Remove instances of hard admin credentials #981
Conversation
Signed-off-by: Derek Ho <[email protected]>
derek-ho
requested review from
xluo-aws,
Hailong-am,
SuZhou-Joe,
ruanyl,
wanglam and
raintygao
as code owners
|
Can somebody add backport 2.x label? |
|
Can somebody review my deletion of integtest.sh file? Is that unused in this repo? The idea is coming from: opensearch-project/opensearch-build#497, in which it seems this file should have been migrated to build repo. Additionally it contains reference to admin:admin so I removed it, but can bring it back if that's wrong/is actively being used by this repo somehow. |
Signed-off-by: Derek Ho <[email protected]>
| @@ -62,8 +62,8 @@ jobs: | |||
| else | |||
| echo "Keep OpenSearch Security" | |||
| nohup ./opensearch-windows-install.bat & | |||
| timeout 900 bash -c 'while [[ "$(curl -o /dev/null -w ''%{http_code}'' -u admin:admin -k https://localhost:9200)" != "200" ]]; do echo sleeping 5; sleep 5; done' | |||
| curl -sk https://localhost:9200/_cluster/health?pretty -u admin:admin | |||
| timeout 900 bash -c 'while [[ "$(curl -o /dev/null -w ''%{http_code}'' -u admin:${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }} -k https://localhost:9200)" != "200" ]]; do echo sleeping 5; sleep 5; done' | |||
There was a problem hiding this comment.
seems that env.OPENSEARCH_INITIAL_ADMIN_PASSWORD is not defined
There was a problem hiding this comment.
You're right, I was accidentally editing a backport branch, fixed now
Signed-off-by: Derek Ho <[email protected]>
There was a problem hiding this comment.
whoops. this is the one jenkins executes.
There was a problem hiding this comment.
Got it. I found this: https://github.com/opensearch-project/opensearch-build/blob/f92f571a42eecfc3279c217c5bd53922517054d0/scripts/components/functionalTestDashboards/build.sh. I will revert this deletion. @kavilla can you help me understand what/if any changes need to be made in integtest.sh in terms of the admin:admin credentials? I feel like there is some assumption about the setup of the OpenSearch backend that FTR would be running against, but I don't know where that is setup?
There was a problem hiding this comment.
There was a problem hiding this comment.
yeah that line just need to replace it with admin:urnewpassword if that is the expected password. basically the integtest.sh script gets executed after an OpenSearch and OpenSearch Dashboards of the same version and successful builds get scaled up. Then Jenkins will clone this repo and execute integtest.sh. So as long as you change that password in integtest.sh it will be the credential passed when the tests are executed.
There was a problem hiding this comment.
Do you have any idea about where those successful builds are generated? It seems like less work to modify that place to get spun up with admin:admin, so none of the component integtest.sh need to be changed.
|
#982 for checking if all tests run successfully if security enabled. |
Signed-off-by: Derek Ho <[email protected]>
|
@kavilla @SuZhou-Joe can you take another look? Added logic to handle the logic of 2.12.0 release and onwards. |
LGTM |
Signed-off-by: Derek Ho <[email protected]>
Signed-off-by: Derek Ho <[email protected]>
|
@kavilla , could you please take a look on this PR and unblock the requested change if it looks good to you? |
integtest.sh
Outdated
| USERNAME=`echo $CREDENTIAL | awk -F ':' '{print $1}'` | ||
| PASSWORD=`echo $CREDENTIAL | awk -F ':' '{print $2}'` | ||
| # Starting in 2.12.0, security demo configuration script requires an initial admin password | ||
| if (( ${version_array[0]} > 2 || (${version_array[0]} == 2 && ${version_array[1]} >= 12) )); then |
There was a problem hiding this comment.
imo i dont think this need. I'm not positive if version is being passed I can check but ideally. This file will be checked out via branches or tags. So since this is on main and main is expected to 3.0.0. Which just need to make sure we backport this to 2.x then it's in the 2.12 release branch. And then dont backport any further.
One other thing is I'm not positive how this password gets set. So when the integration tests get ran they get executed after the cluster is started.
Originally this takes from an environment variable that needs to be set pre opensearch-tar-install is that correct?
There was a problem hiding this comment.
I am not sure. I asked this question in a comment in a PR in the build repo. However, this seems plausible to me. I think in the build repo the default one is used on all branches so we need to add that logic there. I removed it for now, pending confirmation from build team that this would be checked out per branch.
Signed-off-by: Derek Ho <[email protected]>
|
@kavilla can you re-review and merge if it looks good? I applied your suggestions and this seems to be blocking a few other PRs and workflows, thanks! |
* Remove instances of hard admin credentials opensearch-project/opensearch-build#4302 Signed-off-by: Derek Ho <[email protected]> (cherry picked from commit 8391566)
* Remove instances of hard admin credentials opensearch-project/opensearch-build#4302 Signed-off-by: Derek Ho <[email protected]> (cherry picked from commit 8391566) Co-authored-by: Derek Ho <[email protected]>
Description
In 3.0.0 and backported to 2.12.0 release is a change where security demo configuration requires an initial admin password to be passed in on setup. This PR does that.
Issues Resolved
[List any issues this PR will resolve]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.