Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Addresses changes made to security demo config install tool #214

Merged
merged 6 commits into from
Jan 20, 2024

Conversation

DarshitChanpura
Copy link
Member

Description

There were recent changes to security demo configuration setup which now requires a custom admin Password to be setup. This PR updates the documentation and related code change.

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed as per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Copy link

codecov bot commented Dec 15, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (6dcd996) 83.30% compared to head (a5da908) 83.30%.

Additional details and impacted files
@@            Coverage Diff            @@
##               main     #214   +/-   ##
=========================================
  Coverage     83.30%   83.30%           
  Complexity      337      337           
=========================================
  Files            43       43           
  Lines          1270     1270           
  Branches        155      155           
=========================================
  Hits           1058     1058           
  Misses          134      134           
  Partials         78       78           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@msfroh
Copy link
Collaborator

msfroh commented Dec 15, 2023

Thanks @DarshitChanpura!

Before we merge this, I'm going to make some changes to update the quickstart scripts to actually use newer versions of OpenSearch. (Currently, the Kendra one still downloads OpenSearch 2.7 and the Personalize one downloads 2.9.)

Copy link

@derek-ho derek-ho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@DarshitChanpura
Copy link
Member Author

DarshitChanpura commented Jan 17, 2024

@msfroh @macohen @macohen @noCharger @mingshl @sejli Can one of the maintainers take a look at the failing CI and help bring this to closure?

if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then
OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin"
else
OPENSEARCH_INITIAL_ADMIN_PASSWORD="myStrongPassword123!"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than hard-coding, we should probably take the admin password as a command-line arg.

@DarshitChanpura -- did earlier versions support the OPENSEARCH_INITIAL_ADMIN_PASSWORD env var? Or does that change come in 2.12?

I'm wondering if it makes sense to change the scripts to require the initial admin password for all versions, where it will be required for 2.12 and a good idea for earlier versions.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than hard-coding, we should probably take the admin password as a command-line arg.

Starting 2.12 a custom strong password is required.

@DarshitChanpura -- did earlier versions support the OPENSEARCH_INITIAL_ADMIN_PASSWORD env var? Or does that change come in 2.12?

This change is introduced in 2.12 and will be present for all versions 2.12 and above

I'm wondering if it makes sense to change the scripts to require the initial admin password for all versions, where it will be required for 2.12 and a good idea for earlier versions.

That might be your design decision as a maintainer. Since the admin password is required only for 2.12 and above, IMO we can keep a version check in place and require it only for >= 2.12

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't answer my question. Allow me to rephrase:

Is it POSSIBLE to set the admin password in docker-compose.yml before 2.12?

If so, I will change the script to always require a custom password, for all versions, since it's a good idea.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it POSSIBLE to set the admin password in docker-compose.yml before 2.12?

You can set the env variable OPENSEARCH_INITIAL_ADMIN_PASSWORD in the docker-compose.yml. This value will only be picked up for 2.12 and above

You, can change the script to have a default strong password, and then based on the version it will be picked.

Does that answer your query?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, thank you.

In that case, it does make more sense to accept and enforce it for version 2.12 and higher only, because requiring the parameter on earlier versions and then ignoring it (leaving the default password as admin) would be a terrible user experience.

In fact, we should reject the parameter (or at least output a warning that it's being ignored) if the version is pre-2.12.

I'll make those changes to the script.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Made those changes and pushed the commit to this PR.

@DarshitChanpura, please let me know what you think. Thanks!

DarshitChanpura and others added 2 commits January 18, 2024 11:22
For earlier versions, emit a warning if an admin password is specified
on the command line, since it will be ignored.

Signed-off-by: Michael Froh <[email protected]>
Copy link
Member Author

@DarshitChanpura DarshitChanpura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Copy link
Collaborator

@noCharger noCharger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@msfroh msfroh merged commit c31475e into opensearch-project:main Jan 20, 2024
21 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jan 20, 2024
Require password as an argument on 2.12 and higher

For earlier versions, emit a warning if an admin password is specified
on the command line, since it will be ignored.

---------

Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Michael Froh <[email protected]>
Co-authored-by: Michael Froh <[email protected]>
(cherry picked from commit c31475e)
@opensearch-trigger-bot
Copy link

The backport to 2.12 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.12 2.12
# Navigate to the new working tree
cd .worktrees/backport-2.12
# Create a new branch
git switch --create backport/backport-214-to-2.12
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 c31475e5465fdce80c7c9b86519a4d8d0141c06b
# Push it to GitHub
git push --set-upstream origin backport/backport-214-to-2.12
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.12

Then, create a pull request where the base branch is 2.12 and the compare/head branch is backport/backport-214-to-2.12.

@msfroh
Copy link
Collaborator

msfroh commented Jan 20, 2024

The backport to 2.12 failed:

That makes sense, since we haven't cut a 2.12 branch yet -- it will get cut from 2.x.

I'm just going to remove the backport-2.12 label.

sejli added a commit that referenced this pull request Mar 2, 2024
)

Require password as an argument on 2.12 and higher

For earlier versions, emit a warning if an admin password is specified
on the command line, since it will be ignored.

---------

Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Michael Froh <[email protected]>
Co-authored-by: Michael Froh <[email protected]>
(cherry picked from commit c31475e)

Co-authored-by: Darshit Chanpura <[email protected]>
Co-authored-by: Sean Li <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 2.x Backport to 2.x branch v2.12.0
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

4 participants