[BUG][opensearch-2.20.0] ADMIN_INITIAL_PASSWORD not used? #548

Open
cdprete opened this issue Jun 6, 2024 · 9 comments
Labels
bug Something isn't working

Comments

@cdprete

cdprete commented Jun 6, 2024

Hello.
I'm using the opensearch-2.20-0 Helm chart and, as per documentation, I've set

extraEnvs:
  - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
    value: "some-password"
  - name: DISABLE_INSTALL_DEMO_CONFIG
    value: "true"

So far, so good. :)

Now, trying to curl the health of the cluster from within the Pod itself with

curl -ku admin:some-password http://localhost:9200/_cluster/health

leads to a 401 response, while a curl like

curl -ku admin:admin http://localhost:9200/_cluster/health

works without any issue.

So, I was wondering if the admin initial password is really used and, if it is, how?

@cdprete cdprete added bug Something isn't working untriaged Issues that have not yet been triaged labels Jun 6, 2024
@peterzhuamazon
Member

Hi @cdprete, if this is not a fresh install and you have previously set up a password already, then the old password will still be used.

@prudhvigodithi prudhvigodithi removed the untriaged Issues that have not yet been triaged label Jun 6, 2024
@peterzhuamazon
Member

Also if the app version (not helm chart ver) is < 2.12.0 then this change is not taking effect.

Thanks.

@cdprete
Author

cdprete commented Jun 7, 2024

Hi.
This is the information about the chart:

apiVersion: v2
appVersion: 2.14.0
description: A Helm chart for OpenSearch
home: https://opensearch.org
maintainers:
- name: DandyDeveloper
- name: bbarani
- name: gaiksaya
- name: peterzhuamazon
- name: prudhvigodithi
- name: TheAlgo
name: opensearch
sources:
- https://github.com/opensearch-project/opensearch
- https://github.com/opensearch-project/helm-charts
type: application
version: 2.20.0

Moreover, it's a fresh installation; in fact, I had to set up that env variable from the beginning.

@brandonw62

brandonw62 commented Jun 27, 2024

Also seeing the same behavior described above on a fresh cluster using appVersion: 2.15.0 and Chart Version 2.21.0

Also want to add that I can access my configured opensearch endpoint in my browser without a need to login at all.

@brandonw62

@peterzhuamazon @prudhvigodithi Is there any documentation that can be followed for setting up a production level cluster via helm charts? In searching through other issues, I've injected an internal_users.yml file via a configmap & volume mount which contains a single admin user. Can you provide guidance for what files/configurations are needed to get the security plugin to initialize with a single admin user? I have provisioned certificates per the opensearch documentation which are also successfully mounted into the cluster.

Is there a specific config that is required to pass the initial password to the admin user that I've defined in the internal_users.yml? Or is it required to run the hash.sh script, update the configMap with the new hash and then run the securityadmin.sh script?

@oliverwiegers

We're facing the same issue

@prudhvigodithi
Member

Hey, when DISABLE_INSTALL_DEMO_CONFIG is set it won't run the demo security script and hence OPENSEARCH_INITIAL_ADMIN_PASSWORD will not take any effect. When DISABLE_INSTALL_DEMO_CONFIG is set to true, the expectation is for the user to set up cluster security; the other way is to not set DISABLE_INSTALL_DEMO_CONFIG and allow the demo script to create the security setup, and later the user can update the security settings; then the cluster would start with OPENSEARCH_INITIAL_ADMIN_PASSWORD. Adding @cwperks @DarshitChanpura to provide some more details.

Thank you
@peterzhuamazon @getsaurabh02

@cwperks
Member

cwperks commented Oct 28, 2024

When DISABLE_INSTALL_DEMO_CONFIG is set, you must provide the securityConfig explicitly. @prudhvigodithi Are there any examples of a custom security configuration for helm-charts?
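
A pre-deploy values lint that encodes the two maintainer statements above, as an added example that is not part of the thread or the chart's own code: it flags values where DISABLE_INSTALL_DEMO_CONFIG is "true" while OPENSEARCH_INITIAL_ADMIN_PASSWORD is set, or while no securityConfig is supplied. The securityConfig key names, the literal "true" comparison and the secret name are assumptions to check against your chart version; the sample values are constructed from the report.

```python
# Added example: lint parsed Helm values (a dict) for the opensearch chart.
# Assumption: these securityConfig key names match your chart's values.yaml.
SECRET_KEYS = ("actionGroupsSecret", "configSecret", "internalUsersSecret",
               "rolesSecret", "rolesMappingSecret", "tenantsSecret")


def env_map(values):
    """Flatten extraEnvs into {name: value}; valueFrom entries get a marker."""
    return {e.get("name"): e.get("value", "<valueFrom>")
            for e in values.get("extraEnvs") or []}


def demo_config_disabled(env):
    # Assumption: only the literal "true" counts as "set".
    return str(env.get("DISABLE_INSTALL_DEMO_CONFIG", "")).strip().lower() == "true"


def has_custom_security_config(values):
    """True when any security config source is supplied in the values."""
    sc = values.get("securityConfig") or {}
    cfg = sc.get("config") or {}
    return bool(cfg.get("data") or cfg.get("securityConfigSecret")
                or any(sc.get(k) for k in SECRET_KEYS))


def lint(values):
    """Return finding codes for the combination described in the thread."""
    env = env_map(values)
    if not demo_config_disabled(env):
        return []  # demo script runs; the thread's warnings do not apply
    findings = []
    if "OPENSEARCH_INITIAL_ADMIN_PASSWORD" in env:
        findings.append("INITIAL_ADMIN_PASSWORD_HAS_NO_EFFECT")
    if not has_custom_security_config(values):
        findings.append("SECURITY_CONFIG_NOT_PROVIDED")
    return findings


# Constructed sample values: the reporter's extraEnvs, then two variants.
# The secret name "my-security-config" is hypothetical.
REPORTED = {"extraEnvs": [
    {"name": "OPENSEARCH_INITIAL_ADMIN_PASSWORD", "value": "some-password"},
    {"name": "DISABLE_INSTALL_DEMO_CONFIG", "value": "true"}]}
DEMO_SCRIPT = {"extraEnvs": [REPORTED["extraEnvs"][0]]}
CUSTOM = {"extraEnvs": [REPORTED["extraEnvs"][1]],
          "securityConfig": {"config": {"securityConfigSecret": "my-security-config"}}}

if __name__ == "__main__":
    for name, vals in (("reported", REPORTED), ("demo script", DEMO_SCRIPT),
                       ("custom config", CUSTOM)):
        print(name, lint(vals))
```
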

@cdprete
Author

cdprete commented Oct 28, 2024 via email
