[Bug Fix] Fix the demo configuration script and remove the admin credential from internal_user.yml #3449

Closed
24 commits
f63b081
Fix the .sh script for removing admin block and append it to the end …
RyanL1997 Oct 3, 2023
91726a3
Delete the original admin from the internal_users.yml
RyanL1997 Oct 3, 2023
4ae0900
Change the .bat too
RyanL1997 Oct 4, 2023
423b483
Try to add admin credential into internal_users.yml c0
RyanL1997 Oct 4, 2023
23731b9
Add ls
RyanL1997 Oct 4, 2023
33a9d86
Try to add admin credential into internal_users.yml c1
RyanL1997 Oct 4, 2023
61dfac4
Fix DC's comment
RyanL1997 Oct 4, 2023
25c6dff
Set up gha step for windows ci runner
RyanL1997 Oct 4, 2023
65fca5e
add Get-Location to see where am i
RyanL1997 Oct 4, 2023
459a6d2
Where am i for windows
RyanL1997 Oct 4, 2023
3a42cc0
Correct the windows runner path
RyanL1997 Oct 4, 2023
5a90c32
Enable long path for windows runner
RyanL1997 Oct 4, 2023
a2b5dfd
Correct the path again for windows runner
RyanL1997 Oct 4, 2023
14f8110
Simplify the windows script
RyanL1997 Oct 4, 2023
9bc47e0
Simplify the windows script 1
RyanL1997 Oct 4, 2023
de2d7eb
Relocate the logic under the step of integration-tests
RyanL1997 Oct 4, 2023
2d2b7bf
Add the logic into integration-tests.yml
RyanL1997 Oct 4, 2023
c61a9db
Add cat for debugging on linux
RyanL1997 Oct 4, 2023
8b5bcc2
Remove the space
RyanL1997 Oct 4, 2023
39aa145
Refactor the position again
RyanL1997 Oct 4, 2023
96c1e59
Try single quote for linux
RyanL1997 Oct 4, 2023
280e94a
Add type for windows to check user file
RyanL1997 Oct 4, 2023
68302de
Add single quote for EOL
RyanL1997 Oct 4, 2023
a3fdf3c
Add backtick escape for windows hash
RyanL1997 Oct 4, 2023
33 changes: 33 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -43,6 +43,12 @@ jobs:
runs-on: ${{ matrix.platform }}

steps:
# Configure longpath names if on Windows
- name: Enable Longpaths if on Windows
if: ${{ runner.os == 'Windows' }}
run: git config --system core.longpaths true
shell: pwsh

- name: Set up JDK for build and test
uses: actions/setup-java@v3
with:
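Review bot: The added `Enable Longpaths if on Windows` step is not explained by the PR title or by its one-line comment, so a later reader of the workflow cannot tell which path made `git config --system core.longpaths true` necessary. Extend the comment to name the failure it works around (the commit list only says "Enable long path for windows runner"), or move the step into its own change so it can be reverted independently of the credential work.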
Expand All @@ -52,6 +58,33 @@ jobs:
- name: Checkout security
uses: actions/checkout@v4

- name: Insert Admin Credential on Linux
Member

What is broken without this section?

Collaborator Author

Based on the log:

 - org.opensearch.security.InitializationIntegrationTests.testDefaultConfig
 - org.opensearch.security.InitializationIntegrationTests.testInvalidDefaultConfig
 - org.opensearch.security.TransportUserInjectorIntegTest.testSecurityUserInjection
 - org.opensearch.security.SlowIntegrationTests.testDelayInSecurityIndexInitialization

For example, the test of InitializationIntegrationTests.testDefaultConfig is using the admin admin credential to send out the request:

HttpResponse res = rh.executeGetRequest("/_cluster/health", encodeBasicHeader("admin", "admin"));

if: ${{ runner.os == 'Linux' }}
run: |
cat <<'EOL' >> /home/runner/work/security/security/config/internal_users.yml
admin:
hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
EOL
cat /home/runner/work/security/security/config/internal_users.yml
shell: bash

- name: Add Admin Credential on Windows
if: ${{ runner.os == 'Windows' }}
run: |
$filePath = "D:\a\security\security\config\internal_users.yml"
Add-Content -Path $filePath -Value "admin:"
Add-Content -Path $filePath -Value " hash: `"`$2a`$12`$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG`""
Add-Content -Path $filePath -Value " reserved: true"
Add-Content -Path $filePath -Value " backend_roles:"
Add-Content -Path $filePath -Value " - `"admin`""
Add-Content -Path $filePath -Value " description: `"Demo admin user`""
type $filePath
shell: pwsh

- name: Build and Test
uses: gradle/gradle-build-action@v2
with:
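Review bot: Both insert steps hard-code the runner checkout location (`/home/runner/work/security/security/config/internal_users.yml` and `D:\a\security\security\config\internal_users.yml`), which ties the job to the current hosted-runner layout and to the repository name; build the path from `${{ github.workspace }}` (or `$GITHUB_WORKSPACE` / `$env:GITHUB_WORKSPACE`) instead. The trailing `cat ...` and `type $filePath` lines look like leftover debugging (the commit list has "Add cat for debugging on linux" and "Add type for windows to check user file") and write every user entry and hash in the file to the job log on each run, so drop them before merge. On the Windows side, the hash line depends on backtick escapes inside a double-quoted string to keep `$2a$12$...` literal; a single-quoted string or here-string would remove the escaping and make it easier to confirm that both platforms append the same block.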
7 changes: 0 additions & 7 deletions config/internal_users.yml
Expand Up @@ -10,13 +10,6 @@ _meta:

## Demo users

admin:
Member

Does the cluster fail to start up with this change? Could you include what that looks like?

hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"

anomalyadmin:
hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
reserved: false
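Review bot: With the `admin:` block deleted from the shipped `config/internal_users.yml`, the only place in this diff where the tests get their `admin`/`admin` user back is the workflow step in `.github/workflows/ci.yml`, so the four tests named in the thread above depend on CI patching the file and have no equivalent when run outside that job. Supplying the user from test resources, or having those tests create the credential they need, would keep the suite self-contained and remove the need to edit a config file from the workflow. The neighbouring demo entries such as `anomalyadmin` still carry fixed hashes; if leaving them is intentional for this PR, say so in the description so the scope is clear.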
21 changes: 10 additions & 11 deletions tools/install_demo_configuration.bat
Expand Up @@ -359,17 +359,16 @@ if errorlevel 1 (
exit /b 1
)

set "default_line= hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG""
set "search=%default_line%"
set "replace= hash: "%HASHED_ADMIN_PASSWORD%""

setlocal enableextensions
for /f "delims=" %%i in ('type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_USERS_FILE%" ') do (
set "line=%%i"
setlocal enabledelayedexpansion
>>"%INTERNAL_USERS_FILE%" echo(!line:%search%=%replace%!
endlocal
)
:: Append the admin credential to the end of the internal_users.yml file
echo admin: >> !INTERNAL_USERS_FILE!
echo hash: "!HASHED_ADMIN_PASSWORD!" >> !INTERNAL_USERS_FILE!
echo reserved: true >> !INTERNAL_USERS_FILE!
echo backend_roles: >> !INTERNAL_USERS_FILE!
echo - "admin" >> !INTERNAL_USERS_FILE!
echo description: "Demo admin user" >> !INTERNAL_USERS_FILE!

echo Admin user has been appended to !INTERNAL_USERS_FILE!
endlocal

:: network.host
>nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && (
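Review bot: The appended `echo ... >> !INTERNAL_USERS_FILE!` lines leave the redirect target unquoted, whereas the removed loop wrote to `"%INTERNAL_USERS_FILE%"`; an install path containing spaces will break the redirect, so use `>> "!INTERNAL_USERS_FILE!"`. The `!VAR!` syntax also needs delayed expansion to be enabled at this point, and the `setlocal enabledelayedexpansion` visible in this hunk is among the removed lines while a bare `endlocal` is added, so please confirm the `setlocal`/`endlocal` pairing still balances with the code above the hunk. Appending is also not repeat-safe: running the script a second time, or against a file that still has an `admin:` entry, leaves a duplicate `admin:` key, so check for an existing entry first.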
21 changes: 12 additions & 9 deletions tools/install_demo_configuration.sh
Expand Up @@ -415,15 +415,18 @@ if [ $? -ne 0 ]; then
exit 1
fi

# Find the line number containing 'admin:' in the internal_users.yml file
ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:)

awk -v hashed_admin_password="$HASHED_ADMIN_PASSWORD" '
/^ *hash: *"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/ {
sub(/"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/, "\"" hashed_admin_password "\"");
}
{ print }
' "$INTERNAL_USERS_FILE" > temp_file && mv temp_file "$INTERNAL_USERS_FILE"
# Append content to the end of the YAML file
cat >> $INTERNAL_USERS_FILE <<EOL

admin:
hash: "$HASHED_ADMIN_PASSWORD"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
EOL

echo "Admin user has been appended to $INTERNAL_USERS_FILE"

#network.host
if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then
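Review bot: `cat >> $INTERNAL_USERS_FILE <<EOL` appends unconditionally, so a second run of the script, or a run against an `internal_users.yml` that still contains an `admin:` entry, leaves two `admin:` keys in the file; the removed `awk` substitution edited the file in place rather than growing it. Guard the append with a check such as `grep -q '^admin:' "$INTERNAL_USERS_FILE"` and fail or skip when an entry already exists. Also quote the redirect target (`>> "$INTERNAL_USERS_FILE"`) so a path with spaces does not split, and add a short comment that the unquoted `EOL` delimiter is deliberate here so that `$HASHED_ADMIN_PASSWORD` is expanded, since the CI step uses the quoted form `'EOL'` for the opposite reason.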