Pass in initial admin password and remove admin:admin references (opensearch-project#631)

derek-ho · web-flow · commit d3177a8bcb02 · 2024-06-18T11:44:21.000-04:00
* Update to pass in initial admin password

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;

* Add changelog and logic to distinguish between versions

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;

* fix syntax

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;

* Revert tests

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;

* Add 2.12 to the matrix and fix testing logic

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;

* Fix version logic

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;

* Try to split job into two batches

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;

* Fix lint

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;

* Change name

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;

* Remove period

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;

* Pull password dynamically

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;

* Change to proper env var

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;

* Try passing through

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;

---------

Signed-off-by: Derek Ho &lt;dxho@amazon.com&gt;
Signed-off-by: Derek Ho &lt;derek01778@gmail.com&gt;
diff --git a/.ci/run-opensearch.sh b/.ci/run-opensearch.sh
@@ -27,6 +27,7 @@ environment=($(cat <<-END
   --env path.repo=/tmp
   --env repositories.url.allowed_urls=http://snapshot.test*
   --env action.destructive_requires_name=false
+  --env OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123!
 END
 ))
 
@@ -54,14 +55,23 @@ END
 END
 ))
 
+OPENSEARCH_REQUIRED_VERSION="2.12.0"
+# Starting in 2.12.0, security demo configuration script requires an initial admin password
+COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1`
+if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then
+  CREDENTIAL="admin:admin"
+else
+  CREDENTIAL="admin:myStrongPassword123!"
+fi
+
   # make sure we detach for all but the last node if DETACH=false (default) so all nodes are started
   local_detach="true"
   if [[ "$i" == "$((NUMBER_OF_NODES-1))" ]]; then local_detach=$DETACH; fi
 
   set -x
   healthcmd="curl -vvv -s --fail http://localhost:9200/_cluster/health || exit 1"
   if [[ "$SECURE_INTEGRATION" == "true" ]]; then
-    healthcmd="curl -vvv -s --insecure -u admin:admin --fail https://localhost:9200/_cluster/health || exit 1"
+    healthcmd="curl -vvv -s --insecure -u $CREDENTIAL --fail https://localhost:9200/_cluster/health || exit 1"
   fi
 
   CLUSTER_TAG=$CLUSTER
diff --git a/.ci/run-repository.sh b/.ci/run-repository.sh
@@ -30,7 +30,27 @@ docker build \
 echo -e "\033[1m>>>>> Run [opensearch-project/opensearch-py container] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>\033[0m"
 
 mkdir -p junit
-docker run \
+
+OPENSEARCH_REQUIRED_VERSION="2.12.0"
+# Starting in 2.12.0, security demo configuration script requires an initial admin password
+COMPARE_VERSION=`echo $OPENSEARCH_REQUIRED_VERSION $OPENSEARCH_VERSION | tr ' ' '\n' | sort -V | uniq | head -n 1`
+if [ "$COMPARE_VERSION" != "$OPENSEARCH_REQUIRED_VERSION" ]; then
+  docker run \
+  --network=${network_name} \
+  --env "STACK_VERSION=${STACK_VERSION}" \
+  --env "OPENSEARCH_URL=${opensearch_url}" \
+  --env "OPENSEARCH_VERSION=${OPENSEARCH_VERSION}" \
+  --env "TEST_SUITE=${TEST_SUITE}" \
+  --env "PYTHON_CONNECTION_CLASS=${PYTHON_CONNECTION_CLASS}" \
+  --env "TEST_TYPE=server" \
+  --env "TEST_PATTERN=${TEST_PATTERN}" \
+  --env "OPENSEARCH_INITIAL_ADMIN_PASSWORD=admin" \
+  --name opensearch-py \
+  --rm \
+  opensearch-project/opensearch-py \
+  python setup.py test
+else
+  docker run \
   --network=${network_name} \
   --env "STACK_VERSION=${STACK_VERSION}" \
   --env "OPENSEARCH_URL=${opensearch_url}" \
@@ -39,9 +59,11 @@ docker run \
   --env "PYTHON_CONNECTION_CLASS=${PYTHON_CONNECTION_CLASS}" \
   --env "TEST_TYPE=server" \
   --env "TEST_PATTERN=${TEST_PATTERN}" \
+  --env "OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123!" \
   --name opensearch-py \
   --rm \
   opensearch-project/opensearch-py \
   python setup.py test
+fi
 
 unset TEST_PATTERN
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -3,8 +3,8 @@ name: Integration Tests
 on: [push, pull_request]
 
 jobs:
-  integration:
-    name: Integ
+  integration-pre-212:
+    name: Integ-pre-212
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -22,3 +22,21 @@ jobs:
         uses: actions/checkout@v3
       - name: Integ OpenSearch secured=${{ matrix.secured }} version=${{ matrix.opensearch_version }}
         run: "./.ci/run-tests ${{ matrix.secured }} ${{ matrix.opensearch_version }}"
+
+  integration-post-212:
+    name: Integ-post-212
+    runs-on: ubuntu-latest
+    env:
+      OPENSEARCH_URL: 'https://admin:myStrongPassword123!@localhost:9200'
+      OPENSEARCH_INITIAL_ADMIN_PASSWORD: 'myStrongPassword123!'
+    strategy:
+      fail-fast: false
+      matrix:
+        opensearch_version: [ '2.12.0', '2.13.0', '2.14.0' ]
+        secured: [ "true", "false" ]
+        
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Integ OpenSearch secured=${{ matrix.secured }} version=${{ matrix.opensearch_version }}
+        run: "./.ci/run-tests ${{ matrix.secured }} ${{ matrix.opensearch_version }}"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -62,6 +62,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - Enhance generator to update changelog only if generated code differs from existing ([#684](https://github.com/opensearch-project/opensearch-py/pull/684))
 - Added guide for configuring ssl_assert_hostname ([#694](https://github.com/opensearch-project/opensearch-py/pull/694))
 ### Changed
+- Pass in initial admin password in setup and remove default `admin` password ([#631](https://github.com/opensearch-project/opensearch-py/pull/631))
 - Updated the `get_policy` API in the index_management plugin to allow the policy_id argument as optional ([#633](https://github.com/opensearch-project/opensearch-py/pull/633))
 - Updated the `point_in_time.md` guide with examples demonstrating the usage of the new APIs as alternatives to the deprecated ones. ([#661](https://github.com/opensearch-project/opensearch-py/pull/661))
 ### Deprecated
diff --git a/guides/index_lifecycle.md b/guides/index_lifecycle.md
@@ -13,7 +13,7 @@ This guide covers OpenSearch Python Client API actions for Index Lifecycle. You'
 
 ## Setup
 
-In this guide, we will need an OpenSearch cluster with more than one node. Let's use the sample [docker-compose.yml](https://opensearch.org/samples/docker-compose.yml) to start a cluster with two nodes. The cluster's API will be available at `localhost:9200` with basic authentication enabled with default username and password of `admin:admin`.
+In this guide, we will need an OpenSearch cluster with more than one node. Let's use the sample [docker-compose.yml](https://opensearch.org/samples/docker-compose.yml) to start a cluster with two nodes. The cluster's API will be available at `localhost:9200` with basic authentication enabled with default username and password of `admin:<admin password>`.
 
 To start the cluster, run the following command:
 
@@ -28,7 +28,7 @@ Let's create a client instance to access this cluster:
 from opensearchpy import OpenSearch
 
 client = OpenSearch(
-  hosts=['https://admin:admin@localhost:9200'],
+  hosts=['https://admin:<admin password>@localhost:9200'],
   use_ssl=True,
   verify_certs=False
 )
diff --git a/guides/log_collection.md b/guides/log_collection.md
@@ -36,19 +36,19 @@ docker pull opensearchproject/opensearch:latest
 ```
 
 ```
-docker run -d -p 9200:9200 -p 9600:9600 --name opensearch_opensearch_1 -e "discovery.type=single-node" opensearchproject/opensearch:latest 
+docker run -d -p 9200:9200 -p 9600:9600 --name opensearch_opensearch_1 -e "discovery.type=single-node" -e "OPENSEARCH_INITIAL_ADMIN_PASSWORD=<admin password>" opensearchproject/opensearch:latest 
 ```
 
 ## Setup Connection with OpenSearch
 
 Create a client instance:
 ```python
     opensearch_client: Any = OpenSearch(
-        "https://admin:admin@localhost:9200",
+        "https://admin:<admin password>@localhost:9200",
         use_ssl=True,
         verify_certs=False,
         ssl_show_warn=False,
-        http_auth=("admin", "admin"),
+        http_auth=("admin", "<admin password>"),
     )
 ```
 
diff --git a/test_opensearchpy/test_async/test_server/__init__.py b/test_opensearchpy/test_async/test_server/__init__.py
@@ -25,6 +25,7 @@
 #  under the License.
 
 
+import os
 from unittest import IsolatedAsyncioTestCase
 
 from opensearchpy._async.helpers.test import get_test_client
@@ -38,8 +39,9 @@ async def asyncSetUp(
         self,
     ) -> None:
         # pylint: disable=invalid-name,missing-function-docstring
+        password = os.environ.get("OPENSEARCH_INITIAL_ADMIN_PASSWORD", "admin")
         self.client = await get_test_client(
-            verify_certs=False, http_auth=("admin", "admin")
+            verify_certs=False, http_auth=("admin", password)
         )
         await add_connection("default", self.client)
 
diff --git a/test_opensearchpy/test_async/test_server_secured/test_security_plugin.py b/test_opensearchpy/test_async/test_server_secured/test_security_plugin.py
@@ -10,6 +10,7 @@
 
 from __future__ import unicode_literals
 
+import os
 from unittest import IsolatedAsyncioTestCase
 
 import pytest
@@ -42,8 +43,9 @@ class TestSecurityPlugin(IsolatedAsyncioTestCase):
 
     async def asyncSetUp(self) -> None:
         # pylint: disable=invalid-name, missing-function-docstring
+        password = os.environ.get("OPENSEARCH_INITIAL_ADMIN_PASSWORD", "admin")
         self.client = await get_test_client(
-            verify_certs=False, http_auth=("admin", "admin")
+            verify_certs=False, http_auth=("admin", password)
         )
         await add_connection("default", self.client)
 
diff --git a/test_opensearchpy/test_server_secured/test_clients.py b/test_opensearchpy/test_server_secured/test_clients.py
@@ -7,6 +7,7 @@
 # Modifications Copyright OpenSearch Contributors. See
 # GitHub history for details.
 
+import os
 from unittest import TestCase
 
 from opensearchpy import OpenSearch
@@ -15,9 +16,10 @@
 
 class TestSecurity(TestCase):
     def test_security(self) -> None:
+        password = os.environ.get("OPENSEARCH_INITIAL_ADMIN_PASSWORD", "admin")
         client = OpenSearch(
             OPENSEARCH_URL,
-            http_auth=("admin", "admin"),
+            http_auth=("admin", password),
             verify_certs=False,
         )
 
diff --git a/test_opensearchpy/test_server_secured/test_security_plugin.py b/test_opensearchpy/test_server_secured/test_security_plugin.py
@@ -10,6 +10,7 @@
 
 from __future__ import unicode_literals
 
+import os
 from unittest import TestCase
 
 from opensearchpy.connection.connections import add_connection
@@ -36,7 +37,8 @@ class TestSecurityPlugin(TestCase):
     USER_CONTENT = {"password": "opensearchpy@123", "opendistro_security_roles": []}
 
     def setUp(self) -> None:
-        self.client = get_test_client(verify_certs=False, http_auth=("admin", "admin"))
+        password = os.environ.get("OPENSEARCH_INITIAL_ADMIN_PASSWORD", "admin")
+        self.client = get_test_client(verify_certs=False, http_auth=("admin", password))
         add_connection("default", self.client)
 
     def tearDown(self) -> None:
