From a5da90814d2f69e810fcce2d795475e7c565d999 Mon Sep 17 00:00:00 2001 From: Michael Froh Date: Thu, 18 Jan 2024 22:13:29 +0000 Subject: [PATCH] Require password as an argument on 2.12 and higher For earlier versions, emit a warning if an admin password is specified on the command line, since it will be ignored. Signed-off-by: Michael Froh --- .../personalized_search_ranking_quickstart.sh | 38 +++++++++++++------ .../search_processing_kendra_quickstart.sh | 35 +++++++++++------ 2 files changed, 51 insertions(+), 22 deletions(-) diff --git a/helpers/personalized_search_ranking_quickstart.sh b/helpers/personalized_search_ranking_quickstart.sh index ee5c9a3..c78b3ad 100755 --- a/helpers/personalized_search_ranking_quickstart.sh +++ b/helpers/personalized_search_ranking_quickstart.sh @@ -26,7 +26,7 @@ fi function print_help() { cat << EOF Usage: $0 [-r ] [--profile ] - [--volume-name ] + [--volume-name ] [--admin-password ] -r | --region The AWS region for the Personalize Intelligent Ranking service endpoint. If not specified, will read from the AWS CLI for the default profile. @@ -39,6 +39,11 @@ Usage: $0 [-r ] [--profile ] named Docker volume to \$OPENSEARCH_ROOT/data, so index data will persist across executions. If the named volume does not exist, it will be created. + --admin-password For OpenSearch 2.12 and higher, we no longer use a default + password of "admin" for the admin user. Instead, the value + passed to this parameter will be used as the admin password. + For OpenSearch versions prior to 2.12, this argument will be + ignored with a warning. NOTE: If the --profile option is not specified, the script will attempt to read AWS credentials (access/secret key, optional session token) from environment variables, 
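Review bot: The new `--admin-password` help entry (hunk @@ -39,6 +39,11 @@) does not say that a password given as an argument is recorded in shell history and is readable in the process list while the script runs. I would add a sentence to the entry such as `A password passed on the command line is visible in shell history and in the process list.` The version check added later reads `${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-}`, so an exported variable of that name would presumably be honoured unless it is reset in lines outside this diff; if that is intended, documenting it here gives users a way to keep the secret off the command line. The same applies to the help hunk @@ -50,6 +50,11 @@ in helpers/search_processing_kendra_quickstart.sh.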
@@ -76,9 +81,27 @@ while [ "$#" -gt 0 ]; do VOLUME_NAME=$1 shift ;; - esac + --admin-password ) + shift + OPENSEARCH_INITIAL_ADMIN_PASSWORD="$1" + shift + ;; + esac done +# Starting in 2.12.0, security demo configuration script requires an initial admin password +OPENSEARCH_REQUIRED_VERSION="2.12.0" +COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1` +if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then + if [ -n "${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-}" ]; then + echo "WARNING: The --admin-password setting has no effect on OpenSearch ${OPENSEARCH_VERSION}. The admin password will be 'admin'." + fi + OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin" +elif [ -z "${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-}" ]; then + echo "Starting with OpenSearch 2.12, you must specify the admin password with the --admin-password parameter." + exit 1 +fi + # # Determine which credentials and region to use. By the end of this block, all specified # credentials will be loaded into environment variables (or we fail with an explanatory @@ -253,14 +276,7 @@ if [ -n "${VOLUME_NAME:-}" ]; then fi echo "Volume created" -# Starting in 2.12.0, security demo configuration script requires an initial admin password -OPENSEARCH_REQUIRED_VERSION="2.12.0" -COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1` -if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then - OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin" -else - OPENSEARCH_INITIAL_ADMIN_PASSWORD="myStrongPassword123!" -fi + # # Create a docker-compose.yml file that will launch an OpenSearch node with the image we @@ -395,4 +411,4 @@ applicable) by running The full text of this message is also available at $(pwd)/README EOF -cat README \ No newline at end of file +cat README diff --git a/helpers/search_processing_kendra_quickstart.sh b/helpers/search_processing_kendra_quickstart.sh index ba62405..3c0bba4 100755 
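Review bot: On the 2.12-and-higher branch of the check added in hunk @@ -76,9 +81,27 @@, `elif [ -z "${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-}" ]` only rejects an empty password, so any non-empty value is accepted at this point. As far as I know the 2.12 security demo configuration refuses weak passwords, in which case a weak value would fail only later, when the node starts, with a less obvious message; the error text and the help could state that the password must meet OpenSearch's strength rules. Both new messages are also written to stdout, where a caller capturing output can miss them; appending `>&2` to the two `echo` lines sends them to stderr. The same block is added in helpers/search_processing_kendra_quickstart.sh at @@ -121,6 +131,19 @@.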
--- a/helpers/search_processing_kendra_quickstart.sh +++ b/helpers/search_processing_kendra_quickstart.sh @@ -27,7 +27,7 @@ function print_help() { cat << EOF Usage: $0 [-p ] [-r ] [-e ] [--profile ] [--create-execution-plan] - [--volume-name ] + [--volume-name ] [--admin-password ] -p | --execution-plan-id The ID returned from Kendra Intelligent Ranking service from the call to CreateRescoreExecutionPlan. Required if --create-execution-plan is not set. @@ -50,6 +50,11 @@ Usage: $0 [-p ] [-r ] [-e ] named Docker volume to \$OPENSEARCH_ROOT/data, so index data will persist across executions. If the named volume does not exist, it will be created. + --admin-password For OpenSearch 2.12 and higher, we no longer use a default + password of "admin" for the admin user. Instead, the value + passed to this parameter will be used as the admin password. + For OpenSearch versions prior to 2.12, this argument will be + ignored with a warning. NOTE: If the --profile option is not specified, the script will attempt to read AWS credentials (access/secret key, optional session token) from environment variables, @@ -101,6 +106,11 @@ while [ "$#" -gt 0 ]; do VOLUME_NAME=$1 shift ;; + --admin-password ) + shift + OPENSEARCH_INITIAL_ADMIN_PASSWORD="$1" + shift + ;; esac done 
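Review bot: The new `--admin-password )` arm (hunk @@ -101,6 +106,11 @@) reads `$1` right after `shift` without checking that a value follows. With `--admin-password` as the last argument the variable is left empty, or, if the script runs under `set -u` (the `${VAR:-}` expansions suggest it, but that line is not visible), the script aborts on an unbound variable instead of printing usage. A guard before the first `shift`, `[ "$#" -ge 2 ] || { print_help; exit 1; }`, would give a clear error. The neighbouring `--volume-name` arm appears to follow the same pattern, so this is consistent with the file but worth tightening for a secret. The identical arm in helpers/personalized_search_ranking_quickstart.sh (@@ -76,9 +81,27 @@) has the same gap, and the `case` statement begins outside both hunks.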
@@ -121,6 +131,19 @@ if [ "${FAILED_VALIDATION}" == "1" ]; then exit 1 fi +# Starting in 2.12.0, security demo configuration script requires an initial admin password +OPENSEARCH_REQUIRED_VERSION="2.12.0" +COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1` +if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then + if [ -n "${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-}" ]; then + echo "WARNING: The --admin-password setting has no effect on OpenSearch ${OPENSEARCH_VERSION}. The admin password will be 'admin'." + fi + OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin" +elif [ -z "${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-}" ]; then + echo "Starting with OpenSearch 2.12, you must specify the admin password with the --admin-password parameter." + exit 1 +fi + # # Determine which credentials and region to use. By the end of this block, all specified # credentials will be loaded into environment variables (or we fail with an explanatory @@ -359,16 +382,6 @@ if [ -n "${VOLUME_NAME:-}" ]; then external: true" fi -# Starting in 2.12.0, security demo configuration script requires an initial admin password -OPENSEARCH_REQUIRED_VERSION="2.12.0" -COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1` -if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then - OPENSEARCH_INITIAL_ADMIN_PASSWORD="admin" -else - OPENSEARCH_INITIAL_ADMIN_PASSWORD="myStrongPassword123!" -fi - - # # Create a docker-compose.yml file that will launch an OpenSearch node with the image we # just built and an OpenSearch Dashboards node that points to the OpenSearch node.