[BUG] DemoConfig gets read after upgrade #4735

dhoffend · 2024-09-16T10:49:47Z

What is the bug?
After upgrading opensearch software on our server, the can't start because the democonfig installer is re-adding the security demo configuration in out working production config.

How can one reproduce the bug?
Steps to reproduce the behavior:

Install oder opensearch version
configuration plugin.security in an hierarchic style and certificates
run opensearch
apt upgrade
opensearch won't start because of missing certificates and config issues

What is the expected behavior?
It should matter if the yml configuration is writting in an hierarchic or flat style. If the configuration is valid, opensearch democonfig installer should respect set

What is your host/environment?

OS: Debian 11
Version 2.16

Snippet of opensearch.yml

plugins:
    security:
        allow_unsafe_democertificates:           false
        allow_default_init_securityindex:        false
        enable_snapshot_restore_privilege:       true
        check_snapshot_restore_write_privileges: true
        ssl:
            transport:
                pemcert_filepath:              /etc/opensearch/opensearch.fullchain.crt
                pemkey_filepath:               /etc/opensearch/opensearch.key
                pemtrustedcas_filepath:        /etc/opensearch/internal-ca.pem
                enforce_hostname_verification: true
            http:
                enabled:                true
                pemcert_filepath:       /etc/opensearch/opensearch.fullchain.crt
                pemkey_filepath:        /etc/opensearch/opensearch.key
                pemtrustedcas_filepath: /etc/opensearch/internal-ca.pem

Do you have any additional context?

After upgrading opensearch the configuration looks like

plugins:
    security:
        allow_unsafe_democertificates:           false
        allow_default_init_securityindex:        false
        enable_snapshot_restore_privilege:       true
        check_snapshot_restore_write_privileges: true

        ssl:
            transport:
                pemcert_filepath:              /etc/opensearch/opensearch.fullchain.crt
                pemkey_filepath:               /etc/opensearch/opensearch.key
                pemtrustedcas_filepath:        /etc/opensearch/internal-ca.pem
                enforce_hostname_verification: true

            http:
                enabled:                true
                pemcert_filepath:       /etc/opensearch/opensearch.fullchain.crt
                pemkey_filepath:        /etc/opensearch/opensearch.key
                pemtrustedcas_filepath: /etc/opensearch/internal-ca.pem
[...]

######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
  .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
  .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
  .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
  .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
  .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
  .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
  .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
  .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
  .plugins-flow-framework-state]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########

Here is the part where democonfig looks for the existence of "plugin.security"
https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java#L106-L128

The text was updated successfully, but these errors were encountered:

cwperks · 2024-09-16T15:07:49Z

[Triage] Thank you for filing this issue @dhoffend. This looks like an actual bug. Thank you for the report.

dhoffend added bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Sep 16, 2024

cwperks changed the title ~~[BUG] DemoConfig gets readded after upgrade~~ [BUG] DemoConfig gets read after upgrade Sep 16, 2024

cwperks added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Sep 16, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BUG] DemoConfig gets read after upgrade #4735

[BUG] DemoConfig gets read after upgrade #4735

dhoffend commented Sep 16, 2024

cwperks commented Sep 16, 2024

[BUG] DemoConfig gets read after upgrade #4735

[BUG] DemoConfig gets read after upgrade #4735

Comments

dhoffend commented Sep 16, 2024

cwperks commented Sep 16, 2024