From d3177a8bcb023e23ebaae3a289189949113dd7b1 Mon Sep 17 00:00:00 2001 From: Derek Ho Date: Tue, 18 Jun 2024 11:44:21 -0400 Subject: [PATCH] Pass in initial admin password and remove admin:admin references (#631) * Update to pass in initial admin password Signed-off-by: Derek Ho * Add changelog and logic to distinguish between versions Signed-off-by: Derek Ho * fix syntax Signed-off-by: Derek Ho * Revert tests Signed-off-by: Derek Ho * Add 2.12 to the matrix and fix testing logic Signed-off-by: Derek Ho * Fix version logic Signed-off-by: Derek Ho * Try to split job into two batches Signed-off-by: Derek Ho * Fix lint Signed-off-by: Derek Ho * Change name Signed-off-by: Derek Ho * Remove period Signed-off-by: Derek Ho * Pull password dynamically Signed-off-by: Derek Ho * Change to proper env var Signed-off-by: Derek Ho * Try passing through Signed-off-by: Derek Ho --------- Signed-off-by: Derek Ho Signed-off-by: Derek Ho --- .ci/run-opensearch.sh | 12 +++++++++- .ci/run-repository.sh | 24 ++++++++++++++++++- .github/workflows/integration.yml | 22 +++++++++++++++-- CHANGELOG.md | 1 + guides/index_lifecycle.md | 4 ++-- guides/log_collection.md | 6 ++--- .../test_async/test_server/__init__.py | 4 +++- .../test_security_plugin.py | 4 +++- .../test_server_secured/test_clients.py | 4 +++- .../test_security_plugin.py | 4 +++- 10 files changed, 72 insertions(+), 13 deletions(-) diff --git a/.ci/run-opensearch.sh b/.ci/run-opensearch.sh index 87ad1afe2..cb05bd348 100755 --- a/.ci/run-opensearch.sh +++ b/.ci/run-opensearch.sh @@ -27,6 +27,7 @@ environment=($(cat <<-END --env path.repo=/tmp --env repositories.url.allowed_urls=http://snapshot.test* --env action.destructive_requires_name=false + --env OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123! END )) @@ -54,6 +55,15 @@ END END )) +OPENSEARCH_REQUIRED_VERSION="2.12.0" +# Starting in 2.12.0, security demo configuration script requires an initial admin password +COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1` +if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then + CREDENTIAL="admin:admin" +else + CREDENTIAL="admin:myStrongPassword123!" +fi + # make sure we detach for all but the last node if DETACH=false (default) so all nodes are started local_detach="true" if [[ "$i" == "$((NUMBER_OF_NODES-1))" ]]; then local_detach=$DETACH; fi @@ -61,7 +71,7 @@ END set -x healthcmd="curl -vvv -s --fail http://localhost:9200/_cluster/health || exit 1" if [[ "$SECURE_INTEGRATION" == "true" ]]; then - healthcmd="curl -vvv -s --insecure -u admin:admin --fail https://localhost:9200/_cluster/health || exit 1" + healthcmd="curl -vvv -s --insecure -u $CREDENTIAL --fail https://localhost:9200/_cluster/health || exit 1" fi CLUSTER_TAG=$CLUSTER diff --git a/.ci/run-repository.sh b/.ci/run-repository.sh index df9daae2b..4ad01d69f 100755 --- a/.ci/run-repository.sh +++ b/.ci/run-repository.sh @@ -30,7 +30,27 @@ docker build \ echo -e "\033[1m>>>>> Run [opensearch-project/opensearch-py container] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>\033[0m" mkdir -p junit -docker run \ + +OPENSEARCH_REQUIRED_VERSION="2.12.0" +# Starting in 2.12.0, security demo configuration script requires an initial admin password +COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1` +if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then + docker run \ + --network=${network_name} \ + --env "STACK_VERSION=${STACK_VERSION}" \ + --env "OPENSEARCH_URL=${opensearch_url}" \ + --env "OPENSEARCH_VERSION=${OPENSEARCH_VERSION}" \ + --env "TEST_SUITE=${TEST_SUITE}" \ + --env "PYTHON_CONNECTION_CLASS=${PYTHON_CONNECTION_CLASS}" \ + --env "TEST_TYPE=server" \ + --env "TEST_PATTERN=${TEST_PATTERN}" \ + --env "OPENSEARCH_INITIAL_ADMIN_PASSWORD=admin" \ + --name opensearch-py \ + --rm \ + opensearch-project/opensearch-py \ + python setup.py test +else + docker run \ --network=${network_name} \ --env "STACK_VERSION=${STACK_VERSION}" \ --env "OPENSEARCH_URL=${opensearch_url}" \ @@ -39,9 +59,11 @@ docker run \ --env "PYTHON_CONNECTION_CLASS=${PYTHON_CONNECTION_CLASS}" \ --env "TEST_TYPE=server" \ --env "TEST_PATTERN=${TEST_PATTERN}" \ + --env "OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123!" \ --name opensearch-py \ --rm \ opensearch-project/opensearch-py \ python setup.py test +fi unset TEST_PATTERN diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 599909026..dd8f28043 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -3,8 +3,8 @@ name: Integration Tests on: [push, pull_request] jobs: - integration: - name: Integ + integration-pre-212: + name: Integ-pre-212 runs-on: ubuntu-latest strategy: fail-fast: false @@ -22,3 +22,21 @@ jobs: uses: actions/checkout@v3 - name: Integ OpenSearch secured=${{ matrix.secured }} version=${{ matrix.opensearch_version }} run: "./.ci/run-tests ${{ matrix.secured }} ${{ matrix.opensearch_version }}" + + integration-post-212: + name: Integ-post-212 + runs-on: ubuntu-latest + env: + OPENSEARCH_URL: 'https://admin:myStrongPassword123!@localhost:9200' + OPENSEARCH_INITIAL_ADMIN_PASSWORD: 'myStrongPassword123!' + strategy: + fail-fast: false + matrix: + opensearch_version: [ '2.12.0', '2.13.0', '2.14.0' ] + secured: [ "true", "false" ] + + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Integ OpenSearch secured=${{ matrix.secured }} version=${{ matrix.opensearch_version }} + run: "./.ci/run-tests ${{ matrix.secured }} ${{ matrix.opensearch_version }}" diff --git a/CHANGELOG.md b/CHANGELOG.md index d37dd32d5..eff1e4d37 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -62,6 +62,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - Enhance generator to update changelog only if generated code differs from existing ([#684](https://github.com/opensearch-project/opensearch-py/pull/684)) - Added guide for configuring ssl_assert_hostname ([#694](https://github.com/opensearch-project/opensearch-py/pull/694)) ### Changed +- Pass in initial admin password in setup and remove default `admin` password ([#631](https://github.com/opensearch-project/opensearch-py/pull/631)) - Updated the `get_policy` API in the index_management plugin to allow the policy_id argument as optional ([#633](https://github.com/opensearch-project/opensearch-py/pull/633)) - Updated the `point_in_time.md` guide with examples demonstrating the usage of the new APIs as alternatives to the deprecated ones. ([#661](https://github.com/opensearch-project/opensearch-py/pull/661)) ### Deprecated diff --git a/guides/index_lifecycle.md b/guides/index_lifecycle.md index 6971ebce6..3324e6a28 100644 --- a/guides/index_lifecycle.md +++ b/guides/index_lifecycle.md @@ -13,7 +13,7 @@ This guide covers OpenSearch Python Client API actions for Index Lifecycle. You' ## Setup -In this guide, we will need an OpenSearch cluster with more than one node. Let's use the sample [docker-compose.yml](https://opensearch.org/samples/docker-compose.yml) to start a cluster with two nodes. The cluster's API will be available at `localhost:9200` with basic authentication enabled with default username and password of `admin:admin`. +In this guide, we will need an OpenSearch cluster with more than one node. Let's use the sample [docker-compose.yml](https://opensearch.org/samples/docker-compose.yml) to start a cluster with two nodes. The cluster's API will be available at `localhost:9200` with basic authentication enabled with default username and password of `admin:`. To start the cluster, run the following command: @@ -28,7 +28,7 @@ Let's create a client instance to access this cluster: from opensearchpy import OpenSearch client = OpenSearch( - hosts=['https://admin:admin@localhost:9200'], + hosts=['https://admin:@localhost:9200'], use_ssl=True, verify_certs=False ) diff --git a/guides/log_collection.md b/guides/log_collection.md index ed07c4da3..43f2d60e3 100644 --- a/guides/log_collection.md +++ b/guides/log_collection.md @@ -36,7 +36,7 @@ docker pull opensearchproject/opensearch:latest ``` ``` -docker run -d -p 9200:9200 -p 9600:9600 --name opensearch_opensearch_1 -e "discovery.type=single-node" opensearchproject/opensearch:latest +docker run -d -p 9200:9200 -p 9600:9600 --name opensearch_opensearch_1 -e "discovery.type=single-node" -e "OPENSEARCH_INITIAL_ADMIN_PASSWORD=" opensearchproject/opensearch:latest ``` ## Setup Connection with OpenSearch @@ -44,11 +44,11 @@ docker run -d -p 9200:9200 -p 9600:9600 --name opensearch_opensearch_1 -e "disco Create a client instance: ```python opensearch_client: Any = OpenSearch( - "https://admin:admin@localhost:9200", + "https://admin:@localhost:9200", use_ssl=True, verify_certs=False, ssl_show_warn=False, - http_auth=("admin", "admin"), + http_auth=("admin", ""), ) ``` diff --git a/test_opensearchpy/test_async/test_server/__init__.py b/test_opensearchpy/test_async/test_server/__init__.py index ef07ae080..1092cbdf2 100644 --- a/test_opensearchpy/test_async/test_server/__init__.py +++ b/test_opensearchpy/test_async/test_server/__init__.py @@ -25,6 +25,7 @@ # under the License. +import os from unittest import IsolatedAsyncioTestCase from opensearchpy._async.helpers.test import get_test_client @@ -38,8 +39,9 @@ async def asyncSetUp( self, ) -> None: # pylint: disable=invalid-name,missing-function-docstring + password = os.environ.get("OPENSEARCH_INITIAL_ADMIN_PASSWORD", "admin") self.client = await get_test_client( - verify_certs=False, http_auth=("admin", "admin") + verify_certs=False, http_auth=("admin", password) ) await add_connection("default", self.client) diff --git a/test_opensearchpy/test_async/test_server_secured/test_security_plugin.py b/test_opensearchpy/test_async/test_server_secured/test_security_plugin.py index bb8c9957c..9b4bacde6 100644 --- a/test_opensearchpy/test_async/test_server_secured/test_security_plugin.py +++ b/test_opensearchpy/test_async/test_server_secured/test_security_plugin.py @@ -10,6 +10,7 @@ from __future__ import unicode_literals +import os from unittest import IsolatedAsyncioTestCase import pytest @@ -42,8 +43,9 @@ class TestSecurityPlugin(IsolatedAsyncioTestCase): async def asyncSetUp(self) -> None: # pylint: disable=invalid-name, missing-function-docstring + password = os.environ.get("OPENSEARCH_INITIAL_ADMIN_PASSWORD", "admin") self.client = await get_test_client( - verify_certs=False, http_auth=("admin", "admin") + verify_certs=False, http_auth=("admin", password) ) await add_connection("default", self.client) diff --git a/test_opensearchpy/test_server_secured/test_clients.py b/test_opensearchpy/test_server_secured/test_clients.py index c885b58df..d959cd519 100644 --- a/test_opensearchpy/test_server_secured/test_clients.py +++ b/test_opensearchpy/test_server_secured/test_clients.py @@ -7,6 +7,7 @@ # Modifications Copyright OpenSearch Contributors. See # GitHub history for details. +import os from unittest import TestCase from opensearchpy import OpenSearch @@ -15,9 +16,10 @@ class TestSecurity(TestCase): def test_security(self) -> None: + password = os.environ.get("OPENSEARCH_INITIAL_ADMIN_PASSWORD", "admin") client = OpenSearch( OPENSEARCH_URL, - http_auth=("admin", "admin"), + http_auth=("admin", password), verify_certs=False, ) diff --git a/test_opensearchpy/test_server_secured/test_security_plugin.py b/test_opensearchpy/test_server_secured/test_security_plugin.py index 8f8c6937f..55443989b 100644 --- a/test_opensearchpy/test_server_secured/test_security_plugin.py +++ b/test_opensearchpy/test_server_secured/test_security_plugin.py @@ -10,6 +10,7 @@ from __future__ import unicode_literals +import os from unittest import TestCase from opensearchpy.connection.connections import add_connection @@ -36,7 +37,8 @@ class TestSecurityPlugin(TestCase): USER_CONTENT = {"password": "opensearchpy@123", "opendistro_security_roles": []} def setUp(self) -> None: - self.client = get_test_client(verify_certs=False, http_auth=("admin", "admin")) + password = os.environ.get("OPENSEARCH_INITIAL_ADMIN_PASSWORD", "admin") + self.client = get_test_client(verify_certs=False, http_auth=("admin", password)) add_connection("default", self.client) def tearDown(self) -> None: