-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added Password Setup Tool #1686
Added Password Setup Tool #1686
Conversation
… made progress on a password setup tool Signed-off-by: Ryan Bogan <[email protected]>
…e new password system Signed-off-by: Ryan Bogan <[email protected]>
Signed-off-by: Ryan Bogan <[email protected]>
…ting Signed-off-by: Ryan Bogan <[email protected]>
src/test/java/org/opensearch/security/SlowIntegrationTests.java
Outdated
Show resolved
Hide resolved
System.out.println("\nEnter password for " + user + ": "); | ||
String password = sc.nextLine(); | ||
setPasswordSingleUser(user, lowLevelClient, password); | ||
isWeakPassword = false; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what is the use of this flag isWeakPassword
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's to prevent the tool from closing if a password that doesn't meet the policy is entered. Instead of throwing an exception, it gives the user a chance to re-enter a new password for that user.
Signed-off-by: Ryan Bogan <[email protected]>
String password = sc.nextLine(); | ||
setPasswordSingleUser(user, lowLevelClient, password); | ||
isWeakPassword = false; | ||
} catch(ResponseException e) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't this too broad? Are we sure we're only catching password policy validation failure here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should just catch the password validation failure as long as internal_users.yml
is not modified. Is there another type of ResponseException that I'm missing?
setPasswordSingleUser(user, lowLevelClient, password); | ||
isWeakPassword = false; | ||
} catch(ResponseException e) { | ||
System.out.println("A password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character."); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should log the message in plugins.security.restapi.password_validation_error_message
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the contribution, we do require new functionality had unit tests added to ensure it keeps working, please add unit tests.
We also require that basic documentation is added so that other users can know where/how to use it, please create a basic markdown readme for high level usage, no need to duplicate the great work you've done with the Command line options
While not required, I would highly recommend breaking this single file into many smaller classes, this will make it easier to author tests. Some classes that could be extracted would be CommandLineOptions, CommandLineParser, CommandLineValidator, UserPasswordApplier, SSLContextCreator, ClusterHealthChecker (This seems like it might already be implemented elsewhere in the codebase.)
final int returnCode = execute(args); | ||
System.exit(returnCode); | ||
} catch (Throwable e) { | ||
System.out.println("Unexpected error"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please include the error in the printed output
Hi @ryanbogan It has been many days since there was movement on this PR, what are you thoughts on moving forward? |
Hey @peternied, I have been out of the office since Monday, but last week I made most of the changes suggested above. I am currently working on unit testing, and then I want to explore breaking the file into separate classes. |
Signed-off-by: Ryan Bogan <[email protected]>
Signed-off-by: Ryan Bogan <[email protected]>
Signed-off-by: Ryan Bogan <[email protected]>
Signed-off-by: Ryan Bogan <[email protected]>
Codecov Report
@@ Coverage Diff @@
## main #1686 +/- ##
============================================
- Coverage 64.56% 62.41% -2.16%
- Complexity 3239 3287 +48
============================================
Files 249 254 +5
Lines 17479 18591 +1112
Branches 3096 3354 +258
============================================
+ Hits 11286 11604 +318
- Misses 4635 5243 +608
- Partials 1558 1744 +186
Continue to review full report at Codecov.
|
Signed-off-by: Ryan Bogan <[email protected]>
options.addOption(Option.builder("era").longOpt("enable-replica-autoexpand").desc("Enable replica auto expand and exit").build()); | ||
options.addOption(Option.builder("dra").longOpt("disable-replica-autoexpand").desc("Disable replica auto expand and exit").build()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why are these options required in password setup?
options.addOption(Option.builder("ff").longOpt("fail-fast").desc("fail-fast if something goes wrong").build()); | ||
options.addOption(Option.builder("dg").longOpt("diagnose").desc("Log diagnostic trace into a file").build()); | ||
options.addOption(Option.builder("dci").longOpt("delete-config-index").desc("Delete '.opendistro_security' config index and exit.").build()); | ||
options.addOption(Option.builder("esa").longOpt("enable-shard-allocation").desc("Enable all shard allocation and exit.").build()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems unnecessary
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are a lot of input arguments that are not applicable to the tool (see below). We should remove them unless there's a reason i'm missing.
-arc,--accept-red-cluster Also operate on a red
cluster. If not specified
the cluster state has to
be at least yellow.
-backup <folder> Backup configuration to
folder
-dci,--delete-config-index Delete
'.opendistro_security'
config index and exit.
-dra,--disable-replica-autoexpand Disable replica auto
expand and exit
-ec,--enabled-ciphers <cipers> Comma separated list of
enabled TLS ciphers
-ep,--enabled-protocols <protocols> Comma separated list of
enabled TLS protocols
-er,--explicit-replicas <number of replicas> Set explicit number of
replicas or autoexpand
expression for
.opendistro_security index
-era,--enable-replica-autoexpand Enable replica auto expand
and exit
-esa,--enable-shard-allocation Enable all shard
allocation and exit.
-f,--file <file> file
-migrate <folder> Migrate and use folder to
store migrated files
-mo,--migrate-offline <folder> Migrate and use folder to
store migrated files
-us,--update_settings <number of replicas> Update the number of
Security index replicas,
reload configuration on
all nodes and exit
-vc,--validate-configs <version> Validate config for
version 6 or 7 (default 7)
-w,--whoami Show information about the
used admin certificate
-r,--retrieve retrieve current config
-rev,--resolve-env-vars Resolve/Substitute env
vars in config with their
value before uploading
-rl,--reload Reload the configuration
on all nodes, flush all
Security caches and exit
-si,--show-info Show system and license
info
-sniff,--enable-sniffing Enable
client.transport.sniff
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Besides, some other settings like -cd (config directory), -key (admin key), -cert (admin cert), -cacert (root certs) should be optional to provide for users, with defaults set to what opensearch-security sets out of the box.
@ryanbogan After reviewing the state of our tooling within security - we are deprecating all of it in 3.0. As we are not investing in this space, this change will not be merged and I am closing this pull request. This change is valuable and I think it should live on as a part of an OpenSearch operations tool. Updating configuration programmatically like swapping out certificates, updating cluster configuration, and setting up user accounts with secure password are great use cases. |
On running this tool I see some unnecessary things going on, that need to be fixed
Pls fix this. logs
|
Yes, that's the plan. I'm going to post a commit on top of this PR/create a separate pr for |
@setiah lets not author this change in the security repository and instead create it in a new repo dedicated to this tooling. |
@peternied I would say let's do that independently. We should not block this change for any future plans on maintaining the tooling. We can move around the tooling as a separate consolidation effort with a separate issue, as-it-is, and package it in ways best for user experience. As part of that you would have to move other tools as well. |
Description
Adds a password setup tool and corresponding scripts to set passwords for internal users.
Issues Resolved
Progress on: Replace admin:admin default credentials
Testing
Manual testing: The plugin was built and installed into opensearch min version 1.2.4. The script was run to ensure all branches of the tool are functional.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.