-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Spike] Replace default admin password #3560
Comments
Hi @DarshitChanpura, first of all, thank you for creating this issue. I'd like to share my thoughts regarding the current spike and the options we have. The main point of discussion in phase 1 seems to revolve around the design and approach we should adopt. Here are the two options we discussed before: Option 1: Continuing with the Existing Demo Configuration Script: In my view, this option appears to be more of a short-term solution or a mitigation strategy. Based on the previous work done in PR #3329 and PR #3449, it seems we can address this by entirely removing the default
Option 2: Transitioning to a Java Tool for Demo Configuration Setup: In my opinion, this option aims to be a more long-term solution. It aligns with the original plan to deprecate the current demo configuration script. Some internal discussions suggest that this approach is in line with our broader goals.
Just a heads-up, the information above is based on my understanding. I'd like to hear your thoughts and any additional ideas you might have on these options. |
I disagree with this problem statement - maybe we should start here before we go into solutions? I think we should accept a provided password - or if none is provided make one and pass it back out to the consuming ecosystem. I think we are missing specific platforms and how the change will be picked up by them - I think working backwards from how a change gets to the platforms we want has been the biggest missing piece of the previous attempt. What do you think? |
Thanks @DarshitChanpura for putting this together (and everyone else for your feedback as well). I think we are coalescing around a path forward here, but I echo @peternied's feedback that the way we are getting there is not quite working backwards from a clear problem statement. The exit criteria looks too much like a laundry list of things we need to do vs. a list of verifications we can do from the problem statement's point of view. For example, I would like to have a clear exit criteria checkbox that reads:
The same for every other way we can validate that the problem statement was in fact addressed for every distribution. Then we work backwards from those changes and identify what needs to be done for each in terms of build changes, CI updates, and ramifications to other repos. Makes sense? to reiterate, I think the solution we are arriving at here makes sense, but I would love for us to arrive at it working backwards from a clear exit criteria, as a) it'll keep us honest and make sure we did address it and b) it will also help with us getting too much tunnel vision with our pre-conceived ideas/approaches. Food for thought: one should be able to write the exit criteria from the problem statement alone, without even having settled on an approach. |
Around the phasing, I'd suggest that we frontload building out an end to end flow for a specific distribution. There might be one that can be done independently of the others. This could allow for learnings in a lower risk timeline before we start clearing out all the distributions implementations. |
The outcome of this spike has been translated into following 3 meta issues:
Feel free to re-open if this needs more discussion. |
Problem Statement:
The current security plugin requires the admin password to be hardcoded, posing a security risk. To enhance security, we are proposing to modify the security plugin to enable cluster accept a custom password from the customer. If none is provided, the cluster should generate a secure password and pass it back to the consuming eco-system. This eco-system could be any of the supported OpenSearch distributions.
Past Implementation:
To resolve this issue, a design proposal[1][2] was put forward and subsequently implemented. The new approach allowed for the provision of a fresh admin password either through an environment variable or by utilizing a simple single-word text file. In cases where neither was provided, the installation demo configuration script would terminate, preventing any further setup of the security plugin. However, this script termination did not halt the cluster setup (e.g., via docker or through the execution of
./opensearch-install.sh
). Consequently, the cluster was established with the default credentialsadmin:admin
. This outcome was contrary to the original intention of the implementation, which aimed to have the demo script modify the internal_users.yml file to substitute the hash value for the admin user. Since the hash value remained unchanged and the cluster setup persisted, the admin user was consequently created with the default admin password. This situation prompted a reevaluation of our strategy for replacing the default admin password.Proposed Solution:
This is a multi-phase implementation that requires making changes in a few repositories. The most attention required outside security repository for this change would be opensearch-build as it would ultimately produce almost all distributions of Opensearch.
Phase 1: Designing with Security in mind
Maintainers of the security team would finalize the design.
The new design picks up the previous design, where a user is required to provide a custom password for admin. If none is provided, a new password will be provided.
If a password was generated, we can make the user aware about it one of the following two ways:
Option 1. Print it in the logs:
Option 2. Print it to the text file:
If a password was provided, it will be set for admin user, and the password will not be printed since the user is already aware of the password.
Phase 2: Ensuring the changes work with all OpenSearch distributions
Work with the opensearch-build team to finalize changes in the build repo, to ensure the distributions are shipped and will spin up the cluster as expected. (Either with the user provided password or one generated by the security plugin)
After Phase-1 is complete, next step would be to ensure that all the open-source distributions are shipped with this change.
To ensure this, work with the opensearch-build team to ensure all distribution have necessary changes, those changes are tested and ready to be shipped.
Refer to this comment to understand changes needed and the distributions supported.
Phase 3: Driving a campaign to fix all hard-coded instances across all repos
Post previous implementation, several hard-coded instances of admin:admin and demo configuration script usage were discovered across multiple repos. This phase will require driving a campaign to fix these.
During this phase, urge all the plugins currently using the hard-coded instance of admin-password to replace it with a custom generated value.
Here are the instances of demo-configuration script found across the repos: opensearch-project/opensearch-build#4094 (comment)
Maybe modify the demo config setup completely? SQL plugin has done something similar to fetch certificates from directly from security plugin repo: https://github.com/opensearch-project/sql/blob/297e26f9622e66cf01c777d229e9b13dbc19525d/integ-test/build.gradle#L82
Considerations:
Risks:
Acceptance Criteria (Consumer perspective)
admin_password
variable. If value is not provided, a password should be generated. A call with admin:admin should fail.Exit Criteria (Developer team perspective)
# Appendix
Previous Implementation references:
Design:
admin:admin
default credentials with configuration file password #3285admin:admin
default credentials with configuration file password #3285admin:admin
change requires Java to be installed #3511admin:admin
credential ifinitialAdminPassword
is not provided #3508Implementation:
The text was updated successfully, but these errors were encountered: