Signed-off-by: Stephen Crawford <[email protected]>
stephen-crawford committed Sep 13, 2023
1 parent c9e109f commit 37f5fc4
Showing 8 changed files with 101 additions and 6 deletions.
2 changes: 1 addition & 1 deletion config/internal_users.yml
Expand Up @@ -11,7 +11,7 @@ _meta:
## Demo users

admin:
hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
hash:
reserved: true
backend_roles:
- "admin"
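Review bot: With the bcrypt value removed, `hash:` on the new line is a key with a null value, and nothing in this file tells an operator how it gets populated, so a reader of the shipped config sees a reserved admin user with no credential. Suggest a comment above it: `# hash is filled in at install time from plugins.security.bootstrap.admin.password (see tools/install_demo_configuration.sh and .bat)`. It is also worth confirming that the internal-users loader rejects a blank hash rather than treating it as a matchable credential; that code is outside this diff.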
4 changes: 4 additions & 0 deletions config/opensearch.yml.example
Expand Up @@ -38,6 +38,10 @@ plugins.security.authcz.admin_dn:
# BOTH - backend roles are mapped to Security roles mapped directly and via roles_mapping.yml in addition
plugins.security.roles_mapping_resolution: MAPPING_ONLY

# Specify the default password for the admin user
# Note: This setting is required for using the default admin user account
plugins.security.bootstrap.admin.password:

############## REST Management API configuration settings ##############
# Enable or disable role based access to the REST management API
# Default is that no role is allowed to access the REST management API.
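Review bot: The comment on the new setting says it is required but not that the value is a cleartext password kept in opensearch.yml, nor that it is only used to seed the admin hash in internal_users.yml. Suggest extending it: `# Note: the value is stored in cleartext; restrict permissions on opensearch.yml and change the admin password after first start.` Whether the empty value shown here passes the startup check added in OpenSearchSecurityPlugin, which only tests the setting for null, is worth verifying against the settings loader.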
Expand Up @@ -289,6 +289,10 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)

transportPassiveAuthSetting = new TransportPassiveAuthSetting(settings);

if (settings.get(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD) == null) {
throw new RuntimeException("A default admin password must be provided in the opensearch.yml file.");
}

if (disabled) {
this.sslCertReloadEnabled = false;
log.warn(
Expand Down Expand Up @@ -1205,6 +1209,10 @@ public List<Setting<?>> getSettings() {
)
); // not filtered here

settings.add(
Setting.simpleString(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD, Property.NodeScope, Property.Filtered)
);

settings.add(Setting.simpleString(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, Property.NodeScope, Property.Filtered));
settings.add(Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN + ".", Property.NodeScope)); // not filtered
// here
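Review bot: The startup check in the first hunk runs before the `if (disabled)` branch, so a node with the security plugin disabled also refuses to start without a bootstrap password, and it only tests for null, so an empty value (as in the shipped opensearch.yml.example) passes. Suggest moving it after the disabled branch as `final String bootstrapPassword = settings.get(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD);` / `if (!disabled && (bootstrapPassword == null || bootstrapPassword.isBlank())) {` / `throw new IllegalStateException("A default admin password must be provided in the opensearch.yml file.");`, with IllegalStateException in place of the bare RuntimeException. Because the check runs on every start, the cleartext password stays in opensearch.yml for the life of the node; the second hunk marks the setting Filtered, which hides it from the settings API, but a keystore-backed secure setting would keep it out of the file altogether. The enclosing constructor and getSettings() both begin outside their hunks.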
Expand Up @@ -139,6 +139,7 @@ public class ConfigConstants {
public static final String SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "plugins.security.cert.intercluster_request_evaluator_class";
public static final String OPENDISTRO_SECURITY_ACTION_NAME = OPENDISTRO_SECURITY_CONFIG_PREFIX + "action_name";

public static final String SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD = "plugins.security.bootstrap.admin.password";
public static final String SECURITY_AUTHCZ_ADMIN_DN = "plugins.security.authcz.admin_dn";
public static final String SECURITY_CONFIG_INDEX_NAME = "plugins.security.config_index_name";
public static final String SECURITY_AUTHCZ_IMPERSONATION_DN = "plugins.security.authcz.impersonation_dn";
Expand Up @@ -283,8 +283,8 @@ public void testDefaultConfig() throws Exception {
RestHelper rh = nonSslRestHelper();
Thread.sleep(10000);

Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode());
HttpResponse res = rh.executeGetRequest("/_cluster/health", encodeBasicHeader("admin", "admin"));
Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "testPassword")).getStatusCode());
HttpResponse res = rh.executeGetRequest("/_cluster/health", encodeBasicHeader("admin", "testPassword"));
Assert.assertEquals(res.getBody(), HttpStatus.SC_OK, res.getStatusCode());
}

Expand All @@ -300,14 +300,14 @@ public void testInvalidDefaultConfig() throws Exception {
Thread.sleep(10000);
Assert.assertEquals(
HttpStatus.SC_SERVICE_UNAVAILABLE,
rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode()
rh.executeGetRequest("", encodeBasicHeader("admin", "testPassword")).getStatusCode()
);

ClusterHelper.updateDefaultDirectory(defaultInitDirectory);
restart(Settings.EMPTY, null, settings, false);
rh = nonSslRestHelper();
Thread.sleep(10000);
Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode());
Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "testPassword")).getStatusCode());
} finally {
ClusterHelper.resetSystemProperties();
}
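Review bot: The literal `"testPassword"` is now repeated across testDefaultConfig and testInvalidDefaultConfig, and again in AbstractSecurityUnitTest.setup where it is actually configured; any drift between them silently turns these into authentication-failure tests. Suggest a shared `protected static final String TEST_ADMIN_PASSWORD = "testPassword";` on AbstractSecurityUnitTest and using it in every `encodeBasicHeader("admin", ...)` call. testInvalidDefaultConfig begins outside the second hunk.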
Expand Up @@ -80,7 +80,8 @@ protected void setup(
Settings nodeOverride,
boolean initSecurityIndex
) throws Exception {
setup(initTransportClientSettings, dynamicSecuritySettings, nodeOverride, initSecurityIndex, ClusterConfiguration.DEFAULT);
Settings settings = Settings.builder().put(nodeOverride).put("plugins.security.bootstrap.admin.password", "testPassword").build();
setup(initTransportClientSettings, dynamicSecuritySettings, settings, initSecurityIndex, ClusterConfiguration.DEFAULT);
}

protected void restart(
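Review bot: The builder on the new line applies `nodeOverride` first and the password second, so a test that supplies its own `plugins.security.bootstrap.admin.password` in nodeOverride has it overwritten, which as far as I can tell defeats the purpose of the override; the raw key string also duplicates the constant introduced in ConfigConstants in this same commit. Suggest `Settings settings = Settings.builder().put(ConfigConstants.SECURITY_BOOTSTRAP_ADMIN_DEFAULT_PASSWORD, "testPassword").put(nodeOverride).build();` so the caller's value wins. The setup signature begins outside the hunk.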
57 changes: 57 additions & 0 deletions tools/install_demo_configuration.bat
Expand Up @@ -75,6 +75,7 @@ cd %CUR%
echo Basedir: %BASE_DIR%

set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml"
set "INTERNAL_USERS_FILE"=%BASE_DIR%config\internal_users.yml"
set "OPENSEARCH_CONF_DIR=%BASE_DIR%config\"
set "OPENSEARCH_BIN_DIR=%BASE_DIR%bin\"
set "OPENSEARCH_PLUGINS_DIR=%BASE_DIR%plugins\"
Expand Down Expand Up @@ -319,6 +320,62 @@ echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_a
echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%"
echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"] >> "%OPENSEARCH_CONF_FILE%"


for /f "tokens=2 delims=: " %%a in ('findstr /r "plugins.security.bootstrap.admin.password:" "%OPENSEARCH_CONF_FILE%"') do (
set "ADMIN_PASSWORD=%%a"
)

REM If ADMIN_PASSWORD is empty, check the environment variable as a fallback
if not defined ADMIN_PASSWORD (
if defined ENV_ADMIN_PASSWORD (
set "ADMIN_PASSWORD=!ENV_ADMIN_PASSWORD!"
) else (
echo Admin password not found in %OPENSEARCH_CONF_FILE% and ENV_ADMIN_PASSWORD is not set.
exit /b 1
)
)


set "salt="
for /l %%i in (1,1,16) do (
set /a "rand=!random! %% 16"
set "salt=!salt!!rand!"
)

openssl passwd -bcrypt -salt !salt! "!ADMIN_PASSWORD!" > tmp_hash.txt

set "HASHED_ADMIN_PASSWORD="
for /f %%a in (tmp_hash.txt) do (
set "HASHED_ADMIN_PASSWORD=%%a"
)

del tmp_hash.txt

for /f "tokens=1 delims=:" %%b in ('findstr /n "admin:" "%INTERNAL_USERS_FILE%"') do (
set "ADMIN_HASH_LINE=%%b"
)

(for /f "delims=" %%c in ('type "%INTERNAL_USERS_FILE%" ^| findstr /n "^"') do (
set "line=%%c"
setlocal enabledelayedexpansion
echo(!line:%ADMIN_HASH_LINE%:=! | findstr "^"
endlocal
)) > tmp_internal_users.yml

(for /f "delims=" %%d in ('type "tmp_internal_users.yml" ^| findstr /n "^"') do (
set "line=%%d"
setlocal enabledelayedexpansion
if !line:^%ADMIN_HASH_LINE%^=! neq !line! (
echo !line!
) else (
echo !line!
echo hash: "!HASHED_ADMIN_PASSWORD!"
)
endlocal
)) > "%INTERNAL_USERS_FILE%"

del tmp_internal_users.yml

:: network.host
>nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && (
echo network.host already present
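Review bot: The hashing step `openssl passwd -bcrypt -salt !salt! "!ADMIN_PASSWORD!"` is unlikely to produce the `$2a$` bcrypt hash the removed internal_users.yml entry shows: as far as I know `openssl passwd` has no bcrypt mode, the salt built from `!random! %% 16` is a run of decimal digits rather than a bcrypt salt, and the password is exposed on the command line and left in tmp_hash.txt, where piping it to `openssl passwd -stdin` (or whatever bcrypt-capable tool is used) would avoid both. The two-pass rewrite that follows keeps the `N:` prefixes that `findstr /n` adds, and its `if ... neq` test puts the `echo hash:` in the else branch, so the hash line appears to be emitted after every line that does not contain the admin line number, without indentation, while the original empty `hash:` line remains. In the first hunk `set "INTERNAL_USERS_FILE"=...` has the closing quote in the wrong place, so `%INTERNAL_USERS_FILE%` is empty by the time it is read. The `!ENV_ADMIN_PASSWORD!` and `!salt!` references also need delayed expansion, which is only enabled inside the later loops. Given how much needs rework, replacing only the existing `hash:` line (the one after `admin:`) with a hash from a bcrypt-capable tool would be simpler than the two-pass rewrite.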
24 changes: 24 additions & 0 deletions tools/install_demo_configuration.sh
Expand Up @@ -109,6 +109,7 @@ else
echo "DEBUG: basedir does not exist"
fi
OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml"
INTERNAL_USERS_FILE = "$BASE_DIR/config/internal_users.yml"
OPENSEARCH_BIN_DIR="$BASE_DIR/bin"
OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins"
OPENSEARCH_MODULES_DIR="$BASE_DIR/modules"
Expand Down Expand Up @@ -387,6 +388,29 @@ echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_
echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null

ADMIN_PASSWORD=$(grep -oP 'plugins.security.bootstrap.admin.password:\s*\K.+' "$OPENSEARCH_CONF_FILE" | awk '{print $1}'
if [ -z "$ADMIN_PASSWORD" ]; then
if [ -n "$ENV_ADMIN_PASSWORD" ]; then
ADMIN_PASSWORD="$ENV_ADMIN_PASSWORD"
else
echo "Admin password not found in $OPENSEARCH_YML_PATH and ENV_ADMIN_PASSWORD is not set."
exit 1
fi
fi
salt=$(openssl rand -hex 8)
# Generate the hash using OpenBSD-style Blowfish-based bcrypt
HASHED_ADMIN_PASSWORD=$(openssl passwd -bcrypt -salt $salt "$ADMIN_PASSWORD")
# Clear the clearTextPassword variable
unset ADMIN_PASSWORD
ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:)
sed -i "${ADMIN_HASH_LINE}s/.*/ hash: \"$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE"
#network.host
if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then
: #already present
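Review bot: The command substitution `ADMIN_PASSWORD=$(grep -oP ... | awk '{print $1}'` is missing its closing parenthesis, so the script fails to parse, and in the first hunk `INTERNAL_USERS_FILE = "..."` has spaces around `=`, which runs a command named INTERNAL_USERS_FILE instead of assigning and leaves the final grep/sed operating on an empty path (fix: `INTERNAL_USERS_FILE="$BASE_DIR/config/internal_users.yml"`). The sed line targets `$ADMIN_HASH_LINE`, the line of `admin:` itself, and overwrites it with the hash, deleting the user key; per internal_users.yml the hash sits on the following line, so it should be `sed -i "$((ADMIN_HASH_LINE + 1))s/.*/  hash: \"$HASHED_ADMIN_PASSWORD\"/" "$INTERNAL_USERS_FILE"` (matching the file's indentation), with the grep anchored as `grep -n '^admin:'` so a second match cannot yield a multi-line line number. As far as I know `openssl passwd` has no `-bcrypt` mode, so this will not yield the `$2a$` hash the internal users file used; whichever tool produces it, feed the password on stdin (`openssl passwd -stdin` exists for that) rather than as an argument visible in the process list. The fallback error message references `$OPENSEARCH_YML_PATH`, which this script never defines (`$OPENSEARCH_CONF_FILE` is the variable used elsewhere), and `grep -oP` is GNU-only unlike the rest of the script. The surrounding `tee` writes go through `$SUDO_CMD` while this `sed -i` does not, so it may fail where the config is root-owned; the `if` at the end of the hunk continues outside it.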
