diff --git a/_install-and-configure/install-dashboards/debian.md b/_install-and-configure/install-dashboards/debian.md index 79a8166f39..4372049230 100644 --- a/_install-and-configure/install-dashboards/debian.md +++ b/_install-and-configure/install-dashboards/debian.md @@ -129,5 +129,5 @@ By default, OpenSearch Dashboards, like OpenSearch, binds to `localhost` when yo sudo systemctl restart opensearch-dashboards ``` 1. From a web browser, navigate to OpenSearch Dashboards. The default port is 5601. -1. Log in with the default username `admin` and the default password `admin`. +1. Log in with the default username `admin` and the default password `admin`. (For OpenSearch 2.12 and later, the password should be the custom admin password) 1. Visit [Getting started with OpenSearch Dashboards]({{site.url}}{{site.baseurl}}/dashboards/index/) to learn more. diff --git a/_install-and-configure/install-dashboards/helm.md b/_install-and-configure/install-dashboards/helm.md index f9df5b137c..58ca995c3e 100644 --- a/_install-and-configure/install-dashboards/helm.md +++ b/_install-and-configure/install-dashboards/helm.md @@ -34,7 +34,7 @@ Before you get started, you must first use [Helm to install OpenSearch]({{site.u Make sure that you can send requests to your OpenSearch pod: ```json -$ curl -XGET https://localhost:9200 -u 'admin:admin' --insecure +$ curl -XGET https://localhost:9200 -u 'admin:' --insecure { "name" : "opensearch-cluster-master-1", "cluster_name" : "opensearch-cluster", diff --git a/_install-and-configure/install-opensearch/debian.md b/_install-and-configure/install-opensearch/debian.md index 77b0473c71..260940bfdc 100644 --- a/_install-and-configure/install-opensearch/debian.md +++ b/_install-and-configure/install-opensearch/debian.md @@ -45,7 +45,15 @@ This guide assumes that you are comfortable working from the Linux command line # arm64 sudo dpkg -i opensearch-{{site.opensearch_version}}-linux-arm64.deb ``` + For OpenSearch 2.12 and greater, a custom admin password is required in order to set up a security demo configuration. To set a custom admin password, use one the following commands: + ```bash + # x64 + sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD= dpkg -i opensearch-{{site.opensearch_version}}-linux-x64.deb + # arm64 + sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD= dpkg -i opensearch-{{site.opensearch_version}}-linux-arm64.deb + ``` + 1. After the installation succeeds, enable OpenSearch as a service. ```bash sudo systemctl enable opensearch @@ -175,7 +183,7 @@ An OpenSearch node in its default configuration (with demo certificates and user 1. Send requests to the server to verify that OpenSearch is running. Note the use of the `--insecure` flag, which is required because the TLS certificates are self-signed. - Send a request to port 9200: ```bash - curl -X GET https://localhost:9200 -u 'admin:admin' --insecure + curl -X GET https://localhost:9200 -u 'admin:' --insecure ``` {% include copy.html %} @@ -201,7 +209,7 @@ An OpenSearch node in its default configuration (with demo certificates and user ``` - Query the plugins endpoint: ```bash - curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:admin' --insecure + curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:' --insecure ``` {% include copy.html %} diff --git a/_install-and-configure/install-opensearch/docker.md b/_install-and-configure/install-opensearch/docker.md index 48c9a5f215..394039bfc2 100644 --- a/_install-and-configure/install-opensearch/docker.md +++ b/_install-and-configure/install-opensearch/docker.md @@ -90,9 +90,13 @@ Before continuing, you should verify that Docker is working correctly by deployi # This command maps ports 9200 and 9600, sets the discovery type to "single-node" and requests the newest image of OpenSearch docker run -d -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" opensearchproject/opensearch:latest ``` + For OpenSearch 2.12 or greater, set a new custom admin password before installation using the following command: + ```bash + docker run -d -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" -e "OPENSEARCH_INITIAL_ADMIN_PASSWORD=" opensearchproject/opensearch:latest + ``` 1. Send a request to port 9200. The default username and password are `admin`. ```bash - curl https://localhost:9200 -ku 'admin:admin' + curl https://localhost:9200 -ku 'admin:' ``` {% include copy.html %} diff --git a/_install-and-configure/install-opensearch/helm.md b/_install-and-configure/install-opensearch/helm.md index b1df2da091..ed2aa628e3 100644 --- a/_install-and-configure/install-opensearch/helm.md +++ b/_install-and-configure/install-opensearch/helm.md @@ -98,6 +98,14 @@ You can also build the `opensearch-1.0.0.tgz` file manually: ``` {% include copy.html %} +For OpenSearch 2.12 or greater, customize the admin password in `values.yaml` under `extraEnvs`, as shown in the following example: + +```yaml +extraEnvs: + - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD + value: +``` + #### Sample output ```yaml diff --git a/_install-and-configure/install-opensearch/rpm.md b/_install-and-configure/install-opensearch/rpm.md index 7880e44d32..c9950b8099 100644 --- a/_install-and-configure/install-opensearch/rpm.md +++ b/_install-and-configure/install-opensearch/rpm.md @@ -57,6 +57,19 @@ This guide assumes that you are comfortable working from the Linux command line # Install the arm64 package using rpm. sudo rpm -ivh opensearch-{{site.opensearch_version}}-linux-x64.rpm ``` +For OpenSearch 2.12 and greater, a custom admin password is required in order to set up a security demo configuration. To set a custom admin password, use one the following commands: + ```bash + # Install the x64 package using yum. + sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD= yum install opensearch-{{site.opensearch_version}}-linux-x64.rpm + + # Install the x64 package using rpm. + sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD= rpm -ivh opensearch-{{site.opensearch_version}}-linux-x64.rpm + + # Install the arm64 package using yum. + sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD= yum install opensearch-{{site.opensearch_version}}-linux-x64.rpm + + # Install the arm64 package using rpm. + sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD= rpm -ivh opensearch-{{site.opensearch_version}}-linux-x64.rpm 1. After the installation succeeds, enable OpenSearch as a service. ```bash sudo systemctl enable opensearch @@ -147,7 +160,7 @@ An OpenSearch node in its default configuration (with demo certificates and user 1. Send requests to the server to verify that OpenSearch is running. Note the use of the `--insecure` flag, which is required because the TLS certificates are self-signed. - Send a request to port 9200: ```bash - curl -X GET https://localhost:9200 -u 'admin:admin' --insecure + curl -X GET https://localhost:9200 -u 'admin:' --insecure ``` {% include copy.html %} @@ -173,7 +186,7 @@ An OpenSearch node in its default configuration (with demo certificates and user ``` - Query the plugins endpoint: ```bash - curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:admin' --insecure + curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:' --insecure ``` {% include copy.html %} diff --git a/_install-and-configure/install-opensearch/tar.md b/_install-and-configure/install-opensearch/tar.md index c6edb51491..1e5fe47a12 100644 --- a/_install-and-configure/install-opensearch/tar.md +++ b/_install-and-configure/install-opensearch/tar.md @@ -100,10 +100,16 @@ An OpenSearch node configured by the demo security script is not suitable for a ``` {% include copy.html %} + For OpenSearch 2.12 or greater, set a new custom admin password before installation using the following command: + ```bash + $ export OPENSEARCH_INITIAL_ADMIN_PASSWORD= + ``` + {% include copy.html %} + 1. Open another terminal session and send requests to the server to verify that OpenSearch is running. Note the use of the `--insecure` flag, which is required because the TLS certificates are self-signed. - Send a request to port 9200: ```bash - curl -X GET https://localhost:9200 -u 'admin:admin' --insecure + curl -X GET https://localhost:9200 -u 'admin:' --insecure ``` {% include copy.html %} @@ -129,7 +135,7 @@ An OpenSearch node configured by the demo security script is not suitable for a ``` - Query the plugins endpoint: ```bash - curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:admin' --insecure + curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:' --insecure ``` {% include copy.html %} diff --git a/_install-and-configure/install-opensearch/windows.md b/_install-and-configure/install-opensearch/windows.md index b945c0e049..dfa1ae123a 100644 --- a/_install-and-configure/install-opensearch/windows.md +++ b/_install-and-configure/install-opensearch/windows.md @@ -70,11 +70,16 @@ An OpenSearch node in its default configuration (with demo certificates and user .\opensearch-windows-install.bat ``` {% include copy.html %} + For OpenSearch 2.12 or greater, set a new custom admin password before installation using the following command: + ```bat + > set OPENSEARCH_INITIAL_ADMIN_PASSWORD= + ``` + {% include copy.html %} 1. Open a new command prompt and send requests to the server to verify that OpenSearch is running. Note the use of the `--insecure` flag, which is required because the TLS certificates are self-signed. - Send a request to port 9200: ```bat - curl.exe -X GET https://localhost:9200 -u "admin:admin" --insecure + curl.exe -X GET https://localhost:9200 -u "admin:" --insecure ``` {% include copy.html %} @@ -100,7 +105,7 @@ An OpenSearch node in its default configuration (with demo certificates and user ``` - Query the plugins endpoint: ```bat - curl.exe -X GET https://localhost:9200/_cat/plugins?v -u "admin:admin" --insecure + curl.exe -X GET https://localhost:9200/_cat/plugins?v -u "admin:" --insecure ``` {% include copy.html %} diff --git a/_install-and-configure/upgrade-opensearch/appendix/rolling-upgrade-lab.md b/_install-and-configure/upgrade-opensearch/appendix/rolling-upgrade-lab.md index a32b4d2692..924900dbc8 100644 --- a/_install-and-configure/upgrade-opensearch/appendix/rolling-upgrade-lab.md +++ b/_install-and-configure/upgrade-opensearch/appendix/rolling-upgrade-lab.md @@ -125,7 +125,7 @@ After selecting a host, you can begin the lab: 1. Press `Ctrl+C` to stop following container logs and return to the command prompt. 1. Use cURL to query the OpenSearch REST API. In the following command, `os-node-01` is queried by sending the request to host port `9201`, which is mapped to port `9200` on the container: ```bash - curl -s "https://localhost:9201" -ku admin:admin + curl -s "https://localhost:9201" -ku admin: ``` {% include copy.html %}

Example response

@@ -177,7 +177,7 @@ This section can be broken down into two parts: curl -H "Content-Type: application/x-ndjson" \ -X PUT "https://localhost:9201/ecommerce?pretty" \ --data-binary "@ecommerce-field_mappings.json" \ - -ku admin:admin + -ku admin: ``` {% include copy.html %}

Example response

@@ -193,7 +193,7 @@ This section can be broken down into two parts: curl -H "Content-Type: application/x-ndjson" \ -X PUT "https://localhost:9201/ecommerce/_bulk?pretty" \ --data-binary "@ecommerce.json" \ - -ku admin:admin + -ku admin: ``` {% include copy.html %}

Example response (truncated)

@@ -226,7 +226,7 @@ This section can be broken down into two parts: curl -H 'Content-Type: application/json' \ -X GET "https://localhost:9201/ecommerce/_search?pretty=true&filter_path=hits.total" \ -d'{"query":{"match":{"customer_first_name":"Sonya"}}}' \ - -ku admin:admin + -ku admin: ``` {% include copy.html %}

Example response

@@ -271,7 +271,7 @@ In this section you will be: curl -H 'Content-Type: application/json' \ -X PUT "https://localhost:9201/_snapshot/snapshot-repo?pretty" \ -d '{"type":"fs","settings":{"location":"/usr/share/opensearch/snapshots"}}' \ - -ku admin:admin + -ku admin: ``` {% include copy.html %}

Example response

@@ -284,7 +284,7 @@ In this section you will be: ```bash curl -H 'Content-Type: application/json' \ -X POST "https://localhost:9201/_snapshot/snapshot-repo/_verify?timeout=0s&master_timeout=50s&pretty" \ - -ku admin:admin + -ku admin: ``` {% include copy.html %}

Example response

@@ -315,7 +315,7 @@ Snapshots are backups of a cluster’s indexes and state. See [Snapshots]({{site ```bash curl -H 'Content-Type: application/json' \ -X PUT "https://localhost:9201/_snapshot/snapshot-repo/cluster-snapshot-v137?wait_for_completion=true&pretty" \ - -ku admin:admin + -ku admin: ``` {% include copy.html %}

Example response

@@ -448,7 +448,7 @@ Some steps included in this section, like disabling shard replication and flushi curl -H 'Content-type: application/json' \ -X PUT "https://localhost:9201/_cluster/settings?pretty" \ -d'{"persistent":{"cluster.routing.allocation.enable":"primaries"}}' \ - -ku admin:admin + -ku admin: ``` {% include copy.html %}

Example response

@@ -469,7 +469,7 @@ Some steps included in this section, like disabling shard replication and flushi ``` 1. Perform a flush operation on the cluster to commit transaction log entries to the Lucene index: ```bash - curl -X POST "https://localhost:9201/_flush?pretty" -ku admin:admin + curl -X POST "https://localhost:9201/_flush?pretty" -ku admin: ``` {% include copy.html %}

Example response

@@ -514,7 +514,7 @@ Some steps included in this section, like disabling shard replication and flushi 1. **Optional**: Query the cluster to determine which node is acting as the cluster manager. You can run this command at any time during the process to see when a new cluster manager is elected: ```bash curl -s "https://localhost:9201/_cat/nodes?v&h=name,version,node.role,master" \ - -ku admin:admin | column -t + -ku admin: | column -t ``` {% include copy.html %}

Example response

@@ -528,7 +528,7 @@ Some steps included in this section, like disabling shard replication and flushi 1. **Optional**: Query the cluster to see how shard allocation changes as nodes are removed and replaced. You can run this command at any time during the process to see how shard statuses change: ```bash curl -s "https://localhost:9201/_cat/shards" \ - -ku admin:admin + -ku admin: ``` {% include copy.html %}

Example response

@@ -644,7 +644,7 @@ Some steps included in this section, like disabling shard replication and flushi 1. Confirm that your cluster is running the new version: ```bash curl -s "https://localhost:9201/_cat/nodes?v&h=name,version,node.role,master" \ - -ku admin:admin | column -t + -ku admin: | column -t ``` {% include copy.html %}

Example response

@@ -700,7 +700,7 @@ Some steps included in this section, like disabling shard replication and flushi curl -H 'Content-type: application/json' \ -X PUT "https://localhost:9201/_cluster/settings?pretty" \ -d'{"persistent":{"cluster.routing.allocation.enable":"all"}}' \ - -ku admin:admin + -ku admin: ``` {% include copy.html %}

Example response

@@ -735,7 +735,7 @@ For this cluster, post-upgrade validation steps can include verifying the follow 1. Verify the current running version of your OpenSearch nodes: ```bash curl -s "https://localhost:9201/_cat/nodes?v&h=name,version,node.role,master" \ - -ku admin:admin | column -t + -ku admin: | column -t ``` {% include copy.html %}

Example response

@@ -781,7 +781,7 @@ For this cluster, post-upgrade validation steps can include verifying the follow 1. Query the [Cluster health]({{site.url}}{{site.baseurl}}/api-reference/cluster-api/cluster-health/) API endpoint to see information about the health of your cluster. You should see a status of `green`, which indicates that all primary and replica shards are allocated: ```bash - curl -s "https://localhost:9201/_cluster/health?pretty" -ku admin:admin + curl -s "https://localhost:9201/_cluster/health?pretty" -ku admin: ``` {% include copy.html %}

Example response

@@ -808,7 +808,7 @@ For this cluster, post-upgrade validation steps can include verifying the follow ``` 1. Query the [CAT shards]({{site.url}}{{site.baseurl}}/api-reference/cat/cat-shards/) API endpoint to see how shards are allocated after the cluster is upgrade: ```bash - curl -s "https://localhost:9201/_cat/shards" -ku admin:admin + curl -s "https://localhost:9201/_cat/shards" -ku admin: ``` {% include copy.html %}

Example response

@@ -860,7 +860,7 @@ You need to query the ecommerce index again in order to confirm that the sample curl -H 'Content-Type: application/json' \ -X GET "https://localhost:9201/ecommerce/_search?pretty=true&filter_path=hits.total" \ -d'{"query":{"match":{"customer_first_name":"Sonya"}}}' \ - -ku admin:admin + -ku admin: ``` {% include copy.html %}

Example response

diff --git a/_security/configuration/demo-configuration.md b/_security/configuration/demo-configuration.md new file mode 100644 index 0000000000..b28e77a347 --- /dev/null +++ b/_security/configuration/demo-configuration.md @@ -0,0 +1,115 @@ +--- +layout: default +title: Setting up a demo configuration +parent: Configuration +nav_order: 4 +--- + +# Setting up a demo configuration + +Welcome to the OpenSearch Security plugin demo configuration setup guide. This tool provides a quick and easy way to replicate a production environment for testing purposes. The demo configuration includes the setup of security-related components, such as internal users, roles, role mappings, audit configuration, basic authentication, tenants, and allow lists. + + +The demo configuration tool performs the following tasks: + +1. Configures security settings, which are then loaded into the security index. +2. Generates demo certificates. +3. Adds security-related settings to the `opensearch.yml` file. + +## Installing the demo configuration + +The demo configuration is automatically called as part of the setup for each supported distribution of OpenSearch. The following are instructions for each distribution. + +**Note**: Starting with OpenSearch 2.12, a custom admin password is required in order to install the demo configuration. If none is provided, the cluster will fail to start. Note that this change only affects new clusters. Existing clusters are not affected because they already have `opensearch.yml` configured, so the installation tool will not run. + +### Docker + +Use the following steps to set up the Security plugin using Docker: + +1. Download [docker-compose.yml](https://opensearch.org/downloads.html). +2. In the `docker-compose.yml` file, set `DISABLE_SECURITY_PLUGIN` to `false`. +3. Run the following command: + +```bash +$ docker-compose up +``` + +### Setting up a custom admin password +**Note**: For OpenSearch versions 2.12 and later, you must set the initial admin password before installation. To customize the admin password, you can take the following steps: + +1. Download the following sample [docker-compose.yml](https://github.com/opensearch-project/documentation-website/blob/{{site.opensearch_major_minor_version}}/assets/examples/docker-compose.yml) file. +2. Create a `.env` file. +3. Add the variable `OPENSEARCH_INITIAL_ADMIN_PASSWORD` and set the variable with a strong string password. +4. Run `docker-compose up`. + +### TAR (Linux) + +For TAR distributions on Linux, download the Linux setup files from the OpenSearch [Download & Get Started](https://opensearch.org/downloads.html) page. Then use the following command to run the demo configuration: + +```bash +$ ./opensearch-tar-install.sh +``` + +For OpenSearch 2.12 or later, set a new custom admin password before installation by using the following command: + +```bash +$ export OPENSEARCH_INITIAL_ADMIN_PASSWORD= +``` + +### Windows + +For ZIP distributions on Windows, after downloading and extracting the setup files, run the following command: + +```powershell +> .\opensearch-windows-install.bat +``` + +For OpenSearch 2.12 or later, set a new custom admin password before installation by running the following command: + +```powershell +> set OPENSEARCH_INITIAL_ADMIN_PASSWORD= +``` + +### Helm + +For Helm charts, the demo configuration is automatically installed during the OpenSearch installation. For OpenSearch 2.12 or later, customize the admin password in `values.yaml` under `extraEnvs`: + +```yaml +extraEnvs: + - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD + value: +``` + +### RPM + +For RPM packages, install OpenSearch and set up the demo configuration by running the following command: + +```bash +$ sudo yum install opensearch-{{site.opensearch_version}}-linux-x64.rpm +``` + +For OpenSearch 2.12 or later, set a new custom admin password before installation by using the following command: + +```bash +$ sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD= yum install opensearch-{{site.opensearch_version}}-linux-x64.rpm +``` + +### DEB + +For DEB packages, install OpenSearch and set up the demo configuration by running the following command: + +```bash +$ sudo dpkg -i opensearch-{{site.opensearch_version}}-linux-arm64.deb +``` + +For OpenSearch 2.12 or later, set a new custom admin password before installation by using the following command: + +```bash +$ sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD= dpkg -i opensearch-{{site.opensearch_version}}-linux-arm64.deb +``` + +### Local distribution + +If you are building a local distribution, refer to [DEVELOPER_GUIDE.md](https://github.com/opensearch-project/security/blob/main/DEVELOPER_GUIDE.md) for instructions on building a local binary for the Security plugin. + +For OpenSearch 2.12 or later, make sure that you set a strong password before installation. \ No newline at end of file diff --git a/assets/examples/docker-compose.yml b/assets/examples/docker-compose.yml index 53a8aaf4db..bab29f90ca 100644 --- a/assets/examples/docker-compose.yml +++ b/assets/examples/docker-compose.yml @@ -10,6 +10,7 @@ services: - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 # Nodes eligibile to serve as cluster manager - bootstrap.memory_lock=true # Disable JVM heap memory swapping - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # Set min and max JVM heap sizes to at least 50% of system RAM + - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD} # Sets the demo admin user password when using demo configuration (for OpenSearch 2.12 and later) ulimits: memlock: soft: -1 # Set memlock to unlimited (no soft or hard limit) @@ -34,6 +35,7 @@ services: - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 - bootstrap.memory_lock=true - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" + - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD} ulimits: memlock: soft: -1