opensearch-project / helm-charts

A community repository for Helm Charts of OpenSearch Project.
https://opensearch.org/docs/latest/opensearch/install/helm/
Apache License 2.0

[BUG][opensearch-2.20.0] ADMIN_INITIAL_PASSWORD not used? #548

Open cdprete opened 5 months ago

cdprete commented 5 months ago

Hello. I'm using the opensearch-2.20-0 Helm chart and, as per documentation, I've set

extraEnvs:
  - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
    value: "some-password"
  - name: DISABLE_INSTALL_DEMO_CONFIG
    value: "true"

So far, so good. :)

Now, trying to curl the health of the cluster from within the Pod itself with

curl -ku admin:some-password http://localhost:9200/_cluster/health

leads to a 401 response, while a curl like

curl -ku admin:admin http://localhost:9200/_cluster/health

works without any issue.

So, I was wondering if the admin initial password is really used and, if it is, how?

peterzhuamazon commented 5 months ago

Hi @cdprete, if this is not a fresh install and you have previously set up a password already, then the old password will still be used.

peterzhuamazon commented 5 months ago

Also if the app version (not helm chart ver) is < 2.12.0 then this change is not taking effect.

Thanks.

cdprete commented 5 months ago

Hi. This is the information about the chart:

apiVersion: v2
appVersion: 2.14.0
description: A Helm chart for OpenSearch
home: https://opensearch.org
maintainers:
- name: DandyDeveloper
- name: bbarani
- name: gaiksaya
- name: peterzhuamazon
- name: prudhvigodithi
- name: TheAlgo
name: opensearch
sources:
- https://github.com/opensearch-project/opensearch
- https://github.com/opensearch-project/helm-charts
type: application
version: 2.20.0

Moreover, it's a fresh installation; in fact, I had to set up that env variable from the beginning.

brandonw62 commented 4 months ago

Also seeing the same behavior described above on a fresh cluster using appVersion: 2.15.0 and Chart Version 2.21.0

Also want to add that I can access my configured opensearch endpoint in my browser without a need to log in at all.

brandonw62 commented 4 months ago

@peterzhuamazon @prudhvigodithi Is there any documentation that can be followed for setting up a production level cluster via helm charts? In searching through other issues, I've injected an internal_users.yml file via a configmap & volume mount which contains a single admin user. Can you provide guidance for what files/configurations are needed to get the security plugin to initialize with a single admin user? I have provisioned certificates per the opensearch documentation which are also successfully mounted into the cluster.

Is there a specific config that is required to pass the initial password to the admin user that I've defined in the internal_users.yml? Or is it required to run the hash.sh script, update the configMap with the new hash and then run the securityadmin.sh script?

oliverwiegers commented 3 weeks ago

We're facing the same issue

prudhvigodithi commented 3 weeks ago

Hey, when DISABLE_INSTALL_DEMO_CONFIG is set it won't run the demo security script and hence OPENSEARCH_INITIAL_ADMIN_PASSWORD will not take any effect. When DISABLE_INSTALL_DEMO_CONFIG is set to true the expectation is for the user to set up cluster security; the other way is to not set DISABLE_INSTALL_DEMO_CONFIG and allow the demo script to create the security setup, and later the user can update the security settings; then the cluster would start with OPENSEARCH_INITIAL_ADMIN_PASSWORD. Adding @cwperks @DarshitChanpura to provide some more details.

Thank you @peterzhuamazon @getsaurabh02

cwperks commented 3 weeks ago

When DISABLE_INSTALL_DEMO_CONFIG is set, you must provide the securityConfig explicitly. @prudhvigodithi Are there any examples of a custom security configuration for helm-charts?
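Added example, not part of the thread and not the project's own code: a pre-deploy lint for the combination described in the two comments above, run over Helm values that have already been parsed into a dict. The `securityConfig` key names are assumptions about the chart's values.yaml; the sample values are constructed from the `extraEnvs` in the original report.

```python
# Assumed securityConfig keys (check them against the chart's values.yaml).
SECRET_KEYS = ("internalUsersSecret", "configSecret", "rolesSecret",
               "rolesMappingSecret", "actionGroupsSecret", "tenantsSecret")


def env_map(values):
    """Flatten extraEnvs ([{name, value}, ...]) into {name: value}."""
    return {e.get("name"): str(e.get("value", ""))
            for e in values.get("extraEnvs") or []}


def has_custom_security_config(values):
    """True if any security configuration is supplied through the chart."""
    sc = values.get("securityConfig") or {}
    cfg = sc.get("config") or {}
    return bool(cfg.get("securityConfigSecret") or cfg.get("data")
                or any(sc.get(k) for k in SECRET_KEYS))


def lint(values):
    """Return findings for the misconfiguration discussed in this issue."""
    env = env_map(values)
    demo_disabled = env.get("DISABLE_INSTALL_DEMO_CONFIG", "").lower() == "true"
    findings = []
    if demo_disabled and "OPENSEARCH_INITIAL_ADMIN_PASSWORD" in env:
        findings.append("OPENSEARCH_INITIAL_ADMIN_PASSWORD is ignored: "
                        "the demo security script does not run")
    if demo_disabled and not has_custom_security_config(values):
        findings.append("demo config disabled but no securityConfig supplied")
    return findings


# Constructed sample: the extraEnvs from the original report.
ISSUE_VALUES = {
    "extraEnvs": [
        {"name": "OPENSEARCH_INITIAL_ADMIN_PASSWORD", "value": "some-password"},
        {"name": "DISABLE_INSTALL_DEMO_CONFIG", "value": "true"},
    ]
}

if __name__ == "__main__":
    for finding in lint(ISSUE_VALUES):
        print("WARN:", finding)
```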

cdprete commented 3 weeks ago

@prudhvigodithi in my case that was already set, but with no luck.
