From 992218f0ab51dec1e6001bade76ceb3460f2e4bf Mon Sep 17 00:00:00 2001 From: Miki Date: Tue, 6 Feb 2024 15:32:58 -0800 Subject: [PATCH] [Security] Updates dev guide for security (#5736) (#5802) * [Docs] Updates dev guide for security * better default creds * undo changelog changes * Adds sample password --------- (cherry picked from commit 1a0cf47fe646458938e0892e4ed73326d581a122) Signed-off-by: Ashwin P Chandran Signed-off-by: Miki Co-authored-by: Ashwin P Chandran --- DEVELOPER_GUIDE.md | 65 +++++++++++++++++++++++------------------- src/cli/serve/serve.js | 9 +++--- 2 files changed, 40 insertions(+), 34 deletions(-) diff --git a/DEVELOPER_GUIDE.md b/DEVELOPER_GUIDE.md index 040c5ff4428a..366445b4513b 100644 --- a/DEVELOPER_GUIDE.md +++ b/DEVELOPER_GUIDE.md @@ -13,6 +13,7 @@ This guide applies to all development within the OpenSearch Dashboards project a - [Next Steps](#next-steps) - [Alternative development installations](#alternative-development-installations) - [Optional - Run OpenSearch with plugins](#optional---run-opensearch-with-plugins) + - [Plugin development](#plugin-development) - [Alternative - Run OpenSearch from tarball](#alternative---run-opensearch-from-tarball) - [Configure OpenSearch Dashboards for security](#configure-opensearch-dashboards-for-security) - [Building artifacts](#building-artifacts) 
@@ -61,6 +62,17 @@ We recommend using [Node Version Manager (nvm)](https://github.com/nvm-sh/nvm) t If it's the only version of node installed, it will automatically be set to the `default` alias. Otherwise, use `nvm list` to see all installed `node` versions, and `nvm use` to select the node version required by OpenSearch Dashboards. +### Fork and clone OpenSearch Dashboards + +All local development should be done in a [forked repository](https://docs.github.com/en/get-started/quickstart/fork-a-repo). +Fork OpenSearch Dashboards by clicking the "Fork" button at the top of the [GitHub repository](https://github.com/opensearch-project/OpenSearch-Dashboards). + +Clone your forked version of OpenSearch Dashboards to your local machine (replace `opensearch-project` in the command below with your GitHub username): + +```bash +$ git clone git@github.com:opensearch-project/OpenSearch-Dashboards.git +``` + #### Install `yarn` OpenSearch Dashboards is set up using yarn, which can be installed through corepack. To install yarn, run: @@ -75,17 +87,6 @@ $ corepack install (See the [corepack documentation](https://github.com/nodejs/corepack#-corepack) for more information.) -### Fork and clone OpenSearch Dashboards - -All local development should be done in a [forked repository](https://docs.github.com/en/get-started/quickstart/fork-a-repo). -Fork OpenSearch Dashboards by clicking the "Fork" button at the top of the [GitHub repository](https://github.com/opensearch-project/OpenSearch-Dashboards). - -Clone your forked version of OpenSearch Dashboards to your local machine (replace `opensearch-project` in the command below with your GitHub username): - -```bash -$ git clone git@github.com:opensearch-project/OpenSearch-Dashboards.git -``` - ### Bootstrap OpenSearch Dashboards If you haven't already, change directories to your cloned repository directory: 
@@ -178,6 +179,7 @@ For windows: $ wsl -d docker-desktop $ sysctl -w vm.max_map_count=262144 ``` + ### Next Steps Now that you have a development environment to play with, there are a number of different paths you may take next. @@ -211,6 +213,10 @@ $ yarn start --run-examples - [Project testing guidelines](https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/TESTING.md) - [Plugin conventions](https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/src/core/CONVENTIONS.md#technical-conventions) +#### Join the discussion + +See the [communication guide](COMMUNICATION.md)for information on how to join our slack workspace, forum, or developer office hours. + ## Alternative development installations Although the [getting started guide](#getting-started-guide) covers the recommended development environment setup, there are several alternatives worth being aware of. @@ -229,6 +235,10 @@ $ yarn opensearch snapshot --P https://repo1.maven.org/maven2/org/opensearch/plu Note - if you add the [`security` plugin](https://github.com/opensearch-project/security), you'll also need to [configure OpenSearch Dashboards for security](#configure-opensearch-dashboards-for-security). +### Plugin development + +The osd-plugin-generator tool makes it easier to create a plugin for OpenSearch Dashboards. It sets up the basic structure of the project and provides scripts to build it. Refer to [osd-plugin-generator](https://github.com/opensearch-project/OpenSearch-Dashboards/tree/main/packages/osd-plugin-generator) for more details. + #### Other snapshot configuration options Additional options can be passed after `yarn opensearch snapshot` to further configure the cluster snapshot. 
@@ -272,29 +282,26 @@ This method can also be used to develop against the [full distribution of OpenSe ### Configure OpenSearch Dashboards for security -_This step is only mandatory if you have the [`security` plugin](https://github.com/opensearch-project/security) installed on your OpenSearch cluster with https/authentication enabled._ +_This step is only needed if you want your dev environment to also start with security. To do so both the OpenSearch node and OpenSearch Dashboards cluster need to have the security plugin installed. Follow the steps below to get setup correctly._ -> 1. Run `export initialAdminPassword=` since it's needed by the configuration script -> 2. Run `yarn opensearch snapshot --security` -> 3. Wait a few seconds while the plugin is installed, configured, and OpenSearch starts up. +To startup the OpenSearch snapshot with security -Then within another window. You can start: +> OpenSearch has strong password requirements and will fail to bootstrap if the password requirements are not met. e.g. myStrongPassword123! -> 1. Run `export OPENSEARCH_USERNAME=admin` -> 2. Run `export OPENSEARCH_PASSWORD=` -> 3. Optional: Run `export OPENSEARCH_SECURITY_READONLY_ROLE=` -> 4. Run `yarn start:security` -> 5. Navigate to OpenSearch Dashboards and login with the above username and password. +1. Run `export OPENSEARCH_INITIAL_ADMIN_PASSWORD=` since it's needed by the configuration script +2. Run `yarn opensearch snapshot --security` +3. Wait a few seconds while the plugin is installed, configured, and OpenSearch starts up. -Once the bootstrap of OpenSearch Dashboards is finished, you need to apply some -changes to the default [`opensearch_dashboards.yml`](https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/config/opensearch_dashboards.yml#L25-L72) in order to connect to OpenSearch. 
+Then within another window you can start OpenSearch Dashboards: -```yml -opensearch.hosts: ["https://localhost:9200"] -opensearch.username: "admin" # Default username on the docker image -opensearch.password: "admin" # Default password on the docker image -opensearch.ssl.verificationMode: none -``` +_First make sure to clone the https://github.com/opensearch-project/security-dashboards-plugin repo into the plugins folder and build it (Using `yarn build`). You can follow the instructions here https://github.com/opensearch-project/security-dashboards-plugin/blob/main/DEVELOPER_GUIDE.md#install-opensearch-dashboards-with-security-dashboards-plugin._ + +> You do not have to edit the `config/opensearch-dashboards.yml` file since the `yarn start:security` command sets up the default overrides automatically + +Then do the following: + +1. Run `yarn start:security` +2. Navigate to OpenSearch Dashboards and login with the username `admin` and password ``. For more detailed documentation, see [Configure TLS for OpenSearch Dashboards](https://opensearch.org/docs/latest/install-and-configure/install-dashboards/tls). diff --git a/src/cli/serve/serve.js b/src/cli/serve/serve.js index 2ae3522b6b1c..e5af131dde2c 100644 --- a/src/cli/serve/serve.js +++ b/src/cli/serve/serve.js @@ -81,11 +81,11 @@ function applyConfigOverrides(rawConfig, opts, extraCliOptions) { set('env', 'development'); if (!has('opensearch.username')) { - set('opensearch.username', 'opensearch_dashboards_system'); + set('opensearch.username', 'kibanaserver'); } if (!has('opensearch.password')) { - set('opensearch.password', 'changeme'); + set('opensearch.password', 'kibanaserver'); } if (opts.ssl) { 
@@ -147,11 +147,10 @@ function applyConfigOverrides(rawConfig, opts, extraCliOptions) { set('opensearch.ssl.verificationMode', 'none'); } - if (get('opensearch.username') === 'opensearch_dashboards_system') { + if (process.env.OPENSEARCH_USERNAME) { set('opensearch.username', process.env.OPENSEARCH_USERNAME); } - - if (get('opensearch.password') === 'changeme') { + if (process.env.OPENSEARCH_PASSWORD) { set('opensearch.password', process.env.OPENSEARCH_PASSWORD); }
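Review bot: In the DEVELOPER_GUIDE.md hunk at `@@ -61,6 +62,17`, the moved `### Fork and clone OpenSearch Dashboards` section now lands directly above `#### Install yarn`, so the level-4 yarn heading reads as a subsection of "Fork and clone". Either place the moved block before the level-3 heading that owns the Node and yarn steps, or adjust the yarn heading level so the outline still reflects the setup order. The clone command in the same block still spells out `git@github.com:opensearch-project/OpenSearch-Dashboards.git` although the sentence above asks the reader to substitute their username; an explicit placeholder in the command would keep contributors from cloning upstream instead of their fork.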
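Review bot: In the DEVELOPER_GUIDE.md hunks at `@@ -211,6 +213,10` and `@@ -229,6 +235,10`, two small documentation problems: `[communication guide](COMMUNICATION.md)for information` is missing a space after the link, and the new `### Plugin development` heading is inserted between the snapshot plugin note and `#### Other snapshot configuration options`, which makes the snapshot options a child of "Plugin development" rather than of "Optional - Run OpenSearch with plugins". Moving the new section below the snapshot options (and matching the position given in the table of contents entry added in the first hunk) keeps the snapshot material together.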
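Review bot: In the "Configure OpenSearch Dashboards for security" hunk at `@@ -272,29 +282,26`, the password placeholder is empty in both places it is needed: step 1 reads `export OPENSEARCH_INITIAL_ADMIN_PASSWORD=` with nothing after the equals sign, and the final login step ends with an empty pair of backticks. Use a visible placeholder in both and state that the sample `myStrongPassword123!` only illustrates the required format, so it does not become the copied default on shared dev clusters. The new note also names `config/opensearch-dashboards.yml`, while the removed link pointed at `config/opensearch_dashboards.yml`; the file name should match the real one. Minor wording: "OpenSearch node and OpenSearch Dashboards cluster" looks like the two nouns are swapped.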
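Review bot: In the src/cli/serve/serve.js hunk at `@@ -81,11 +81,11`, the fallback credentials become `set('opensearch.username', 'kibanaserver')` and `set('opensearch.password', 'kibanaserver')`, a hard-coded pair where the password equals the username, with no comment explaining where the values come from. The context line `set('env', 'development')` suggests this is a dev-only path, but the enclosing condition is not visible in the hunk; please confirm these defaults cannot be applied outside dev mode and add a comment saying which demo configuration they are meant to match. Keeping the two literals in named constants would also make a later change of the demo account a one-line edit.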
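Review bot: In the src/cli/serve/serve.js hunk at `@@ -147,11 +147,10`, the override condition changes from "value still equals the old default" to `if (process.env.OPENSEARCH_USERNAME)` and `if (process.env.OPENSEARCH_PASSWORD)`, so an ambient environment variable now replaces a username or password the developer set explicitly in the config file or on the command line. If that precedence is intended, document it; the same patch removes the `export OPENSEARCH_USERNAME` and `export OPENSEARCH_PASSWORD` steps from DEVELOPER_GUIDE.md, which leaves these variables undocumented while they gain more effect. The two checks are also independent, so setting only one variable pairs it with the `kibanaserver` default from the earlier hunk and fails authentication with no hint why; a warning when exactly one of the two is set (without logging the password value) would help. The enclosing condition is not visible here, so please also confirm this block only runs for the security start path.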