epiphany
epiphany copied to clipboard
hitachienergy
[BUG] Make OpenSearch Dashboards user configurable
Describe the bug In the OpenSearch Dashboards schema, we theoretically have the option to set a username and password.
---
kind: configuration/opensearch-dashboards
title: "OpenSearch-Dashboards"
name: default
specification:
dashboards_user: kibanaserver
dashboards_user_password: PASSWORD_TO_CHANGE
But it is not entirely true. These values are only used to render the template, so they really need to be set correctly for the cluster to work.
This means that if you change the username and password to anything you like, the dashbaords will most probably not work, because neither the user nor the password will match/exist at all. Users are created in the OpenSearch role and that's where we create the kibanaserver user and the filebeatservice user, which means that in the dashboard configuration we cannot freely change the user name. It must only be kibanaserver.
Same with the password. If we want to change the password from the default, we have to change it in the dashboard configuration and in the configuration for the logging/opensearch component, because that's where it is actually set.
---
kind: configuration/logging
title: Logging Config
name: default
provider: aws
specification:
kibanaserver_password: XXXXX
---
kind: configuration/opensearch-dashboards
title: "OpenSearch-Dashboards"
name: default
provider: aws
specification:
dashboards_user: kibanaserver
dashboards_user_password: XXXXX
So if we want to have a configurable user in one place, the logging and opensearch roles should read the dashboard configuration and create such a user and password automatically. Otherwise, changing these parameters in only one place will result in broken dashboards as the user or password will not be correct.
All hardcoded values for username in templates related to the opensearch / logging component (including filebeat and dashbaords) have to be verified and set automatically according to the schema.
How to reproduce Steps to reproduce the behavior:
- Deploy any cluster with logging component enabled
- Change username and password for dashbaords
---
kind: configuration/opensearch-dashboards
title: "OpenSearch-Dashboards"
name: default
provider: aws
specification:
dashboards_user: testuser
dashboards_user_password: testpass
- execute
epicli apply ...
Expected behavior OpenSearch Dashboards should be available and accessible to the user and password that has been set
Environment
- Cloud provider: [all]
- OS: [all]
epicli version: [2.0.1dev]
Describe alternatives you've considered
Use kibanaserver user and password that is set in logging/opensearch configuration and remove it from dashboards schema.
DoD checklist
- Changelog
- [ ] updated
- [ ] not needed
- COMPONENTS.md
- [ ] updated
- [ ] not needed
- Schema
- [ ] updated
- [ ] not needed
- Backport tasks
- [ ] created
- [ ] not needed
- Documentation
- [ ] added
- [ ] updated
- [ ] not needed
- [ ] Feature has automated tests
- [ ] Automated tests passed (QA pipelines)
- [ ] apply
- [ ] upgrade
- [ ] backup/restore
- [ ] Idempotency tested
- [ ] All conversations in PR resolved
According to my talk with @przemyslavic, we will keep previous way of configuring dashboards user, therefore dashboards user configuration for opensearch-dashboards will be removed -> the reasons behind such a decision:
- having only default
kibanaserveruser for dashboards (and not dedicated, configurable one) is keeping things simple. If user would like to have additional user for dashboards means that he/she knows their specific case and most probably are experienced enough to create that user by themselves. So default user is only needed for the initial configuration - keeping separated passwords for
opensearchandlogginggroup, and not having one password configured underdashboardsis more secure - also, having 2 components (
loggingandopensearch) at the same time, means that 2 different OpenSearch instances (or clusters) are running and being able to configure different dashboards password for both components is more flexible
