Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Password set in OPENSEARCH_INITIAL_ADMIN_PASSWORD actually not used, OpenSearch uses the default password #178

Open
svok opened this issue May 18, 2024 · 4 comments
Open

[BUG] Password set in OPENSEARCH_INITIAL_ADMIN_PASSWORD actually not used, OpenSearch uses the default password #178

svok opened this issue May 18, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@svok
Copy link

svok commented May 18, 2024

Describe the bug

I use docker-compose file with the following content:

  fluent-bit:
    container_name: fluent-bit
    image: fluent/fluent-bit
    ports:
      - "24224:24224"
      - "24224:24224/udp"
      - "2020:2020"
    environment:
      - opensearch_host=opensearch
      - opensearch_user=admin
      - opensearch_pass=admin # THIS IS WOERKING
#      - opensearch_pass=adm-Password0 # THIS IS NOT WORKING
    volumes:
      - ./volumes/fluent-bit-etc/fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf
      - ./volumes/fluent-bit-etc/parsers.conf:/fluent-bit/etc/parsers.conf

  opensearch:
    container_name: opensearch
    image: opensearchproject/opensearch:latest
    environment:
      - discovery.type=single-node
      - http.port=9200
      - bootstrap.memory_lock=true
      - ES_JAVA_OPTS=-Xms512m -Xmx512m
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=adm-Password0
    ports:
      - '9200:9200'
      - '9600:9600'
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - opensearch-data:/usr/share/opensearch/data

In this docker-compose I set OPENSEARCH_INITIAL_ADMIN_PASSWORD with 'adm-Password0' for OpenSearch. Fluentbit uses OpenSearch for disposing logs. But it doesn't work with password of OpenSearch. It works actually only with the default password 'admin'.

According to https://opensearch.org/blog/replacing-default-admin-credentials/ I have to use 'adm-Password0' indeed. But the test from this blog is not passing. It is getting passed if I use the default password 'admin'.

curl -ku admin:admin https://localhost:9200/_cluster/health?pretty
{
  "cluster_name" : "docker-cluster",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 45,
  "active_shards" : 45,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 37,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 54.87804878048781
}

On the other hand, variable OPENSEARCH_INITIAL_ADMIN_PASSWORD is used indeed. If I remove it from the configuration I get the following error:

No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.

Related component

Other

To Reproduce

  1. Use above docker-compose to start OpenSearch
  2. Use curl -ku admin:adm-Password0 https://localhost:9200/_cluster/health?pretty
  3. See error

Expected behavior

OpenSearch should use password that is set via OPENSEARCH_INITIAL_ADMIN_PASSWORD variable. Requests with default password admin should cause 403 error.

Additional Details

Plugins
By default in docker image of OpenSearch

Screenshots
Not applicable

Host/Environment (please complete the following information):

  • OS: Linux Ubuntu
  • Version 20.04
  • OpenSearch docker image 756d24015378
  • OpenSearch version: 2.14.0
  • Docker Compose version v2.27.0

Additional context
Nothing special
@svok svok added bug Something isn't working untriaged Issues that have not yet been triaged labels May 18, 2024
@dblock dblock transferred this issue from opensearch-project/OpenSearch May 20, 2024
@dblock
Copy link
Member

dblock commented May 20, 2024

Does your cluster fail to start with an error along the lines of "this password doesn't meet complexity requirements"? Try with a password that we know works, like yourStrongPassword123!?

@gaiksaya
Copy link
Member

Hi @svok ,

The volume attached to the docker container, does it already contain the security index? If possible can you destroy the volume or attach a new one to see if it takes effect?

@gaiksaya gaiksaya removed the untriaged Issues that have not yet been triaged label May 21, 2024
@svok
Copy link
Author

svok commented May 22, 2024

@dblock

Does your cluster fail to start with an error along the lines of "this password doesn't meet complexity requirements"? Try with a password that we know works, like yourStrongPassword123!?

  1. I have no cluster. In the issue the official docker image is discussed
  2. I have no problems with providing password. The issue says that provided password in fact is not used

@svok
Copy link
Author

svok commented May 22, 2024

@gaiksaya
Thank you. You are absolutely right. The volume really changes the used password.
In spite of this solves my own problem, there are yet two questions remaining:

  1. Is it correct that the password is required in OPENSEARCH_INITIAL_ADMIN_PASSWORD if it is really not used?
  2. Is it correct that stored password is not affected by the password policy and no warnings are placed in logs on that?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dblock @svok @gaiksaya