Security On opensearch

Security
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Open search 2.10

Describe the issue:
Added security to opensearch, its considering by default username as admin and pwd as admin, not able to change that in the configuration

Configuration:

---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: opensearch
spec:
  serviceName: "opensearch"
  replicas: 1
  selector:
    matchLabels:
      app: opensearch
  template:
    metadata:
      labels:
        app: opensearch
    spec:
      securityContext:
        runAsUser: 1000
        fsGroup: 1000
      containers:
      - name: opensearch
        image: opensearchproject/opensearch:2.10.0
        env:
        - name: OPENSEARCH_JAVA_OPTS
          value: "-Xms2g -Xmx2g"
        - name: node.name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: cluster.name
          value: opensearch-cluster
        - name: node.name
          value: opensearch
        - name: discovery.seed_hosts
          value: opensearch
        - name: cluster.initial_cluster_manager_nodes
          value: opensearch
        - name: JAVA_HOME
          value: /usr/share/opensearch/jdk
        - name: DISABLE_SECURITY_PLUGIN
          value: "false"
        - name: plugins.security.restapi.roles_enabled
          value: all_access, security_rest_api_access
        ports:
        - containerPort: 9200
          name: http
        - containerPort: 9300
          name: transport
        volumeMounts:
        - name: config
          mountPath: /usr/share/opensearch/config/opensearch-security/config.yml
          subPath: config.yml
        - name: roles
          mountPath: /usr/share/opensearch/config/opensearch-security/roles.yml
          subPath: roles.yml
        - name: rolemap
          mountPath: /usr/share/opensearch/config/opensearch-security/roles_mapping.yml
          subPath: roles_mapping.yml
        - name: opensearch-data
          mountPath: /usr/share/opensearch/data
      volumes:
      - name: config
        configMap:
          name: opensearch-config
      - name: rolemap
        configMap:
          name: rolemap-config
      - name: roles
        configMap:
          name: role-config
      - name: opensearch-data
        persistentVolumeClaim:
          claimName: opensearch-pvc
---

Relevant Logs or Screenshots:
But not able to change the pwd of opensearch after modifying the config file could you please suggest how can we change the default pwd

2

@Sarala The admin password can be changed only by securityadmin.sh script.

3

Hi @pablo,
Trying to change the password for admin but not sure how to move forward any idea? how to change the default password for opensearch adn opensearch-dashboard for Kubernetes manifests?

4

@Sarala Did you follow the suggested documentation?
Once the nodes are deployed with charts then the only way to update the admin’s password is with securityadmin.sh script.

First you need to hash the password with the hash.sh tool.

[opensearch@bc92c8c73b26 ~]$ /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
[Password:]
$2y$12$XN3gMw.MkQhQon5QHd4PPOX55Y3sXFVlO9pfTwW0BKqC9Ak7faev6

Then use the hash password in the internal_users.yml file and replace the existing hash of the admin user.

admin:
  hash: "$2y$12$XN3gMw.MkQhQon5QHd4PPOX55Y3sXFVlO9pfTwW0BKqC9Ak7faev6"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"

Next, use the securityadmin.sh script to upload the updated password to the cluster.
Please run the backup of the security configuration first, then change the hash of the admin user and upload back updated files.
Please be aware that updating without the back overwrites changes in the security configuration if they were made through the OpenSearch Dashboards portal.