Hi! Assuming I am not able to deploy the opensearch security plugin due to legal issues, is there any hope for me to deploy OpenSearch into a k8s cluster with different admin credentials than admin:admin?
The only thought I had so far would be to download and modify the source code to have a random password, then build from that.
Is that possible do you think or is there any better way?
Sorry for the ridiculous requirement, consider it a hypothetical problem if that helps
@nethlaria If you can’t deploy the security plugin then you don’t need to set an admin password as the login feature is part of the security plugin.
Hi @pablo. I must be missing something then, when I spin up a local opensearch cluster using docker compose, it seems to have admin:admin out of the box, this is how I log in to the dashboard at :5601. In fact there don’t seem to be any other users available.
The initial internal user databases are defined in a yml file that lives on disk. The documentation at YAML files - OpenSearch documentation under the section “internal_users.yml” might help clear things up.
Ah I see I was confused between the default dashboard login and the actual OpenSearch credentials.
Also at first I had the docker compose version running, did some experiments then tried out the minimal distro here and assumed the admin:admin creds would be the same for logstash, not realising that any credentials would work.
New question: is there any way to have even basic http authentication without the security plugin?
You can disable the security plugin (Disable security - OpenSearch documentation) and add a nginx or apache2 container to your docker-compose file configured as a reverse proxy with basic auth authentication.
@lguillaud thanks for this suggestion - I was thinking about making a plugin (there is an elasticsearch openssl proxy already that I can use) but this might well be better. It would be in k8s so I would define an nginx sidecar.
@lguillaud sorry for bumping an old-ish thread but do you have any advice in getting multi-node clusters to talk via reverse proxy (on port 9300 or the proxied equivalent)? Following the Nginx docs: TCP and UDP Load Balancing | NGINX Plus we couldn’t figure out how the nodes would know the certs etc to use for that protocol…
Looking at the ES docs, one would use the xpack.security.transport settings but we think that’s not possible with OS and/or without the security plugin
I am not sure I will answer right but here the configuration I am using for an API (using uwsgi) with a self-signed certificate for nginx. There are two API endpoints (backend_1 and backend_2) load-balanced by a ssl-ized nginx (upstream).
I would imagine you are trying to do the same but with your OS cluster.