aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

opensearchservice: master user is not added to domain #18375

Closed jdotw closed 1 year ago

jdotw commented 2 years ago

What is the problem?

The master user isn't actually created when a username is specified and/or if a password is specified.

Reproduction Steps

Create a domain like this:

import * as opensearch from "aws-cdk-lib/aws-opensearchservice";

// Inside a Stack constructor (`this` is the Stack).
const prodDomain = new opensearch.Domain(this, "Domain", {
  version: opensearch.EngineVersion.OPENSEARCH_1_0,
  capacity: {
    masterNodes: 3,
    masterNodeInstanceType: "m4.large.search",
    dataNodes: 3,
    dataNodeInstanceType: "m4.large.search",
  },
  ebs: {
    volumeSize: 20,
  },
  zoneAwareness: {
    availabilityZoneCount: 3,
  },
  logging: {
    slowSearchLogEnabled: true,
    appLogEnabled: true,
    slowIndexLogEnabled: true,
  },
  enforceHttps: true,
  nodeToNodeEncryption: true,
  encryptionAtRest: {
    enabled: true,
  },
  // Fine-grained access control with an internal master user; CDK generates
  // the password and stores it in a Secrets Manager secret.
  fineGrainedAccessControl: {
    masterUserName: "master-user",
  },
});

The same issue happens even if you specify a master password secret.

What did you expect to happen?

The credentials in the automatically-created secret should work when trying to use the dashboard and/or for REST clients attempting to use the domain.

What actually happened?

The secret is created, a username and password are present, but the domain does not have that master username or password configured. Attempting to access the dashboard throws an "anonymous access not allowed" error and REST clients cannot connect using the username and password in the secret.

Workaround: Go to the domain in the AWS Console, add a new master user (using the same username and password from the secret) and then the dashboard works as expected, and REST clients can connect to the domain.

CDK CLI Version

2.5.0 (build 0951122)

Framework Version

No response

Node.js Version

v16.13.1

OS

macOS 12.1

Language

Typescript

Language Version

No response

Other information

No response
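As an added example (not code from this issue or from aws-cdk), a small guard that can be run over the synthesized CloudFormation template (`cdk synth` output) to catch the state described above: an OpenSearch domain with fine-grained access control enabled but no MasterUserOptions, alongside an orphaned master-user secret. The template fragments below are constructed, not synthesized from the stack in the report.

```typescript
// Post-synth check: flag AWS::OpenSearchService::Domain resources whose
// AdvancedSecurityOptions do not actually carry a master user.
type Json = Record<string, any>;

export interface Finding {
  logicalId: string;
  reason: string;
}

export function findDomainsMissingMasterUser(template: Json): Finding[] {
  const findings: Finding[] = [];
  const resources: Record<string, Json> = template.Resources ?? {};
  for (const [logicalId, res] of Object.entries(resources)) {
    if (res.Type !== "AWS::OpenSearchService::Domain") continue;
    const aso: Json | undefined = res.Properties?.AdvancedSecurityOptions;
    if (!aso || aso.Enabled !== true) {
      findings.push({ logicalId, reason: "fine-grained access control is not enabled" });
      continue;
    }
    const opts: Json | undefined = aso.MasterUserOptions;
    if (aso.InternalUserDatabaseEnabled === true) {
      // Internal user database: both name and password must be set on the domain.
      if (!opts?.MasterUserName || !opts?.MasterUserPassword) {
        findings.push({ logicalId, reason: "internal user database enabled but MasterUserName/MasterUserPassword missing" });
      }
    } else if (!opts?.MasterUserARN) {
      // IAM master user: an ARN is required instead.
      findings.push({ logicalId, reason: "no MasterUserARN configured for IAM master user" });
    }
  }
  return findings;
}

// Constructed sample: secret exists, domain has no master user (the reported symptom).
export const TEMPLATE_MISSING_MASTER: Json = { Resources: {
  DomainMasterUserSecret: { Type: "AWS::SecretsManager::Secret", Properties: { GenerateSecretString: {} } },
  Domain: { Type: "AWS::OpenSearchService::Domain", Properties: {
    EngineVersion: "OpenSearch_1.0",
    AdvancedSecurityOptions: { Enabled: true, InternalUserDatabaseEnabled: true },
  } },
} };

// Constructed sample: master user wired to the secret via a dynamic reference.
export const TEMPLATE_OK: Json = { Resources: {
  Domain: { Type: "AWS::OpenSearchService::Domain", Properties: {
    EngineVersion: "OpenSearch_1.0",
    AdvancedSecurityOptions: { Enabled: true, InternalUserDatabaseEnabled: true,
      MasterUserOptions: { MasterUserName: "master-user",
        MasterUserPassword: "{{resolve:secretsmanager:PLACEHOLDER_SECRET_ARN:SecretString:password}}" } },
  } },
} };
```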

jdotw commented 2 years ago

I tried a work-around of setting the master username and password using the CLI... but it still failed

#!/usr/bin/env bash
# Assumes ES_DOMAIN_NAME is already set to the deployed domain name.
ES_MASTER_SECRET_ARN=$(aws secretsmanager list-secrets --query "SecretList[?starts_with(Name, 'DomainMasterUser')].ARN" --output text)
echo "ES_MASTER_SECRET_ARN: ${ES_MASTER_SECRET_ARN}"
# Read the CDK-generated secret once and pull both fields out of its JSON SecretString.
ES_MASTER_SECRET=$(aws secretsmanager get-secret-value --secret-id "${ES_MASTER_SECRET_ARN}" | jq --raw-output '.SecretString')
ES_MASTER_USERNAME=$(jq -r .username <<< "${ES_MASTER_SECRET}")
echo "ES_MASTER_USERNAME: ${ES_MASTER_USERNAME}"
ES_MASTER_PASSWORD=$(jq -r .password <<< "${ES_MASTER_SECRET}")
if [[ -z "${ES_MASTER_PASSWORD}" ]]; then
  echo "ES Master password was not found"
  exit 1
fi
# Note: this echoes the master password into the shell/CI log.
echo "ES_MASTER_PASSWORD: ${ES_MASTER_PASSWORD}"

# Push the same credentials into the domain's advanced security options.
ES_MASTER_USER_RESULT=$(aws opensearch update-domain-config --domain-name "${ES_DOMAIN_NAME}" --advanced-security-options "{ \"MasterUserOptions\": { \"MasterUserName\": \"${ES_MASTER_USERNAME}\", \"MasterUserPassword\": \"${ES_MASTER_PASSWORD}\" } }")
echo "ES_MASTER_USER_RESULT: ${ES_MASTER_USER_RESULT}"

kaizencc commented 2 years ago

I seem to have the master user and domain set up correctly when I deploy a similar opensearch domain. I don't have any experience with opensearch dashboards and I'm not sure if we considered that use case when this module was created. This is going to require some work to determine how CDK opensearch domains interact with opensearch dashboards and then determine if there is a need for a fix.

I'm determining this to be a use case that might not be unlocked, and hopefully we can determine how common this is with +1s on the issue. I'm marking as p2 for now.

github-actions[bot] commented 1 year ago

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.