Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

plugins.security.disabled setting no longer working in 2.12 leading to errors (Docker) #4062

Open
gygitlab opened this issue Feb 21, 2024 · 14 comments
Open

plugins.security.disabled setting no longer working in 2.12 leading to errors (Docker) #4062

gygitlab opened this issue Feb 21, 2024 · 14 comments
Labels
bug Something isn't working Plugins triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@gygitlab
Copy link

gygitlab commented Feb 21, 2024
edited
Loading

Describe the bug

The plugins.security.disabled no longer looks to be working in the 2.12 release.

Setting the variable as an environment variable now leads to the following error in the logs:

### OpenSearch Security Demo Installer
### ** Warning: Do not use on production or public reachable systems **
OpenSearch install type: rpm/deb on Linux 5.15.0-1051-gcp amd64
OpenSearch config dir: /usr/share/opensearch/config/
OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
OpenSearch bin dir: /usr/share/opensearch/bin/
OpenSearch plugins dir: /usr/share/opensearch/plugins/
OpenSearch lib dir: /usr/share/opensearch/lib/
Detected OpenSearch Version: 2.12.0
Detected OpenSearch Security Version: 2.12.0.0
No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD

This setting was working fine in 2.11.

Looking through the Docker documentation specifically there appears to be a different format for this variable:

"DISABLE_SECURITY_PLUGIN=true" # Disables Security plugin

This does appear to still work but the normal setting does not. This is effectively a breaking change as a result.

Related component

Plugins

To Reproduce

  • Attempt to start up OpenSearch 2.12 as a Docker container with plugins.security.disabled set as an environment variable.
  • Notice it will fail due to the plugin enabling anyways and it requiring additional config.

Expected behavior

That both plugins.security.disabled and it's variant DISABLE_SECURITY_PLUGIN work when passed in as environment variables.

Additional Details

No response
@gygitlab gygitlab added bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Feb 21, 2024
@peternied peternied transferred this issue from opensearch-project/OpenSearch Feb 21, 2024
@dbwiddis
Copy link
Member

@DarshitChanpura @derek-ho is this possibly related to #3624?

@DarshitChanpura
Copy link
Member

2.11.1

2.11.1 test scenarios:

custom opensearch.yml (has setting plugins.security.disabled: true)

opensearch-node2  | Detected OpenSearch Version: x-content-2.11.1
opensearch-node2  | Detected OpenSearch Security Version: 2.11.1.0
opensearch-node1  | /usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.
opensearch-node2  | /usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.

``zsh
➜ 2.11.1 curl http://localhost:9200
{
"name" : "opensearch-node1",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "ZHSpLOqWR8ehc0LrpZ0nRQ",
"version" : {
"distribution" : "opensearch",
"number" : "2.11.1",
"build_type" : "tar",
"build_hash" : "6b1986e964d440be9137eba1413015c31c5a7752",
"build_date" : "2023-11-29T21:45:35.524809067Z",
"build_snapshot" : false,
"lucene_version" : "9.7.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}



### providing "plugins.security.disabled=true" as env variable in docker-compose

```zsh
opensearch-node2  | Detected OpenSearch Version: x-content-2.11.1
opensearch-node2  | Detected OpenSearch Security Version: 2.11.1.0
opensearch-node1  | 
opensearch-node2  | 
opensearch-node1  | ### Success
opensearch-node1  | ### Execute this script now on all your nodes and then start all nodes
opensearch-node1  | ### OpenSearch Security will be automatically initialized.
opensearch-node1  | ### If you like to change the runtime configuration 
opensearch-node1  | ### change the files in ../../../config/opensearch-security and execute: 
opensearch-node1  | "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch-node1  | ### or run ./securityadmin_demo.sh
opensearch-node1  | ### To use the Security Plugin ConfigurationGUI
opensearch-node1  | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
opensearch-node1  | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch-node1  | Enabling OpenSearch Security Plugin
opensearch-node1  | Enabling execution of OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin
opensearch-node2  | ### Success
opensearch-node2  | ### Execute this script now on all your nodes and then start all nodes
opensearch-node2  | ### OpenSearch Security will be automatically initialized.
opensearch-node2  | ### If you like to change the runtime configuration 
opensearch-node2  | ### change the files in ../../../config/opensearch-security and execute: 
opensearch-node2  | "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch-node2  | ### or run ./securityadmin_demo.sh
opensearch-node2  | ### To use the Security Plugin ConfigurationGUI
opensearch-node2  | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
opensearch-node2  | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch-node2  | Enabling OpenSearch Security Plugin

➜  2.11.1 curl http://localhost:9200
{
  "name" : "opensearch-node1",
  "cluster_name" : "opensearch-cluster",
  "cluster_uuid" : "PKhXmPJOT-SA6jWssYcUrg",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.11.1",
    "build_type" : "tar",
    "build_hash" : "6b1986e964d440be9137eba1413015c31c5a7752",
    "build_date" : "2023-11-29T21:45:35.524809067Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

providing "DISABLE_SECURITY_PLUGIN=true"

opensearch-node2  | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node2  | **************************************************************************
opensearch-node2  | ** This tool will be deprecated in the next major release of OpenSearch **
opensearch-node2  | ** https://github.com/opensearch-project/security/issues/1755           **
opensearch-node2  | **************************************************************************
opensearch-node2  | OpenSearch Security Demo Installer
opensearch-node2  |  ** Warning: Do not use on production or public reachable systems **
opensearch-node2  | Basedir: /usr/share/opensearch
opensearch-node2  | OpenSearch install type: rpm/deb on Amazon Linux release 2023 (Amazon Linux)
opensearch-node2  | OpenSearch config dir: /usr/share/opensearch/config
opensearch-node2  | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node2  | OpenSearch bin dir: /usr/share/opensearch/bin
opensearch-node2  | OpenSearch plugins dir: /usr/share/opensearch/plugins
opensearch-node2  | OpenSearch lib dir: /usr/share/opensearch/lib
opensearch-node2  | Detected OpenSearch Version: x-content-2.11.1
opensearch-node2  | Detected OpenSearch Security Version: 2.11.1.0
opensearch-node1  | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node1  | **************************************************************************
opensearch-node1  | ** This tool will be deprecated in the next major release of OpenSearch **
opensearch-node1  | ** https://github.com/opensearch-project/security/issues/1755           **
opensearch-node1  | **************************************************************************
opensearch-node1  | OpenSearch Security Demo Installer
opensearch-node1  |  ** Warning: Do not use on production or public reachable systems **
opensearch-node1  | Basedir: /usr/share/opensearch
opensearch-node2  | 
opensearch-node1  | OpenSearch install type: rpm/deb on Amazon Linux release 2023 (Amazon Linux)
opensearch-node1  | OpenSearch config dir: /usr/share/opensearch/config
opensearch-node1  | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node1  | OpenSearch bin dir: /usr/share/opensearch/bin
opensearch-node1  | OpenSearch plugins dir: /usr/share/opensearch/plugins
opensearch-node1  | OpenSearch lib dir: /usr/share/opensearch/lib
opensearch-node1  | Detected OpenSearch Version: x-content-2.11.1
opensearch-node1  | Detected OpenSearch Security Version: 2.11.1.0
opensearch-node1  | 
opensearch-node2  | ### Success
opensearch-node2  | ### Execute this script now on all your nodes and then start all nodes
opensearch-node2  | ### OpenSearch Security will be automatically initialized.
opensearch-node2  | ### If you like to change the runtime configuration 
opensearch-node2  | ### change the files in ../../../config/opensearch-security and execute: 
opensearch-node2  | "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch-node2  | ### or run ./securityadmin_demo.sh
opensearch-node2  | ### To use the Security Plugin ConfigurationGUI
opensearch-node2  | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
opensearch-node2  | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch-node2  | Disabling OpenSearch Security Plugin
opensearch-node2  | Enabling execution of OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin
opensearch-node1  | ### or run ./securityadmin_demo.sh
opensearch-node1  | ### To use the Security Plugin ConfigurationGUI
opensearch-node1  | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
opensearch-node1  | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch-node1  | Disabling OpenSearch Security Plugin
➜  2.11.1 curl http://localhost:9200
{
  "name" : "opensearch-node1",
  "cluster_name" : "opensearch-cluster",
  "cluster_uuid" : "14GfRQJ-Q4Gvagd1hH4evQ",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.11.1",
    "build_type" : "tar",
    "build_hash" : "6b1986e964d440be9137eba1413015c31c5a7752",
    "build_date" : "2023-11-29T21:45:35.524809067Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

2.12.0

2.12.0 test scenarios:

custom opensearch.yml (has setting plugins.security.disabled: true)

opensearch-node2  | Detected OpenSearch Version: 2.12.0
opensearch-node2  | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node1  | /usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.
opensearch-node2  | /usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.
➜  curl http://localhost:9200
{
  "name" : "opensearch-node1",
  "cluster_name" : "opensearch-cluster",
  "cluster_uuid" : "g_JelkxcTXafoQyC-AScww",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.12.0",
    "build_type" : "tar",
    "build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
    "build_date" : "2024-02-20T02:20:12.084014282Z",
    "build_snapshot" : false,
    "lucene_version" : "9.9.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

providing "plugins.security.disabled=true" as env variable in docker-compose

without providing OPENSEARCH_INITIAL_ADMIN_PASSWORD

Attaching to opensearch-node1, opensearch-node2
opensearch-node1  | Enabling OpenSearch Security Plugin
opensearch-node1  | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin 
opensearch-node1  | OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user. 
opensearch-node1  | Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string. 
opensearch-node1  | If a password is not provided, the setup will quit. 
opensearch-node1  |  For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
opensearch-node2  | Enabling OpenSearch Security Plugin
opensearch-node2  | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin 
opensearch-node2  | OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user. 
opensearch-node2  | Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string. 
opensearch-node2  | If a password is not provided, the setup will quit. 
opensearch-node2  |  For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
opensearch-node1  | ### OpenSearch Security Demo Installer
opensearch-node1  | ### ** Warning: Do not use on production or public reachable systems **
opensearch-node2  | ### OpenSearch Security Demo Installer
opensearch-node2  | ### ** Warning: Do not use on production or public reachable systems **
opensearch-node2  | OpenSearch install type: rpm/deb on Linux 6.6.12-linuxkit aarch64
opensearch-node1  | OpenSearch install type: rpm/deb on Linux 6.6.12-linuxkit aarch64
opensearch-node1  | OpenSearch config dir: /usr/share/opensearch/config/
opensearch-node1  | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node1  | OpenSearch bin dir: /usr/share/opensearch/bin/
opensearch-node1  | OpenSearch plugins dir: /usr/share/opensearch/plugins/
opensearch-node1  | OpenSearch lib dir: /usr/share/opensearch/lib/
opensearch-node1  | Detected OpenSearch Version: 2.12.0
opensearch-node1  | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node2  | OpenSearch config dir: /usr/share/opensearch/config/
opensearch-node2  | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node2  | OpenSearch bin dir: /usr/share/opensearch/bin/
opensearch-node2  | OpenSearch plugins dir: /usr/share/opensearch/plugins/
opensearch-node2  | OpenSearch lib dir: /usr/share/opensearch/lib/
opensearch-node2  | Detected OpenSearch Version: 2.12.0
opensearch-node2  | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node1  | No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.
opensearch-node2  | No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.
opensearch-node1 exited with code 1
opensearch-node2 exited with code 1
➜  2.12.0 curl http://localhost:9200
{
  "name" : "opensearch-node1",
  "cluster_name" : "opensearch-cluster",
  "cluster_uuid" : "mgQoDpTVS7i90tPJpQzRgw",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.12.0",
    "build_type" : "tar",
    "build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
    "build_date" : "2024-02-20T02:20:12.084014282Z",
    "build_snapshot" : false,
    "lucene_version" : "9.9.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

providing OPENSEARCH_INITIAL_ADMIN_PASSWORD

opensearch-node1  | Enabling OpenSearch Security Plugin
opensearch-node1  | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin 
opensearch-node1  | OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user. 
opensearch-node1  | Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string. 
opensearch-node1  | If a password is not provided, the setup will quit. 
opensearch-node1  |  For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
opensearch-node2  | Enabling OpenSearch Security Plugin
opensearch-node2  | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin 
opensearch-node2  | OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user. 
opensearch-node2  | Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string. 
opensearch-node2  | If a password is not provided, the setup will quit. 
opensearch-node2  |  For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
opensearch-node2  | ### OpenSearch Security Demo Installer
opensearch-node2  | ### ** Warning: Do not use on production or public reachable systems **
opensearch-node2  | OpenSearch install type: rpm/deb on Linux 6.6.12-linuxkit aarch64
opensearch-node2  | OpenSearch config dir: /usr/share/opensearch/config/
opensearch-node2  | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node1  | ### OpenSearch Security Demo Installer
opensearch-node1  | ### ** Warning: Do not use on production or public reachable systems **
opensearch-node2  | OpenSearch bin dir: /usr/share/opensearch/bin/
opensearch-node2  | OpenSearch plugins dir: /usr/share/opensearch/plugins/
opensearch-node2  | OpenSearch lib dir: /usr/share/opensearch/lib/
opensearch-node2  | Detected OpenSearch Version: 2.12.0
opensearch-node2  | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node1  | OpenSearch install type: rpm/deb on Linux 6.6.12-linuxkit aarch64
opensearch-node1  | OpenSearch config dir: /usr/share/opensearch/config/
opensearch-node1  | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node1  | OpenSearch bin dir: /usr/share/opensearch/bin/
opensearch-node1  | OpenSearch plugins dir: /usr/share/opensearch/plugins/
opensearch-node1  | OpenSearch lib dir: /usr/share/opensearch/lib/
opensearch-node1  | Detected OpenSearch Version: 2.12.0
opensearch-node1  | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node2  | Admin password set successfully.
opensearch-node1  | Admin password set successfully.
opensearch-node1  | ### Success
opensearch-node1  | ### Execute this script now on all your nodes and then start all nodes
opensearch-node1  | ### OpenSearch Security will be automatically initialized.
opensearch-node1  | ### If you like to change the runtime configuration 
opensearch-node2  | ### Success
opensearch-node2  | ### Execute this script now on all your nodes and then start all nodes
opensearch-node1  | ### change the files in ../../../config/opensearch-security and execute: 
opensearch-node1  | sudo "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch-node1  | ### or run ./securityadmin_demo.sh
opensearch-node1  | ### To use the Security Plugin ConfigurationGUI
opensearch-node1  | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/<your-custom-admin-password>.
opensearch-node1  | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch-node2  | ### OpenSearch Security will be automatically initialized.
opensearch-node2  | ### If you like to change the runtime configuration 
opensearch-node2  | ### change the files in ../../../config/opensearch-security and execute: 
opensearch-node2  | sudo "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch-node2  | ### or run ./securityadmin_demo.sh
opensearch-node2  | ### To use the Security Plugin ConfigurationGUI
opensearch-node2  | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/<your-custom-admin-password>.
opensearch-node2  | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
➜  2.12.0 curl http://localhost:9200
{
  "name" : "opensearch-node1",
  "cluster_name" : "opensearch-cluster",
  "cluster_uuid" : "c519SyZKRJOqbqF8gZsAgA",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.12.0",
    "build_type" : "tar",
    "build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
    "build_date" : "2024-02-20T02:20:12.084014282Z",
    "build_snapshot" : false,
    "lucene_version" : "9.9.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
➜  2.12.0 curl -XGET "https://localhost:9200/_cat/nodes" -k -u 'admin:myStrongPassword123!'
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

providing DISABLE_SECURITY_PLUGIN=true as env variable in docker-compose (no need for the OPENSEARCH_INITIAL_ADMIN_PASSWORD variable)

opensearch-node2  | Disabling OpenSearch Security Plugin
opensearch-node1  | Disabling OpenSearch Security Plugin
➜  2.12.0 curl http://localhost:9200
{
  "name" : "opensearch-node1",
  "cluster_name" : "opensearch-cluster",
  "cluster_uuid" : "mgQoDpTVS7i90tPJpQzRgw",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.12.0",
    "build_type" : "tar",
    "build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
    "build_date" : "2024-02-20T02:20:12.084014282Z",
    "build_snapshot" : false,
    "lucene_version" : "9.9.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

@gygitlab As you can see from the logs the behavior for plugins.security.disabled and DISABLE_SECURITY_PLUGIN is different. Providing the former always results in execution of demo configuration and then the security plugin is disabled later. While the later, disables the security plugin from start, thus preventing execution of demo install script completely.

The behavior you discovered actually has existed but didn't surface until 2.12.0 as a custom admin password was required. The documentation for disabling security states that adding the plugins.security.disabled should disable security. This also prevents demo configuration script from modifying opensearch.yml thereby not requiring the password. I believe the flag plugins.security.disabled was intended to be used by placing inside opensearch.yml and the flag DISABLE_SECURITY_PLUGIN is meant to be passed as env variable in the docker-compose file.

TLDR; not a bug. You can configure this in two ways:

  1. Mount custom opensearch.yml with plugins.security.disabled: true
  2. Add DISABLE_SECURITY_PLUGIN=true under environment: in docker-compose

Hope this helps!

@gygitlab
Copy link
Author

Ok thanks. It's a little confusing as some of the main settings can be passed verbatim as environment variables, e.g. cluster.initial_cluster_manager_nodes or discovery.seed_hosts.

Either way you may want to add this detail into the release notes so others don't get caught out with this indirect change.

@DarshitChanpura
Copy link
Member

DarshitChanpura commented Feb 22, 2024
edited
Loading

@gygitlab Another piece of information that might help clarify. This block of code states that the environment variables passed to docker as in fact passed as env variables with -E when starting the opensearch process (./bin/opensearch) inside docker container. This invokes a slightly different behavior, than passing the same params inside opensearch.yml.

@derek-ho
Copy link
Collaborator

[Triage] this seems related to the default admin credential changes, and that the behavior is working as intended. @gygitlab can you provide any more details or what you want changed so we can turn this into a feature request? If not I think we will close this.

@derek-ho derek-ho added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Feb 26, 2024
@dbwiddis
Copy link
Member

@gygitlab can you provide any more details or what you want changed so we can turn this into a feature request?

@derek-ho Looks like in this comment there's a request for more clear documentation of the change in the release notes, not a request for a change in functionality.

@gygitlab
Copy link
Author

Yeah so the feedback I can give from my perspective is that this was effectively an undocumented breaking change for us and we had to pivot quickly to fix our scripts and environments. I understand that it was a "sleeping" issue but nonetheless the effects were the same and we were in the dark for a while there.

Assuming that the behaviour is now correct and that the intention is not to allow plugins.security.disabled to work as a docker env var, in terms of release notes and documentation it could be clearer. I was "disabling" the plugin with the documented setting but it was no longer working. Most of the normal settings documented work as environment variables for the Docker Image so it's a fair assumption that this would have been the same. Not until you go through the Install Docker documentation does the separate variable DISABLE_SECURITY_PLUGIN get mentioned.

TL;DR:

  • The release notes should've called this out in full as a potential breaking change by proxy
  • There should be clear documentation on what variables do work with the Docker image and what ones do not and have specific alternatives instead
  • The disable security page should mention DISABLE_SECURITY_PLUGIN setting specifically for Docker images

@DarshitChanpura
Copy link
Member

@gygitlab Would you mind opening an issue in the documentation-website repository detailing the gap in docs and the changes that should be addressed?

@DarshitChanpura DarshitChanpura mentioned this issue Feb 28, 2024
Closed
@simlu
Copy link

simlu commented Aug 1, 2024

Just ran into this as well. Definitely a breaking change

I'm so grateful this ticket exists! Much appreciated @gygitlab

@MahatmaFatalError
Copy link

I am still confused. I am trying to setup the most simple environment in local docker compose, and this issue is blocking me.
I have this docker compose

  opensearch:
    image: opensearchproject/opensearch:latest
    environment:
      - discovery.type=single-node
      - DISABLE_SECURITY_PLUGIN=true
      #- OPENSEARCH_INITIAL_ADMIN_PASSWORD=admin
    ports:
      - "9200:9200"
      - "9600:9600"
    volumes:
      - opensearch-data:/usr/share/opensearch/data
    networks:
      - my-net

  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:latest
    ports:
      - "5601:5601"
    environment:
      - OPENSEARCH_HOSTS=http://opensearch:9200
    networks:
      - my-net

but still I get {"type":"log","@timestamp":"2024-09-24T14:55:02Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed authentication: Error: no handler found for uri [/_plugins/_security/authinfo] and method [GET]"} when I try login into the dashboard using admin:admin

@jhs88
Copy link

jhs88 commented Sep 27, 2024

@MahatmaFatalError I'm doing the same config as you and I am having problems as well. Have you had any luck logging into it?

@MahatmaFatalError
Copy link

nope, it is not working. Very frustrating that progress is stopped by such kind of problems

@jhs88
Copy link

jhs88 commented Oct 2, 2024
edited
Loading

@MahatmaFatalError I figured it out! It has to do with some demo config thing?

Use "latest" of the containers

Environment vars for OpenSearch container:

DISABLE_INSTALL_DEMO_CONFIG=true
DISABLE_SECURITY_PLUGIN=true

Environment vars Dashboard container:

DISABLE_SECURITY_DASHBOARDS_PLUGIN=true

@MahatmaFatalError
Copy link

thanks, that works 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working Plugins triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@MahatmaFatalError @simlu @dbwiddis @derek-ho @DarshitChanpura @jhs88 @gygitlab