Addresses changes made to security demo config install tool #214

Merged
merged 6 commits into from
Jan 20, 2024
Changes from 4 commits
17 changes: 14 additions & 3 deletions helpers/personalized_search_ranking_quickstart.sh
Expand Up @@ -252,6 +252,16 @@ if [ -n "${VOLUME_NAME:-}" ]; then
external: true"
fi
echo "Volume created"

# Starting in 2.12.0, security demo configuration script requires an initial admin password
OPENSEARCH_REQUIRED_VERSION="2.12.0"
COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1`
if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then
OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin"
else
OPENSEARCH_INITIAL_ADMIN_PASSWORD="myStrongPassword123!"
Collaborator

Rather than hard-coding, we should probably take the admin password as a command-line arg.

@DarshitChanpura -- did earlier versions support the OPENSEARCH_INITIAL_ADMIN_PASSWORD env var? Or does that change come in 2.12?

I'm wondering if it makes sense to change the scripts to require the initial admin password for all versions, where it will be required for 2.12 and a good idea for earlier versions.

Member Author

> Rather than hard-coding, we should probably take the admin password as a command-line arg.

Starting in 2.12, a custom strong password is required.

> @DarshitChanpura -- did earlier versions support the OPENSEARCH_INITIAL_ADMIN_PASSWORD env var? Or does that change come in 2.12?

This change is introduced in 2.12 and will be present for all versions 2.12 and above.

> I'm wondering if it makes sense to change the scripts to require the initial admin password for all versions, where it will be required for 2.12 and a good idea for earlier versions.

That might be your design decision as a maintainer. Since the admin password is required only for 2.12 and above, IMO we can keep a version check in place and require it only for >= 2.12.

Collaborator

This doesn't answer my question. Allow me to rephrase:

Is it POSSIBLE to set the admin password in docker-compose.yml before 2.12?

If so, I will change the script to always require a custom password, for all versions, since it's a good idea.

Member Author

> Is it POSSIBLE to set the admin password in docker-compose.yml before 2.12?

You can set the env variable OPENSEARCH_INITIAL_ADMIN_PASSWORD in the docker-compose.yml. This value will only be picked up for 2.12 and above.

You can change the script to have a default strong password, and then based on the version it will be picked.

Does that answer your query?

Collaborator

Yes, thank you.

In that case, it does make more sense to accept and enforce it for version 2.12 and higher only, because requiring the parameter on earlier versions and then ignoring it (leaving the default password as admin) would be a terrible user experience.

In fact, we should reject the parameter (or at least output a warning that it's being ignored) if the version is pre-2.12.

I'll make those changes to the script.

Collaborator

Made those changes and pushed the commit to this PR.

@DarshitChanpura, please let me know what you think. Thanks!
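
The behaviour this thread settles on (require the password for 2.12 and higher, warn and fall back to `admin` below that), sketched as an added example that is not part of the PR or the project's scripts. `version_ge` and `resolve_admin_password` are hypothetical names, and rejecting non-numeric versions is an assumption.

```sh
# Added example, not code from this PR. Function names are hypothetical.

# version_ge A B: succeed when dotted version A >= B, comparing fields
# numerically so that 2.4 < 2.12 (a plain string compare gets this wrong).
version_ge() {
  _a=$1 _b=$2
  for _i in 1 2 3; do
    _x=${_a%%.*}; _y=${_b%%.*}
    _x=${_x%%[!0-9]*}; _y=${_y%%[!0-9]*}   # drop suffixes such as -SNAPSHOT
    [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
    [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    case $_a in *.*) _a=${_a#*.} ;; *) _a=0 ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b=0 ;; esac
  done
  return 0
}

# resolve_admin_password VERSION [PASSWORD]
# Prints the admin password the node will end up with; returns 2 on bad input.
resolve_admin_password() {
  _version=$1 _password=${2:-}
  case $_version in
    [0-9]*) ;;
    *) echo "error: numeric OpenSearch version required" >&2; return 2 ;;
  esac
  if version_ge "$_version" "2.12.0"; then
    if [ -z "$_password" ]; then
      echo "error: $_version needs an initial admin password" >&2
      return 2
    fi
    printf '%s\n' "$_password"
  else
    # Per the thread, pre-2.12 ignores the variable and keeps admin.
    [ -n "$_password" ] &&
      echo "warning: $_version ignores the supplied password" >&2
    printf '%s\n' "admin"
  fi
}

# Constructed demo values: prints "admin" and a warning on stderr.
resolve_admin_password "2.11.0" "constructed-Example-Pw1"
```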

fi

#
# Create a docker-compose.yml file that will launch an OpenSearch node with the image we
# just built and an OpenSearch Dashboards node that points to the OpenSearch node.
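
Review bot: The version check on the `COMPARE_VERSION=` line expands `$OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION` unquoted and relies on `sort -V`, which is not part of POSIX sort; if `OPENSEARCH_VERSION` is ever empty, the blank line sorts first and the script silently takes the pre-2.12 branch with the password `admin`. Suggest checking that `OPENSEARCH_VERSION` is non-empty before the comparison, using `$(...)` with quoted arguments passed through `printf '%s\n'`, and dropping `uniq`, which `head -n 1` makes unnecessary. The `else` branch also bakes `myStrongPassword123!` into every 2.12+ install, so the value is public as soon as the script is published; it should come from the caller instead.
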
Expand All @@ -269,6 +279,7 @@ services:
- cluster.name=opensearch-cluster
- node.name=opensearch-node
- discovery.type=single-node
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
ulimits:
memlock:
soft: -1
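
Review bot: The new `- OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}` entry is emitted for every version, including the pre-2.12 branch where the script has just set the value to `admin` and, per the discussion on this PR, the variable is not picked up. Suggest adding the line only when the version check selects 2.12 or higher, or putting a comment beside it saying it has no effect on earlier images. If the value is expanded when docker-compose.yml is written, the file then holds the admin password in clear text and should be created with restrictive permissions.
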
Expand Down Expand Up @@ -329,8 +340,8 @@ cat >README <<EOF
OpenSearch container launched, listening on port 9200.
OpenSearch Dashboards container launched, listening on port 5601.

Interact with OpenSearch using curl by authenticating as admin:admin like:
curl -ku "admin:admin" https://localhost:9200/
Interact with OpenSearch using curl by authenticating as admin like:
curl -ku "admin:<admin-password>" https://localhost:9200/

Index some data on OpenSearch by following instructions at
https://opensearch.org/docs/latest/opensearch/index-data/
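
Review bot: The README text now shows `admin:<admin-password>`, but nothing in this hunk tells the reader what that password is, even though the script has already chosen it (`admin` before 2.12, the fixed string otherwise). Suggest adding a README line that says where the password comes from, and for pre-2.12 installs keeping the concrete `admin:admin` example, since that is still the working credential there.
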
Expand All @@ -343,7 +354,7 @@ search ranking and one with Personalized search Ranking.

To configure and setup Personalize search ranking, run a curl command as follows:

curl -X PUT "https://localhost:9200/_search/pipeline/intelligent_ranking" -u 'admin:admin' --insecure -H 'Content-Type: application/json' -d'
curl -X PUT "https://localhost:9200/_search/pipeline/intelligent_ranking" -u 'admin:<admin-password>' --insecure -H 'Content-Type: application/json' -d'
{
"description": "A pipeline to apply custom reranking",
"response_processors" : [
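
Review bot: The pipeline example passes the credential as `-u 'admin:<admin-password>'`, which puts the real password into shell history and the process list once a user fills it in. Now that the password is no longer the well-known `admin`, suggest showing `-u admin` and letting curl prompt for the password; the same applies to the `curl -ku` line earlier in this README.
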
15 changes: 13 additions & 2 deletions helpers/search_processing_kendra_quickstart.sh
Expand Up @@ -359,6 +359,16 @@ if [ -n "${VOLUME_NAME:-}" ]; then
external: true"
fi

# Starting in 2.12.0, security demo configuration script requires an initial admin password
OPENSEARCH_REQUIRED_VERSION="2.12.0"
COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1`
if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then
OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin"
else
OPENSEARCH_INITIAL_ADMIN_PASSWORD="myStrongPassword123!"
fi


#
# Create a docker-compose.yml file that will launch an OpenSearch node with the image we
# just built and an OpenSearch Dashboards node that points to the OpenSearch node.
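
Review bot: This block is a line-for-line copy of the version check added to helpers/personalized_search_ranking_quickstart.sh, so the 2.12.0 threshold and the default password now live in two places that must be changed together. Suggest moving the check into a small file that both scripts source. The hunk also leaves two consecutive blank lines after `fi`, where the other script has one.
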
Expand All @@ -379,6 +389,7 @@ services:
- kendra_intelligent_ranking.service.endpoint=${KENDRA_RANKING_ENDPOINT}
- kendra_intelligent_ranking.service.region=${AWS_REGION}
- kendra_intelligent_ranking.service.execution_plan_id=${EXECUTION_PLAN_ID}
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
ulimits:
memlock:
soft: -1
Expand Down Expand Up @@ -446,8 +457,8 @@ cat >README <<EOF
OpenSearch container launched, listening on port 9200.
OpenSearch Dashboards container launched, listening on port 5601.

Interact with OpenSearch using curl by authenticating as admin:admin like:
curl -ku "admin:admin" https://localhost:9200/
Interact with OpenSearch using curl by authenticating as admin like:
curl -ku "admin:<admin-password>" https://localhost:9200/

Index some data on OpenSearch by following instructions at
https://opensearch.org/docs/latest/opensearch/index-data/