From 958d33b09ce89e7ec0081a2e32168582b60180c2 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Fri, 15 Dec 2023 16:29:42 -0500 Subject: [PATCH 1/4] Addresses changes made to security demo config install tool Signed-off-by: Darshit Chanpura --- helpers/personalized_search_ranking_quickstart.sh | 14 +++++++++++--- helpers/search_processing_kendra_quickstart.sh | 12 ++++++++++-- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/helpers/personalized_search_ranking_quickstart.sh b/helpers/personalized_search_ranking_quickstart.sh index d481043..18e41e4 100755 --- a/helpers/personalized_search_ranking_quickstart.sh +++ b/helpers/personalized_search_ranking_quickstart.sh @@ -252,6 +252,13 @@ if [ -n "${VOLUME_NAME:-}" ]; then external: true" fi echo "Volume created" + +# OpenSearch 2.12 onwards security plugins requires a password to be set to setup admin user +if [ "$(echo "${OPENSEARCH_VERSION} 2.12" | awk '{print ($1 >= $2)}')" -eq 1 ] && [ -z "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}" ]; then + echo "OpenSearch 2.12 onwards, the Security Plugins requires initial admin password to be set for demo config setup" + exit 1 +fi + # # Create a docker-compose.yml file that will launch an OpenSearch node with the image we # just built and an OpenSearch Dashboards node that points to the OpenSearch node. @@ -269,6 +276,7 @@ services: - cluster.name=opensearch-cluster - node.name=opensearch-node - discovery.type=single-node + - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD} ulimits: memlock: soft: -1 @@ -329,8 +337,8 @@ cat >README <" https://localhost:9200/ Index some data on OpenSearch by following instructions at https://opensearch.org/docs/latest/opensearch/index-data/ 
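Review bot: The version test in the added `if` compares `${OPENSEARCH_VERSION}` with `2.12` through awk's `>=`, which is a numeric comparison (a string comparison for three-part versions), not a version comparison. A value such as `2.9` or `2.9.0` is therefore classed as 2.12 or later and the script exits asking for a password; a version-aware comparison such as `sort -V` avoids this. The second test reads `${OPENSEARCH_INITIAL_ADMIN_PASSWORD}` without a default, while the context line above uses `${VOLUME_NAME:-}`. If the script runs under `set -u` (not visible here), an unset variable aborts before the message is printed, so `[ -z "${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-}" ]` is safer. The same check is added in the `@@ -359,6 +359,13 @@` hunk of helpers/search_processing_kendra_quickstart.sh.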
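Review bot: The added `- OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}` entry writes the admin password in clear text into the generated docker-compose.yml, assuming the enclosing here-document (which starts outside this hunk) expands variables when the file is written. The file then holds a credential at whatever permissions the current umask gives, and a password containing `$` may be altered by Compose's own variable interpolation when the file is read. Consider emitting the bare key `- OPENSEARCH_INITIAL_ADMIN_PASSWORD` so Compose takes the value from the exported environment, or at least restricting the file with `chmod 600 docker-compose.yml` after it is written. The `@@ -379,6 +386,7 @@` hunk of helpers/search_processing_kendra_quickstart.sh adds the same line.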
@@ -343,7 +351,7 @@ search ranking and one with Personalized search Ranking. To configure and setup Personalize search ranking, run a curl command as follows: -curl -X PUT "https://localhost:9200/_search/pipeline/intelligent_ranking" -u 'admin:admin' --insecure -H 'Content-Type: application/json' -d' +curl -X PUT "https://localhost:9200/_search/pipeline/intelligent_ranking" -u 'admin:' --insecure -H 'Content-Type: application/json' -d' { "description": "A pipeline to apply custom reranking", "response_processors" : [ diff --git a/helpers/search_processing_kendra_quickstart.sh b/helpers/search_processing_kendra_quickstart.sh index 5351e5a..611bb74 100755 --- a/helpers/search_processing_kendra_quickstart.sh +++ b/helpers/search_processing_kendra_quickstart.sh @@ -359,6 +359,13 @@ if [ -n "${VOLUME_NAME:-}" ]; then external: true" fi +# OpenSearch 2.12 onwards security plugins requires a password to be set to setup admin user +if [ "$(echo "${OPENSEARCH_VERSION} 2.12" | awk '{print ($1 >= $2)}')" -eq 1 ] && [ -z "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}" ]; then + echo "OpenSearch 2.12 onwards, the Security Plugins requires initial admin password to be set for demo config setup" + exit 1 +fi + + # # Create a docker-compose.yml file that will launch an OpenSearch node with the image we # just built and an OpenSearch Dashboards node that points to the OpenSearch node. @@ -379,6 +386,7 @@ services: - kendra_intelligent_ranking.service.endpoint=${KENDRA_RANKING_ENDPOINT} - kendra_intelligent_ranking.service.region=${AWS_REGION} - kendra_intelligent_ranking.service.execution_plan_id=${EXECUTION_PLAN_ID} + - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD} ulimits: memlock: soft: -1 @@ -446,8 +454,8 @@ cat >README <" https://localhost:9200/ Index some data on OpenSearch by following instructions at https://opensearch.org/docs/latest/opensearch/index-data/ From b558a1088854e86fb8df5241ce54b615b7200337 Mon Sep 17 00:00:00 2001 
From: Darshit Chanpura Date: Tue, 2 Jan 2024 10:33:08 -0500 Subject: [PATCH 2/4] Addresses PR feedback Signed-off-by: Darshit Chanpura --- helpers/personalized_search_ranking_quickstart.sh | 15 +++++++++++---- helpers/search_processing_kendra_quickstart.sh | 14 ++++++++++---- 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/helpers/personalized_search_ranking_quickstart.sh b/helpers/personalized_search_ranking_quickstart.sh index 18e41e4..1f44c11 100755 --- a/helpers/personalized_search_ranking_quickstart.sh +++ b/helpers/personalized_search_ranking_quickstart.sh @@ -253,10 +253,17 @@ if [ -n "${VOLUME_NAME:-}" ]; then fi echo "Volume created" -# OpenSearch 2.12 onwards security plugins requires a password to be set to setup admin user -if [ "$(echo "${OPENSEARCH_VERSION} 2.12" | awk '{print ($1 >= $2)}')" -eq 1 ] && [ -z "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}" ]; then - echo "OpenSearch 2.12 onwards, the Security Plugins requires initial admin password to be set for demo config setup" - exit 1 + +# Starting in 2.12.0, security demo configuration script requires an initial admin password +IFS='.' read -ra version_array <<< "$VERSION" + +if [ -z "$CREDENTIAL" ] +then + if (( ${version_array[0]} > 2 || (${version_array[0]} == 2 && ${version_array[1]} >= 12) )); then + CREDENTIAL="admin:myStrongPassword123!" + else + CREDENTIAL="admin:admin" + fi fi # diff --git a/helpers/search_processing_kendra_quickstart.sh b/helpers/search_processing_kendra_quickstart.sh index 611bb74..be3cce7 100755 --- a/helpers/search_processing_kendra_quickstart.sh +++ b/helpers/search_processing_kendra_quickstart.sh 
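Review bot: The new block hard-codes `CREDENTIAL="admin:myStrongPassword123!"` as the fallback for 2.12 and later, so every cluster started by this script without an explicit credential gets the same publicly known admin password. It also reads `$VERSION` and sets `CREDENTIAL`, while the earlier patch in this series tests `OPENSEARCH_VERSION` and passes `OPENSEARCH_INITIAL_ADMIN_PASSWORD` to the container. Unless those names are defined outside the hunk, the container would now receive an empty password and the arithmetic test would run on an empty array. Stopping when no password is supplied, as the removed lines did, is the safer default. The same block is added in the `@@ -359,10 +359,16 @@` hunk of helpers/search_processing_kendra_quickstart.sh.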
@@ -359,10 +359,16 @@ if [ -n "${VOLUME_NAME:-}" ]; then external: true" fi -# OpenSearch 2.12 onwards security plugins requires a password to be set to setup admin user -if [ "$(echo "${OPENSEARCH_VERSION} 2.12" | awk '{print ($1 >= $2)}')" -eq 1 ] && [ -z "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}" ]; then - echo "OpenSearch 2.12 onwards, the Security Plugins requires initial admin password to be set for demo config setup" - exit 1 +# Starting in 2.12.0, security demo configuration script requires an initial admin password +IFS='.' read -ra version_array <<< "$VERSION" + +if [ -z "$CREDENTIAL" ] +then + if (( ${version_array[0]} > 2 || (${version_array[0]} == 2 && ${version_array[1]} >= 12) )); then + CREDENTIAL="admin:myStrongPassword123!" + else + CREDENTIAL="admin:admin" + fi fi From 7d7db740b24d483f736194f919147863141dc280 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Sat, 13 Jan 2024 13:37:54 -0500 Subject: [PATCH 3/4] Updates version selection logic Signed-off-by: Darshit Chanpura --- .../personalized_search_ranking_quickstart.sh | 16 ++++++---------- helpers/search_processing_kendra_quickstart.sh | 15 ++++++--------- 2 files changed, 12 insertions(+), 19 deletions(-) diff --git a/helpers/personalized_search_ranking_quickstart.sh b/helpers/personalized_search_ranking_quickstart.sh index 1f44c11..ee5c9a3 100755 --- a/helpers/personalized_search_ranking_quickstart.sh +++ b/helpers/personalized_search_ranking_quickstart.sh 
@@ -253,17 +253,13 @@ if [ -n "${VOLUME_NAME:-}" ]; then fi echo "Volume created" - # Starting in 2.12.0, security demo configuration script requires an initial admin password -IFS='.' read -ra version_array <<< "$VERSION" - -if [ -z "$CREDENTIAL" ] -then - if (( ${version_array[0]} > 2 || (${version_array[0]} == 2 && ${version_array[1]} >= 12) )); then - CREDENTIAL="admin:myStrongPassword123!" - else - CREDENTIAL="admin:admin" - fi +OPENSEARCH_REQUIRED_VERSION="2.12.0" +COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1` +if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then + OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin" +else + OPENSEARCH_INITIAL_ADMIN_PASSWORD="myStrongPassword123!" fi # diff --git a/helpers/search_processing_kendra_quickstart.sh b/helpers/search_processing_kendra_quickstart.sh index be3cce7..ba62405 100755 --- a/helpers/search_processing_kendra_quickstart.sh +++ b/helpers/search_processing_kendra_quickstart.sh @@ -360,15 +360,12 @@ if [ -n "${VOLUME_NAME:-}" ]; then fi # Starting in 2.12.0, security demo configuration script requires an initial admin password -IFS='.' read -ra version_array <<< "$VERSION" - -if [ -z "$CREDENTIAL" ] -then - if (( ${version_array[0]} > 2 || (${version_array[0]} == 2 && ${version_array[1]} >= 12) )); then - CREDENTIAL="admin:myStrongPassword123!" - else - CREDENTIAL="admin:admin" - fi +OPENSEARCH_REQUIRED_VERSION="2.12.0" +COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1` +if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then + OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin" +else + OPENSEARCH_INITIAL_ADMIN_PASSWORD="myStrongPassword123!" fi From a5da90814d2f69e810fcce2d795475e7c565d999 Mon Sep 17 00:00:00 2001 
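Review bot: `OPENSEARCH_INITIAL_ADMIN_PASSWORD` is assigned unconditionally in both branches, so a value the user exported before running the script is overwritten, and 2.12 and later always end up with the fixed string `myStrongPassword123!`. A password that ships in a public script gives no protection on any host where port 9200 is reachable. Keep a caller-supplied value and stop when none is given on 2.12+, for example `: "${OPENSEARCH_INITIAL_ADMIN_PASSWORD:?set an admin password for OpenSearch 2.12+}"` in the `else` branch. The hunk for helpers/search_processing_kendra_quickstart.sh in this patch has the same assignments.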
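Review bot: With `OPENSEARCH_REQUIRED_VERSION="2.12.0"`, an `OPENSEARCH_VERSION` given as `2.12` sorts before `2.12.0` under `sort -V`, so it is classed as older than 2.12 and the password is forced to `admin`. Whether a two-part version can reach this code is not visible in the hunk; using `OPENSEARCH_REQUIRED_VERSION="2.12"` as the threshold handles both spellings. The `uniq` stage is not needed, because `head -n 1` already returns the smallest entry whether or not the two values are equal, and `$( … )` is preferable to backticks. The same comparison appears in the helpers/personalized_search_ranking_quickstart.sh hunk of this patch and is moved unchanged by patch 4/4.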
From: Michael Froh Date: Thu, 18 Jan 2024 22:13:29 +0000 Subject: [PATCH 4/4] Require password as an argument on 2.12 and higher For earlier versions, emit a warning if an admin password is specified on the command line, since it will be ignored. Signed-off-by: Michael Froh --- .../personalized_search_ranking_quickstart.sh | 38 +++++++++++++------ .../search_processing_kendra_quickstart.sh | 35 +++++++++++------ 2 files changed, 51 insertions(+), 22 deletions(-) diff --git a/helpers/personalized_search_ranking_quickstart.sh b/helpers/personalized_search_ranking_quickstart.sh index ee5c9a3..c78b3ad 100755 --- a/helpers/personalized_search_ranking_quickstart.sh +++ b/helpers/personalized_search_ranking_quickstart.sh @@ -26,7 +26,7 @@ fi function print_help() { cat << EOF Usage: $0 [-r ] [--profile ] - [--volume-name ] + [--volume-name ] [--admin-password ] -r | --region The AWS region for the Personalize Intelligent Ranking service endpoint. If not specified, will read from the AWS CLI for the default profile. @@ -39,6 +39,11 @@ Usage: $0 [-r ] [--profile ] named Docker volume to \$OPENSEARCH_ROOT/data, so index data will persist across executions. If the named volume does not exist, it will be created. + --admin-password For OpenSearch 2.12 and higher, we no longer use a default + password of "admin" for the admin user. Instead, the value + passed to this parameter will be used as the admin password. + For OpenSearch versions prior to 2.12, this argument will be + ignored with a warning. NOTE: If the --profile option is not specified, the script will attempt to read AWS credentials (access/secret key, optional session token) from environment variables, 
@@ -76,9 +81,27 @@ while [ "$#" -gt 0 ]; do VOLUME_NAME=$1 shift ;; - esac + --admin-password ) + shift + OPENSEARCH_INITIAL_ADMIN_PASSWORD="$1" + shift + ;; + esac done +# Starting in 2.12.0, security demo configuration script requires an initial admin password +OPENSEARCH_REQUIRED_VERSION="2.12.0" +COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1` +if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then + if [ -n "${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-}" ]; then + echo "WARNING: The --admin-password setting has no effect on OpenSearch ${OPENSEARCH_VERSION}. The admin password will be 'admin'." + fi + OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin" +elif [ -z "${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-}" ]; then + echo "Starting with OpenSearch 2.12, you must specify the admin password with the --admin-password parameter." + exit 1 +fi + # # Determine which credentials and region to use. By the end of this block, all specified # credentials will be loaded into environment variables (or we fail with an explanatory @@ -253,14 +276,7 @@ if [ -n "${VOLUME_NAME:-}" ]; then fi echo "Volume created" -# Starting in 2.12.0, security demo configuration script requires an initial admin password -OPENSEARCH_REQUIRED_VERSION="2.12.0" -COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1` -if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then - OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin" -else - OPENSEARCH_INITIAL_ADMIN_PASSWORD="myStrongPassword123!" -fi + # # Create a docker-compose.yml file that will launch an OpenSearch node with the image we @@ -395,4 +411,4 @@ applicable) by running The full text of this message is also available at $(pwd)/README EOF -cat README \ No newline at end of file +cat README diff --git a/helpers/search_processing_kendra_quickstart.sh b/helpers/search_processing_kendra_quickstart.sh index ba62405..3c0bba4 100755 
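Review bot: Taking the password as the value of `--admin-password` puts it in the process argument list and in shell history, where other local users and logs can read it. The check added below the loop appears to accept `OPENSEARCH_INITIAL_ADMIN_PASSWORD` from the environment as well, so the error message and help text could point to that, or the script could prompt with `read -rsp 'Admin password: ' OPENSEARCH_INITIAL_ADMIN_PASSWORD` when the value is missing. The new case arm also shifts and reads `$1` without checking that a value follows; a guard such as `[ "$#" -ge 2 ] || { echo "--admin-password requires a value" >&2; exit 1; }` before the first `shift` gives a clear error. The `while` loop starts outside this hunk, and the `@@ -101,6 +106,11 @@` hunk of helpers/search_processing_kendra_quickstart.sh adds the same arm.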
--- a/helpers/search_processing_kendra_quickstart.sh +++ b/helpers/search_processing_kendra_quickstart.sh @@ -27,7 +27,7 @@ function print_help() { cat << EOF Usage: $0 [-p ] [-r ] [-e ] [--profile ] [--create-execution-plan] - [--volume-name ] + [--volume-name ] [--admin-password ] -p | --execution-plan-id The ID returned from Kendra Intelligent Ranking service from the call to CreateRescoreExecutionPlan. Required if --create-execution-plan is not set. @@ -50,6 +50,11 @@ Usage: $0 [-p ] [-r ] [-e ] named Docker volume to \$OPENSEARCH_ROOT/data, so index data will persist across executions. If the named volume does not exist, it will be created. + --admin-password For OpenSearch 2.12 and higher, we no longer use a default + password of "admin" for the admin user. Instead, the value + passed to this parameter will be used as the admin password. + For OpenSearch versions prior to 2.12, this argument will be + ignored with a warning. NOTE: If the --profile option is not specified, the script will attempt to read AWS credentials (access/secret key, optional session token) from environment variables, @@ -101,6 +106,11 @@ while [ "$#" -gt 0 ]; do VOLUME_NAME=$1 shift ;; + --admin-password ) + shift + OPENSEARCH_INITIAL_ADMIN_PASSWORD="$1" + shift + ;; esac done 
@@ -121,6 +131,19 @@ if [ "${FAILED_VALIDATION}" == "1" ]; then exit 1 fi +# Starting in 2.12.0, security demo configuration script requires an initial admin password +OPENSEARCH_REQUIRED_VERSION="2.12.0" +COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1` +if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then + if [ -n "${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-}" ]; then + echo "WARNING: The --admin-password setting has no effect on OpenSearch ${OPENSEARCH_VERSION}. The admin password will be 'admin'." + fi + OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin" +elif [ -z "${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-}" ]; then + echo "Starting with OpenSearch 2.12, you must specify the admin password with the --admin-password parameter." + exit 1 +fi + # # Determine which credentials and region to use. By the end of this block, all specified # credentials will be loaded into environment variables (or we fail with an explanatory @@ -359,16 +382,6 @@ if [ -n "${VOLUME_NAME:-}" ]; then external: true" fi -# Starting in 2.12.0, security demo configuration script requires an initial admin password -OPENSEARCH_REQUIRED_VERSION="2.12.0" -COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1` -if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then - OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin" -else - OPENSEARCH_INITIAL_ADMIN_PASSWORD="myStrongPassword123!" -fi - - # # Create a docker-compose.yml file that will launch an OpenSearch node with the image we # just built and an OpenSearch Dashboards node that points to the OpenSearch node.