[DEPRECATION] Security Plugin Tools will be replaced

[peternied]

Security Plugin tools will be replaced

This list of tools that will be replaced

.\tools\audit_config_migrater.bat
.\tools\audit_config_migrater.sh
.\tools\hash.bat
.\tools\hash.sh
.\tools\install_demo_configuration.sh
.\tools\securityadmin.bat
.\tools\securityadmin.sh

This issue will be updated with the recommended replacement.

Semantic Versioning Aside

OpenSearch will never remove functionality without a major version change to OpenSearch (e.g. v3.0.0+) so while these tools are marked deprecated, it is signal that they will be replaced at some point in the future major version update. I suspect that even after we have a replacement we will keep these tools through a major version to give time for migration.

[ComBin]

Can I know will replaced for what?

[realulli]

Several questions:

• Any pointers as to what hash.sh will be replaced with?
• Any pointers to the greater plan for security?

Right now, I can have my internal userbase under version control and just update the hashes. Since they're bcrypt, I consider them secure enough. The script could be simplified, yes, but other than that? Also, with the userbase there in the file, I can set up new systems rather quickly and efficiently.

[peternied]

@realulli Great questions. We are rethinking the shape of the security ecosystem and these utilities (hash.sh, securityadmin.sh) are useful, they should be secondary to well-authored and documented APIs. Updating a user password should be possible via an API call that could be called from a tool, but the tool shouldn't be the starting point.

We are still in the design / prototype phases of many areas, the following issue is tracking the larger support. Additional we will need a clear migration story "if you used hash.sh, instead you can do...".

This issue is tracking some of these high level goals and we will be publishing more communications as we have a clear roadmap - expect blog posts and community meeting spotlights.

• [Security] OpenSearch should support authentication and authorization natively OpenSearch#4514

Semantic Versioning Aside; we will never remove functionality without a major version change to OpenSearch (e.g. v3.0.0+) so while these tools are marked deprecated, it is signal that they will be replaced at some point in the future major version update. I suspect that even after we have a replacement we will keep these tools through a major version to give time for migration.

Finally if there are still aspects you'd like to follow up on please feel free to join our public triage meeting if that is a better forum for discussion.

[sultanovich]

hi @peternied , Thank you very much for the detail in your comment. Is there a specific place where we can see the progress on this topic in general or at least of these tools? Or, should we follow this issue to see the definitions?
At this point really tools like hash.sh or securityadmin.sh have become critical in our environment.

[peternied]

This issue is a great place to watch for updates, we will use this issue to call out the details of the removal/replacement of these tools when we have concrete details.

[sultanovich]

Excellent, we will follow the topic here. Thank's @peternied

[matthid]

I feel like the warning to users is a bit early, if there is not even a replacement or any actionable thing users can do?
Users now learn to ignore the warning and will be surprised once it is removed, no?

[stephen-crawford]

HI @matthid, I understand your concern that the deprecation label could lose its impact on users. Currently, we are in the process of redesigning many of the security features as part of the Identity project. This project takes much of the existing security functionality and moves it directly into core. As part of this, the legacy security plugin tools are being phased out likely maintaining operation through 3.x and being fully deprecated at 4.0.

Right now there is nothing users can do to upgrade because the Identity release is not launched. However, this issue is made to be associated with that progress and will include helpful links for migrating as soon as the alternative approaches are live.

[artificial-intelligence]

Hi there,

is there any information what will be the replacement for https://github.com/opensearch-project/security/blob/ab6778d135109e460d7019672a8c4cbecb2a4018/tools/install_demo_configuration.sh ?

I'm currently trying to track down an issue with complaints about insecure file paths in opensearch but I have the feeling that the installer from opensearch itself does this, need to track it down though, so no definite answer until now.

[smortex]

I'm currently trying to track down an issue with complaints about insecure file paths in opensearch but I have the feeling that the installer from opensearch itself does this, need to track it down though, so no definite answer until now.

@artificial-intelligence I tried to improve this in two PR (opensearch-build#3898, opensearch-build#3952), but i don't recall seeing an explicit warning / error. Can you show at which step you see these "complaints" so that I can reproduce the issue and see if the changes helped.

[artificial-intelligence]

@smortex sorry for replying late, afaik my mentioned issues got fixed in opensearch-project/opensearch-build#3898

[smortex]

@artificial-intelligence unfortunately these changes where rolled back in opensearch-project/opensearch-build#4041 😭

opensearch-project/opensearch-build#4043 was opened to redo this (not in the upcoming 2.11.0 unfortunately, maybe 2.12.0), and I also created a meta-issue opensearch-project/opensearch-build#4087 to track the various package improvements progress. Feel free to comment in this issue so that we can have a place for all these packaging issues.

[CarterPape]

Is there any update on what is going to replace the security plugin tools? I don't see anything about it in the roadmap.

Edit: The roadmap for this is here, as part of the security plugin.