From 34b4537570abbf7eeba9941da392b6c2ab1bcfc4 Mon Sep 17 00:00:00 2001
From: Kawika Avilla
Date: Thu, 30 Nov 2023 04:43:15 -0800
Subject: [PATCH] [Chore] `--security` for snapshot and OSD server (#5451)
Add the ability to run: ``` yarn opensearch snapshot --security ``` which will start the OpenSearch cluster with the security plugin. And add the ability to run: ``` yarn start:security ``` which will start the OpenSearch Dashboards server if the security plugin is available. This is only intended for demo and local purposes. Issue: n/a
Signed-off-by: Kawika Avilla
---
 CHANGELOG.md | 5 +-
 DEVELOPER_GUIDE.md | 15 ++++-
 package.json | 1 +
 .../src/cli_commands/snapshot.js | 7 +++
 packages/osd-opensearch/src/cluster.js | 35 +++++++++++-
 packages/osd-opensearch/src/paths.js | 7 +++
 src/cli/serve/serve.js | 55 +++++++++++++++++++
 7 files changed, 121 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a4a7ca254b70..905f5e13bc05 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,8 +40,11 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 ### 🛠 Maintenance
+- Removes `minimatch` manual resolution ([#3019](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3019))
+- Upgrade `vega-lite` dependency from `4.17.0` to `^5.6.0` ([#3076](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3076)). Backwards-compatible version included in v2.5.0 release.
+- Bump `js-yaml` from `3.14.0` to `4.1.0` ([#3770](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3770))
 - Replace `node-sass` with `sass-embedded` ([#5338](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5338))
-- [Version] Bump version to 2.12.0 ([#5294](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5294))
+- Bump `chromedriver` from `107.0.3` to `119.0.1` ([#5465](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5465))
 ### 🪛 Refactoring
diff --git a/DEVELOPER_GUIDE.md b/DEVELOPER_GUIDE.md
index 289cc3c5a656..4889fab67a9a 100644
--- a/DEVELOPER_GUIDE.md
+++ b/DEVELOPER_GUIDE.md
@@ -244,10 +244,11 @@ Options:
 -E Additional key=value settings to pass to OpenSearch
 --download-only Download the snapshot but don't actually start it
 --ssl Sets up SSL on OpenSearch
+ --security Installs and sets up OpenSearch Security plugin on the cluster
 --P OpenSearch plugin artifact URL to install it on the cluster.
 ```bash
-$ yarn opensearch snapshot --version 2.2.0 -E cluster.name=test -E path.data=/tmp/opensearch-data --P org.opensearch.plugin:test-plugin:2.2.0.0 --P file:/home/user/opensearch-test-plugin-2.2.0.0.zip
+$ yarn opensearch snapshot --version 2.2.0 -E cluster.name=test -E path.data=/tmp/opensearch-data --P org.opensearch.plugin:test-plugin:2.2.0.0 --P file:/home/user/opensearch-test-plugin-2.2.0.0.zip --security
 ```
 ### Alternative - Run OpenSearch from tarball
@@ -267,6 +268,18 @@ This method can also be used to develop against the [full distribution of OpenSe
 _This step is only mandatory if you have the [`security` plugin](https://github.com/opensearch-project/security) installed on your OpenSearch cluster with https/authentication enabled._
+> 1. Run `export initialAdminPassword=` since it's needed by the configuration script
+> 2. Run `yarn opensearch snapshot --security`
+> 3. Wait a few seconds while the plugin is installed, configured, and OpenSearch starts up.
+
+Then within another window. You can start:
+
+> 1. Run `export OPENSEARCH_USERNAME=admin`
+> 2. Run `export OPENSEARCH_PASSWORD=`
+> 3. Optional: Run `export OPENSEARCH_SECURITY_READONLY_ROLE=`
+> 4. Run `yarn start:security`
+> 5. Navigate to OpenSearch Dashboards and login with the above username and password.
+
 Once the bootstrap of OpenSearch Dashboards is finished, you need to apply some changes to the default [`opensearch_dashboards.yml`](https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/config/opensearch_dashboards.yml#L25-L72) in order to connect to OpenSearch.
diff --git a/package.json b/package.json
index 57ff878bbfd1..ebb872f7ab20 100644
--- a/package.json
+++ b/package.json
@@ -62,6 +62,7 @@
 "build": "scripts/use_node scripts/build --all-platforms",
 "start": "scripts/use_node scripts/opensearch_dashboards --dev",
 "start:docker": "scripts/use_node scripts/opensearch_dashboards --dev --opensearch.hosts=$OPENSEARCH_HOSTS --opensearch.ignoreVersionMismatch=true --server.host=$SERVER_HOST",
+ "start:security": "scripts/use_node scripts/opensearch_dashboards --dev --security",
 "debug": "scripts/use_node --nolazy --inspect scripts/opensearch_dashboards --dev",
 "debug-break": "scripts/use_node --nolazy --inspect-brk scripts/opensearch_dashboards --dev",
 "lint": "yarn run lint:es && yarn run lint:style",
diff --git a/packages/osd-opensearch/src/cli_commands/snapshot.js b/packages/osd-opensearch/src/cli_commands/snapshot.js
index 3cf8701856bd..ff21dbe851c8 100644
--- a/packages/osd-opensearch/src/cli_commands/snapshot.js
+++ b/packages/osd-opensearch/src/cli_commands/snapshot.js
@@ -49,6 +50,7 @@ exports.help = (defaults = {}) => {
 -E Additional key=value settings to pass to OpenSearch
 --download-only Download the snapshot but don't actually start it
 --ssl Sets up SSL on OpenSearch
+ --security Installs and sets up the OpenSearch Security plugin on the cluster
 --P OpenSearch plugin artifact URL to install it on the cluster. We can use the flag multiple times to install multiple plugins on the cluster snapshot. The argument value can be url to zip file, maven coordinates of the plugin or for local zip files, use file:.
@@ -74,6 +75,8 @@ exports.run = async (defaults = {}) => {
 boolean: ['download-only'],
+ boolean: ['security'],
+
 default: defaults,
 });
@@ -91,6 +94,10 @@ exports.run = async (defaults = {}) => {
 await cluster.installOpenSearchPlugins(installPath, options.opensearchPlugins);
 }
+ if (options.security) {
+ await cluster.setupSecurity(installPath, options.version ?? defaults.version);
+ }
+
 options.bundledJDK = true;
 await cluster.run(installPath, options);
diff --git a/packages/osd-opensearch/src/cluster.js b/packages/osd-opensearch/src/cluster.js
index 3527668eed05..455a1e5f919f 100644
--- a/packages/osd-opensearch/src/cluster.js
+++ b/packages/osd-opensearch/src/cluster.js
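Review bot: The second snapshot.js hunk adds a second `boolean` key to the options object next to the existing `boolean: ['download-only']`; in an object literal the later key silently replaces the earlier one, so after this change only `security` is declared boolean and `download-only` loses that declaration. Merge them into one entry, `boolean: ['download-only', 'security'],`. The options object and `exports.run` both start and end outside the hunk, so how the argument parser treats an undeclared `--download-only` (for example whether it can consume the following argument as its value) should be checked against the parser's rules.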
@@ -34,7 +34,7 @@ const execa = require('execa');
 const chalk = require('chalk');
 const path = require('path');
 const { downloadSnapshot, installSnapshot, installSource, installArchive } = require('./install');
-const { OPENSEARCH_BIN, OPENSEARCH_PLUGIN } = require('./paths');
+const { OPENSEARCH_BIN, OPENSEARCH_PLUGIN, OPENSEARCH_SECURITY_INSTALL } = require('./paths');
 const { log: defaultLog, parseOpenSearchLog, extractConfigFiles, decompress } = require('./utils');
 const { createCliError } = require('./errors');
 const { promisify } = require('util');
@@ -42,6 +42,19 @@ const treeKillAsync = promisify(require('tree-kill'));
 const { parseSettings, SettingsFilter } = require('./settings');
 const { CA_CERT_PATH, OPENSEARCH_P12_PATH, OPENSEARCH_P12_PASSWORD } = require('@osd/dev-utils');
 const readFile = util.promisify(fs.readFile);
+const chmodAsync = util.promisify(fs.chmod);
+
+const LATEST_ENGINE_PLUGIN_BASE_URL =
+ 'https://ci.opensearch.org/ci/dbc/distribution-build-opensearch';
+
+function generateEnginePluginUrl(version, plugin) {
+ const legacyVersion = `${version}.0`;
+ const [platform, type] =
+ process.platform === 'win32' ? ['windows', 'zip'] : [process.platform, 'tar'];
+ const arch = process.arch === 'arm64' ? 'arm64' : 'x64';
+
+ return `${LATEST_ENGINE_PLUGIN_BASE_URL}/${version}/latest/${platform}/${arch}/${type}/builds/opensearch/plugins/${plugin}-${legacyVersion}.zip`;
+}
 // listen to data on stream until map returns anything but undefined
 const first = (stream, map) =>
@@ -57,9 +70,10 @@ const first = (stream, map) =>
 });
 exports.Cluster = class Cluster {
- constructor({ log = defaultLog, ssl = false } = {}) {
+ constructor({ log = defaultLog, ssl = false, security = false } = {}) {
 this._log = log;
 this._ssl = ssl;
+ this._security = security;
 this._caCertPromise = ssl ? readFile(CA_CERT_PATH) : undefined;
 }
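Review bot: `generateEnginePluginUrl` in the second cluster.js hunk builds the download URL from `version` without checking it, and the path it builds points at a moving `latest` CI build rather than a pinned artifact; the zip fetched from it is installed and one of its scripts is later executed by `setupSecurity`. No checksum or signature verification is visible in this patch, though it may exist in `installOpenSearchPlugins`, which is outside the hunks. I would reject a missing version up front with `if (!version) throw createCliError('--security needs a resolved OpenSearch version');` so the URL can never contain `undefined`. The constant also deserves a comment such as `// Moving "latest" CI build, not pinned or verified here: local demo clusters only.`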
@@ -193,6 +207,23 @@ exports.Cluster = class Cluster {
 }
 }
+ /**
+ * Setups cluster with security demo configuration
+ *
+ * @param {string} installPath
+ * @property {String} version - version of OpenSearch
+ */
+ async setupSecurity(installPath, version) {
+ const pluginUrl = generateEnginePluginUrl(version, 'opensearch-security');
+ await this.installOpenSearchPlugins(installPath, pluginUrl);
+ this._log.info('Setting up security');
+ const pluginPath = path.resolve(installPath, OPENSEARCH_SECURITY_INSTALL);
+ if (pluginPath) {
+ await chmodAsync(pluginPath, '755');
+ await execa(OPENSEARCH_SECURITY_INSTALL, ['-y', '-i', '-s'], { cwd: installPath });
+ }
+ }
+
 /**
 * Starts OpenSearch and returns resolved promise once started
 *
diff --git a/packages/osd-opensearch/src/paths.js b/packages/osd-opensearch/src/paths.js
index 93bb80e97ff1..d316f7cd41bf 100644
--- a/packages/osd-opensearch/src/paths.js
+++ b/packages/osd-opensearch/src/paths.js
@@ -35,6 +35,10 @@ function maybeUseBat(bin) {
 return os.platform().startsWith('win') ? `${bin}.bat` : bin;
 }
+function maybeUseBatOrShell(bin) {
+ return os.platform().startsWith('win') ? `${bin}.bat` : `${bin}.sh`;
+}
+
 const tempDir = os.tmpdir();
 exports.BASE_PATH = path.resolve(tempDir, 'osd-opensearch');
@@ -45,3 +49,6 @@ exports.OPENSEARCH_CONFIG = 'config/opensearch.yml';
 exports.OPENSEARCH_KEYSTORE_BIN = maybeUseBat('./bin/opensearch-keystore');
 exports.OPENSEARCH_PLUGIN = maybeUseBat('./bin/opensearch-plugin');
+exports.OPENSEARCH_SECURITY_INSTALL = maybeUseBatOrShell(
+ './plugins/opensearch-security/tools/install_demo_configuration'
+);
diff --git a/src/cli/serve/serve.js b/src/cli/serve/serve.js
index 34c03c2547bc..2ae3522b6b1c 100644
--- a/src/cli/serve/serve.js
+++ b/src/cli/serve/serve.js
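Review bot: In `setupSecurity`, `if (pluginPath)` can never be false because `path.resolve()` always returns a non-empty string, so a plugin that failed to install or unpack is only noticed when `chmodAsync` rejects with a raw filesystem error. Test for the installer explicitly and fail with a CLI error, e.g. `if (!fs.existsSync(pluginPath)) throw createCliError('Security demo installer not found: ' + pluginPath);`, and pass `pluginPath` to `execa` so the file that was chmod-ed is the one that runs. The JSDoc tags `version` with `@property`; it should be `@param {string} version`, and the comment should state that the script applies the demo configuration, which the commit message describes as intended for demo and local use only. The `Cluster` class begins and ends outside the hunk.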
@@ -126,6 +126,60 @@ function applyConfigOverrides(rawConfig, opts, extraCliOptions) {
 set('opensearch.hosts', opensearchHosts);
 set('opensearch.ssl.certificateAuthorities', CA_CERT_PATH);
 }
+
+ if (opts.security) {
+ const customOpenSearchHosts = opts.opensearch
+ ? opts.opensearch.split(',')
+ : [].concat(get('opensearch.hosts') || []);
+
+ const opensearchHosts = (
+ (customOpenSearchHosts.length > 0 && customOpenSearchHosts) || ['https://localhost:9200']
+ ).map((hostUrl) => {
+ const parsedUrl = new URL('', hostUrl);
+ return `https://localhost:${parsedUrl.port}`;
+ });
+
+ if (!get('opensearch.hosts')) {
+ set('opensearch.hosts', opensearchHosts);
+ }
+
+ if (!get('opensearch.ssl.verificationMode')) {
+ set('opensearch.ssl.verificationMode', 'none');
+ }
+
+ if (get('opensearch.username') === 'opensearch_dashboards_system') {
+ set('opensearch.username', process.env.OPENSEARCH_USERNAME);
+ }
+
+ if (get('opensearch.password') === 'changeme') {
+ set('opensearch.password', process.env.OPENSEARCH_PASSWORD);
+ }
+
+ if (!get('opensearch.requestHeadersWhitelist')) {
+ set('opensearch.requestHeadersWhitelist', ['authorization', 'securitytenant']);
+ }
+
+ if (!get('opensearch_security.multitenancy.enabled')) {
+ set('opensearch_security.multitenancy.enabled', true);
+ }
+
+ if (!get('opensearch_security.multitenancy.tenants.preferred')) {
+ set('opensearch_security.multitenancy.tenants.preferred', ['Private', 'Global']);
+ }
+
+ if (
+ !get('opensearch_security.readonly_mode.roles') &&
+ process.env.OPENSEARCH_SECURITY_READONLY_ROLE
+ ) {
+ set('opensearch_security.readonly_mode.roles', [
+ process.env.OPENSEARCH_SECURITY_READONLY_ROLE,
+ ]);
+ }
+
+ if (!get('opensearch_security.cookie.secure')) {
+ set('opensearch_security.cookie.secure', false);
+ }
+ }
 }
 if (opts.opensearch) set('opensearch.hosts', opts.opensearch.split(','));
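Review bot: The `opts.security` block replaces the placeholder credentials with `process.env.OPENSEARCH_USERNAME` and `process.env.OPENSEARCH_PASSWORD` without checking that either is set, so a missing export writes `undefined` into `opensearch.username`/`opensearch.password` and the mistake only surfaces later as an authentication failure. Guard both, e.g. `if (get('opensearch.password') === 'changeme' && process.env.OPENSEARCH_PASSWORD) {`. The `!get(...)` tests also treat an explicit `false` as unset, so a configured `opensearch_security.multitenancy.enabled: false` is overwritten with `true`; comparing with `=== undefined` would respect the user's setting. Because the block also defaults `opensearch.ssl.verificationMode` to `'none'` and `opensearch_security.cookie.secure` to `false`, it should carry a comment such as `// Demo defaults: TLS verification and secure cookies are off; local development only.` `applyConfigOverrides` starts and ends outside the hunk, so whether the enclosing block restricts this to `--dev` cannot be confirmed from here.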
@@ -196,6 +250,7 @@ export default function (program) {
 command
 .option('--dev', 'Run the server with development mode defaults')
 .option('--ssl', 'Run the dev server using HTTPS')
+ .option('--security', 'Run the dev server using security defaults')
 .option('--dist', 'Use production assets from osd/optimizer')
 .option(
 '--no-base-path',