Pass in strong password instead to fix integtest workflow #4302
Conversation
Signed-off-by: Derek Ho <[email protected]>
derek-ho
requested review from
dblock,
peterzhuamazon,
bbarani,
gaiksaya,
rishabh6788,
zelinh,
jordarlu,
prudhvigodithi,
Divyaasm and
tianleh
as code owners
|
Am I correct in assuming that we also need to change any repo which has its own integtest.sh file to use default admin:myStrongPassword123! with this change? How do we handle cases in which integtest pass in its own credentials, or we don't need to worry about those? |
| @@ -30,6 +30,10 @@ def install(self, bundle_name: str) -> None: | |||
| logging.info("deb installation requires sudo, script will exit if current user does not have sudo access") | |||
| deb_install_cmd = " ".join( | |||
| [ | |||
| 'sudo' | |||
| 'env' | |||
| 'OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123!' | |||
There was a problem hiding this comment.
This will only set the env variable for the duration of the sudo env command execution and will not persist. Recommend to use export to set the environment variable.
| @@ -30,6 +30,10 @@ def install(self, bundle_name: str) -> None: | |||
| logging.info("rpm installation requires sudo, script will exit if current user does not have sudo access") | |||
| rpm_install_cmd = " ".join( | |||
| [ | |||
| 'sudo' | |||
| 'env' | |||
| 'OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123!' | |||
| @@ -33,7 +33,7 @@ def install(self, bundle_name: str) -> None: | |||
| @property | |||
| def start_cmd(self) -> str: | |||
| start_cmd_map = { | |||
| "opensearch": "./opensearch-tar-install.sh", | |||
| "opensearch": "OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123! ./opensearch-tar-install.sh", | |||
There was a problem hiding this comment.
I believe this should be export OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123! && ./opensearch-tar-install.sh
|
Added a few comments, please address them. |
Signed-off-by: Derek Ho <[email protected]>
Signed-off-by: Derek Ho <[email protected]>
scripts/default/integtest.sh
Outdated
| @@ -89,7 +89,7 @@ fi | |||
|
|
|||
| if [ -z "$CREDENTIAL" ] | |||
| then | |||
| CREDENTIAL="admin:admin" | |||
| CREDENTIAL="admin:myStrongPassword123!" | |||
There was a problem hiding this comment.
This wouldn't work for OS version lower than 2.12.
It may not make much sense to run integration tests for released 2.x versions but it will definitely break integ tests for 1.x line.
There was a problem hiding this comment.
Right! The code is generic for all versions as of today. Until we solve the branching problem.
There was a problem hiding this comment.
To unblock this we can try adding if/else condition to differentiate with 1.x and above until we have this branching/versioning for the build repo solved. The script already has an argument OPENSEARCH_VERSION so adding if/else should be straight forward.
There was a problem hiding this comment.
I think issue with that is what if patch version 2.0 < patch version < 2.12 come along? I was looking into bash script to compare semantic version, but it seems complex, not sure how do you folks feel about adding something like this: https://stackoverflow.com/questions/4023830/how-to-compare-two-strings-in-dot-separated-version-format-in-bash?
There was a problem hiding this comment.
@rishabh6788 @gaiksaya @prudhvigodithi I changed the logic in the script itself to set a strong password if the version is after 2.12.0. Let me know if that makes sense to keep. I also included this logic in the integtest.sh files of repo's which have their own versions of integtest.sh.
Signed-off-by: Derek Ho <[email protected]>
Signed-off-by: Derek Ho <[email protected]>
Signed-off-by: Derek Ho <[email protected]>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #4302 +/- ##
=======================================
Coverage 91.26% 91.27%
=======================================
Files 189 189
Lines 6124 6163 +39
=======================================
+ Hits 5589 5625 +36
- Misses 535 538 +3 ☔ View full report in Codecov by Sentry. |
Signed-off-by: Derek Ho <[email protected]>
I believe most plugins have removed their custom integTest.sh in favor of this default. There are two repos I found which need their own custom ones, we have open PRs in those, which should be merged prior to 2.12.0 release, correct me if my understanding is incorrect: |
Signed-off-by: Derek Ho <[email protected]>
There was a problem hiding this comment.
Waiting for final decision based on this issue before approval, since it includes both deb and rpm.
opensearch-project/security#3916
Signed-off-by: Derek Ho <[email protected]>
|
You can either add docker or open a new PR for docker: |
Is this guy being used in docker integtest? Can you point me to where docker integtest is run, if at all? I would rather merge in this PR as is, since the main purpose is to sniff out if this will solve the autocuts that have been cut against a lot of repos, and close any false alarm that is being raised. |
|
@derek-ho Merging the PR to make sure 2.12.0 |
This is addressed in this PR: #4274 |
* Remove instances of hard admin credentials opensearch-project/opensearch-build#4302 Signed-off-by: Derek Ho <[email protected]>
* Remove instances of hard admin credentials opensearch-project/opensearch-build#4302 Signed-off-by: Derek Ho <[email protected]> (cherry picked from commit 8391566)
* Remove instances of hard admin credentials opensearch-project/opensearch-build#4302 Signed-off-by: Derek Ho <[email protected]> (cherry picked from commit 8391566) Co-authored-by: Derek Ho <[email protected]>
Description
With recent changes in security plugin requiring a strong initial admin password to be set, I've seen a few autocuts with integtest failures. This PR attempts to resolve those by passing in a strong password and using that to run the tests
Issues Resolved
List any issues this PR will resolve, e.g. Closes [...].
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.