Security Deprecation message (OpenSearch 2.x): undocumented breaking change

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch 2.4.1

Describe the issue:
I am exploring migrating from OpenSearch 1.3.x to 2.4.1. We have a bash script that resets the password for some internal accounts. Our script calls the hash.sh utility (in the plugins/opensearch-security/tools sub-directory) to get a hash of the new password so we can pass it in on the API call.

The hash.sh script now emits a banner warning indicating that the tool will be deprecated in the next major OpenSearch release prior to returning the hashed password. Unfortunately, this change in output breaks our script (which was only expecting the hashed password as output).

While we can “fix” this, it was disappointing/surprising to have the utility’s output change without notice. I understand the desire/need to inform users of the deprecation and coming change, but this change appears to have been made without any thought of its impact on existing code that uses the tool.

Relevant Logs or Screenshots:

The current (OpenSearch 2.4.1) output:

-bash-4.2$ kubectl -n logging exec v4m-search-0 -c opensearch --  /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh -p mypassword
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
$2y$12$gaqL2Hm29jWjb8otxUMbbeftVg1JYELZiQb1ji6kaRGLs4MPF4zTu

The expected (previous) output:

-bash-4.2$ kubectl -n logging exec v4m-search-0 -c opensearch --  /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh -p mypassword
$2y$12$gaqL2Hm29jWjb8otxUMbbeftVg1JYELZiQb1ji6kaRGLs4MPF4zTu
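One way to make a calling script tolerant of the banner, as an added example (not part of the original post and not OpenSearch project code): select the single line that is a well-formed bcrypt hash instead of assuming the hash is the tool's only output. The function and variable names are hypothetical; the sample output is the one shown in the post.

```shell
#!/bin/sh
# Added example: extract exactly one bcrypt hash from hash.sh output,
# ignoring banner or warning lines. Names here are hypothetical.

extract_bcrypt_hash() {
  local matches count
  # Drop CRs (added when output passes through a TTY), then keep only lines
  # that are entirely a bcrypt hash: $2a/$2b/$2y, two-digit cost, and
  # 53 characters of salt plus digest.
  matches=$(tr -d '\r' | grep -E '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' || true)
  count=$(printf '%s' "$matches" | grep -c . || true)
  # Fail closed: never pass banner text or an ambiguous result to the API.
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one bcrypt hash, found $count" >&2
    return 1
  fi
  printf '%s\n' "$matches"
}

# Sample tool output, taken from the post (2.4.1 with banner, 1.3.x without).
SAMPLE_2X='**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
$2y$12$gaqL2Hm29jWjb8otxUMbbeftVg1JYELZiQb1ji6kaRGLs4MPF4zTu'
SAMPLE_1X='$2y$12$gaqL2Hm29jWjb8otxUMbbeftVg1JYELZiQb1ji6kaRGLs4MPF4zTu'

# Both output shapes yield the same single hash line.
printf '%s\n' "$SAMPLE_2X" | extract_bcrypt_hash
printf '%s\n' "$SAMPLE_1X" | extract_bcrypt_hash
```

In the script from the post, the `kubectl ... hash.sh -p ...` command would be piped into `extract_bcrypt_hash`, and a non-zero return should stop the script before the password-reset API call is made.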