Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace admin:admin default credentials #1576

Closed
5 tasks done
Tracked by #1618
setiah opened this issue Dec 3, 2021 · 25 comments
Closed
5 tasks done
Tracked by #1618

Replace admin:admin default credentials #1576

setiah opened this issue Dec 3, 2021 · 25 comments
Labels
breaking This issue is or proposes a breaking change enhancement New feature or request triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. v2.12.0 Items targeting 2.12.0

Comments

@setiah
Copy link

setiah commented Dec 3, 2021

Is your feature request related to a problem? Please describe.
The default admin:admin credential is too weak and a sure-fire way to get hacked. Though the documentation recommends users to change the default passwords, it can be easily missed. Such weak defaults can be very easily exploited and lead to massive data leaks (remember Equifax attack?).

The second gap is, in the existing distribution, there's no default password policy to ensure stronger passwords. It needs to be configured explicitly by users. That is why such weak credentials are able to slip through the cracks.

Describe the solution you'd like
Remove the default passwords provided in internal_users.yml. Instead, have the admin user setup passwords for internal users once the OpenSearch process is up. These passwords can be set up post-installation using a REST API and admin certificates (for authentication). Setting password for admin user would look something like -

PATCH _opendistro/_security/api/internalusers/admin --key admin-key.pem --cert admin.pem --cacert root-ca.pem -d'
{
    "password": "quCn52_8\*N8"
}
'

To make this further easy, OpenSearch distribution could provide a tool such as an OpenSearch shell client to make it easy for admin user to configure all users. This shell client could also help with autogenerating strong passwords and can be further extended to support for more administrative functions in future.

In addition to this, we should also add a default password policy to only allow passwords that match a certain strength criteria. Obv, these policies are overridable depending on the user/enterprise needs. Having a strong default policy will protect against insecure password configurations.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
This is related to opensearch-project/OpenSearch#1618

Task breakdown

  • Remove default passwords for inbuilt users in internal_users.yml, deprecate now and remove password field from yml in 2.0
  • Configure strong default password policy and also make it overridable via yml.
  • Write tool for password setup (to be used by admin).
  • Add auto-password-generation logic to the tool to ease user experience during setup.
  • Integrate auto-password generation into security plugin bootstrap logic #1787
@dredwilliams
Copy link

Agreed -- the inability to change the admin password in particular without wiping the internal user database is a problem.

@AmiStrn
Copy link

AmiStrn commented Dec 5, 2021

It seems like this is assuming use of the security plugin. It should be optional to use the security plugin.

I believe this should be mobed to the security plugin repo here - https://github.com/opensearch-project/security

@setiah
Copy link
Author

setiah commented Dec 7, 2021

@CEHENKLE I don't have permissions to transfer issues to the security plugin repo. Could you pls do that?

@PhilipMay
Copy link

This is a super important security issue. Can you please prioritize it?

PS: it seems like there is something that could handle this - but it is 1. not documented and 2. I am not sure how and if it even works.

https://github.com/opensearch-project/OpenSearch/blob/0ba0e7cc26060f964fcbf6ee45bae53b3a9941d0/distribution/docker/src/docker/bin/docker-entrypoint.sh#L58

@CEHENKLE CEHENKLE transferred this issue from opensearch-project/OpenSearch Jan 18, 2022
@CEHENKLE
Copy link
Member

@PhilipMay Agree. Take a look at: opensearch-project/OpenSearch#1029 We plan to make changes this year in a major version, but let's not wait if there are low things we can do before that.

@peternied
Copy link
Member

There was a related issue filed opensearch-project/security-dashboards-plugin#1008 where the admin password was not able to be updated in the UX

@zalseryani
Copy link

Any update on this case !!

@kingnarmer
Copy link

Checking if there is update on this issue ?

@zalseryani
Copy link

zalseryani commented Jun 6, 2023

@kingnarmer

The only way to solve this issue is to add your internal_users.yml under securityConfig.config.data.config.yml configuration section in your helm chart.

Ex:

      internal_users.yml: |-
        ---
        _meta:
          type: "internalusers"
          config_version: 2

        admin:
          hash: ""
          reserved: true
          backend_roles:
          - "admin"

@dblock
Copy link
Member

dblock commented Aug 8, 2023

I wrote up https://code.dblock.org/2023/08/08/changing-the-default-admin-password-in-opensearch.html which should show how hard this is to actually do today. I like the idea that the system would come up with a generated password, and require changing that password in a secure way on start.

@decyphertek-io
Copy link

decyphertek-io commented Sep 24, 2023

Opensearch admin:admin Debian/Ubuntu Solution:

 # Install Opensearch
 sudo apt update && sudo apt upgrade -y
 sudo apt-get update && sudo apt-get -y install lsb-release ca-certificates curl gnupg2
 # This command appears in two lines, make sure to include them in one.
 curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings 
 /opensearch-keyring
 # This command appears in two lines, make sure they are one. 
 echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch  
 /2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-2.x.list
 sudo apt update && sudo apt install opensearch -y 
 sudo vim /etc/opensearch/opensearch-security/internal_users.yml
 # change reserved: true to reserved: false ( Only on admin , kibanaserver referenced in opensearch_dashboard.yml)
 # Optional: Change the password via hash. ( See command below, not required if reserved:false , can change from GUI. )
 # Optional: Keep in mind reserved:true makes the account immutable. If you need that, then keep it, cant change from GUI.
 
 # Install opensearch-dashboard
 # This command appears in two lines, make sure they are one. 
 curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings 
 /opensearch-keyring
 # This command appears in two lines, make sure they are one
 echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch- 
 dashboards/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-dashboards-2.x.list
 sudo apt update && sudo apt install opensearch-dashboards -y 
 sudo vim /etc/opensearch-dashboards/opensearch_dashboards.yml
 # uncomment server.port: 5601 
 # uncomment and change server.host: "localhost" to server.host: "0.0.0.0"
 # Issue: If you change the kibanaserver password in internal users, you have to add this to opensearch dashboards config.
 # Issue: Do not use ! points in your password hash generator, since it will call bash history and passwords will not match. 

 # Opensearch 2.x > Java 17 compatible
 sudo apt install openjdk-17-jdk 
 export JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:bin/java::") 
 export OPENSEARCH_JAVA_HOME=$JAVA_HOME 
 java --version 
 echo $JAVA_HOME  
 echo $OPENSEARCH_JAVA_HOME 

 # Start the daemons
 sudo systemctl daemon-reload
 sudo systemctl enable opensearch
 sudo systemctl start opensearch
 sudo systemctl enable opensearch-dashboards
 sudo systemctl start opensearch-dashboards

 # Login ( Can now manage all users from GUI ) 
 http://ip-of-server:5601
 user: admin
 pass: admin
 manage users > management > security > internal users > delete & change passwords

 # Verify opensearch works with new password set:
 curl -XGET -k -u 'admin:NEWPASSWORD' 'https://localhost:9200/_cluster/health?pretty'

 # HTTPS options OpenSearch-Dashboard
 * nginx
 * search guard ( Compatibility unclear 7.10) 
 * Security script process.

 # (Optional) Opensearch Security Script Method:
 # Add your chosen password has to the internal users yml.
 sudo  /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh -p <new-password>

 # Update the Internal users yml
 sudo vim /etc/opensearch/opensearch-security/internal_users.yml

 # Dev certs, to generate your own - https://opensearch.org/docs/latest/security/configuration/generate-certificates/
 # This appears on three lines, except should be one command. 
 sudo /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -f /etc/opensearch/opensearch-security 
 /internal_users.yml -t internalusers  -icl -nhnv -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/kirk.pem -key 
 /etc/opensearch/kirk-key.pem

@peternied
Copy link
Member

@scrawfor99's pull request [1] to address this issue was recently merged in to main. We are about to backport this change into 2.x and want to get some feedback on how we think about approaching this.

Currently Planned Behavior

If a password for the admin account is not supplied, the demo_configuration script will exit early with the following message.

echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=<your_password>' 
or create a file $ADMIN_PASSWORD_FILE with a single line that contains the password."

Otherwise the following will be printed in the middle of the script

echo "   ***************************************************"
echo "   ***   ADMIN PASSWORD SET TO: $ADMIN_PASSWORD    ***"
echo "   ***************************************************"

What do we think about these changes going into the 2.x release? Are there any modifications that would make this more palatable? Note, I'm also going to mark this untriaged to make sure it gets discussed during the next triage meeting.

@peternied peternied added the untriaged Require the attention of the repository maintainers and may need to be prioritized label Sep 27, 2023
@davidlago davidlago removed the untriaged Require the attention of the repository maintainers and may need to be prioritized label Oct 2, 2023
@davidlago
Copy link

[Triage] Maintainers agree to take the tradeoff of "breaking" new installs that don't provide a default password for the admin user, for the sake of better securing future cluster installs. This does not break current clusters that get upgraded to a newer version, as those would already have created their admin user/password.

That said, we want to make sure that at the very least we fix the docker images we publish alongside our artifacts (and the functional tests) to account for this change. Until those are addressed, the 2.x backport in #3414 should be blocked.

@DarshitChanpura DarshitChanpura added v2.12.0 Items targeting 2.12.0 and removed v2.11.0 Issues targeting the 2.11 release labels Oct 6, 2023
@guldil
Copy link

guldil commented Nov 16, 2023

Opensearch admin:admin Debian/Ubuntu Solution:

 # Login ( Can now manage all users from GUI ) 
 http://ip-of-server:5601
 user: admin
 pass: admin
 manage users > management > security > internal users > delete & change passwords

i can't update admin account : {"status":"FORBIDDEN","message":"Resource 'admin' is reserved."}
i can remove all "non reserved" account
i move to this step

(Optional) Opensearch Security Script Method:

Add your chosen password has to the internal users yml.

sudo /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh -p

Update the Internal users yml

sudo vim /etc/opensearch/opensearch-security/internal_users.yml

Dev certs, to generate your own - https://opensearch.org/docs/latest/security/configuration/generate-certificates/

This appears on three lines, except should be one command.

sudo /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -f /etc/opensearch/opensearch-security
/internal_users.yml -t internalusers -icl -nhnv -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/kirk.pem -key
/etc/opensearch/kirk-key.pem

and it's working admin password is changed and demo account are back gain...

at least I was able to change the default password so thank you :)

@stephen-crawford
Copy link
Contributor

Opensearch admin:admin Debian/Ubuntu Solution:

 # Login ( Can now manage all users from GUI ) 
 http://ip-of-server:5601
 user: admin
 pass: admin
 manage users > management > security > internal users > delete & change passwords

i can't update admin account : {"status":"FORBIDDEN","message":"Resource 'admin' is reserved."} i can remove all "non reserved" account i move to this step

(Optional) Opensearch Security Script Method:

Add your chosen password has to the internal users yml.

sudo /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh -p

Update the Internal users yml

sudo vim /etc/opensearch/opensearch-security/internal_users.yml

Dev certs, to generate your own - https://opensearch.org/docs/latest/security/configuration/generate-certificates/

This appears on three lines, except should be one command.

sudo /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -f /etc/opensearch/opensearch-security
/internal_users.yml -t internalusers -icl -nhnv -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/kirk.pem -key
/etc/opensearch/kirk-key.pem

and it's working admin password is changed and demo account are back gain...

at least I was able to change the default password so thank you :)

Hey @guldil, I don't think these changes have gone out yet. You should still be able to use the default credentials admin:admin for the time being. We will have to wait for the next release to roll out these changes (some of which are still in progress courtesy of @DarshitChanpura ) :)

@guldil
Copy link

guldil commented Nov 16, 2023

@scrawfor99 but i dont want to use default password, i start a VM with OpenSearch on my private cloud and i can't let the VM with default password, i need remote access on it.

For me it's a good solution, i installed OpenSearch 2.11, i change certificates used by default (root-ca / kirk) with my own certificates issued with my "root-ca-new" and i change admin password with my own "admin" (the default kirk). It helped me understand how this part worked.

@stephen-crawford
Copy link
Contributor

Hi @guldil, thanks for the clarification. What you described should work--I was just trying to clarify why the steps on this issue may not be operable quite yet. Everything listed on the documentation website should still work for your use case.

@guldil
Copy link

guldil commented Nov 16, 2023

@scrawfor99 yes i found documentation too late https://opensearch.org/docs/latest/install-and-configure/install-opensearch/debian/#configure-tls, eveything is on it.

Maybe documentation installation of Dashboard could be better https://opensearch.org/docs/latest/install-and-configure/install-dashboards/debian/ and https://opensearch.org/docs/latest/install-and-configure/install-dashboards/tls/ when you change Certificates / CA (like the TLS one of OpenSearch Only)

@LinTechSo
Copy link

Hi,
any updates ?

@kingnarmer
Copy link

I am having same issue . Would be good if this cloud be automated. Ideal situation will be to pass the desired password as input to script or playbook.

@zalseryani
Copy link

zalseryani commented Dec 10, 2023

if you are using helm charts for deploying opensearch, you can update your opensearch helm chart to use internal_users.yml template and add your admin user password there,

for future changes, you can use securityadmin.sh for retrieving the security index data (users, roles, rolesmapping, etc) and put them into a folder and update them and re-uploading them to security index again using securityadmin.sh shell also.

  • retrieve security index information
./securityadmin.sh -cd ../../../config/security_backup/ -icl -nhnv \
    -cacert ../../../config/root-ca.pem \
    -cert ../../../config/admin.pem \
    -key ../../../config/admin-key.pem -r
  • update admin bycrypt hash and reupload using the same script (please make sure to rename all the files again without the timestamp or date in the files naming)
./securityadmin.sh -cd ../../../config/security_backup/ -icl -nhnv \
    -cacert ../../../config/root-ca.pem \
    -cert ../../../config/admin.pem \
    -key ../../../config/admin-key.pem
  • Note: if you are using opensearch security plugin to have plugins.security.ssl.http.enabled: true in order for secuirtyadmin.sh to work properly

Opensearch Version: 2.9.0 -- deployed with helm chart version (opensearch-2.14.0)

References

@stephen-crawford
Copy link
Contributor

stephen-crawford commented Dec 11, 2023

Hi @LinTechSo, @guldil, etc. Just an update: This is actively being worked on by @derek-ho and @DarshitChanpura they are making great progress and hoping to get this out in 2.12. That being said, we have to wait for 2.12 at the earliest since this marks a fairly large UX/UI change from the current way of doing things. You are welcome to check out some of their work over on the repo's pull request list.

@peternied
Copy link
Member

@DarshitChanpura Could you link this to the meta issue where we are addressing this?

@DarshitChanpura
Copy link
Member

DarshitChanpura commented Jan 30, 2024

The effort replace default admin password with a custom supplied password is being tracked here:

The issues stemmed from this spike: #3560

If you would like to, please follow these issues along to compute the work done as we target to ship this change with the next release.

@DarshitChanpura
Copy link
Member

The default credentials for demo admin user have been replaced with a custom password requirement, and this feature has been shipped in 2.12.0. Marking this issue as complete.

Please feel free to re-open if something was missed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
breaking This issue is or proposes a breaking change enhancement New feature or request triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. v2.12.0 Items targeting 2.12.0
Projects
None yet
Development

No branches or pull requests