-
Notifications
You must be signed in to change notification settings - Fork 283
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace admin:admin
default credentials with configuration file password
#3285
Comments
Going to add the configuration value to the opensearch.yml file instead of as a separate file. |
I was able to confirm the setting parsing etc. is correct but there is still an issue I am facing with how to populate the updated password. I think the way to go is to hash the password and then use it to update the internal users configuration using the UserService. This is nice because we know this will be consistent and it reuses a lot of the logic. The issue is determining when the config is accessible... still not sure how to do that. |
I made a different solution which just modifies the yaml file directly during the creation of the configuration repository. Going to ask Craig which he thinks seems like a better idea... I am not convinced by either. What I shared with Craig: There are a couple problems, but they change on the implementation. The easy part is done: add in a setting which someone can provide a new password to use as the default; if they don't provide one we use "admin" like before After populating the settings, we need to then update everything that expects the admin password to be admin. So there are two ways to do that: 1) use the internal users api logic to replicate a user configuration change and use the new password provided as the only change; 2) directly modify the internal_users yaml so that before the file is registered we have already swapped the password. Each has its own problems...
|
This goes against the spirit of this work: to not have |
@scrawfor99 This is the current block where all internal_users are created: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java#L155-L161 It would be great if the admin password can be hashed and saved in the internal user list in the same call as it is now. As Dave said above, no default, if the setting is missing the node should not be brought up. That being said, I would support adding this into the Implementation wise, I think what you mentioned about editing yaml files is on the right track but no files need to be edited directly. In the startup flow the Following the call stack it leads down to Do you think it makes sense to add a condition in this block that if |
@davidlago, I understand that the intention is to replace the default If we do neither of these the demos will not work. I was under the impression that this change was not expected to remove any functionality so was going to do the best I could to remove the defaults but still provide coverage where needed. If you are fine breaking the demos than I will remove any safe guards against an empty field. |
Hi @cwperks, thanks for taking a minute to provide some more thoughts. See above about my concerns for completely removing any default. If @davidlago is okay with breaking out-of-the-box demos then I will do it, but I did not want to do that on my own. For your other suggestions, I will take a look. I had not messed with the ConfigHelper yet so maybe that will work well. I did you try directly modifying the configuration repository before but I will give it another shot with the route you mentioned. |
I think it is acceptable that if you don't provide a value for something as important as an admin password, we fail to start the cluster. I would decouple the problem into:
We can, also separately, think about what the backport and breaking changes considerations are as we merge any/all of these to 2.x. For example, we will have to have both 1 and 2 above before we backport all of them at once into 2.x, or else we'll be breaking demos. |
Hi @davidlago, sounds good. Sorry for the confusion on my end. To be clear, I did recognize that some of the changes I was proposing may seem counterintuitive but the intention was to preserve the demo scripts. I will remove that support. |
We can still preserve them, and adapt them to work with whichever new more secure approach we use... just not necessarily as part of this PR. |
I added a change to the |
Changed the setting use so that the configuration repository would insert the new admin user into the internal user configuration directly upon start. However, there is an issue since the nodes won't load and the configurations are not getting properly updated. Looking for a potential fix but tried everything obvious that I could think of. |
[Triage] This issue is a common request and important for OpenSearch to exercise best security practices. Going to mark as triaged. |
Backport 8628a89 from #3329. ### Related Issues - Related #3285 Signed-off-by: Stephen Crawford <[email protected]> Signed-off-by: Peter Nied <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Peter Nied <[email protected]>
This issue describes the tasks required to replace the basic
admin:admin
default credentials with an alternative method which takes a provided password from the openseach.yml file to be used as the default password. This issue results from:Feedback from @peternied and @cwperks on a spike I created.
While I think OTP could be a useful feature down the road, specifically for addressing requests to be able to run as a superadmin while SSL is disabled, for now, we can start with making the default password configurable via a configuration file value and a env. variable.
Craig said:
"
I like this approach and have seen it used in a number of places. Here's an example for keycloak where its passed in as an env variable in a docker-compose file:
I'd like to try to keep the simplicity of starting a demo cluster with docker-compose, where someone trying to start a cluster with the sample docker-compose.yml file can do docker-compose up and the cluster is brought up.
With the env variable approach, there would be one additional step to bring up a node or starting the cluster with docker. It would be to supply OPENSEARCH_ADMIN_PASSWORD or the node could not be brought up. A sample docker-compose.yml file for a single node could look like:
In addition to admin:admin being widely known there are a few other widely known secrets too:
"
And I agree.
The tasks required for these are listed on the document linked above, so I won't duplicate them here. Support for the configuration file will be prioritized first but both should ultimately be supported.
The tasks required to complete this include:
The text was updated successfully, but these errors were encountered: