Adds Windows security documentation #1821
Conversation
Signed-off-by: Fanit Kolchina <[email protected]>
kolchfa-aws
added
3 - Tech review
|
Could I have @peternied or anyone from @opensearch-project/security review this PR please? |
There was a problem hiding this comment.
@kolchfa-aws Looks good! Can you update from securityadmin.sh to securityadmin.bat in the windows section? I will approve once the PR is updated.
|
|
||
| On Windows, the equivalent of `securityadmin.sh` is the `securityadmin.bat` script located in the `path/to/opensearch-{{site.opensearch_version}}/plugins/opensearch-security/tools/` directory. | ||
|
|
||
| When running the example commands in the preceding sections, use the **command prompt**. You can open the command prompt by entering `cmd` in the search box next to **Start** on the taskbar. |
There was a problem hiding this comment.
Powershell has a different method of calling .bat files. I didn't want to make it too complicated, so I assume the users who are familiar with Powershell can translate the commands easily. Any thoughts?
There was a problem hiding this comment.
I wouldn't assume that. I imagine there are quite a number of people today who are learning how to interact with a terminal for the first time via Powershell.
There was a problem hiding this comment.
Sure. I am referencing a thread here https://stackoverflow.com/questions/20645326/safest-way-to-run-bat-file-from-powershell-script. Which method of running the script from Powershell do you think I should include?
| For example, to load your initial configuration (all YAML files), use the following command: | ||
|
|
||
| ```bat | ||
| call ./securityadmin.sh -cd ../../../config/opensearch-security/ -icl -nhnv ^ |
There was a problem hiding this comment.
Thank you, good catch! I will update.
|
|
||
| When running the example commands in the preceding sections, use the **command prompt**. You can open the command prompt by entering `cmd` in the search box next to **Start** on the taskbar. | ||
|
|
||
| Note that on Windows you need the `call` command to call a batch script. |
There was a problem hiding this comment.
Is call necessary? From what I am reading it looks like call was introduced to call batch scripts within a batch script.
Reference: https://stackoverflow.com/a/14732373
There was a problem hiding this comment.
I tried without call and it didn't work: it said that .\ is not recognized as a command.
There was a problem hiding this comment.
Interesting. Does it work without the .\? i.e. plugins/opensearch-security/tools/securityadmin.bat instead of call ./plugins/opensearch-security/tools/securityadmin.bat
The official documentation from MS seems to indicate that call does not have any effect outside of a script or batch file: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/call
Note
Call has no effect at the command prompt when it is used outside of a script or batch file.
I bring this up because if we can use the same set of commands on both cmd and Powershell then it simplifies the documentation.
There was a problem hiding this comment.
I just tried without call on cmd on Windows Server 2016 Datacenter and it ran the script.
Running: .\plugins\opensearch-security\tools\install_demo_configuration.bat within the OpenSearch home directory.
There was a problem hiding this comment.
@cwperks thank you for testing and confirming! It must be me then. I updated the docs.
There was a problem hiding this comment.
Last thing to make sure the same command works on both cmd and powershell. In my testing it looks like cmd requires backslashes while powershell can work with either. I think we should make all of these windows commands use backslashes so that it works in both terminals.
There was a problem hiding this comment.
Interesting. I'm on Windows 10, and both forward slashes and backslashes work in command prompt. In any case, I have updated the docs to have backslashes only. Thank you!
Signed-off-by: Fanit Kolchina <[email protected]>
|
@cwperks Thank you for reviewing! I updated to .bat and addressed the comments - please let me know your thoughts. |
Signed-off-by: Fanit Kolchina <[email protected]>
Signed-off-by: Fanit Kolchina <[email protected]>
| @@ -13,11 +13,11 @@ redirect_from: | |||
| The plugin includes demo certificates so that you can get up and running quickly, but before using OpenSearch in a production environment, you must configure it manually: | |||
There was a problem hiding this comment.
I recommend breaking this sentence into two sentences: "The plugin includes demo certificates so that you can get up and running quickly. Before using OpenSearch in a production environment, you must configure it manually:"
Signed-off-by: Fanit Kolchina <[email protected]>
There was a problem hiding this comment.
@kolchfa-aws Please see my comments and change and let me know if you have any questions. Thanks!
| parent: Configuration | ||
| nav_order: 20 | ||
| --- | ||
|
|
||
| # Apply changes using securityadmin.sh | ||
| # Apply changes using the securityadmin script |
There was a problem hiding this comment.
Should the heading and the title match (with vs. using)?
There was a problem hiding this comment.
In this situation, it makes perfect sense, so I'll change it. Sometimes though we have to keep them different.
|
|
||
| On Windows, the equivalent of `securityadmin.sh` is the `securityadmin.bat` script located in the `\path\to\opensearch-{{site.opensearch_version}}\plugins\opensearch-security\tools\` directory. | ||
|
|
||
| When running the example commands in the preceding sections, use the **command prompt** or **Powershell**. Open the command prompt by entering `cmd` or Powershell by entering `powershell` in the search box next to **Start** on the taskbar. |
There was a problem hiding this comment.
| When running the example commands in the preceding sections, use the **command prompt** or **Powershell**. Open the command prompt by entering `cmd` or Powershell by entering `powershell` in the search box next to **Start** on the taskbar. | |
| When running the example commands in the preceding sections, use the **command prompt** or **Powershell**. Open the command prompt by entering `cmd`, or Powershell by entering `powershell`, in the search box next to **Start** on the taskbar. |
| @@ -91,7 +91,7 @@ If your node certificates have an Object ID (OID) identifier in the SAN section, | |||
|
|
|||
| ## Configure admin certificates | |||
|
|
|||
| Admin certificates are regular client certificates that have elevated rights to perform administrative tasks. You need an admin certificate to change the the security plugin configuration using `plugins/opensearch-security/tools/securityadmin.sh` or the REST API. Admin certificates are configured in `opensearch.yml` by stating their DN(s): | |||
| Admin certificates are regular client certificates that have elevated rights to perform administrative tasks. You need an admin certificate to change the the security plugin configuration using [`plugins/opensearch-security/tools/securityadmin.sh`]({{site.url}}{{site.baseurl}}/security-plugin/configuration/security-admin/) or the REST API. Admin certificates are configured in `opensearch.yml` by stating their DN(s): | |||
There was a problem hiding this comment.
| Admin certificates are regular client certificates that have elevated rights to perform administrative tasks. You need an admin certificate to change the the security plugin configuration using [`plugins/opensearch-security/tools/securityadmin.sh`]({{site.url}}{{site.baseurl}}/security-plugin/configuration/security-admin/) or the REST API. Admin certificates are configured in `opensearch.yml` by stating their DN(s): | |
| Admin certificates are regular client certificates that have elevated rights to perform administrative tasks. You need an admin certificate to change the security plugin configuration using [`plugins/opensearch-security/tools/securityadmin.sh`]({{site.url}}{{site.baseurl}}/security-plugin/configuration/security-admin/) or the REST API. Admin certificates are configured in `opensearch.yml` by stating their DN(s): |
| @@ -7,7 +7,7 @@ nav_order: 4 | |||
|
|
|||
| # YAML files | |||
|
|
|||
| Before running `securityadmin.sh` to load the settings into the `.opendistro_security` index, configure the YAML files in `config/opensearch-security`. You might want to back up these files so that you can reuse them on other clusters. | |||
| Before running [`securityadmin.sh`]({{site.url}}{{site.baseurl}}/security-plugin/configuration/security-admin/) to load the settings into the `.opendistro_security` index, configure the YAML files in `config/opensearch-security`. You might want to back up these files so that you can reuse them on other clusters. | |||
There was a problem hiding this comment.
In "on other clusters", is "on" the right preposition?
There was a problem hiding this comment.
I think so. It's like "on the computer" or "on the server".
Signed-off-by: Fanit Kolchina <[email protected]>
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.3 1.3
# Navigate to the new working tree
cd .worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-1821-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 12715e30fb0eafb930efcb31ea3db73271eab3e8
# Push it to GitHub
git push --set-upstream origin backport/backport-1821-to-1.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.3Then, create a pull request where the |
kolchfa-aws
added
backport 1.3
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.3 1.3
# Navigate to the new working tree
cd .worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-1821-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 12715e30fb0eafb930efcb31ea3db73271eab3e8
# Push it to GitHub
git push --set-upstream origin backport/backport-1821-to-1.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.3Then, create a pull request where the |
Fixes #1714
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.