plugins.security.disabled setting no longer working in 2.12 leading to errors (Docker) #4062
Comments
@DarshitChanpura @derek-ho is this possibly related to #3624? |
2.11.1 test scenarios:

custom opensearch.yml (has setting plugins.security.disabled: true)

opensearch-node2 | Detected OpenSearch Version: x-content-2.11.1
opensearch-node2 | Detected OpenSearch Security Version: 2.11.1.0
opensearch-node1 | /usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.
opensearch-node2 | /usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.

➜ 2.11.1 curl http://localhost:9200
{
"name" : "opensearch-node1",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "PKhXmPJOT-SA6jWssYcUrg",
"version" : {
"distribution" : "opensearch",
"number" : "2.11.1",
"build_type" : "tar",
"build_hash" : "6b1986e964d440be9137eba1413015c31c5a7752",
"build_date" : "2023-11-29T21:45:35.524809067Z",
"build_snapshot" : false,
"lucene_version" : "9.7.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}

providing "DISABLE_SECURITY_PLUGIN=true"

opensearch-node2 | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node2 | **************************************************************************
opensearch-node2 | ** This tool will be deprecated in the next major release of OpenSearch **
opensearch-node2 | ** https://github.com/opensearch-project/security/issues/1755 **
opensearch-node2 | **************************************************************************
opensearch-node2 | OpenSearch Security Demo Installer
opensearch-node2 | ** Warning: Do not use on production or public reachable systems **
opensearch-node2 | Basedir: /usr/share/opensearch
opensearch-node2 | OpenSearch install type: rpm/deb on Amazon Linux release 2023 (Amazon Linux)
opensearch-node2 | OpenSearch config dir: /usr/share/opensearch/config
opensearch-node2 | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node2 | OpenSearch bin dir: /usr/share/opensearch/bin
opensearch-node2 | OpenSearch plugins dir: /usr/share/opensearch/plugins
opensearch-node2 | OpenSearch lib dir: /usr/share/opensearch/lib
opensearch-node2 | Detected OpenSearch Version: x-content-2.11.1
opensearch-node2 | Detected OpenSearch Security Version: 2.11.1.0
opensearch-node1 | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node1 | **************************************************************************
opensearch-node1 | ** This tool will be deprecated in the next major release of OpenSearch **
opensearch-node1 | ** https://github.com/opensearch-project/security/issues/1755 **
opensearch-node1 | **************************************************************************
opensearch-node1 | OpenSearch Security Demo Installer
opensearch-node1 | ** Warning: Do not use on production or public reachable systems **
opensearch-node1 | Basedir: /usr/share/opensearch
opensearch-node2 |
opensearch-node1 | OpenSearch install type: rpm/deb on Amazon Linux release 2023 (Amazon Linux)
opensearch-node1 | OpenSearch config dir: /usr/share/opensearch/config
opensearch-node1 | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node1 | OpenSearch bin dir: /usr/share/opensearch/bin
opensearch-node1 | OpenSearch plugins dir: /usr/share/opensearch/plugins
opensearch-node1 | OpenSearch lib dir: /usr/share/opensearch/lib
opensearch-node1 | Detected OpenSearch Version: x-content-2.11.1
opensearch-node1 | Detected OpenSearch Security Version: 2.11.1.0
opensearch-node1 |
opensearch-node2 | ### Success
opensearch-node2 | ### Execute this script now on all your nodes and then start all nodes
opensearch-node2 | ### OpenSearch Security will be automatically initialized.
opensearch-node2 | ### If you like to change the runtime configuration
opensearch-node2 | ### change the files in ../../../config/opensearch-security and execute:
opensearch-node2 | "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch-node2 | ### or run ./securityadmin_demo.sh
opensearch-node2 | ### To use the Security Plugin ConfigurationGUI
opensearch-node2 | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
opensearch-node2 | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch-node2 | Disabling OpenSearch Security Plugin
opensearch-node2 | Enabling execution of OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin
opensearch-node1 | ### or run ./securityadmin_demo.sh
opensearch-node1 | ### To use the Security Plugin ConfigurationGUI
opensearch-node1 | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
opensearch-node1 | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch-node1 | Disabling OpenSearch Security Plugin

➜ 2.11.1 curl http://localhost:9200
{
"name" : "opensearch-node1",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "14GfRQJ-Q4Gvagd1hH4evQ",
"version" : {
"distribution" : "opensearch",
"number" : "2.11.1",
"build_type" : "tar",
"build_hash" : "6b1986e964d440be9137eba1413015c31c5a7752",
"build_date" : "2023-11-29T21:45:35.524809067Z",
"build_snapshot" : false,
"lucene_version" : "9.7.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}

2.12.0 test scenarios:

custom opensearch.yml (has setting plugins.security.disabled: true)

opensearch-node2 | Detected OpenSearch Version: 2.12.0
opensearch-node2 | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node1 | /usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.
opensearch-node2 | /usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.

➜ curl http://localhost:9200
{
"name" : "opensearch-node1",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "g_JelkxcTXafoQyC-AScww",
"version" : {
"distribution" : "opensearch",
"number" : "2.12.0",
"build_type" : "tar",
"build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
"build_date" : "2024-02-20T02:20:12.084014282Z",
"build_snapshot" : false,
"lucene_version" : "9.9.2",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}

providing "plugins.security.disabled=true" as env variable in docker-compose

without providing OPENSEARCH_INITIAL_ADMIN_PASSWORD

Attaching to opensearch-node1, opensearch-node2
opensearch-node1 | Enabling OpenSearch Security Plugin
opensearch-node1 | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node1 | OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user.
opensearch-node1 | Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string.
opensearch-node1 | If a password is not provided, the setup will quit.
opensearch-node1 | For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
opensearch-node2 | Enabling OpenSearch Security Plugin
opensearch-node2 | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node2 | OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user.
opensearch-node2 | Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string.
opensearch-node2 | If a password is not provided, the setup will quit.
opensearch-node2 | For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
opensearch-node1 | ### OpenSearch Security Demo Installer
opensearch-node1 | ### ** Warning: Do not use on production or public reachable systems **
opensearch-node2 | ### OpenSearch Security Demo Installer
opensearch-node2 | ### ** Warning: Do not use on production or public reachable systems **
opensearch-node2 | OpenSearch install type: rpm/deb on Linux 6.6.12-linuxkit aarch64
opensearch-node1 | OpenSearch install type: rpm/deb on Linux 6.6.12-linuxkit aarch64
opensearch-node1 | OpenSearch config dir: /usr/share/opensearch/config/
opensearch-node1 | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node1 | OpenSearch bin dir: /usr/share/opensearch/bin/
opensearch-node1 | OpenSearch plugins dir: /usr/share/opensearch/plugins/
opensearch-node1 | OpenSearch lib dir: /usr/share/opensearch/lib/
opensearch-node1 | Detected OpenSearch Version: 2.12.0
opensearch-node1 | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node2 | OpenSearch config dir: /usr/share/opensearch/config/
opensearch-node2 | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node2 | OpenSearch bin dir: /usr/share/opensearch/bin/
opensearch-node2 | OpenSearch plugins dir: /usr/share/opensearch/plugins/
opensearch-node2 | OpenSearch lib dir: /usr/share/opensearch/lib/
opensearch-node2 | Detected OpenSearch Version: 2.12.0
opensearch-node2 | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node1 | No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.
opensearch-node2 | No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.
opensearch-node1 exited with code 1
opensearch-node2 exited with code 1

➜ 2.12.0 curl http://localhost:9200
{
"name" : "opensearch-node1",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "mgQoDpTVS7i90tPJpQzRgw",
"version" : {
"distribution" : "opensearch",
"number" : "2.12.0",
"build_type" : "tar",
"build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
"build_date" : "2024-02-20T02:20:12.084014282Z",
"build_snapshot" : false,
"lucene_version" : "9.9.2",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}

providing OPENSEARCH_INITIAL_ADMIN_PASSWORD

opensearch-node1 | Enabling OpenSearch Security Plugin
opensearch-node1 | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node1 | OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user.
opensearch-node1 | Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string.
opensearch-node1 | If a password is not provided, the setup will quit.
opensearch-node1 | For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
opensearch-node2 | Enabling OpenSearch Security Plugin
opensearch-node2 | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node2 | OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user.
opensearch-node2 | Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string.
opensearch-node2 | If a password is not provided, the setup will quit.
opensearch-node2 | For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
opensearch-node2 | ### OpenSearch Security Demo Installer
opensearch-node2 | ### ** Warning: Do not use on production or public reachable systems **
opensearch-node2 | OpenSearch install type: rpm/deb on Linux 6.6.12-linuxkit aarch64
opensearch-node2 | OpenSearch config dir: /usr/share/opensearch/config/
opensearch-node2 | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node1 | ### OpenSearch Security Demo Installer
opensearch-node1 | ### ** Warning: Do not use on production or public reachable systems **
opensearch-node2 | OpenSearch bin dir: /usr/share/opensearch/bin/
opensearch-node2 | OpenSearch plugins dir: /usr/share/opensearch/plugins/
opensearch-node2 | OpenSearch lib dir: /usr/share/opensearch/lib/
opensearch-node2 | Detected OpenSearch Version: 2.12.0
opensearch-node2 | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node1 | OpenSearch install type: rpm/deb on Linux 6.6.12-linuxkit aarch64
opensearch-node1 | OpenSearch config dir: /usr/share/opensearch/config/
opensearch-node1 | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node1 | OpenSearch bin dir: /usr/share/opensearch/bin/
opensearch-node1 | OpenSearch plugins dir: /usr/share/opensearch/plugins/
opensearch-node1 | OpenSearch lib dir: /usr/share/opensearch/lib/
opensearch-node1 | Detected OpenSearch Version: 2.12.0
opensearch-node1 | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node2 | Admin password set successfully.
opensearch-node1 | Admin password set successfully.
opensearch-node1 | ### Success
opensearch-node1 | ### Execute this script now on all your nodes and then start all nodes
opensearch-node1 | ### OpenSearch Security will be automatically initialized.
opensearch-node1 | ### If you like to change the runtime configuration
opensearch-node2 | ### Success
opensearch-node2 | ### Execute this script now on all your nodes and then start all nodes
opensearch-node1 | ### change the files in ../../../config/opensearch-security and execute:
opensearch-node1 | sudo "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch-node1 | ### or run ./securityadmin_demo.sh
opensearch-node1 | ### To use the Security Plugin ConfigurationGUI
opensearch-node1 | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/<your-custom-admin-password>.
opensearch-node1 | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch-node2 | ### OpenSearch Security will be automatically initialized.
opensearch-node2 | ### If you like to change the runtime configuration
opensearch-node2 | ### change the files in ../../../config/opensearch-security and execute:
opensearch-node2 | sudo "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch-node2 | ### or run ./securityadmin_demo.sh
opensearch-node2 | ### To use the Security Plugin ConfigurationGUI
opensearch-node2 | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/<your-custom-admin-password>.
opensearch-node2 | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)

➜ 2.12.0 curl http://localhost:9200
{
"name" : "opensearch-node1",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "c519SyZKRJOqbqF8gZsAgA",
"version" : {
"distribution" : "opensearch",
"number" : "2.12.0",
"build_type" : "tar",
"build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
"build_date" : "2024-02-20T02:20:12.084014282Z",
"build_snapshot" : false,
"lucene_version" : "9.9.2",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
➜ 2.12.0 curl -XGET "https://localhost:9200/_cat/nodes" -k -u 'admin:myStrongPassword123!'
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

providing DISABLE_SECURITY_PLUGIN=true as env variable in docker-compose (no need for the OPENSEARCH_INITIAL_ADMIN_PASSWORD variable)

opensearch-node2 | Disabling OpenSearch Security Plugin
opensearch-node1 | Disabling OpenSearch Security Plugin

➜ 2.12.0 curl http://localhost:9200
{
"name" : "opensearch-node1",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "mgQoDpTVS7i90tPJpQzRgw",
"version" : {
"distribution" : "opensearch",
"number" : "2.12.0",
"build_type" : "tar",
"build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
"build_date" : "2024-02-20T02:20:12.084014282Z",
"build_snapshot" : false,
"lucene_version" : "9.9.2",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}

@gygitlab As you can see from the logs the behavior for The behavior you discovered actually has existed but didn't surface until 2.12.0 as a custom admin password was required. The documentation for disabling security states that adding the TLDR; not a bug. You can configure this in two ways:
Hope this helps! |
Ok thanks. It's a little confusing as some of the main settings can be passed verbatim as environment variables, e.g. Either way you may want to add this detail into the release notes so others don't get caught out with this indirect change. |
@gygitlab Another piece of information that might help clarify. This block of code states that the environment variables passed to docker are in fact passed as env variables with |
[Triage] this seems related to the default admin credential changes, and that the behavior is working as intended. @gygitlab can you provide any more details or what you want changed so we can turn this into a feature request? If not I think we will close this. |
@derek-ho Looks like in this comment there's a request for more clear documentation of the change in the release notes, not a request for a change in functionality. |
Yeah so the feedback I can give from my perspective is that this was effectively an undocumented breaking change for us and we had to pivot quickly to fix our scripts and environments. I understand that it was a "sleeping" issue but nonetheless the effects were the same and we were in the dark for a while there. Assuming that the behaviour is now correct and that the intention is not to allow TL;DR:
|
@gygitlab Would you mind opening an issue in the documentation-website repository detailing the gap in docs and the changes that should be addressed? |
Just ran into this as well. Definitely a breaking change. I'm so grateful this ticket exists! Much appreciated @gygitlab |
I am still confused. I am trying to set up the most simple environment in local docker compose, and this issue is blocking me.

```yaml
opensearch:
  image: opensearchproject/opensearch:latest
  environment:
    - discovery.type=single-node
    - DISABLE_SECURITY_PLUGIN=true
    #- OPENSEARCH_INITIAL_ADMIN_PASSWORD=admin
  ports:
    - "9200:9200"
    - "9600:9600"
  volumes:
    - opensearch-data:/usr/share/opensearch/data
  networks:
    - my-net
opensearch-dashboards:
  image: opensearchproject/opensearch-dashboards:latest
  ports:
    - "5601:5601"
  environment:
    - OPENSEARCH_HOSTS=http://opensearch:9200
  networks:
    - my-net
```

but still I get |
@MahatmaFatalError I'm doing the same config as you and I am having problems as well. Have you had any luck logging into it? |
nope, it is not working. Very frustrating that progress is stopped by such kind of problems |
@MahatmaFatalError I figured it out! It has to do with some demo config thing? Use "latest" of the containers

Environment vars for OpenSearch container:
Environment vars Dashboard container:
|
thanks, that works 👍 |
Describe the bug

The `plugins.security.disabled` no longer looks to be working in the 2.12 release.

Setting the variable as an environment variable now leads to the following error in the logs:

This setting was working fine in 2.11.

Looking through the Docker documentation specifically there appears to be a different format for this variable:

This does appear to still work but the normal setting does not. This is effectively a breaking change as a result.

Related component

Plugins

To Reproduce

`plugins.security.disabled` set as an environment variable.

Expected behavior

That both `plugins.security.disabled` and its variant `DISABLE_SECURITY_PLUGIN` work when passed in as environment variables.

Additional Details

No response
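
An added example, not code from the OpenSearch project or from anyone in this thread: a preflight check that applies the 2.12.0 startup behaviour shown in the logs above to Compose service definitions, and flags a disabled security plugin whose port 9200 is published beyond localhost. Assumptions: the service names and values are constructed, the input shape follows `docker compose config --format json`, no pre-configured opensearch.yml is mounted, and `DISABLE_INSTALL_DEMO_CONFIG` comes from the OpenSearch Docker documentation rather than from this page.

```python
import json

# Constructed sample; service names and values are made up for this example.
SAMPLE = json.loads("""
{"services": {
  "issue-repro": {"environment": ["discovery.type=single-node",
                                  "plugins.security.disabled=true"],
                  "ports": ["9200:9200"]},
  "entrypoint-off": {"environment": {"DISABLE_SECURITY_PLUGIN": "true"},
                     "ports": [{"target": 9200, "published": "9200"}]},
  "local-only": {"environment": {"DISABLE_SECURITY_PLUGIN": "true"},
                 "ports": ["127.0.0.1:9200:9200"]},
  "setting-plus-password": {
      "environment": {"plugins.security.disabled": "true",
                      "OPENSEARCH_INITIAL_ADMIN_PASSWORD": "<placeholder>"},
      "ports": []}
}}
""")

def env_of(service):
    """Compose accepts environment as a KEY=VALUE list or as a mapping."""
    env = service.get("environment") or {}
    if isinstance(env, list):
        env = dict(i.split("=", 1) if "=" in i else (i, "") for i in env)
    return {k: "" if v is None else str(v) for k, v in env.items()}

def exposed(service, target=9200):
    """True if `target` is published on all host interfaces."""
    for p in service.get("ports") or []:
        if isinstance(p, str):              # "[host_ip:]published:target"
            parts = p.split("/")[0].split(":")
            host_ip = parts[0] if len(parts) == 3 else ""
            tgt = parts[-1]
        else:                               # long form / normalized output
            host_ip, tgt = p.get("host_ip") or "", str(p.get("target", ""))
        if tgt == str(target) and host_ip in ("", "0.0.0.0", "::"):
            return True
    return False

def check(service):
    """Findings for one service, per the 2.12.0 behaviour shown in this thread."""
    env = env_of(service)
    on = lambda key: env.get(key, "").strip().lower() == "true"
    entrypoint_off = on("DISABLE_SECURITY_PLUGIN")
    setting_off = on("plugins.security.disabled")
    # Assumption: no pre-configured opensearch.yml is mounted, so the demo
    # installer runs unless the entrypoint is told to skip it.
    installer_runs = not (entrypoint_off or on("DISABLE_INSTALL_DEMO_CONFIG"))
    has_password = bool(env.get("OPENSEARCH_INITIAL_ADMIN_PASSWORD"))
    findings = []
    if installer_runs and not has_password:
        findings.append("startup-fails-no-admin-password")
    if installer_runs and has_password and setting_off:
        findings.append("demo-config-installed-but-security-off")
    if (entrypoint_off or setting_off) and exposed(service):
        findings.append("unauthenticated-http-exposed")
    return findings

def audit(config):
    return {name: check(svc) for name, svc in config["services"].items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Feed it the output of `docker compose config --format json` in place of `SAMPLE` to check a real project before starting it.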