword chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh" EOF 
@@ -51,6 +49,7 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file + Set initialAdminPassword=installPassword Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 67798e2ef5..a44c945ac4 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -396,7 +396,6 @@ echo "Checking for password file in: " $OPENSEARCH_CONF_DIR/opensearch-security/ echo "Content of security config dir is: $(ls $OPENSEARCH_CONF_DIR/opensearch-security/) echo "HEAD of password file is: $(head $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt)" - if [ -n "$initialAdminPassword" ]; then ADMIN_PASSWORD="$initialAdminPassword" else From a8e5c2d3a460b13a54e8ad6016d25c78bd0e9b73 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 10:41:18 -0400 Subject: [PATCH 034/108] list dirs Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 8c6502d23a..ca04f46231 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -40,7 +40,10 @@ jobs: if: ${{ runner.os == 'Linux' }} run: | cat > setup.sh <<'EOF' - export initialAdminPassword=installPassword + echo "listing " ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT + ls ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT + echo "listing " ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config + ls ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh" EOF @@ -49,7 +52,6 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - Set initialAdminPassword=installPassword Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat From fa479902157d9d00433adc41e8595037694ca94b Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 11:59:10 -0400 Subject: [PATCH 035/108] list dirs Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index ca04f46231..3250bb4989 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -44,6 +44,9 @@ jobs: ls ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT echo "listing " ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config ls ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config + echo installPassword >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt + echo "listing " ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security + ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh" EOF From c820e78a43fc6a46f00d05a7ffbd13a438a552ec Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 12:05:53 -0400 Subject: [PATCH 036/108] checking setting Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index a44c945ac4..977967d5d4 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -401,6 +401,7 @@ if [ -n "$initialAdminPassword" ]; then else ADMIN_PASSWORD=$(head -n 1 "$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt") fi +echo "ADMIN PASSWORD SET TO: $(echo $ADMIN_PASSWORD)" if [ -z "$ADMIN_PASSWORD" ]; then echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file {OPENSEARCH_ROOT}/config/initialAdminPassword.txt with a single line that contains the password." From 1f60bb1097e21f14e3199ca47c0e47ae356a9366 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 12:20:53 -0400 Subject: [PATCH 037/108] try again 
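Review bot: The added line `./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security` has no command in front of it, so the generated `setup.sh` tries to execute a directory and reports an error instead of listing it. The `echo "listing "` before it suggests `ls ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security` was intended. The password is also appended with `>>`, while the installer at this point reads only the first line of `initialAdminPassword.txt`, so a pre-existing file would keep its old value; `>` states the intent exactly. The heredoc these lines belong to starts above the hunk.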
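Review bot: `echo "ADMIN PASSWORD SET TO: $(echo $ADMIN_PASSWORD)"` writes the cleartext admin password to stdout, which means the CI job log for the workflow and the terminal scrollback of anyone running the demo installer. A line that reports the event without the value, such as `echo "Admin password loaded"`, is enough for tracing. The same echo is kept in reworked form by patches 037, 039, 040 and 042 and should not survive into the merged script in any of them. The inner `$(echo $ADMIN_PASSWORD)` is also unquoted, so the printed value is word-split and may differ from the real one.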
Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 977967d5d4..9056a1f4ad 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -401,7 +401,7 @@ if [ -n "$initialAdminPassword" ]; then else ADMIN_PASSWORD=$(head -n 1 "$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt") fi -echo "ADMIN PASSWORD SET TO: $(echo $ADMIN_PASSWORD)" +echo "ADMIN PASSWORD SET TO: $ADMIN_PASSWORD" if [ -z "$ADMIN_PASSWORD" ]; then echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file {OPENSEARCH_ROOT}/config/initialAdminPassword.txt with a single line that contains the password." From 18f57152bf4032eefc0447883c9fa28885b1e569 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 12:35:48 -0400 Subject: [PATCH 038/108] check Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 9056a1f4ad..aee6748e85 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -399,7 +399,7 @@ echo "HEAD of password file is: $(head $OPENSEARCH_CONF_DIR/opensearch-security/ if [ -n "$initialAdminPassword" ]; then ADMIN_PASSWORD="$initialAdminPassword" else - ADMIN_PASSWORD=$(head -n 1 "$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt") + ADMIN_PASSWORD=$(head $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt) fi echo "ADMIN PASSWORD SET TO: $ADMIN_PASSWORD" From 48856d2941aec985b8b747ac860f107fb2a71b0d Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 12:40:08 -0400 Subject: [PATCH 039/108] please work 
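Review bot: Dropping `-n 1` and the quotes in `ADMIN_PASSWORD=$(head $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt)` (patch 038) changes what becomes the password. `head` now returns up to ten lines, so a file with a second line produces a multi-line `ADMIN_PASSWORD`, and the unquoted path breaks when the install directory contains spaces. The error text a few lines below still asks for "a single line that contains the password", so keep `ADMIN_PASSWORD=$(head -n 1 "$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt")`. The enclosing `if` starts above the hunk.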
Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index aee6748e85..07fea0ddd0 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -401,7 +401,7 @@ if [ -n "$initialAdminPassword" ]; then else ADMIN_PASSWORD=$(head $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt) fi -echo "ADMIN PASSWORD SET TO: $ADMIN_PASSWORD" +echo "ADMIN PASSWORD SET TO: $($ADMIN_PASSWORD)" if [ -z "$ADMIN_PASSWORD" ]; then echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file {OPENSEARCH_ROOT}/config/initialAdminPassword.txt with a single line that contains the password." From 95e6e8f7dadb9c88a97ebd9f940b9cfabdf2efb7 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 12:54:11 -0400 Subject: [PATCH 040/108] Change if Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 07fea0ddd0..e572076e50 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh 
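Review bot: `$($ADMIN_PASSWORD)` is a command substitution, so `echo "ADMIN PASSWORD SET TO: $($ADMIN_PASSWORD)"` runs the password as a shell command and prints that command's output instead of printing the variable. The value comes from the environment or from `initialAdminPassword.txt`, so whatever is stored there is word-split and executed with the installer's privileges. Remove the line; if a trace is wanted, `echo "Admin password loaded"` neither evaluates nor discloses the value.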
@@ -396,18 +396,18 @@ echo "Checking for password file in: " $OPENSEARCH_CONF_DIR/opensearch-security/ echo "Content of security config dir is: $(ls $OPENSEARCH_CONF_DIR/opensearch-security/) echo "HEAD of password file is: $(head $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt)" -if [ -n "$initialAdminPassword" ]; then +if [[ -n "$initialAdminPassword" ]]; then ADMIN_PASSWORD="$initialAdminPassword" +elif [[ -f "$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt" && -s "$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt" ]]; then + ADMIN_PASSWORD=$(head -n 1 "$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt") else - ADMIN_PASSWORD=$(head $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt) -fi -echo "ADMIN PASSWORD SET TO: $($ADMIN_PASSWORD)" - -if [ -z "$ADMIN_PASSWORD" ]; then - echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file {OPENSEARCH_ROOT}/config/initialAdminPassword.txt with a single line that contains the password." + echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file {OPENSEARCH_ROOT}/config/initialAdminPassword.txt with a single line that contains the password." exit 1 fi +echo "ADMIN PASSWORD SET TO: $ADMIN_PASSWORD" + + # Use the Hasher script to hash the admin password HASHED_ADMIN_PASSWORD=$(./hash.sh -p "$ADMIN_PASSWORD") From 59b25e156a41266f7351104c9fb1f0af54cdd900 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 13:51:22 -0400 Subject: [PATCH 041/108] Try windows Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 3250bb4989..e811490d2a 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
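Review bot: The fallback message points the user at `{OPENSEARCH_ROOT}/config/initialAdminPassword.txt`, but the new `elif` reads `$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt`, so a user who follows the message creates a file the script never looks at. Name the real location in the text, for example `... or create $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt with a single line that contains the password.` The same wording is carried into the reworked block in patch 042.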
@@ -55,6 +55,7 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file + echo installPassword >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\opensearch-security\initialAdminPassword.txt Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat From 6cf04b2431c2c18a6cf653f27d447cca521de235 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 14:06:23 -0400 Subject: [PATCH 042/108] try assignements Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 4 +++- tools/install_demo_configuration.sh | 23 +++++++++++------------ 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 65beb4542c..549f4fe2e8 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -76,7 +76,6 @@ echo Basedir: %BASE_DIR% set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml" set "INTERNAL_USERS_FILE"=%BASE_DIR%config\opensearch-security\internal_users.yml" -set "ADMIN_PASSWORD_FILE"=%BASE_DIR%\config\opensearch-security\initialAdminPassword.txt" set "OPENSEARCH_CONF_DIR=%BASE_DIR%config\" set "OPENSEARCH_BIN_DIR=%BASE_DIR%bin\" set "OPENSEARCH_PLUGINS_DIR=%BASE_DIR%plugins\" 
@@ -321,6 +320,9 @@ echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_a echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%" echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"] >> "%OPENSEARCH_CONF_FILE%" + +set "ADMIN_PASSWORD_FILE"=%OPENSEARCH_CONF_DIR%\opensearch-security\initialAdminPassword.txt + setlocal enabledelayedexpansion :: Check if initialAdminPassword environment variable is set diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index e572076e50..f8da8cf2a9 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -114,7 +114,6 @@ OPENSEARCH_BIN_DIR="$BASE_DIR/bin" OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins" OPENSEARCH_MODULES_DIR="$BASE_DIR/modules" INTERNAL_USERS_FILE="$BASE_DIR/config/opensearch-security/internal_users.yml" -ADMIN_PASSWORD_FILE="$BASE_DIR/config/opensearch-security/initialAdminPassword.txt" OPENSEARCH_LIB_PATH="$BASE_DIR/lib" SUDO_CMD="" OPENSEARCH_INSTALL_TYPE=".tar.gz" 
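Review bot: The closing quote in `set "ADMIN_PASSWORD_FILE"=%OPENSEARCH_CONF_DIR%\opensearch-security\initialAdminPassword.txt` is misplaced, so as far as I can tell cmd does not assign the variable and the later `type "%ADMIN_PASSWORD_FILE%"` reads an empty path. Use `set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\initialAdminPassword.txt"`. `OPENSEARCH_CONF_DIR` is defined near the top of the script with a trailing backslash, so the extra `\` is not needed. The `INTERNAL_USERS_FILE` assignment next to that definition has the same misplaced quote.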
@@ -391,23 +390,24 @@ echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSE echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null # Read the admin password from the file or use the initialAdminPassword if set -echo "Path is " $(pwd) -echo "Checking for password file in: " $OPENSEARCH_CONF_DIR/opensearch-security/ -echo "Content of security config dir is: $(ls $OPENSEARCH_CONF_DIR/opensearch-security/) -echo "HEAD of password file is: $(head $OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt)" +ADMIN_PASSWORD_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt" + +echo "Path is $(pwd)" +echo "Checking for password file in: $OPENSEARCH_CONF_DIR/opensearch-security/" +echo "Content of security config dir is: $(ls "$OPENSEARCH_CONF_DIR/opensearch-security/")" +echo "HEAD of password file is: $(head "$ADMIN_PASSWORD_FILE")" if [[ -n "$initialAdminPassword" ]]; then ADMIN_PASSWORD="$initialAdminPassword" -elif [[ -f "$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt" && -s "$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt" ]]; then - ADMIN_PASSWORD=$(head -n 1 "$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt") +elif [[ -f 
"$ADMIN_PASSWORD_FILE" && -s "$ADMIN_PASSWORD_FILE" ]]; then + ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE") else - echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file {OPENSEARCH_ROOT}/config/initialAdminPassword.txt with a single line that contains the password." - exit 1 + echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file {OPENSEARCH_ROOT}/config/initialAdminPassword.txt with a single line that contains the password." + exit 1 fi echo "ADMIN PASSWORD SET TO: $ADMIN_PASSWORD" - # Use the Hasher script to hash the admin password HASHED_ADMIN_PASSWORD=$(./hash.sh -p "$ADMIN_PASSWORD") @@ -419,6 +419,7 @@ fi # Clear the ADMIN_PASSWORD variable unset ADMIN_PASSWORD + # Find the line number containing 'admin:' in the internal_users.yml file ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:) @@ -443,8 +444,6 @@ else echo 'node.max_local_storage_nodes: 3' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null fi - - echo "######## End OpenSearch Security Demo Configuration ########" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null $SUDO_CMD chmod +x "$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/securityadmin.sh" From e4467b8263073d2e7f8480fae981b94e87457268 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 14:15:47 -0400 Subject: [PATCH 043/108] test Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 1 + tools/install_demo_configuration.bat | 2 +- tools/install_demo_configuration.sh | 4 +++- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index e811490d2a..2d620c6758 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
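Review bot: `echo "HEAD of password file is: $(head "$ADMIN_PASSWORD_FILE")"` runs before the `-f`/`-s` test below it. It therefore prints the file's contents, which is the admin password, whenever the file exists, and a `head` error when only `initialAdminPassword` is set. The four diagnostic `echo` lines at the top of the block read as temporary debugging. Removing them, or keeping only `echo "Checking for password file in: $OPENSEARCH_CONF_DIR/opensearch-security/"`, leaves the branch logic unchanged. The hunk ends inside the hashing step, so the rest of that block is not visible here.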
@@ -55,6 +55,7 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file + echo installPassword >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt echo installPassword >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\opensearch-security\initialAdminPassword.txt Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 549f4fe2e8..c8d7bf3938 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -339,7 +339,7 @@ if not defined ADMIN_PASSWORD ( ) :: Use the Hasher script to hash the admin password -for /f %%b in ('hash.bat -p "!ADMIN_PASSWORD!"') do set "HASHED_ADMIN_PASSWORD=%%b" +for /f %%b in ('%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat -p "!ADMIN_PASSWORD!"') do set "HASHED_ADMIN_PASSWORD=%%b" if not defined HASHED_ADMIN_PASSWORD ( echo Failed to hash the admin password diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index f8da8cf2a9..4b676b27a8 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -408,8 +408,10 @@ fi echo "ADMIN PASSWORD SET TO: $ADMIN_PASSWORD" +$SUDO_CMD chmod +x "$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh" + # Use the Hasher script to hash the admin password -HASHED_ADMIN_PASSWORD=$(./hash.sh -p "$ADMIN_PASSWORD") +HASHED_ADMIN_PASSWORD=$($OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh -p "$ADMIN_PASSWORD") if [ $? -ne 0 ]; then echo "Failed to hash the admin password" From d28bceb519a190f7dfe7da0dec7f07f0a9ee10fb Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 14:20:27 -0400 Subject: [PATCH 044/108] Try again 
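Review bot: In the `install_demo_configuration.sh` hunk, `-p "$ADMIN_PASSWORD"` puts the cleartext password in the argument list of `hash.sh` and presumably of the Java process it starts, where other local users can read it from the process table while the hash is computed. If the hasher can take the password from an environment variable or standard input, prefer that; otherwise the exposure deserves a comment above the call. The script path is also unquoted, unlike the `chmod` two lines above it: `HASHED_ADMIN_PASSWORD=$("$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh" -p "$ADMIN_PASSWORD")`.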
Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 1 - tools/install_demo_configuration.sh | 6 ++++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 2d620c6758..e811490d2a 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -55,7 +55,6 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - echo installPassword >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt echo installPassword >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\opensearch-security\initialAdminPassword.txt Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 4b676b27a8..0155432d76 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -418,17 +418,19 @@ if [ $? -ne 0 ]; then exit 1 fi +echo "HASHED PASSWORD SET TO: $HASHED_ADMIN_PASSWORD" + # Clear the ADMIN_PASSWORD variable unset ADMIN_PASSWORD - # Find the line number containing 'admin:' in the internal_users.yml file ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:) +echo "ADMIN TARGET FILE LINE SET TO: $ADMIN_HASH_LINE" + # Use sed to replace the hashed password in the internal_users.yml file sed -i "${ADMIN_HASH_LINE}s/.*/admin:\n hash: \"$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE" - #network.host if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then : #already present From 1f16c5d1e8342cba56d1b4c3f5b49b34a831f08d Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Thu, 21 Sep 2023 14:30:54 -0400 Subject: [PATCH 045/108] retry sed 
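Review bot: `echo "HASHED PASSWORD SET TO: $HASHED_ADMIN_PASSWORD"` publishes the admin account's password hash in the installer output and CI log, which is all that offline guessing against a demo password needs. The `Before CHANGE` / `AFTER CHANGE` lines added in patch 047 go further and `cat` the whole `internal_users.yml`, so they print every user's hash. A status line such as `echo "Admin password hashed"` gives the same progress signal.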
Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 0155432d76..8ed05f0246 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -113,7 +113,6 @@ OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" OPENSEARCH_BIN_DIR="$BASE_DIR/bin" OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins" OPENSEARCH_MODULES_DIR="$BASE_DIR/modules" -INTERNAL_USERS_FILE="$BASE_DIR/config/opensearch-security/internal_users.yml" OPENSEARCH_LIB_PATH="$BASE_DIR/lib" SUDO_CMD="" OPENSEARCH_INSTALL_TYPE=".tar.gz" @@ -391,6 +390,7 @@ echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins- # Read the admin password from the file or use the initialAdminPassword if set ADMIN_PASSWORD_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt" +INTERNAL_USERS_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/internal_users.yml" echo "Path is $(pwd)" echo "Checking for password file in: $OPENSEARCH_CONF_DIR/opensearch-security/" @@ -429,7 +429,7 @@ ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:) echo "ADMIN TARGET FILE LINE SET TO: $ADMIN_HASH_LINE" # Use sed to replace the hashed password in the internal_users.yml file -sed -i "${ADMIN_HASH_LINE}s/.*/admin:\n hash: \"$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE" +sed -i "${ADMIN_HASH_LINE}s/.*/admin:\n hash: '$HASHED_ADMIN_PASSWORD'/" "$INTERNAL_USERS_FILE" #network.host if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then From d308fb42bd70db0ff3395206912daccca1775f4c Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 10:04:57 -0400 Subject: [PATCH 046/108] test with temp file Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) 
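Review bot: The `sed` expression in the last hunk of patch 045 uses `/` as its delimiter while `$HASHED_ADMIN_PASSWORD` is interpolated into the replacement. Hashes in this format contain `/` (the demo hash in this series does), so the command fails or is mis-parsed whichever quote character surrounds the value. Pick a delimiter outside the hash alphabet, e.g. `sed -i "${ADMIN_HASH_LINE}s|.*|admin:\n hash: '$HASHED_ADMIN_PASSWORD'|" "$INTERNAL_USERS_FILE"`; the later `sed` attempts in patches 051 and 052 need the same change. `ADMIN_HASH_LINE` comes from an unanchored `grep -n 'admin:'`, which can return several line numbers; `grep -n '^admin:'` would presumably pin it to the user entry.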
diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 8ed05f0246..767db3546c 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -428,8 +428,22 @@ ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:) echo "ADMIN TARGET FILE LINE SET TO: $ADMIN_HASH_LINE" -# Use sed to replace the hashed password in the internal_users.yml file -sed -i "${ADMIN_HASH_LINE}s/.*/admin:\n hash: '$HASHED_ADMIN_PASSWORD'/" "$INTERNAL_USERS_FILE" +# Extract the original hash +ORIGINAL_HASH=$(awk -v line_number="$ADMIN_HASH_LINE" 'NR == line_number && /hash:/ { print $2 }' "$INTERNAL_USERS_FILE") + +echo "ORIGINAL HASH: $ORIGINAL_HASH" + +# Use awk to replace the hashed password in the internal_users.yml file +awk -v new_password="$HASHED_ADMIN_PASSWORD" -v line_number="$ADMIN_HASH_LINE" ' + BEGIN { FS = ": " } + NR == line_number && $1 == " hash" { $2 = "\" " new_password "\""; } + { print } +' "$INTERNAL_USERS_FILE" > temp_internal_users.yml + +# Replace the original file with the temporary file +mv temp_internal_users.yml "$INTERNAL_USERS_FILE" + +echo "HASHED PASSWORD SET TO: $HASHED_ADMIN_PASSWORD" #network.host if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then From 3050899068608e58870b01b865ec6aa619412fab Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 10:10:21 -0400 Subject: [PATCH 047/108] test Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 767db3546c..89b44cd986 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh 
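Review bot: The `awk` rule can never fire as written. `line_number` is the line of `admin:` itself while the `hash` key sits on the following line, so `NR == line_number && $1 == " hash"` is false for every record and the file is copied unchanged; `ORIGINAL_HASH` has the same off-by-one. The copy is written to a fixed name in the current directory and then moved over `internal_users.yml`, which replaces the target's owner and mode with those of the new file and bypasses `$SUDO_CMD`. Create it beside the target with `tmp=$(mktemp "${INTERNAL_USERS_FILE}.XXXXXX")` and restore the permissions before the `mv`. When the match is fixed, drop the space in `"\" " new_password` so the stored hash has no leading blank.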
@@ -431,7 +431,7 @@ echo "ADMIN TARGET FILE LINE SET TO: $ADMIN_HASH_LINE" # Extract the original hash ORIGINAL_HASH=$(awk -v line_number="$ADMIN_HASH_LINE" 'NR == line_number && /hash:/ { print $2 }' "$INTERNAL_USERS_FILE") -echo "ORIGINAL HASH: $ORIGINAL_HASH" +echo "Before CHANGE: $(cat $INTERNAL_USERS_FILE)" # Use awk to replace the hashed password in the internal_users.yml file awk -v new_password="$HASHED_ADMIN_PASSWORD" -v line_number="$ADMIN_HASH_LINE" ' @@ -443,7 +443,7 @@ awk -v new_password="$HASHED_ADMIN_PASSWORD" -v line_number="$ADMIN_HASH_LINE" ' # Replace the original file with the temporary file mv temp_internal_users.yml "$INTERNAL_USERS_FILE" -echo "HASHED PASSWORD SET TO: $HASHED_ADMIN_PASSWORD" +echo "AFTER CHANGE: $(cat $INTERNAL_USERS_FILE)" #network.host if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then From 005d70a0880c026dff7abd62b8a04a5f232e02a8 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 10:19:39 -0400 Subject: [PATCH 048/108] try sed again Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 89b44cd986..648c215885 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh 
@@ -428,17 +428,12 @@ ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:) echo "ADMIN TARGET FILE LINE SET TO: $ADMIN_HASH_LINE" -# Extract the original hash -ORIGINAL_HASH=$(awk -v line_number="$ADMIN_HASH_LINE" 'NR == line_number && /hash:/ { print $2 }' "$INTERNAL_USERS_FILE") - echo "Before CHANGE: $(cat $INTERNAL_USERS_FILE)" -# Use awk to replace the hashed password in the internal_users.yml file -awk -v new_password="$HASHED_ADMIN_PASSWORD" -v line_number="$ADMIN_HASH_LINE" ' - BEGIN { FS = ": " } - NR == line_number && $1 == " hash" { $2 = "\" " new_password "\""; } - { print } -' "$INTERNAL_USERS_FILE" > temp_internal_users.yml +# Use sed to replace the hashed password in the internal_users.yml file +HASHED_ADMIN_PASSWORD_SAFETY="${HASHED_ADMIN_PASSWORD//\//\\/}" # Escape forward slashes + +sed -i "${ADMIN_HASH_LINE} s/^ hash:.*/ hash: \"$HASHED_ADMIN_PASSWORD_SAFETY\"/" "$INTERNAL_USERS_FILE" # Replace the original file with the temporary file mv temp_internal_users.yml "$INTERNAL_USERS_FILE" From b5e7d4ea30481db29f736157983ce3801dbb899b Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 10:27:20 -0400 Subject: [PATCH 049/108] try sed again Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 648c215885..0bf75c1b60 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh 
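Review bot: The `awk … > temp_internal_users.yml` step is removed here, but `mv temp_internal_users.yml "$INTERNAL_USERS_FILE"` is left in place below the new `sed`. It now either fails on a missing file or, if a stale copy from an earlier run is in the working directory, overwrites the file `sed` has just edited. Delete the `mv` and its comment together with the `awk` block. The `sed` address is still the `admin:` line, where a pattern starting with `hash:` cannot match, so the substitution is likely a no-op as well. Addressing the next line with `$((ADMIN_HASH_LINE + 1))` would fit the layout of `internal_users.yml`.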
@@ -430,13 +430,8 @@ echo "ADMIN TARGET FILE LINE SET TO: $ADMIN_HASH_LINE" echo "Before CHANGE: $(cat $INTERNAL_USERS_FILE)" -# Use sed to replace the hashed password in the internal_users.yml file -HASHED_ADMIN_PASSWORD_SAFETY="${HASHED_ADMIN_PASSWORD//\//\\/}" # Escape forward slashes -sed -i "${ADMIN_HASH_LINE} s/^ hash:.*/ hash: \"$HASHED_ADMIN_PASSWORD_SAFETY\"/" "$INTERNAL_USERS_FILE" - -# Replace the original file with the temporary file -mv temp_internal_users.yml "$INTERNAL_USERS_FILE" +sed -ri "s/^(hash\\s*:\\s*\"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG\"\\s*)/hash: \"\$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE" echo "AFTER CHANGE: $(cat $INTERNAL_USERS_FILE)" From f13dbddd78c47ad094f5480507e391accbbd2be3 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 10:32:32 -0400 Subject: [PATCH 050/108] try again Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 0bf75c1b60..cedad1b2b9 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -431,7 +431,7 @@ echo "ADMIN TARGET FILE LINE SET TO: $ADMIN_HASH_LINE" echo "Before CHANGE: $(cat $INTERNAL_USERS_FILE)" -sed -ri "s/^(hash\\s*:\\s*\"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG\"\\s*)/hash: \"\$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE" +sed -ri "s/^(\\s*hash:\\s*)\"\\\$2a\\\$12\\\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG\"/\\1\"\$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE" echo "AFTER CHANGE: $(cat $INTERNAL_USERS_FILE)" From a40102cb5f77c2164045eaca30d6c18fba9c9a17 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 10:48:50 -0400 Subject: [PATCH 051/108] Escape $ Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
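Review bot: In the replacement, `\$HASHED_ADMIN_PASSWORD` is escaped inside double quotes, so `sed` receives the literal text `$HASHED_ADMIN_PASSWORD` and would write that string, not the hash, into `internal_users.yml`; the follow-up hunk in patch 050 keeps the same escape. The pattern is also tied to the built-in demo hash, which the first patch of this series removes from `config/internal_users.yml`, so it may no longer match anything. Checking the result after the edit, e.g. `grep -qF -- "$HASHED_ADMIN_PASSWORD" "$INTERNAL_USERS_FILE" || exit 1`, would turn a silent miss into a visible failure.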
diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index cedad1b2b9..ffa34d4a8a 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -431,7 +431,7 @@ echo "ADMIN TARGET FILE LINE SET TO: $ADMIN_HASH_LINE" echo "Before CHANGE: $(cat $INTERNAL_USERS_FILE)" -sed -ri "s/^(\\s*hash:\\s*)\"\\\$2a\\\$12\\\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG\"/\\1\"\$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE" +sed -ri "s/^(\\s*hash:\\s*)\"\\\$2a\\\$12\\\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG\"/\\1\"\\$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE" echo "AFTER CHANGE: $(cat $INTERNAL_USERS_FILE)" From 011509fc047830c369a7b51c1742ce9e302ce2ed Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 10:57:44 -0400 Subject: [PATCH 052/108] Add slash Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index ffa34d4a8a..0208cfda23 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -431,7 +431,7 @@ echo "ADMIN TARGET FILE LINE SET TO: $ADMIN_HASH_LINE" echo "Before CHANGE: $(cat $INTERNAL_USERS_FILE)" -sed -ri "s/^(\\s*hash:\\s*)\"\\\$2a\\\$12\\\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG\"/\\1\"\\$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE" +sed -ri "s/^(\\s*hash:\\s*)\"\\\$2a\\\$12\\\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG\"/\\1\"\\$HASHED_ADMIN_PASSWORD\"//" "$INTERNAL_USERS_FILE" echo "AFTER CHANGE: $(cat $INTERNAL_USERS_FILE)" From 72440cf03bae8a04b7a44c5da70553fad056bd69 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 11:06:10 -0400 Subject: [PATCH 053/108] try awk Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 0208cfda23..b1a4904263 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -430,8 +430,13 @@ echo "ADMIN TARGET FILE LINE SET TO: $ADMIN_HASH_LINE" echo "Before CHANGE: $(cat $INTERNAL_USERS_FILE)" +awk -v hashed_admin_password="$HASHED_ADMIN_PASSWORD" ' + /^ *hash: *"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/ { + sub(/"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/, "\"" hashed_admin_password "\""); + } + { print } +' "$INTERNAL_USERS_FILE" > temp_file && mv temp_file "$INTERNAL_USERS_FILE" -sed -ri "s/^(\\s*hash:\\s*)\"\\\$2a\\\$12\\\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG\"/\\1\"\\$HASHED_ADMIN_PASSWORD\"//" "$INTERNAL_USERS_FILE" echo "AFTER CHANGE: $(cat $INTERNAL_USERS_FILE)" From a5166d99618aea867be93ab73bde7b05dac75669 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 11:11:12 -0400 Subject: [PATCH 054/108] test output Signed-off-by: Stephen Crawford --- tools/hash.bat | 5 ----- tools/hash.sh | 5 ----- 2 files changed, 10 deletions(-) diff --git a/tools/hash.bat b/tools/hash.bat index fe5f57b823..a50611465c 100644 --- a/tools/hash.bat +++ b/tools/hash.bat @@ -1,11 +1,6 @@ @echo off set DIR=%~dp0 -echo "**************************************************************************" -echo "** This tool will be deprecated in the next major release of OpenSearch **" -echo "** https://github.com/opensearch-project/security/issues/1755 **" -echo "**************************************************************************" - if defined OPENSEARCH_JAVA_HOME ( set BIN_PATH="%OPENSEARCH_JAVA_HOME%\bin\java.exe" ) else if defined JAVA_HOME ( diff --git a/tools/hash.sh b/tools/hash.sh index e4f92b4cdf..c391232851 100755 --- a/tools/hash.sh +++ b/tools/hash.sh 
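Review bot: The `awk` rewrite only happens when the file still contains the built-in demo hash, and nothing checks that it did. If the `hash:` line is empty or already customised, the file is copied unchanged and the installer continues as if the admin password had been set. Match on the `hash:` key under `admin:` instead of a specific value, and fail when nothing was replaced, for instance by setting `found = 1` in the action and adding `END { exit !found }` so the `&& mv` is skipped. `temp_file` is a fixed name in the current directory; a `mktemp` file next to `$INTERNAL_USERS_FILE` avoids clobbering whatever is already there.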
@@ -1,10 +1,5 @@ #!/bin/bash -echo "**************************************************************************" -echo "** This tool will be deprecated in the next major release of OpenSearch **" -echo "** https://github.com/opensearch-project/security/issues/1755 **" -echo "**************************************************************************" - SCRIPT_PATH="${BASH_SOURCE[0]}" if ! [ -x "$(command -v realpath)" ]; then if [ -L "$SCRIPT_PATH" ]; then From 66aa2dcbc0f7856017f650e3fc21069cafddb9cb Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 11:25:32 -0400 Subject: [PATCH 055/108] test windows Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 40 +++++++++++++++++++--------- 1 file changed, 27 insertions(+), 13 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index c8d7bf3938..15d3c8ad45 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
@@ -321,15 +321,20 @@ echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%" echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"] >> "%OPENSEARCH_CONF_FILE%" -set "ADMIN_PASSWORD_FILE"=%OPENSEARCH_CONF_DIR%\opensearch-security\initialAdminPassword.txt - setlocal enabledelayedexpansion -:: Check if initialAdminPassword environment variable is set -if defined initialAdminPassword ( +set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%\opensearch-security\initialAdminPassword.txt" +set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%\opensearch-security\internal_users.yml" + +echo Path is %cd% +echo Checking for password file in: %OPENSEARCH_CONF_DIR%\opensearch-security\ +echo Content of security config dir is: %OPENSEARCH_CONF_DIR%\opensearch-security\ +echo HEAD of password file is: +type "%ADMIN_PASSWORD_FILE%" + +if "%initialAdminPassword%" NEQ "" ( set "ADMIN_PASSWORD=!initialAdminPassword!" ) else ( - :: Read the admin password from the file for /f %%a in ('type "%ADMIN_PASSWORD_FILE%"') do set "ADMIN_PASSWORD=%%a" ) 
@@ -338,33 +343,42 @@ if not defined ADMIN_PASSWORD ( exit /b 1 ) -:: Use the Hasher script to hash the admin password -for /f %%b in ('%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat -p "!ADMIN_PASSWORD!"') do set "HASHED_ADMIN_PASSWORD=%%b" +echo ADMIN PASSWORD SET TO: !ADMIN_PASSWORD! + +REM Use the Hasher script to hash the admin password +"%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat" -p "!ADMIN_PASSWORD!" -if not defined HASHED_ADMIN_PASSWORD ( +if errorlevel 1 ( echo Failed to hash the admin password exit /b 1 ) -:: Clear the ADMIN_PASSWORD variable +echo HASHED PASSWORD SET TO: %HASHED_ADMIN_PASSWORD% + +REM Clear the ADMIN_PASSWORD variable set "ADMIN_PASSWORD=" -:: Find the line number containing 'admin:' in the internal_users.yml file +REM Find the line number containing 'admin:' in the internal_users.yml file for /f "tokens=1 delims=:" %%c in ('findstr /n "admin:" "%INTERNAL_USERS_FILE%"') do set "ADMIN_HASH_LINE=%%c" -setlocal disabledelayedexpansion +echo ADMIN TARGET FILE LINE SET TO: %ADMIN_HASH_LINE% + +REM Use a temporary file for modification ( for /f "tokens=*" %%d in ('type "%INTERNAL_USERS_FILE%"') do ( set "line=%%d" - if %%c==1 ( + if %%c==%ADMIN_HASH_LINE% ( echo admin: - echo( hash: "!HASHED_ADMIN_PASSWORD!" + echo( hash: "%HASHED_ADMIN_PASSWORD%" ) else echo !line! set /a "c+=1" ) ) > "%INTERNAL_USERS_FILE%.tmp" move /y "%INTERNAL_USERS_FILE%.tmp" "%INTERNAL_USERS_FILE%" +echo AFTER CHANGE: +type "%INTERNAL_USERS_FILE%" + :: network.host >nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && ( echo network.host already present From e9626321345f402026c1964f62dd0a5f8e2a379c Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 11:34:08 -0400 Subject: [PATCH 056/108] test Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) 
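Review bot: `HASHED_ADMIN_PASSWORD` is never assigned in the new code, because `hash.bat` is now run as a plain command and its output goes to the console. As a result `echo( hash: "%HASHED_ADMIN_PASSWORD%"` would write an empty hash for the admin user, and `if errorlevel 1` does not catch that. I would keep the `for /f … do set "HASHED_ADMIN_PASSWORD=%%b"` capture that this hunk removes, together with the `if not defined HASHED_ADMIN_PASSWORD (` guard. In the rewrite loop the loop variable is `%%d`, so `if %%c==%ADMIN_HASH_LINE%` looks like it can never match. `tokens=*` also strips the leading indentation the YAML depends on.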
diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index e811490d2a..88961f5f04 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -36,16 +36,14 @@ jobs: run: mv ./build/distributions/${{ env.PLUGIN_NAME }}-*.zip ${{ env.PLUGIN_NAME }}.zip shell: bash + - name: Add runner password + run: echo installPassword >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt + shell: bash + - name: Create Setup Script if: ${{ runner.os == 'Linux' }} run: | cat > setup.sh <<'EOF' - echo "listing " ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT - ls ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT - echo "listing " ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config - ls ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config - echo installPassword >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt - echo "listing " ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh" @@ -55,7 +53,6 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - echo installPassword >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\opensearch-security\initialAdminPassword.txt Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat From 0e904e8a046f5bf31bae9b6230c714abc88479d8 Mon Sep 17 00:00:00 2001 
From: Stephen Crawford Date: Fri, 22 Sep 2023 11:38:17 -0400 Subject: [PATCH 057/108] move back Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 88961f5f04..d5774c9b9f 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -36,14 +36,11 @@ jobs: run: mv ./build/distributions/${{ env.PLUGIN_NAME }}-*.zip ${{ env.PLUGIN_NAME }}.zip shell: bash - - name: Add runner password - run: echo installPassword >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt - shell: bash - - name: Create Setup Script if: ${{ runner.os == 'Linux' }} run: | cat > setup.sh <<'EOF' + echo installPassword >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh" @@ -53,6 +50,7 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file + echo installPassword >> opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\opensearch-security\initialAdminPassword.txt Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat From 31b63d9cc92a3251af5a2f9c5c317391793eab4b Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 11:42:51 -0400 Subject: [PATCH 058/108] Try with first back then forward slashes 
Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index d5774c9b9f..31985f7762 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -50,7 +50,7 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - echo installPassword >> opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\opensearch-security\initialAdminPassword.txt + echo installPassword >> .\opensearch-%OPENSEARCH_VERSION%-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat From f6f4d60ed5089c11243efb91573d19cf56d771db Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 11:46:23 -0400 Subject: [PATCH 059/108] try again Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 31985f7762..eb10ba2d26 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -50,7 +50,7 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - echo installPassword >> .\opensearch-%OPENSEARCH_VERSION%-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt + echo installPassword >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat 
From c4658b9743adb49b16dbd315ec94283f4ee688b1 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 11:51:32 -0400 Subject: [PATCH 060/108] prints Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index eb10ba2d26..72ea1149d1 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -50,6 +50,11 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file + echo "current dir is " dir + echo "pwd is " %cd + cd .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config + echo "current dir is " dir + echo "pwd is " %cd echo installPassword >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat From f8b81e49ecaf4fb03f17a5aa31564e5624a25ba0 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 11:58:11 -0400 Subject: [PATCH 061/108] print dirs Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 72ea1149d1..ac3f206e2f 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -41,7 +41,6 @@ jobs: run: | cat > setup.sh <<'EOF' echo installPassword >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt - ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh" EOF @@ -50,11 +49,16 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - echo "current dir is " dir - echo "pwd is " %cd - cd .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config - echo "current dir is " dir - echo "pwd is " %cd + + echo Current directory is: %cd% + echo Subdirectories in the current directory: + dir /b /ad + cd .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\ + echo Current directory is: %cd% + dir /b /ad + cd .\config + echo Current directory is: %cd% + dir /b /ad echo installPassword >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat From c8a1d881791e8739a0063e381244ee31cdff6763 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 12:03:58 -0400 Subject: [PATCH 062/108] test with env var Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index ac3f206e2f..dcf2aa7399 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -49,17 +49,7 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - - echo Current directory is: %cd% - echo Subdirectories in the current directory: - dir /b /ad - cd .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\ - echo Current directory is: %cd% - dir /b /ad - cd .\config - echo Current directory is: %cd% - dir /b /ad - echo installPassword >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt + Set initialAdminPassword=installPassword Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat From 1116ea05987e095e12b966d9a1525bcecc103317 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 12:11:29 -0400 Subject: [PATCH 063/108] Try set and get content Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index dcf2aa7399..9c068ac558 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
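Review bot: `Set initialAdminPassword=installPassword` does not create an environment variable in this step. The surrounding commands (`New-Item`, `Set-Content`) are PowerShell, where `set` is an alias for `Set-Variable`, and a value set inside one `run:` step is not visible to later steps in any case. If the installer is meant to read `initialAdminPassword` from the environment, declare it under `env:` on the step that actually runs `setup.bat`, as `initialAdminPassword: installPassword`; that step is outside this hunk, so its location needs confirming. As written, the installer would fall back to the password file, which this hunk stops creating.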
@@ -49,9 +49,11 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - Set initialAdminPassword=installPassword + New-Item .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT.txt\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt -type file Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" + Set-Content .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT.txt\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt -Value "installPassword" Get-Content .\setup.bat + Get-Content .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT.txt\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt - name: Run Opensearch with A Single Plugin uses: ./.github/actions/start-opensearch-with-one-plugin From d557de8a76369ea5bf6606d750594ed737f77ed4 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 12:15:03 -0400 Subject: [PATCH 064/108] Try set and get content Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 9c068ac558..64392d6393 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -49,11 +49,11 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - New-Item .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT.txt\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt -type file + New-Item .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt -type file Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" - Set-Content .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT.txt\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt -Value "installPassword" + Set-Content .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt -Value "installPassword" Get-Content .\setup.bat - Get-Content .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT.txt\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt + Get-Content .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt - name: Run Opensearch with A Single Plugin uses: ./.github/actions/start-opensearch-with-one-plugin From 7e52f35516ce6126a256688b7314ff972d714c79 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 12:23:06 -0400 Subject: [PATCH 065/108] Try modifying setup Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 64392d6393..012ae1114f 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -50,10 +50,9 @@ jobs: run: | New-Item .\setup.bat -type file New-Item .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt -type file - Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" - Set-Content .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt -Value "installPassword" + Set-Content .\setup.bat -Value "powershell.exe echo installPassword >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt & ^ + powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat - Get-Content .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt - name: Run Opensearch with A Single Plugin uses: ./.github/actions/start-opensearch-with-one-plugin From 57a6bac96fc92049fce4642509ffdc10cab221b7 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 12:26:30 -0400 Subject: [PATCH 066/108] Try modifying setup Signed-off-by: Stephen Crawford --- .github/workflows/plugin_install.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 012ae1114f..6fd149aaef 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
@@ -49,7 +49,6 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - New-Item .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt -type file Set-Content .\setup.bat -Value "powershell.exe echo installPassword >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt & ^ powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat From c14b65dd148eb3c7db70da9671d24dad790d297a Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 12:37:04 -0400 Subject: [PATCH 067/108] Fix pathes Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 15d3c8ad45..cc2a6a2d55 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
@@ -323,12 +323,12 @@ echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-m setlocal enabledelayedexpansion -set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%\opensearch-security\initialAdminPassword.txt" -set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%\opensearch-security\internal_users.yml" +set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\initialAdminPassword.txt" +set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml" echo Path is %cd% -echo Checking for password file in: %OPENSEARCH_CONF_DIR%\opensearch-security\ -echo Content of security config dir is: %OPENSEARCH_CONF_DIR%\opensearch-security\ +echo Checking for password file in: %OPENSEARCH_CONF_DIR%opensearch-security\ +echo Content of security config dir is: %OPENSEARCH_CONF_DIR%opensearch-security\ echo HEAD of password file is: type "%ADMIN_PASSWORD_FILE%" @@ -345,20 +345,20 @@ if not defined ADMIN_PASSWORD ( echo ADMIN PASSWORD SET TO: !ADMIN_PASSWORD! -REM Use the Hasher script to hash the admin password -"%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat" -p "!ADMIN_PASSWORD!" +echo Use the Hasher script to hash the admin password +"%OPENSEARCH_PLUGINS_DIR%opensearch-security\tools\hash.bat" -p "!ADMIN_PASSWORD!" if errorlevel 1 ( echo Failed to hash the admin password exit /b 1 ) -echo HASHED PASSWORD SET TO: %HASHED_ADMIN_PASSWORD% +echo HASHED PASSWORD SET TO: !HASHED_ADMIN_PASSWORD! -REM Clear the ADMIN_PASSWORD variable +echo Clear the ADMIN_PASSWORD variable set "ADMIN_PASSWORD=" -REM Find the line number containing 'admin:' in the internal_users.yml file +echo Find the line number containing 'admin:' in the internal_users.yml file for /f "tokens=1 delims=:" %%c in ('findstr /n "admin:" "%INTERNAL_USERS_FILE%"') do set "ADMIN_HASH_LINE=%%c" echo ADMIN TARGET FILE LINE SET TO: %ADMIN_HASH_LINE% From c8a605edb1bf06e5bfb3d72e81393e82407041e4 Mon Sep 17 00:00:00 2001 
From: Stephen Crawford Date: Fri, 22 Sep 2023 12:51:22 -0400 Subject: [PATCH 068/108] test Signed-off-by: Stephen Crawford --- .github/actions/start-opensearch-with-one-plugin/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/start-opensearch-with-one-plugin/action.yml b/.github/actions/start-opensearch-with-one-plugin/action.yml index fa5681c422..18566fb823 100644 --- a/.github/actions/start-opensearch-with-one-plugin/action.yml +++ b/.github/actions/start-opensearch-with-one-plugin/action.yml @@ -101,13 +101,13 @@ runs: # Verify that the server is operational - name: Check OpenSearch Running on Linux if: ${{ runner.os != 'Windows'}} - run: curl https://localhost:9200/_cat/plugins -u 'admin:admin' -k -v + run: curl https://localhost:9200/_cat/plugins -u 'admin:installPassword' -k -v shell: bash - name: Check OpenSearch Running on Windows if: ${{ runner.os == 'Windows'}} run: | - $credentialBytes = [Text.Encoding]::ASCII.GetBytes("admin:admin") + $credentialBytes = [Text.Encoding]::ASCII.GetBytes("admin:installPassword") $encodedCredentials = [Convert]::ToBase64String($credentialBytes) $baseCredentials = "Basic $encodedCredentials" $Headers = @{ Authorization = $baseCredentials } From 8ae73e9e40ab976a29ec88fa3374e9e991ccf705 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 13:05:18 -0400 Subject: [PATCH 069/108] Try setting Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index cc2a6a2d55..6778e86260 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
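Review bot: Both checks now embed `admin:installPassword`, and the Linux one runs `curl` with `-v`, which prints the request headers, including the `Authorization: Basic …` value, into the job log. The same literal is written by `plugin_install.yml`, so the two files can drift apart without any failure pointing at the cause. I would pass the password into the action once, through an input or an `env:` entry (the action's inputs are outside this hunk), and drop `-v`: `run: curl https://localhost:9200/_cat/plugins -u "admin:${ADMIN_PASSWORD}" -k`, with `ADMIN_PASSWORD` standing for whatever name the action exposes.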
@@ -346,7 +346,7 @@ if not defined ADMIN_PASSWORD ( echo ADMIN PASSWORD SET TO: !ADMIN_PASSWORD! echo Use the Hasher script to hash the admin password -"%OPENSEARCH_PLUGINS_DIR%opensearch-security\tools\hash.bat" -p "!ADMIN_PASSWORD!" +set HASHED_ADMIN_PASSWORD="%OPENSEARCH_PLUGINS_DIR%opensearch-security\tools\hash.bat" -p "!ADMIN_PASSWORD!" if errorlevel 1 ( echo Failed to hash the admin password From 12b45f9c00fdc988f5bed403f7589d3c324bd9ce Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 13:11:50 -0400 Subject: [PATCH 070/108] Fix set Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 6778e86260..2d0fb965ad 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -346,7 +346,7 @@ if not defined ADMIN_PASSWORD ( echo ADMIN PASSWORD SET TO: !ADMIN_PASSWORD! echo Use the Hasher script to hash the admin password -set HASHED_ADMIN_PASSWORD="%OPENSEARCH_PLUGINS_DIR%opensearch-security\tools\hash.bat" -p "!ADMIN_PASSWORD!" +for /f %%b in ('"%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat" -p "!ADMIN_PASSWORD!"') do set "HASHED_ADMIN_PASSWORD=%%b" if errorlevel 1 ( echo Failed to hash the admin password From 595a82b7bf948817d66c972e7168b2f38c1c78f4 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 13:20:16 -0400 Subject: [PATCH 071/108] Fix set Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 2d0fb965ad..ab775be2d0 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
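Review bot: In the first hunk on this line (patch 069), `set HASHED_ADMIN_PASSWORD="…hash.bat" -p "!ADMIN_PASSWORD!"` does not run the hasher. It stores the command text, with the plaintext password expanded into it, in `HASHED_ADMIN_PASSWORD`. The script later echoes that variable and writes it into the `hash:` field of `internal_users.yml` (both outside this hunk), so the plaintext would end up in the log and on disk. The `if errorlevel 1` guard below only sees whatever error level an earlier command left behind; a guard on the value, `if not defined HASHED_ADMIN_PASSWORD (`, placed after a real capture is what protects the file.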
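Review bot: In the second hunk (patch 070), the `if errorlevel 1` test after the new `for /f %%b in (…hash.bat…)` line does not show whether hashing worked, because the command inside `for /f` runs in a child `cmd` and its exit code is not handed back. If `hash.bat` fails or prints nothing, `HASHED_ADMIN_PASSWORD` stays undefined and the script carries on to rewrite the users file. Test the variable instead, as the script did before patch 055: `if not defined HASHED_ADMIN_PASSWORD (`. The password is also passed as a `-p` argument, so it is visible in the process command line while the hasher runs; whether `hash.bat` can take it another way is not shown here.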
@@ -345,16 +345,19 @@ if not defined ADMIN_PASSWORD ( echo ADMIN PASSWORD SET TO: !ADMIN_PASSWORD! -echo Use the Hasher script to hash the admin password -for /f %%b in ('"%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat" -p "!ADMIN_PASSWORD!"') do set "HASHED_ADMIN_PASSWORD=%%b" +REM Run the command and capture its output +for /f %%a in ('"%OPENSEARCH_PLUGINS_DIR%opensearch-security\tools\hash.bat" -p "!ADMIN_PASSWORD!"') do ( + set "HASHED_ADMIN_PASSWORD=%%a" +) + +REM Display the value of the variable +echo HASHED_ADMIN_PASSWORD is !HASHED_ADMIN_PASSWORD! if errorlevel 1 ( echo Failed to hash the admin password exit /b 1 ) -echo HASHED PASSWORD SET TO: !HASHED_ADMIN_PASSWORD! - echo Clear the ADMIN_PASSWORD variable set "ADMIN_PASSWORD=" From 0d58f65ac189b52c57c4410972e98a4a34616e9e Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 13:38:28 -0400 Subject: [PATCH 072/108] Try again Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index ab775be2d0..827252916e 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -343,10 +343,12 @@ if not defined ADMIN_PASSWORD ( exit /b 1 ) +set "HASH_SCRIPT=%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat" + echo ADMIN PASSWORD SET TO: !ADMIN_PASSWORD! REM Run the command and capture its output -for /f %%a in ('"%OPENSEARCH_PLUGINS_DIR%opensearch-security\tools\hash.bat" -p "!ADMIN_PASSWORD!"') do ( +for /f %%a in ('"%HASH_SCRIPT%" -p "!ADMIN_PASSWORD!"') do ( set "HASHED_ADMIN_PASSWORD=%%a" ) From 142cac08ff7f87ad432a3c394a94c27dade86b12 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 13:47:23 -0400 Subject: [PATCH 073/108] escape quotes 
Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 827252916e..ce2b7a1a3f 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -348,7 +348,7 @@ set "HASH_SCRIPT=%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat" echo ADMIN PASSWORD SET TO: !ADMIN_PASSWORD! REM Run the command and capture its output -for /f %%a in ('"%HASH_SCRIPT%" -p "!ADMIN_PASSWORD!"') do ( +for /f %%a in ('^"%HASH_SCRIPT%^" -p ^"!ADMIN_PASSWORD!^"') do ( set "HASHED_ADMIN_PASSWORD=%%a" ) From a849f158ef238aa3cf51fa6a2e65c2fcc9a46ccd Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 13:53:25 -0400 Subject: [PATCH 074/108] remove quotes Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index ce2b7a1a3f..d05ac80c25 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -348,7 +348,7 @@ set "HASH_SCRIPT=%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat" echo ADMIN PASSWORD SET TO: !ADMIN_PASSWORD! REM Run the command and capture its output -for /f %%a in ('^"%HASH_SCRIPT%^" -p ^"!ADMIN_PASSWORD!^"') do ( +for /f %%a in ('%HASH_SCRIPT% -p !ADMIN_PASSWORD!') do ( set "HASHED_ADMIN_PASSWORD=%%a" ) From 0081cfe8ddbfbcad506e5c56beefb4026077b9d9 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 17:31:50 -0400 Subject: [PATCH 075/108] try coverted awk Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 30 ++++++++++++---------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index d05ac80c25..0326ebfd03 100755 
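Review bot: In the second hunk (patch 074), removing the quotes means `for /f %%a in ('%HASH_SCRIPT% -p !ADMIN_PASSWORD!')` hands the raw password to a child `cmd` as command-line text. A space then splits it into several arguments, and characters such as `&`, `|` or `>` are interpreted as shell syntax instead of being hashed. The value comes from an environment variable or a file, so it should be treated as untrusted text here; an install path containing a space breaks the unquoted `%HASH_SCRIPT%` as well. Keeping both quoted and prefixing `call` should avoid the leading-quote stripping that was presumably behind the earlier attempts: `for /f %%a in ('call "%HASH_SCRIPT%" -p "!ADMIN_PASSWORD!"') do (`. A password that itself contains `"` would still need to be rejected before this line.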
--- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -363,23 +363,19 @@ if errorlevel 1 ( echo Clear the ADMIN_PASSWORD variable set "ADMIN_PASSWORD=" -echo Find the line number containing 'admin:' in the internal_users.yml file -for /f "tokens=1 delims=:" %%c in ('findstr /n "admin:" "%INTERNAL_USERS_FILE%"') do set "ADMIN_HASH_LINE=%%c" - -echo ADMIN TARGET FILE LINE SET TO: %ADMIN_HASH_LINE% - -REM Use a temporary file for modification -( - for /f "tokens=*" %%d in ('type "%INTERNAL_USERS_FILE%"') do ( - set "line=%%d" - if %%c==%ADMIN_HASH_LINE% ( - echo admin: - echo( hash: "%HASHED_ADMIN_PASSWORD%" - ) else echo !line! - set /a "c+=1" - ) -) > "%INTERNAL_USERS_FILE%.tmp" -move /y "%INTERNAL_USERS_FILE%.tmp" "%INTERNAL_USERS_FILE%" +set "OUTPUT_FILE=temp_file" + +del "%OUTPUT_FILE%" 2>nul + +for /f "usebackq delims=" %%a in ("%INTERNAL_USERS_FILE%") do ( + set "line=%%a" + if "!line!"==" hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"" ( + set "line= hash: \"%HASHED_ADMIN_PASSWORD%\"" + ) + echo !line!>>"%OUTPUT_FILE%" +) + +move /y "%OUTPUT_FILE%" "%INTERNAL_USERS_FILE%" echo AFTER CHANGE: type "%INTERNAL_USERS_FILE%" From d3b23716a3cc25a77bd99e348ebac0ddcbae235d Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 18:15:59 -0400 Subject: [PATCH 076/108] fix pattern Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 0326ebfd03..26b04ce1e3 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
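Review bot: Nothing checks that the default hash line was actually replaced, so if the `if "!line!"==…` comparison never matches, the file is copied back unchanged and the installer finishes with the well-known demo hash still in place. A match looks unlikely as written, since `\"` is not an escape inside a batch string, and patches 076 to 078 keep adjusting the same comparison. I would fail closed after the `move`, e.g. `findstr /l /c:"%HASHED_ADMIN_PASSWORD%" "%INTERNAL_USERS_FILE%" >nul || exit /b 1`. The copy loop also deserves a comment saying that `for /f` skips empty lines and that, with delayed expansion on, any `!` in a line is dropped. `temp_file` is created relative to the current directory rather than next to the users file.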
@@ -369,8 +369,8 @@ del "%OUTPUT_FILE%" 2>nul for /f "usebackq delims=" %%a in ("%INTERNAL_USERS_FILE%") do ( set "line=%%a" - if "!line!"==" hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"" ( - set "line= hash: \"%HASHED_ADMIN_PASSWORD%\"" + if "!line!"==" hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"" ( + set "line= hash: \"%HASHED_ADMIN_PASSWORD%\"" ) echo !line!>>"%OUTPUT_FILE%" ) From 264661e138a2947d7685f3b54109fa4f370fdfdf Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 18:22:57 -0400 Subject: [PATCH 077/108] Check for any number of spaces Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 26b04ce1e3..77d717ea30 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -369,8 +369,15 @@ del "%OUTPUT_FILE%" 2>nul for /f "usebackq delims=" %%a in ("%INTERNAL_USERS_FILE%") do ( set "line=%%a" - if "!line!"==" hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"" ( - set "line= hash: \"%HASHED_ADMIN_PASSWORD%\"" + if "!line!"==*"hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"" ( + echo "line found") +) + +for /f "usebackq delims=" %%a in ("%INTERNAL_USERS_FILE%") do ( + set "line=%%a" + rem Check for any number of spaces before the pattern + if "!line!"==*"hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"" ( + set "line=!line:hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"=hash: \"%HASHED_ADMIN_PASSWORD%\"!" ) echo !line!>>"%OUTPUT_FILE%" ) From f69050ad26e5735909cf2a3bc81b25ff14bf93ce Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Fri, 22 Sep 2023 18:31:16 -0400 Subject: [PATCH 078/108] Try 2 leading spaces looped line trimming 
Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 77d717ea30..3cc8c1dd1c 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -369,15 +369,22 @@ del "%OUTPUT_FILE%" 2>nul for /f "usebackq delims=" %%a in ("%INTERNAL_USERS_FILE%") do ( set "line=%%a" - if "!line!"==*"hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"" ( - echo "line found") + if "!line:~0,2!"==" " ( + rem Check if the line contains the specific pattern + if "!line:~2!"=="hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"" ( + echo "line found" + ) + ) ) for /f "usebackq delims=" %%a in ("%INTERNAL_USERS_FILE%") do ( set "line=%%a" - rem Check for any number of spaces before the pattern - if "!line!"==*"hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"" ( - set "line=!line:hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"=hash: \"%HASHED_ADMIN_PASSWORD%\"!" + rem Check for two leading spaces before the pattern + if "!line:~0,2!"==" " ( + rem Check if the line contains the specific pattern + if "!line:~2!"=="hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"" ( + set "line= hash: \"%HASHED_ADMIN_PASSWORD%\"" + ) ) echo !line!>>"%OUTPUT_FILE%" ) From b2162457f3dc4ad46dcc49d32f7a16fed238a091 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Mon, 25 Sep 2023 11:19:47 -0400 Subject: [PATCH 079/108] try to update file different way Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 34 ++++++++-------------------- 1 file changed, 9 insertions(+), 25 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 3cc8c1dd1c..ff290849d3 100755 --- a/tools/install_demo_configuration.bat 
+++ b/tools/install_demo_configuration.bat @@ -363,33 +363,17 @@ if errorlevel 1 ( echo Clear the ADMIN_PASSWORD variable set "ADMIN_PASSWORD=" -set "OUTPUT_FILE=temp_file" - -del "%OUTPUT_FILE%" 2>nul - -for /f "usebackq delims=" %%a in ("%INTERNAL_USERS_FILE%") do ( - set "line=%%a" - if "!line:~0,2!"==" " ( - rem Check if the line contains the specific pattern - if "!line:~2!"=="hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"" ( - echo "line found" - ) - ) -) +set default_line=" hash: ""$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG""" -for /f "usebackq delims=" %%a in ("%INTERNAL_USERS_FILE%") do ( - set "line=%%a" - rem Check for two leading spaces before the pattern - if "!line:~0,2!"==" " ( - rem Check if the line contains the specific pattern - if "!line:~2!"=="hash: \"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"" ( - set "line= hash: \"%HASHED_ADMIN_PASSWORD%\"" - ) - ) - echo !line!>>"%OUTPUT_FILE%" -) +set "search=%default_line%" +set "replace=" hash: ""%HASHED_ADMIN_PASSWORD%""" -move /y "%OUTPUT_FILE%" "%INTERNAL_USERS_FILE%" + +for /f "delims=" %%i in ('type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_USERS_FILE%" ') do ( + set "line=%%i" + >>"%INTERNAL_USERS_FILE%" echo(!line:%search%=%replace%! + endlocal +) echo AFTER CHANGE: type "%INTERNAL_USERS_FILE%" From 294aba81e079d7fa1a97ee31ad7b90daefe30655 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Mon, 25 Sep 2023 11:40:12 -0400 Subject: [PATCH 080/108] try another way Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index ff290849d3..a7f1368644 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
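Review bot: The new loop truncates `internal_users.yml` while it is still being read (`type … ^& break ^> "%INTERNAL_USERS_FILE%"`) and then appends to it line by line. An interruption or a bad substitution therefore leaves the users file partial, with no copy to fall back on. The `endlocal` inside the loop has no matching `setlocal` in the loop body, so on the first pass it looks like it closes the outer `setlocal enabledelayedexpansion`; from then on `!line:%search%=%replace%!` would be written out literally. I would write to a temporary file beside the target, make `setlocal enabledelayedexpansion` the first statement inside the loop so the `endlocal` is paired, and swap the file in only after confirming the new hash is present.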
@@ -368,12 +368,16 @@ set default_line=" hash: ""$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JD set "search=%default_line%" set "replace=" hash: ""%HASHED_ADMIN_PASSWORD%""" - -for /f "delims=" %%i in ('type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_USERS_FILE%" ') do ( +set "newfile=Output.txt" +(for /f "delims=" %%i in (%INTERNAL_USERS_FILE%) do ( set "line=%%i" - >>"%INTERNAL_USERS_FILE%" echo(!line:%search%=%replace%! + setlocal enabledelayedexpansion + set "line=!line:%search%=%replace%!" + echo(!line! endlocal -) +))>"%newfile%" +del %INTERNAL_USERS_FILE% +rename %newfile% %INTERNAL_USERS_FILE% echo AFTER CHANGE: type "%INTERNAL_USERS_FILE%" From 023a580954b102156568f0bb4319fba2234f438a Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Mon, 25 Sep 2023 11:42:38 -0400 Subject: [PATCH 081/108] Try setting locals Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index a7f1368644..fe4ecccda6 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -367,17 +367,19 @@ set default_line=" hash: ""$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JD set "search=%default_line%" set "replace=" hash: ""%HASHED_ADMIN_PASSWORD%""" +echo To find line is: !search! +echo Replace is: !replace! -set "newfile=Output.txt" -(for /f "delims=" %%i in (%INTERNAL_USERS_FILE%) do ( +setlocal enableextensions +for /f "delims=" %%i in ('type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_USERS_FILE%" ') do ( set "line=%%i" setlocal enabledelayedexpansion - set "line=!line:%search%=%replace%!" - echo(!line! + >>"%INTERNAL_USERS_FILE%" echo(!line:%search%=%replace%! endlocal -))>"%newfile%" -del %INTERNAL_USERS_FILE% -rename %newfile% %INTERNAL_USERS_FILE% +) + + +move /y "%OUTPUT_FILE%" "%INTERNAL_USERS_FILE%" echo AFTER CHANGE: type "%INTERNAL_USERS_FILE%" 
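Review bot: In the `@@ -368,12 +368,16 @@` hunk the new `del %INTERNAL_USERS_FILE%` and `rename %newfile% %INTERNAL_USERS_FILE%` use the path unquoted, and `rename` only accepts a bare file name as its second argument. Since `INTERNAL_USERS_FILE` is set to a full path elsewhere in the script, the rename is likely to fail after the original has already been deleted, leaving no users file at all. `Output.txt` is also created in whatever the current directory happens to be. I would redirect the loop to `"%INTERNAL_USERS_FILE%.tmp"` and replace the original in one step with `move /y "%INTERNAL_USERS_FILE%.tmp" "%INTERNAL_USERS_FILE%"`. The `for /f ... in (%INTERNAL_USERS_FILE%)` source needs `usebackq` and quotes for the same reason.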
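Review bot: In the `@@ -367,17 +367,19 @@` hunk the restored `type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_USERS_FILE%"` loop empties the users file before any replacement line has been written, so an interruption mid-loop leaves the security configuration truncated. `for /f` also skips empty lines, so blank lines in the YAML are dropped on rewrite. The added `move /y "%OUTPUT_FILE%" "%INTERNAL_USERS_FILE%"` refers to `OUTPUT_FILE`, whose `set` line the earlier "try to update file different way" commit removed, so unless it is set elsewhere the source expands to an empty string. The new `echo Replace is: !replace!` prints the admin password hash to the console. I would drop the `move` and the two `echo` lines and write to a temporary file that is moved over the original, instead of truncating in place.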
From 1a6094c7827e11535e1bbd67da5ea2d3c535cb35 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Mon, 25 Sep 2023 11:49:30 -0400 Subject: [PATCH 082/108] remove one level of quotes Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index fe4ecccda6..2bfd361bf8 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -363,10 +363,11 @@ if errorlevel 1 ( echo Clear the ADMIN_PASSWORD variable set "ADMIN_PASSWORD=" -set default_line=" hash: ""$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG""" +set default_line=" hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"" set "search=%default_line%" -set "replace=" hash: ""%HASHED_ADMIN_PASSWORD%""" +set "replace=" hash: "%HASHED_ADMIN_PASSWORD%"" + echo To find line is: !search! echo Replace is: !replace! From a0012ca1e2d023d2d00c892cf0fd128c94c29205 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Mon, 25 Sep 2023 11:57:10 -0400 Subject: [PATCH 083/108] try again Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 2bfd361bf8..f9a84fe374 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -363,10 +363,11 @@ if errorlevel 1 ( echo Clear the ADMIN_PASSWORD variable set "ADMIN_PASSWORD=" -set default_line=" hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"" +set "default_line= hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"" + set "search=%default_line%" -set "replace=" hash: "%HASHED_ADMIN_PASSWORD%"" +set "replace= hash: "%HASHED_ADMIN_PASSWORD%"" echo To find line is: !search! echo Replace is: !replace! 
From 79007c8ff35c41524e7778a7eb5b1329c88c94d8 Mon Sep 17 00:00:00 2001 From: Stephen Crawford Date: Mon, 25 Sep 2023 12:13:22 -0400 Subject: [PATCH 084/108] remove echos Signed-off-by: Stephen Crawford --- tools/install_demo_configuration.bat | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index f9a84fe374..b9b900c932 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
@@ -320,18 +320,11 @@ echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_a echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%" echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"] >> "%OPENSEARCH_CONF_FILE%" - setlocal enabledelayedexpansion set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\initialAdminPassword.txt" set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml" -echo Path is %cd% -echo Checking for password file in: %OPENSEARCH_CONF_DIR%opensearch-security\ -echo Content of security config dir is: %OPENSEARCH_CONF_DIR%opensearch-security\ -echo HEAD of password file is: -type "%ADMIN_PASSWORD_FILE%" - if "%initialAdminPassword%" NEQ "" ( set "ADMIN_PASSWORD=!initialAdminPassword!" ) else ( @@ -345,16 +338,11 @@ if not defined ADMIN_PASSWORD ( set "HASH_SCRIPT=%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat" -echo ADMIN PASSWORD SET TO: !ADMIN_PASSWORD! - REM Run the command and capture its output for /f %%a in ('%HASH_SCRIPT% -p !ADMIN_PASSWORD!') do ( set "HASHED_ADMIN_PASSWORD=%%a" ) -REM Display the value of the variable -echo HASHED_ADMIN_PASSWORD is !HASHED_ADMIN_PASSWORD! - if errorlevel 1 ( echo Failed to hash the admin password exit /b 1 
@@ -365,13 +353,9 @@ set "ADMIN_PASSWORD=" set "default_line= hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"" - set "search=%default_line%" set "replace= hash: "%HASHED_ADMIN_PASSWORD%"" -echo To find line is: !search! -echo Replace is: !replace! - setlocal enableextensions for /f "delims=" %%i in ('type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_USERS_FILE%" ') do ( set "line=%%i" @@ -380,12 +364,6 @@ for /f "delims=" %%i in ('type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_US endlocal ) - -move /y "%OUTPUT_FILE%" "%INTERNAL_USERS_FILE%" - -echo AFTER CHANGE: -type "%INTERNAL_USERS_FILE%" - :: network.host >nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && ( echo network.host already present From 1eec0c6f4193a26f06e4b860195923604e166192 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 20:14:07 +0000 Subject: [PATCH 085/108] Add deprecation warnings back to the top of hash tools Signed-off-by: Peter Nied --- tools/hash.bat | 5 +++++ tools/hash.sh | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/tools/hash.bat b/tools/hash.bat index a50611465c..fe5f57b823 100644 --- a/tools/hash.bat +++ b/tools/hash.bat @@ -1,6 +1,11 @@ @echo off set DIR=%~dp0 +echo "**************************************************************************" +echo "** This tool will be deprecated in the next major release of OpenSearch **" +echo "** https://github.com/opensearch-project/security/issues/1755 **" +echo "**************************************************************************" + if defined OPENSEARCH_JAVA_HOME ( set BIN_PATH="%OPENSEARCH_JAVA_HOME%\bin\java.exe" ) else if defined JAVA_HOME ( diff --git a/tools/hash.sh b/tools/hash.sh index c391232851..e4f92b4cdf 100755 --- a/tools/hash.sh +++ b/tools/hash.sh 
@@ -1,5 +1,10 @@ #!/bin/bash +echo "**************************************************************************" +echo "** This tool will be deprecated in the next major release of OpenSearch **" +echo "** https://github.com/opensearch-project/security/issues/1755 **" +echo "**************************************************************************" + SCRIPT_PATH="${BASH_SOURCE[0]}" if ! [ -x "$(command -v realpath)" ]; then if [ -L "$SCRIPT_PATH" ]; then From 6c093e3df61de6fa983ac87c574844727770d5e6 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 20:19:26 +0000 Subject: [PATCH 086/108] Clean up changes to the linux shell script Signed-off-by: Peter Nied --- tools/install_demo_configuration.sh | 25 +++++-------------------- 1 file changed, 5 insertions(+), 20 deletions(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index b1a4904263..1cf1bc4081 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -390,12 +390,6 @@ echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins- # Read the admin password from the file or use the initialAdminPassword if set ADMIN_PASSWORD_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt" -INTERNAL_USERS_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/internal_users.yml" - -echo "Path is $(pwd)" -echo "Checking for password file in: $OPENSEARCH_CONF_DIR/opensearch-security/" -echo "Content of security config dir is: $(ls "$OPENSEARCH_CONF_DIR/opensearch-security/")" -echo "HEAD of password file is: $(head "$ADMIN_PASSWORD_FILE")" if [[ -n "$initialAdminPassword" ]]; then ADMIN_PASSWORD="$initialAdminPassword" @@ -406,7 +400,7 @@ else exit 1 fi -echo "ADMIN PASSWORD SET TO: $ADMIN_PASSWORD" +echo " *** ADMIN PASSWORD SET TO: $ADMIN_PASSWORD ***" $SUDO_CMD chmod +x "$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh" 
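Review bot: The deprecation banner added at the top of tools/hash.sh goes to stdout, which is also where callers read the hash from: `HASHED_ADMIN_PASSWORD=$($OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh -p "$ADMIN_PASSWORD")` in install_demo_configuration.sh captures everything the script prints. With this change the captured value would begin with the four banner lines, so what gets substituted into internal_users.yml would no longer be a bare hash. Sending the banner to stderr keeps stdout machine-readable, e.g. `echo "** This tool will be deprecated in the next major release of OpenSearch **" >&2` for each of the four lines. The same banner in tools/hash.bat is consumed through `for /f %%a in ('%HASH_SCRIPT% -p ...')`, which keeps only the first token of the last line, so it looks less exposed but depends on the hash being printed last.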
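Review bot: The reworded `echo " *** ADMIN PASSWORD SET TO: $ADMIN_PASSWORD ***"` in the `@@ -406,7 +400,7 @@` hunk still writes the cleartext admin password to stdout, where it ends up in terminal scrollback, CI job logs and any captured installer output. The value comes from `initialAdminPassword` or the password file, so the operator already has it; naming the source is enough, e.g. `echo "Admin password set from initialAdminPassword or $ADMIN_PASSWORD_FILE"`. The next hunk of the same commit also removes `unset ADMIN_PASSWORD`, so the cleartext stays in the shell variable for the rest of the script; I would keep the `unset` directly after the hash has been computed.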
@@ -414,22 +408,14 @@ $SUDO_CMD chmod +x "$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh" HASHED_ADMIN_PASSWORD=$($OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh -p "$ADMIN_PASSWORD") if [ $? -ne 0 ]; then - echo "Failed to hash the admin password" + echo "Hash the admin password failure, see console for details" exit 1 fi -echo "HASHED PASSWORD SET TO: $HASHED_ADMIN_PASSWORD" - -# Clear the ADMIN_PASSWORD variable -unset ADMIN_PASSWORD - # Find the line number containing 'admin:' in the internal_users.yml file +INTERNAL_USERS_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/internal_users.yml" ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:) -echo "ADMIN TARGET FILE LINE SET TO: $ADMIN_HASH_LINE" - -echo "Before CHANGE: $(cat $INTERNAL_USERS_FILE)" - awk -v hashed_admin_password="$HASHED_ADMIN_PASSWORD" ' /^ *hash: *"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/ { sub(/"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/, "\"" hashed_admin_password "\""); @@ -437,9 +423,6 @@ awk -v hashed_admin_password="$HASHED_ADMIN_PASSWORD" ' { print } ' "$INTERNAL_USERS_FILE" > temp_file && mv temp_file "$INTERNAL_USERS_FILE" - -echo "AFTER CHANGE: $(cat $INTERNAL_USERS_FILE)" - #network.host if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then : #already present @@ -457,6 +440,8 @@ else echo 'node.max_local_storage_nodes: 3' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null fi + + echo "######## End OpenSearch Security Demo Configuration ########" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null $SUDO_CMD chmod +x "$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/securityadmin.sh" From 3839cdeeca38fef9e65e09e1592cb3d0f416a9c1 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 20:24:09 +0000 Subject: [PATCH 087/108] Clean up some of the win batch file 
Signed-off-by: Peter Nied --- tools/install_demo_configuration.bat | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index b9b900c932..de6e7aea76 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -323,7 +323,6 @@ echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-m setlocal enabledelayedexpansion set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\initialAdminPassword.txt" -set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml" if "%initialAdminPassword%" NEQ "" ( set "ADMIN_PASSWORD=!initialAdminPassword!" @@ -348,13 +347,10 @@ if errorlevel 1 ( exit /b 1 ) -echo Clear the ADMIN_PASSWORD variable -set "ADMIN_PASSWORD=" - set "default_line= hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"" - set "search=%default_line%" set "replace= hash: "%HASHED_ADMIN_PASSWORD%"" +set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml" setlocal enableextensions for /f "delims=" %%i in ('type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_USERS_FILE%" ') do ( From ac0a2a37c043c4a34167bec3c1b8824d303c3d05 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 20:28:10 +0000 Subject: [PATCH 088/108] Pass admin password as a parameter in start cluster action Signed-off-by: Peter Nied --- .../actions/start-opensearch-with-one-plugin/action.yml | 8 ++++++-- .github/workflows/plugin_install.yml | 4 +++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/actions/start-opensearch-with-one-plugin/action.yml b/.github/actions/start-opensearch-with-one-plugin/action.yml index 18566fb823..68243e9924 100644 --- a/.github/actions/start-opensearch-with-one-plugin/action.yml +++ b/.github/actions/start-opensearch-with-one-plugin/action.yml 
@@ -14,6 +14,10 @@ inputs: description: 'The name of the setup script you want to run i.e. "setup" (do not include file extension). Leave empty to indicate one should not be run.' required: false + admin-password: + description: 'The admin password uses for the cluster' + required: true + runs: using: "composite" steps: @@ -101,13 +105,13 @@ runs: # Verify that the server is operational - name: Check OpenSearch Running on Linux if: ${{ runner.os != 'Windows'}} - run: curl https://localhost:9200/_cat/plugins -u 'admin:installPassword' -k -v + run: curl https://localhost:9200/_cat/plugins -u 'admin:${{ inputs.admin-password }}' -k -v shell: bash - name: Check OpenSearch Running on Windows if: ${{ runner.os == 'Windows'}} run: | - $credentialBytes = [Text.Encoding]::ASCII.GetBytes("admin:installPassword") + $credentialBytes = [Text.Encoding]::ASCII.GetBytes("admin:${{ inputs.admin-password }}") $encodedCredentials = [Convert]::ToBase64String($credentialBytes) $baseCredentials = "Basic $encodedCredentials" $Headers = @{ Authorization = $baseCredentials } diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 6fd149aaef..125fd78555 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -5,6 +5,7 @@ on: [push, pull_request, workflow_dispatch] env: OPENSEARCH_VERSION: 3.0.0 PLUGIN_NAME: opensearch-security + CLUSTER_ADMIN_PASSWORD: ${RANDOM}${RANDOM} jobs: plugin-install: 
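Review bot: `${{ inputs.admin-password }}` is pasted into the script text of both check steps before the shell runs (`-u 'admin:${{ inputs.admin-password }}'` and the PowerShell `GetBytes("admin:${{ inputs.admin-password }}")`), so a value containing a quote or `$` changes the command instead of the credential. Passing it through the step environment keeps it as data: add `env:` with `ADMIN_PASSWORD: ${{ inputs.admin-password }}` to each step and use `-u "admin:$ADMIN_PASSWORD"` and `"admin:$($env:ADMIN_PASSWORD)"` respectively. Separately, `curl -v` prints the request headers, including the Basic `Authorization` value, into the job log; dropping `-v` avoids that. The `echo ${{ inputs.admin-password }} >> …initialAdminPassword.txt` steps added by later commits in this series follow the same pattern.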
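Review bot: Values under the workflow-level `env:` are plain strings and are not evaluated by a shell, so `CLUSTER_ADMIN_PASSWORD` in the plugin_install.yml hunk is the literal text `${RANDOM}${RANDOM}`. Whether that text is ever expanded depends on where it is pasted: the action's Linux check wraps it in single quotes (`-u 'admin:...'`), the Gradle `arguments:` value is presumably not run through a shell, and an unquoted bash use would draw a fresh number each time, so the consumers cannot agree on one password. Generating the value once in an early step and exporting it is more reliable, e.g. `echo "CLUSTER_ADMIN_PASSWORD=$(openssl rand -hex 16)" >> "$GITHUB_ENV"` in a step with `shell: bash`.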
@@ -59,9 +60,10 @@ jobs: opensearch-version: ${{ env.OPENSEARCH_VERSION }} plugin-name: ${{ env.PLUGIN_NAME }} setup-script-name: setup + admin-password: ${{ env.CLUSTER_ADMIN_PASSWORD }} - name: Run sanity tests uses: gradle/gradle-build-action@v2 with: cache-disabled: true - arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=installPassword + arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=${{ env.CLUSTER_ADMIN_PASSWORD }} From a5956d138e749732b8db6fa5831fc1c0517c26d3 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 20:37:22 +0000 Subject: [PATCH 089/108] Accept password from job input Signed-off-by: Peter Nied --- .github/workflows/plugin_install.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 125fd78555..6947dbc7c2 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -5,7 +5,7 @@ on: [push, pull_request, workflow_dispatch] env: OPENSEARCH_VERSION: 3.0.0 PLUGIN_NAME: opensearch-security - CLUSTER_ADMIN_PASSWORD: ${RANDOM}${RANDOM} + CLUSTER_ADMIN_PASSWORD: $((RANDOM)) jobs: plugin-install: @@ -41,7 +41,6 @@ jobs: if: ${{ runner.os == 'Linux' }} run: | cat > setup.sh <<'EOF' - echo installPassword >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh" EOF 
@@ -50,7 +49,6 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - Set-Content .\setup.bat -Value "powershell.exe echo installPassword >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt & ^ powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat @@ -66,4 +64,4 @@ jobs: uses: gradle/gradle-build-action@v2 with: cache-disabled: true - arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=${{ env.CLUSTER_ADMIN_PASSWORD }} + arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=${{ env.CLUSTER_ADMIN_PASSWORD }} -i From d6d71eca444ce091694bfbc4d7bbb9913362e73b Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 20:42:08 +0000 Subject: [PATCH 090/108] Create the password files in the action Signed-off-by: Peter Nied --- .github/actions/start-opensearch-with-one-plugin/action.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/actions/start-opensearch-with-one-plugin/action.yml b/.github/actions/start-opensearch-with-one-plugin/action.yml index 68243e9924..b0beed68ac 100644 --- a/.github/actions/start-opensearch-with-one-plugin/action.yml +++ b/.github/actions/start-opensearch-with-one-plugin/action.yml 
@@ -77,12 +77,15 @@ runs: run: | echo "running linux setup" chmod +x ./${{ inputs.setup-script-name }}.sh + echo ${{ inputs.admin-password }} >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt ./${{ inputs.setup-script-name }}.sh shell: bash - name: Run Setup Script for Windows if: ${{ runner.os == 'Windows' && inputs.setup-script-name != '' }} - run: .\${{ inputs.setup-script-name }}.bat + run: | + Set-Content .\setup.bat -Value "powershell.exe echo ${{ inputs.admin-password }} >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt & ^ + .\${{ inputs.setup-script-name }}.bat shell: pwsh # Run OpenSearch From 016cf09e1b5dba7fa39e77d10b309aae08dd1e30 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 20:44:20 +0000 Subject: [PATCH 091/108] Restore original file population Signed-off-by: Peter Nied --- .github/workflows/plugin_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 6947dbc7c2..115fb7caba 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -49,7 +49,7 @@ jobs: if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" + Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" Get-Content .\setup.bat - name: Run Opensearch with A Single Plugin From af5fd767a6d410cbed66d6faf5fbd51e89e99eed Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 20:49:21 +0000 Subject: [PATCH 092/108] Make sure CURL fails if there is a 400+ error code response 
Signed-off-by: Peter Nied --- .github/actions/start-opensearch-with-one-plugin/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/start-opensearch-with-one-plugin/action.yml b/.github/actions/start-opensearch-with-one-plugin/action.yml index b0beed68ac..4a8fc98d6c 100644 --- a/.github/actions/start-opensearch-with-one-plugin/action.yml +++ b/.github/actions/start-opensearch-with-one-plugin/action.yml @@ -108,7 +108,7 @@ runs: # Verify that the server is operational - name: Check OpenSearch Running on Linux if: ${{ runner.os != 'Windows'}} - run: curl https://localhost:9200/_cat/plugins -u 'admin:${{ inputs.admin-password }}' -k -v + run: curl https://localhost:9200/_cat/plugins -u 'admin:${{ inputs.admin-password }}' -k -v --fail-with-body shell: bash - name: Check OpenSearch Running on Windows From 03e5f1015862e57bb20ddad50617cacb21b07caa Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 20:52:34 +0000 Subject: [PATCH 093/108] Debug password isn't defined well Signed-off-by: Peter Nied --- .github/workflows/plugin_install.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 115fb7caba..bfbc84d1e5 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -6,6 +6,7 @@ env: OPENSEARCH_VERSION: 3.0.0 PLUGIN_NAME: opensearch-security CLUSTER_ADMIN_PASSWORD: $((RANDOM)) + CLUSTER_ADMIN_PASSWORD_2: $(RANDOM) jobs: plugin-install: @@ -17,6 +18,11 @@ jobs: runs-on: ${{ matrix.os }} steps: + - run: | + echo First time ${{ env.CLUSTER_ADMIN_PASSWORD }} + echo Second time ${{ env.CLUSTER_ADMIN_PASSWORD }} + echo Less random? ${{ env.CLUSTER_ADMIN_PASSWORD_2 }} + echo More random? ${{ env.CLUSTER_ADMIN_PASSWORD_2 }} - name: Set up JDK uses: actions/setup-java@v3 with: From 22b53d4b0a66661afedb117100b7621e275699bc Mon Sep 17 00:00:00 2001 
From: Peter Nied Date: Tue, 26 Sep 2023 20:56:50 +0000 Subject: [PATCH 094/108] Set the RNG value to another env so it doesn't change after use Signed-off-by: Peter Nied --- .github/workflows/plugin_install.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index bfbc84d1e5..994aaa1b90 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -5,8 +5,7 @@ on: [push, pull_request, workflow_dispatch] env: OPENSEARCH_VERSION: 3.0.0 PLUGIN_NAME: opensearch-security - CLUSTER_ADMIN_PASSWORD: $((RANDOM)) - CLUSTER_ADMIN_PASSWORD_2: $(RANDOM) + RNG: $((RANDOM)) jobs: plugin-install: @@ -18,11 +17,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - - run: | - echo First time ${{ env.CLUSTER_ADMIN_PASSWORD }} - echo Second time ${{ env.CLUSTER_ADMIN_PASSWORD }} - echo Less random? ${{ env.CLUSTER_ADMIN_PASSWORD_2 }} - echo More random? ${{ env.CLUSTER_ADMIN_PASSWORD_2 }} + - run: echo CLUSTER_ADMIN_PASSWORD=password-${{ env.RNG }} >> $GITHUB_ENV + - name: Set up JDK uses: actions/setup-java@v3 with: From 0f8e4c9c475b93a66ec7d6e65303fa823aedfb75 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 20:58:51 +0000 Subject: [PATCH 095/108] Fiix incomplete echo prompt to set the password Signed-off-by: Peter Nied --- .github/actions/start-opensearch-with-one-plugin/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/start-opensearch-with-one-plugin/action.yml b/.github/actions/start-opensearch-with-one-plugin/action.yml index 4a8fc98d6c..846a3579ac 100644 --- a/.github/actions/start-opensearch-with-one-plugin/action.yml +++ b/.github/actions/start-opensearch-with-one-plugin/action.yml 
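Review bot: The new `run: echo CLUSTER_ADMIN_PASSWORD=password-${{ env.RNG }} >> $GITHUB_ENV` step fixes the value for later steps, but `$((RANDOM))` yields a number between 0 and 32767, so the admin password is one of 32768 guessable strings, and nothing masks it in the job log. The step also has no `shell:` key while the job runs on `${{ matrix.os }}`; on a Windows runner the default shell is PowerShell, where `$((RANDOM))` and `$GITHUB_ENV` do not mean what they do in bash (the matrix itself is outside this hunk, so this is inferred from the Windows-only steps elsewhere in the workflow). A step that pins the shell, draws the value from a stronger source and masks it is sketched below; the `RNG` entry under `env:` then becomes unnecessary.

```yaml
      - name: Generate cluster admin password
        shell: bash
        run: |
          pw="$(openssl rand -hex 16)"
          echo "::add-mask::$pw"
          echo "CLUSTER_ADMIN_PASSWORD=$pw" >> "$GITHUB_ENV"
```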
@@ -77,14 +77,14 @@ runs: run: | echo "running linux setup" chmod +x ./${{ inputs.setup-script-name }}.sh - echo ${{ inputs.admin-password }} >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/initialAdminPassword.txt + echo ${{ inputs.admin-password }} >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/${{ env.PLUGIN_NAME }}/initialAdminPassword.txt ./${{ inputs.setup-script-name }}.sh shell: bash - name: Run Setup Script for Windows if: ${{ runner.os == 'Windows' && inputs.setup-script-name != '' }} run: | - Set-Content .\setup.bat -Value "powershell.exe echo ${{ inputs.admin-password }} >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt & ^ + echo ${{ inputs.admin-password }} >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt .\${{ inputs.setup-script-name }}.bat shell: pwsh From 3e4e8b0e8575bd688f2eec615dca9ab368f6ad41 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 21:10:36 +0000 Subject: [PATCH 096/108] Restore to main as much as possible Signed-off-by: Peter Nied --- .../start-opensearch-with-one-plugin/action.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/actions/start-opensearch-with-one-plugin/action.yml b/.github/actions/start-opensearch-with-one-plugin/action.yml index 846a3579ac..b795ae8f61 100644 --- a/.github/actions/start-opensearch-with-one-plugin/action.yml +++ b/.github/actions/start-opensearch-with-one-plugin/action.yml 
@@ -71,21 +71,23 @@ runs: 'y' | .\opensearch-${{ inputs.opensearch-version }}-SNAPSHOT\bin\opensearch-plugin.bat install file:$(pwd)\${{ inputs.plugin-name }}.zip shell: pwsh + - name: Write password to initialAdminPassword location + run: + echo ${{ inputs.admin-password }} >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/${{ env.PLUGIN_NAME }}/initialAdminPassword.txt + shell: bash + # Run any configuration scripts - name: Run Setup Script for Linux if: ${{ runner.os == 'Linux' && inputs.setup-script-name != '' }} run: | echo "running linux setup" chmod +x ./${{ inputs.setup-script-name }}.sh - echo ${{ inputs.admin-password }} >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/${{ env.PLUGIN_NAME }}/initialAdminPassword.txt ./${{ inputs.setup-script-name }}.sh shell: bash - name: Run Setup Script for Windows if: ${{ runner.os == 'Windows' && inputs.setup-script-name != '' }} - run: | - echo ${{ inputs.admin-password }} >> .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\config\${{ env.PLUGIN_NAME }}\initialAdminPassword.txt - .\${{ inputs.setup-script-name }}.bat + run: .\${{ inputs.setup-script-name }}.bat shell: pwsh # Run OpenSearch From ae34718b94168ce302fdcc57c0bd33f986864e84 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 21:13:22 +0000 Subject: [PATCH 097/108] Restore batch file as much as possible Signed-off-by: Peter Nied --- tools/install_demo_configuration.bat | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index de6e7aea76..d6e7f6bc4f 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
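Review bot: The new "Write password to initialAdminPassword location" step builds its path from `${{ env.OPENSEARCH_VERSION }}` and `${{ env.PLUGIN_NAME }}`, while the install step directly above it in the same composite action uses `${{ inputs.opensearch-version }}` and `${{ inputs.plugin-name }}`. The action therefore only works when the calling workflow happens to define those two environment variables with matching values. Using the inputs keeps it self-contained: `./opensearch-${{ inputs.opensearch-version }}-SNAPSHOT/config/${{ inputs.plugin-name }}/initialAdminPassword.txt`. The step also appends with `>>`, so a file left over from an earlier run would keep its old first line; `>` makes the content unambiguous.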
@@ -323,6 +323,7 @@ echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-m setlocal enabledelayedexpansion set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\initialAdminPassword.txt" +set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml" if "%initialAdminPassword%" NEQ "" ( set "ADMIN_PASSWORD=!initialAdminPassword!" @@ -335,6 +336,8 @@ if not defined ADMIN_PASSWORD ( exit /b 1 ) +echo " *** ADMIN PASSWORD SET TO: $ADMIN_PASSWORD ***" + set "HASH_SCRIPT=%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat" REM Run the command and capture its output @@ -347,10 +350,13 @@ if errorlevel 1 ( exit /b 1 ) +echo Clear the ADMIN_PASSWORD variable +set "ADMIN_PASSWORD=" + set "default_line= hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"" + set "search=%default_line%" set "replace= hash: "%HASHED_ADMIN_PASSWORD%"" -set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml" setlocal enableextensions for /f "delims=" %%i in ('type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_USERS_FILE%" ') do ( From 633c020c54f1dd455e39fc05327fdef2d43fb62c Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 21:18:18 +0000 Subject: [PATCH 098/108] Shell script revert as much as possible Signed-off-by: Peter Nied --- tools/install_demo_configuration.sh | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 1cf1bc4081..670e03b52a 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh 
@@ -388,8 +388,14 @@ echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_ echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -# Read the admin password from the file or use the initialAdminPassword if set +## Read the admin password from the file or use the initialAdminPassword if set ADMIN_PASSWORD_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt" +INTERNAL_USERS_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/internal_users.yml" + +echo "Path is $(pwd)" +echo "Checking for password file in: $OPENSEARCH_CONF_DIR/opensearch-security/" +echo "Content of security config dir is: $(ls "$OPENSEARCH_CONF_DIR/opensearch-security/")" +echo "HEAD of password file is: $(head "$ADMIN_PASSWORD_FILE")" if [[ -n "$initialAdminPassword" ]]; then ADMIN_PASSWORD="$initialAdminPassword" 
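Review bot: The restored `echo "HEAD of password file is: $(head "$ADMIN_PASSWORD_FILE")"` prints the cleartext contents of the admin password file to stdout, and the directory listing above it is equally debug-only. The two following hunks of this commit bring back `echo "HASHED PASSWORD SET TO: $HASHED_ADMIN_PASSWORD"` and the `Before CHANGE` / `AFTER CHANGE` lines that `cat` the whole of internal_users.yml, i.e. every account's password hash, into the installer output. None of these are needed for the substitution to work; I would leave them out, or gate them behind an explicit debug switch that defaults to off. `$(cat $INTERNAL_USERS_FILE)` is also unquoted, so a configuration path containing spaces would break it.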
@@ -412,10 +418,18 @@ if [ $? -ne 0 ]; then exit 1 fi +echo "HASHED PASSWORD SET TO: $HASHED_ADMIN_PASSWORD" + +# Clear the ADMIN_PASSWORD variable +unset ADMIN_PASSWORD + # Find the line number containing 'admin:' in the internal_users.yml file -INTERNAL_USERS_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/internal_users.yml" ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:) +echo "ADMIN TARGET FILE LINE SET TO: $ADMIN_HASH_LINE" + +echo "Before CHANGE: $(cat $INTERNAL_USERS_FILE)" + awk -v hashed_admin_password="$HASHED_ADMIN_PASSWORD" ' /^ *hash: *"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/ { sub(/"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/, "\"" hashed_admin_password "\""); @@ -423,6 +437,9 @@ awk -v hashed_admin_password="$HASHED_ADMIN_PASSWORD" ' { print } ' "$INTERNAL_USERS_FILE" > temp_file && mv temp_file "$INTERNAL_USERS_FILE" + +echo "AFTER CHANGE: $(cat $INTERNAL_USERS_FILE)" + #network.host if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then : #already present From 3bba55ae254f8d6714094638beb81e5273d49af5 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 21:21:17 +0000 Subject: [PATCH 099/108] Revert "Restore batch file as much as possible" This reverts commit ae34718b94168ce302fdcc57c0bd33f986864e84. Signed-off-by: Peter Nied --- tools/install_demo_configuration.bat | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index d6e7f6bc4f..de6e7aea76 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
@@ -323,7 +323,6 @@ echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-m setlocal enabledelayedexpansion set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\initialAdminPassword.txt" -set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml" if "%initialAdminPassword%" NEQ "" ( set "ADMIN_PASSWORD=!initialAdminPassword!" @@ -336,8 +335,6 @@ if not defined ADMIN_PASSWORD ( exit /b 1 ) -echo " *** ADMIN PASSWORD SET TO: $ADMIN_PASSWORD ***" - set "HASH_SCRIPT=%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat" REM Run the command and capture its output @@ -350,13 +347,10 @@ if errorlevel 1 ( exit /b 1 ) -echo Clear the ADMIN_PASSWORD variable -set "ADMIN_PASSWORD=" - set "default_line= hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"" - set "search=%default_line%" set "replace= hash: "%HASHED_ADMIN_PASSWORD%"" +set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml" setlocal enableextensions for /f "delims=" %%i in ('type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_USERS_FILE%" ') do ( From 6feb4c3ea94c175527bd8cae834ff66641aa0c36 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 21:25:14 +0000 Subject: [PATCH 100/108] Fix mixed locations of the password file Signed-off-by: Peter Nied --- .github/actions/start-opensearch-with-one-plugin/action.yml | 2 +- tools/install_demo_configuration.bat | 6 +++--- tools/install_demo_configuration.sh | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/actions/start-opensearch-with-one-plugin/action.yml b/.github/actions/start-opensearch-with-one-plugin/action.yml index b795ae8f61..642264f4ec 100644 --- a/.github/actions/start-opensearch-with-one-plugin/action.yml +++ b/.github/actions/start-opensearch-with-one-plugin/action.yml 
@@ -73,7 +73,7 @@ runs: - name: Write password to initialAdminPassword location run: - echo ${{ inputs.admin-password }} >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/${{ env.PLUGIN_NAME }}/initialAdminPassword.txt + echo ${{ inputs.admin-password }} >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/initialAdminPassword.txt shell: bash # Run any configuration scripts diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index de6e7aea76..7e4683a963 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -322,7 +322,8 @@ echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-m setlocal enabledelayedexpansion -set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\initialAdminPassword.txt" +set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%\initialAdminPassword.txt" +set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml" if "%initialAdminPassword%" NEQ "" ( set "ADMIN_PASSWORD=!initialAdminPassword!" @@ -331,7 +332,7 @@ if "%initialAdminPassword%" NEQ "" ( ) if not defined ADMIN_PASSWORD ( - echo Unable to find the admin password for the cluster. Please set initialAdminPassword or create a file {OPENSEARCH_ROOT}\config\initialAdminPassword.txt with a single line that contains the password. + echo Unable to find the admin password for the cluster. Please set initialAdminPassword or create a file %ADMIN_PASSWORD_FILE% with a single line that contains the password. exit /b 1 ) @@ -350,7 +351,6 @@ if errorlevel 1 ( set "default_line= hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"" set "search=%default_line%" set "replace= hash: "%HASHED_ADMIN_PASSWORD%"" -set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml" setlocal enableextensions for /f "delims=" %%i in ('type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_USERS_FILE%" ') do ( 
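Review bot: On the changed `echo ${{ inputs.admin-password }} >> …/config/initialAdminPassword.txt` line the input is expanded into the script text before bash runs it, so a value containing spaces, quotes or shell metacharacters is interpreted by the shell instead of being written verbatim. Passing it through the step's `env:` (`ADMIN_PASSWORD: ${{ inputs.admin-password }}`) and writing it with `printf '%s\n' "$ADMIN_PASSWORD" > <same path>` avoids that. Using `>` rather than `>>` also matters, because install_demo_configuration.sh reads only the first line of the file (`head -n 1`), so an append onto an existing file would leave an older password in effect. The same line is restored unchanged in PATCH 105.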
diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 670e03b52a..2efae09a31 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -389,7 +389,7 @@ echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSE echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null ## Read the admin password from the file or use the initialAdminPassword if set -ADMIN_PASSWORD_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/initialAdminPassword.txt" +ADMIN_PASSWORD_FILE="$OPENSEARCH_CONF_DIR/initialAdminPassword.txt" INTERNAL_USERS_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/internal_users.yml" echo "Path is $(pwd)" 
@@ -402,7 +402,7 @@ if [[ -n "$initialAdminPassword" ]]; then elif [[ -f "$ADMIN_PASSWORD_FILE" && -s "$ADMIN_PASSWORD_FILE" ]]; then ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE") else - echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file {OPENSEARCH_ROOT}/config/initialAdminPassword.txt with a single line that contains the password." + echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file $ADMIN_PASSWORD_FILE with a single line that contains the password." exit 1 fi From 5147d23f3cbb8daa3315458ba9983a10024a69e1 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 21:49:57 +0000 Subject: [PATCH 101/108] Make sure to tail output from hasher to ignore deprecation message Signed-off-by: Peter Nied --- tools/install_demo_configuration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 2efae09a31..345c22d929 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -411,7 +411,7 @@ echo " *** ADMIN PASSWORD SET TO: $ADMIN_PASSWORD ***" $SUDO_CMD chmod +x "$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh" # Use the Hasher script to hash the admin password -HASHED_ADMIN_PASSWORD=$($OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh -p "$ADMIN_PASSWORD") +HASHED_ADMIN_PASSWORD=$($OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh -p "$ADMIN_PASSWORD" | tail -n 1) if [ $? -ne 0 ]; then echo "Hash the admin password failure, see console for details" From b70a2c00abd6ac0443f22cdb28c14ef81eed7f92 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 21:51:51 +0000 Subject: [PATCH 102/108] Add debug log for config directory Signed-off-by: Peter Nied --- tools/install_demo_configuration.bat | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
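Review bot: With `| tail -n 1` appended to the `HASHED_ADMIN_PASSWORD=` assignment (PATCH 101), the `$?` tested by the following `if [ $? -ne 0 ]` is the exit status of `tail`, not of hash.sh, so a failed hash no longer stops the script unless `pipefail` is set, which is not visible in this hunk. In that case the last line of whatever hash.sh printed would presumably be written into internal_users.yml as the admin hash. Capture the output first with `HASH_OUTPUT=$("$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh" -p "$ADMIN_PASSWORD")`, keep the existing `$?` check directly after it, and only then trim with `HASHED_ADMIN_PASSWORD=$(printf '%s\n' "$HASH_OUTPUT" | tail -n 1)`.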
diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 7e4683a963..8500bff260 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -322,9 +322,12 @@ echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-m setlocal enabledelayedexpansion -set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%\initialAdminPassword.txt" +set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%initialAdminPassword.txt" set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml" +echo "what is in the config directory" +dir %OPENSEARCH_CONF_DIR% + if "%initialAdminPassword%" NEQ "" ( set "ADMIN_PASSWORD=!initialAdminPassword!" ) else ( From b94943fa862826ecd4d4e348e6351d2cbbdcfd3e Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 22:02:56 +0000 Subject: [PATCH 103/108] Narrow in on the password file issue in windows Signed-off-by: Peter Nied --- tools/install_demo_configuration.bat | 8 ++++++++ tools/install_demo_configuration.sh | 19 ++----------------- 2 files changed, 10 insertions(+), 17 deletions(-) diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index 8500bff260..19d04cb495 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -328,6 +328,10 @@ set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users echo "what is in the config directory" dir %OPENSEARCH_CONF_DIR% +echo "what is in the password file" +type "%ADMIN_PASSWORD_FILE%" + + if "%initialAdminPassword%" NEQ "" ( set "ADMIN_PASSWORD=!initialAdminPassword!" ) else ( 
@@ -339,6 +343,10 @@ if not defined ADMIN_PASSWORD ( exit /b 1 ) +echo " ***************************************************" +echo " *** ADMIN PASSWORD SET TO: %ADMIN_PASSWORD% ***" +echo " ***************************************************" + set "HASH_SCRIPT=%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat" REM Run the command and capture its output diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 345c22d929..5ed5e154c8 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -392,11 +392,6 @@ echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins- ADMIN_PASSWORD_FILE="$OPENSEARCH_CONF_DIR/initialAdminPassword.txt" INTERNAL_USERS_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/internal_users.yml" -echo "Path is $(pwd)" -echo "Checking for password file in: $OPENSEARCH_CONF_DIR/opensearch-security/" -echo "Content of security config dir is: $(ls "$OPENSEARCH_CONF_DIR/opensearch-security/")" -echo "HEAD of password file is: $(head "$ADMIN_PASSWORD_FILE")" - if [[ -n "$initialAdminPassword" ]]; then ADMIN_PASSWORD="$initialAdminPassword" elif [[ -f "$ADMIN_PASSWORD_FILE" && -s "$ADMIN_PASSWORD_FILE" ]]; then @@ -406,7 +401,9 @@ else exit 1 fi +echo " ***************************************************" echo " *** ADMIN PASSWORD SET TO: $ADMIN_PASSWORD ***" +echo " ***************************************************" $SUDO_CMD chmod +x "$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh" 
@@ -418,18 +415,9 @@ if [ $? -ne 0 ]; then exit 1 fi -echo "HASHED PASSWORD SET TO: $HASHED_ADMIN_PASSWORD" - -# Clear the ADMIN_PASSWORD variable -unset ADMIN_PASSWORD - # Find the line number containing 'admin:' in the internal_users.yml file ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:) -echo "ADMIN TARGET FILE LINE SET TO: $ADMIN_HASH_LINE" - -echo "Before CHANGE: $(cat $INTERNAL_USERS_FILE)" - awk -v hashed_admin_password="$HASHED_ADMIN_PASSWORD" ' /^ *hash: *"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/ { sub(/"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/, "\"" hashed_admin_password "\""); @@ -437,9 +425,6 @@ awk -v hashed_admin_password="$HASHED_ADMIN_PASSWORD" ' { print } ' "$INTERNAL_USERS_FILE" > temp_file && mv temp_file "$INTERNAL_USERS_FILE" - -echo "AFTER CHANGE: $(cat $INTERNAL_USERS_FILE)" - #network.host if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then : #already present From 91949ca6181436338120c5dfb393c630856a2150 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 20:03:33 -0500 Subject: [PATCH 104/108] Use action to save file to the filesystem Signed-off-by: Peter Nied --- .../actions/start-opensearch-with-one-plugin/action.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/actions/start-opensearch-with-one-plugin/action.yml b/.github/actions/start-opensearch-with-one-plugin/action.yml index 642264f4ec..f651c252fc 100644 --- a/.github/actions/start-opensearch-with-one-plugin/action.yml +++ b/.github/actions/start-opensearch-with-one-plugin/action.yml 
@@ -71,10 +71,10 @@ runs: 'y' | .\opensearch-${{ inputs.opensearch-version }}-SNAPSHOT\bin\opensearch-plugin.bat install file:$(pwd)\${{ inputs.plugin-name }}.zip shell: pwsh - - name: Write password to initialAdminPassword location - run: - echo ${{ inputs.admin-password }} >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/initialAdminPassword.txt - shell: bash + - uses: DamianReeves/write-file-action@v1.2 + with: + path: ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/initialAdminPassword.txt + contents: ${{ inputs.admin-password }} # Run any configuration scripts - name: Run Setup Script for Linux From 15811489b5967818b22fbbb9172304f2425b3eb2 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 20:44:49 -0500 Subject: [PATCH 105/108] Use functional RNG on windows Signed-off-by: Peter Nied --- .../actions/start-opensearch-with-one-plugin/action.yml | 8 ++++---- .github/workflows/plugin_install.yml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/actions/start-opensearch-with-one-plugin/action.yml b/.github/actions/start-opensearch-with-one-plugin/action.yml index f651c252fc..642264f4ec 100644 --- a/.github/actions/start-opensearch-with-one-plugin/action.yml +++ b/.github/actions/start-opensearch-with-one-plugin/action.yml @@ -71,10 +71,10 @@ runs: 'y' | .\opensearch-${{ inputs.opensearch-version }}-SNAPSHOT\bin\opensearch-plugin.bat install file:$(pwd)\${{ inputs.plugin-name }}.zip shell: pwsh - - uses: DamianReeves/write-file-action@v1.2 - with: - path: ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/initialAdminPassword.txt - contents: ${{ inputs.admin-password }} + - name: Write password to initialAdminPassword location + run: + echo ${{ inputs.admin-password }} >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/initialAdminPassword.txt + shell: bash # Run any configuration scripts - name: Run Setup Script for Linux 
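Review bot: `DamianReeves/write-file-action@v1.2` (PATCH 104) is a third-party action referenced by a tag, and this step hands it the admin password in `contents`. A tag can later be moved to different code, so an action that sees a credential is better pinned to a full commit SHA, e.g. `uses: DamianReeves/write-file-action@<full-commit-sha> # v1.2`. The same applies to `TGPSKI/name-generator-node-action@v2` in PATCH 105 and to `peternied/random-name@v1` in PATCH 108, where the change replaces the full-SHA pin from PATCH 107 with a tag again.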
diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 994aaa1b90..9ead50ad4c 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -5,7 +5,6 @@ on: [push, pull_request, workflow_dispatch] env: OPENSEARCH_VERSION: 3.0.0 PLUGIN_NAME: opensearch-security - RNG: $((RANDOM)) jobs: plugin-install: @@ -17,7 +16,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - - run: echo CLUSTER_ADMIN_PASSWORD=password-${{ env.RNG }} >> $GITHUB_ENV + - id: random-password + uses: TGPSKI/name-generator-node-action@v2 - name: Set up JDK uses: actions/setup-java@v3 @@ -60,10 +60,10 @@ jobs: opensearch-version: ${{ env.OPENSEARCH_VERSION }} plugin-name: ${{ env.PLUGIN_NAME }} setup-script-name: setup - admin-password: ${{ env.CLUSTER_ADMIN_PASSWORD }} + admin-password: ${{ steps.random-password.outputs.name }} - name: Run sanity tests uses: gradle/gradle-build-action@v2 with: cache-disabled: true - arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=${{ env.CLUSTER_ADMIN_PASSWORD }} -i + arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=${{ steps.random-password.outputs.name }} -i From bef523edf8f052c27a1ef3951de9cf3b0f02d0d7 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 21:06:01 -0500 Subject: [PATCH 106/108] Use fixed version of the password generation tool Signed-off-by: Peter Nied --- .github/workflows/plugin_install.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 9ead50ad4c..814b286cb6 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml 
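Review bot: In the `admin-password:` and `-Dpassword=` lines of the last hunk the password is a plain step output, which GitHub Actions does not mask the way it masks secrets, so the value is shown in clear text in the step's `with:` inputs and anywhere the setup script or Gradle echoes it. Registering it right after the `random-password` step with the `::add-mask::` workflow command (value passed through `env:`, e.g. `run: echo "::add-mask::$GENERATED"`) keeps it out of the log. PATCH 106 changes only the output name on these lines, so the point carries over.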
@@ -17,7 +17,7 @@ jobs: steps: - id: random-password - uses: TGPSKI/name-generator-node-action@v2 + uses: peternied/name-generator-node-action@bf5cd5e - name: Set up JDK uses: actions/setup-java@v3 @@ -60,10 +60,10 @@ jobs: opensearch-version: ${{ env.OPENSEARCH_VERSION }} plugin-name: ${{ env.PLUGIN_NAME }} setup-script-name: setup - admin-password: ${{ steps.random-password.outputs.name }} + admin-password: ${{ steps.random-password.outputs.generated_name }} - name: Run sanity tests uses: gradle/gradle-build-action@v2 with: cache-disabled: true - arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=${{ steps.random-password.outputs.name }} -i + arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=${{ steps.random-password.outputs.generated_name }} -i From 917d7af887877c32d31435936c42ca8ce318ba50 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 21:06:55 -0500 Subject: [PATCH 107/108] Use full commit sha Signed-off-by: Peter Nied --- .github/workflows/plugin_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 814b286cb6..c8bb49487d 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -17,7 +17,7 @@ jobs: steps: - id: random-password - uses: peternied/name-generator-node-action@bf5cd5e + uses: peternied/name-generator-node-action@bf5cd5e4e4a9094a8032557b1dd8d8d960bcd1ec - name: Set up JDK uses: actions/setup-java@v3 From d2a6de26bad300b3c8d1a6bcba290440fe74dee7 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 26 Sep 2023 21:30:23 -0500 Subject: [PATCH 108/108] Switch to published version of the name generator 
Signed-off-by: Peter Nied --- .github/workflows/plugin_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index c8bb49487d..39901689be 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -17,7 +17,7 @@ jobs: steps: - id: random-password - uses: peternied/name-generator-node-action@bf5cd5e4e4a9094a8032557b1dd8d8d960bcd1ec + uses: peternied/random-name@v1 - name: Set up JDK uses: actions/setup-java@v3