Addresses changes made to security demo config install tool #214
Conversation
Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura
requested review from
msfroh,
macohen,
noCharger,
mingshl and
sejli
as code owners
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #214 +/- ##
=========================================
Coverage 83.30% 83.30%
Complexity 337 337
=========================================
Files 43 43
Lines 1270 1270
Branches 155 155
=========================================
Hits 1058 1058
Misses 134 134
Partials 78 78 ☔ View full report in Codecov by Sentry. |
|
Thanks @DarshitChanpura! Before we merge this, I'm going to make some changes to update the quickstart scripts to actually use newer versions of OpenSearch. (Currently, the Kendra one still downloads OpenSearch 2.7 and the Personalize one downloads 2.9.) |
Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura
force-pushed
the
admin-cred-update
branch
from
09e4d38 to
7d7db74
Compare
| if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then | ||
| OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin" | ||
| else | ||
| OPENSEARCH_INITIAL_ADMIN_PASSWORD="myStrongPassword123!" |
There was a problem hiding this comment.
Rather than hard-coding, we should probably take the admin password as a command-line arg.
@DarshitChanpura -- did earlier versions support the OPENSEARCH_INITIAL_ADMIN_PASSWORD env var? Or does that change come in 2.12?
I'm wondering if it makes sense to change the scripts to require the initial admin password for all versions, where it will be required for 2.12 and a good idea for earlier versions.
There was a problem hiding this comment.
Rather than hard-coding, we should probably take the admin password as a command-line arg.
Starting 2.12 a custom strong password is required.
@DarshitChanpura -- did earlier versions support the OPENSEARCH_INITIAL_ADMIN_PASSWORD env var? Or does that change come in 2.12?
This change is introduced in 2.12 and will be present for all versions 2.12 and above
I'm wondering if it makes sense to change the scripts to require the initial admin password for all versions, where it will be required for 2.12 and a good idea for earlier versions.
That might be your design decision as a maintainer. Since the admin password is required only for 2.12 and above, IMO we can keep a version check in place and require it only for >= 2.12
There was a problem hiding this comment.
This doesn't answer my question. Allow me to rephrase:
Is it POSSIBLE to set the admin password in docker-compose.yml before 2.12?
If so, I will change the script to always require a custom password, for all versions, since it's a good idea.
There was a problem hiding this comment.
Is it POSSIBLE to set the admin password in docker-compose.yml before 2.12?
You can set the env variable OPENSEARCH_INITIAL_ADMIN_PASSWORD in the docker-compose.yml. This value will only be picked up for 2.12 and above
You, can change the script to have a default strong password, and then based on the version it will be picked.
Does that answer your query?
There was a problem hiding this comment.
Yes, thank you.
In that case, it does make more sense to accept and enforce it for version 2.12 and higher only, because requiring the parameter on earlier versions and then ignoring it (leaving the default password as admin) would be a terrible user experience.
In fact, we should reject the parameter (or at least output a warning that it's being ignored) if the version is pre-2.12.
I'll make those changes to the script.
There was a problem hiding this comment.
Made those changes and pushed the commit to this PR.
@DarshitChanpura, please let me know what you think. Thanks!
For earlier versions, emit a warning if an admin password is specified on the command line, since it will be ignored. Signed-off-by: Michael Froh <[email protected]>
Require password as an argument on 2.12 and higher For earlier versions, emit a warning if an admin password is specified on the command line, since it will be ignored. --------- Signed-off-by: Darshit Chanpura <[email protected]> Signed-off-by: Michael Froh <[email protected]> Co-authored-by: Michael Froh <[email protected]> (cherry picked from commit c31475e)
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.12 2.12
# Navigate to the new working tree
cd .worktrees/backport-2.12
# Create a new branch
git switch --create backport/backport-214-to-2.12
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 c31475e5465fdce80c7c9b86519a4d8d0141c06b
# Push it to GitHub
git push --set-upstream origin backport/backport-214-to-2.12
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.12Then, create a pull request where the |
That makes sense, since we haven't cut a 2.12 branch yet -- it will get cut from 2.x. I'm just going to remove the |
) Require password as an argument on 2.12 and higher For earlier versions, emit a warning if an admin password is specified on the command line, since it will be ignored. --------- Signed-off-by: Darshit Chanpura <[email protected]> Signed-off-by: Michael Froh <[email protected]> Co-authored-by: Michael Froh <[email protected]> (cherry picked from commit c31475e) Co-authored-by: Darshit Chanpura <[email protected]> Co-authored-by: Sean Li <[email protected]>
Description
There were recent changes to security demo configuration setup which now requires a custom admin Password to be setup. This PR updates the documentation and related code change.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.