security
security copied to clipboard
opensearch-project
plugins.security.disabled setting no longer working in 2.12 leading to errors (Docker)
Describe the bug
The plugins.security.disabled no longer looks to be working in the 2.12 release.
Setting the variable as an environment variable now leads to the following error in the logs:
### OpenSearch Security Demo Installer
### ** Warning: Do not use on production or public reachable systems **
OpenSearch install type: rpm/deb on Linux 5.15.0-1051-gcp amd64
OpenSearch config dir: /usr/share/opensearch/config/
OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
OpenSearch bin dir: /usr/share/opensearch/bin/
OpenSearch plugins dir: /usr/share/opensearch/plugins/
OpenSearch lib dir: /usr/share/opensearch/lib/
Detected OpenSearch Version: 2.12.0
Detected OpenSearch Security Version: 2.12.0.0
No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD
This setting was working fine in 2.11.
Looking through the Docker documentation specifically there appears to be a different format for this variable:
"DISABLE_SECURITY_PLUGIN=true" # Disables Security plugin
This does appear to still work but the normal setting does not. This is effectively a breaking change as a result.
Related component
Plugins
To Reproduce
- Attempt to start up OpenSearch 2.12 as a Docker container with
plugins.security.disabledset as an environment variable. - Notice it will fail due to the plugin enabling anyways and it requiring additional config.
Expected behavior
That both plugins.security.disabled and it's variant DISABLE_SECURITY_PLUGIN work when passed in as environment variables.
Additional Details
No response
@DarshitChanpura @derek-ho is this possibly related to https://github.com/opensearch-project/security/issues/3624?
2.11.1
2.11.1 test scenarios:
custom opensearch.yml (has setting plugins.security.disabled: true)
opensearch-node2 | Detected OpenSearch Version: x-content-2.11.1
opensearch-node2 | Detected OpenSearch Security Version: 2.11.1.0
opensearch-node1 | /usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.
opensearch-node2 | /usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.
``zsh ➜ 2.11.1 curl http://localhost:9200 { "name" : "opensearch-node1", "cluster_name" : "opensearch-cluster", "cluster_uuid" : "ZHSpLOqWR8ehc0LrpZ0nRQ", "version" : { "distribution" : "opensearch", "number" : "2.11.1", "build_type" : "tar", "build_hash" : "6b1986e964d440be9137eba1413015c31c5a7752", "build_date" : "2023-11-29T21:45:35.524809067Z", "build_snapshot" : false, "lucene_version" : "9.7.0", "minimum_wire_compatibility_version" : "7.10.0", "minimum_index_compatibility_version" : "7.0.0" }, "tagline" : "The OpenSearch Project: https://opensearch.org/" }
### providing "plugins.security.disabled=true" as env variable in docker-compose
```zsh
opensearch-node2 | Detected OpenSearch Version: x-content-2.11.1
opensearch-node2 | Detected OpenSearch Security Version: 2.11.1.0
opensearch-node1 |
opensearch-node2 |
opensearch-node1 | ### Success
opensearch-node1 | ### Execute this script now on all your nodes and then start all nodes
opensearch-node1 | ### OpenSearch Security will be automatically initialized.
opensearch-node1 | ### If you like to change the runtime configuration
opensearch-node1 | ### change the files in ../../../config/opensearch-security and execute:
opensearch-node1 | "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch-node1 | ### or run ./securityadmin_demo.sh
opensearch-node1 | ### To use the Security Plugin ConfigurationGUI
opensearch-node1 | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
opensearch-node1 | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch-node1 | Enabling OpenSearch Security Plugin
opensearch-node1 | Enabling execution of OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin
opensearch-node2 | ### Success
opensearch-node2 | ### Execute this script now on all your nodes and then start all nodes
opensearch-node2 | ### OpenSearch Security will be automatically initialized.
opensearch-node2 | ### If you like to change the runtime configuration
opensearch-node2 | ### change the files in ../../../config/opensearch-security and execute:
opensearch-node2 | "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch-node2 | ### or run ./securityadmin_demo.sh
opensearch-node2 | ### To use the Security Plugin ConfigurationGUI
opensearch-node2 | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
opensearch-node2 | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch-node2 | Enabling OpenSearch Security Plugin
➜ 2.11.1 curl http://localhost:9200
{
"name" : "opensearch-node1",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "PKhXmPJOT-SA6jWssYcUrg",
"version" : {
"distribution" : "opensearch",
"number" : "2.11.1",
"build_type" : "tar",
"build_hash" : "6b1986e964d440be9137eba1413015c31c5a7752",
"build_date" : "2023-11-29T21:45:35.524809067Z",
"build_snapshot" : false,
"lucene_version" : "9.7.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
providing "DISABLE_SECURITY_PLUGIN=true"
opensearch-node2 | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node2 | **************************************************************************
opensearch-node2 | ** This tool will be deprecated in the next major release of OpenSearch **
opensearch-node2 | ** https://github.com/opensearch-project/security/issues/1755 **
opensearch-node2 | **************************************************************************
opensearch-node2 | OpenSearch Security Demo Installer
opensearch-node2 | ** Warning: Do not use on production or public reachable systems **
opensearch-node2 | Basedir: /usr/share/opensearch
opensearch-node2 | OpenSearch install type: rpm/deb on Amazon Linux release 2023 (Amazon Linux)
opensearch-node2 | OpenSearch config dir: /usr/share/opensearch/config
opensearch-node2 | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node2 | OpenSearch bin dir: /usr/share/opensearch/bin
opensearch-node2 | OpenSearch plugins dir: /usr/share/opensearch/plugins
opensearch-node2 | OpenSearch lib dir: /usr/share/opensearch/lib
opensearch-node2 | Detected OpenSearch Version: x-content-2.11.1
opensearch-node2 | Detected OpenSearch Security Version: 2.11.1.0
opensearch-node1 | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node1 | **************************************************************************
opensearch-node1 | ** This tool will be deprecated in the next major release of OpenSearch **
opensearch-node1 | ** https://github.com/opensearch-project/security/issues/1755 **
opensearch-node1 | **************************************************************************
opensearch-node1 | OpenSearch Security Demo Installer
opensearch-node1 | ** Warning: Do not use on production or public reachable systems **
opensearch-node1 | Basedir: /usr/share/opensearch
opensearch-node2 |
opensearch-node1 | OpenSearch install type: rpm/deb on Amazon Linux release 2023 (Amazon Linux)
opensearch-node1 | OpenSearch config dir: /usr/share/opensearch/config
opensearch-node1 | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node1 | OpenSearch bin dir: /usr/share/opensearch/bin
opensearch-node1 | OpenSearch plugins dir: /usr/share/opensearch/plugins
opensearch-node1 | OpenSearch lib dir: /usr/share/opensearch/lib
opensearch-node1 | Detected OpenSearch Version: x-content-2.11.1
opensearch-node1 | Detected OpenSearch Security Version: 2.11.1.0
opensearch-node1 |
opensearch-node2 | ### Success
opensearch-node2 | ### Execute this script now on all your nodes and then start all nodes
opensearch-node2 | ### OpenSearch Security will be automatically initialized.
opensearch-node2 | ### If you like to change the runtime configuration
opensearch-node2 | ### change the files in ../../../config/opensearch-security and execute:
opensearch-node2 | "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch-node2 | ### or run ./securityadmin_demo.sh
opensearch-node2 | ### To use the Security Plugin ConfigurationGUI
opensearch-node2 | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
opensearch-node2 | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch-node2 | Disabling OpenSearch Security Plugin
opensearch-node2 | Enabling execution of OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin
opensearch-node1 | ### or run ./securityadmin_demo.sh
opensearch-node1 | ### To use the Security Plugin ConfigurationGUI
opensearch-node1 | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
opensearch-node1 | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch-node1 | Disabling OpenSearch Security Plugin
➜ 2.11.1 curl http://localhost:9200
{
"name" : "opensearch-node1",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "14GfRQJ-Q4Gvagd1hH4evQ",
"version" : {
"distribution" : "opensearch",
"number" : "2.11.1",
"build_type" : "tar",
"build_hash" : "6b1986e964d440be9137eba1413015c31c5a7752",
"build_date" : "2023-11-29T21:45:35.524809067Z",
"build_snapshot" : false,
"lucene_version" : "9.7.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
2.12.0
2.12.0 test scenarios:
custom opensearch.yml (has setting plugins.security.disabled: true)
opensearch-node2 | Detected OpenSearch Version: 2.12.0
opensearch-node2 | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node1 | /usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.
opensearch-node2 | /usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.
➜ curl http://localhost:9200
{
"name" : "opensearch-node1",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "g_JelkxcTXafoQyC-AScww",
"version" : {
"distribution" : "opensearch",
"number" : "2.12.0",
"build_type" : "tar",
"build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
"build_date" : "2024-02-20T02:20:12.084014282Z",
"build_snapshot" : false,
"lucene_version" : "9.9.2",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
providing "plugins.security.disabled=true" as env variable in docker-compose
without providing OPENSEARCH_INITIAL_ADMIN_PASSWORD
Attaching to opensearch-node1, opensearch-node2
opensearch-node1 | Enabling OpenSearch Security Plugin
opensearch-node1 | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node1 | OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user.
opensearch-node1 | Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string.
opensearch-node1 | If a password is not provided, the setup will quit.
opensearch-node1 | For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
opensearch-node2 | Enabling OpenSearch Security Plugin
opensearch-node2 | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node2 | OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user.
opensearch-node2 | Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string.
opensearch-node2 | If a password is not provided, the setup will quit.
opensearch-node2 | For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
opensearch-node1 | ### OpenSearch Security Demo Installer
opensearch-node1 | ### ** Warning: Do not use on production or public reachable systems **
opensearch-node2 | ### OpenSearch Security Demo Installer
opensearch-node2 | ### ** Warning: Do not use on production or public reachable systems **
opensearch-node2 | OpenSearch install type: rpm/deb on Linux 6.6.12-linuxkit aarch64
opensearch-node1 | OpenSearch install type: rpm/deb on Linux 6.6.12-linuxkit aarch64
opensearch-node1 | OpenSearch config dir: /usr/share/opensearch/config/
opensearch-node1 | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node1 | OpenSearch bin dir: /usr/share/opensearch/bin/
opensearch-node1 | OpenSearch plugins dir: /usr/share/opensearch/plugins/
opensearch-node1 | OpenSearch lib dir: /usr/share/opensearch/lib/
opensearch-node1 | Detected OpenSearch Version: 2.12.0
opensearch-node1 | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node2 | OpenSearch config dir: /usr/share/opensearch/config/
opensearch-node2 | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node2 | OpenSearch bin dir: /usr/share/opensearch/bin/
opensearch-node2 | OpenSearch plugins dir: /usr/share/opensearch/plugins/
opensearch-node2 | OpenSearch lib dir: /usr/share/opensearch/lib/
opensearch-node2 | Detected OpenSearch Version: 2.12.0
opensearch-node2 | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node1 | No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.
opensearch-node2 | No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.
opensearch-node1 exited with code 1
opensearch-node2 exited with code 1
➜ 2.12.0 curl http://localhost:9200
{
"name" : "opensearch-node1",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "mgQoDpTVS7i90tPJpQzRgw",
"version" : {
"distribution" : "opensearch",
"number" : "2.12.0",
"build_type" : "tar",
"build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
"build_date" : "2024-02-20T02:20:12.084014282Z",
"build_snapshot" : false,
"lucene_version" : "9.9.2",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
providing OPENSEARCH_INITIAL_ADMIN_PASSWORD
opensearch-node1 | Enabling OpenSearch Security Plugin
opensearch-node1 | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node1 | OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user.
opensearch-node1 | Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string.
opensearch-node1 | If a password is not provided, the setup will quit.
opensearch-node1 | For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
opensearch-node2 | Enabling OpenSearch Security Plugin
opensearch-node2 | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch-node2 | OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user.
opensearch-node2 | Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string.
opensearch-node2 | If a password is not provided, the setup will quit.
opensearch-node2 | For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
opensearch-node2 | ### OpenSearch Security Demo Installer
opensearch-node2 | ### ** Warning: Do not use on production or public reachable systems **
opensearch-node2 | OpenSearch install type: rpm/deb on Linux 6.6.12-linuxkit aarch64
opensearch-node2 | OpenSearch config dir: /usr/share/opensearch/config/
opensearch-node2 | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node1 | ### OpenSearch Security Demo Installer
opensearch-node1 | ### ** Warning: Do not use on production or public reachable systems **
opensearch-node2 | OpenSearch bin dir: /usr/share/opensearch/bin/
opensearch-node2 | OpenSearch plugins dir: /usr/share/opensearch/plugins/
opensearch-node2 | OpenSearch lib dir: /usr/share/opensearch/lib/
opensearch-node2 | Detected OpenSearch Version: 2.12.0
opensearch-node2 | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node1 | OpenSearch install type: rpm/deb on Linux 6.6.12-linuxkit aarch64
opensearch-node1 | OpenSearch config dir: /usr/share/opensearch/config/
opensearch-node1 | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch-node1 | OpenSearch bin dir: /usr/share/opensearch/bin/
opensearch-node1 | OpenSearch plugins dir: /usr/share/opensearch/plugins/
opensearch-node1 | OpenSearch lib dir: /usr/share/opensearch/lib/
opensearch-node1 | Detected OpenSearch Version: 2.12.0
opensearch-node1 | Detected OpenSearch Security Version: 2.12.0.0
opensearch-node2 | Admin password set successfully.
opensearch-node1 | Admin password set successfully.
opensearch-node1 | ### Success
opensearch-node1 | ### Execute this script now on all your nodes and then start all nodes
opensearch-node1 | ### OpenSearch Security will be automatically initialized.
opensearch-node1 | ### If you like to change the runtime configuration
opensearch-node2 | ### Success
opensearch-node2 | ### Execute this script now on all your nodes and then start all nodes
opensearch-node1 | ### change the files in ../../../config/opensearch-security and execute:
opensearch-node1 | sudo "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch-node1 | ### or run ./securityadmin_demo.sh
opensearch-node1 | ### To use the Security Plugin ConfigurationGUI
opensearch-node1 | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/<your-custom-admin-password>.
opensearch-node1 | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch-node2 | ### OpenSearch Security will be automatically initialized.
opensearch-node2 | ### If you like to change the runtime configuration
opensearch-node2 | ### change the files in ../../../config/opensearch-security and execute:
opensearch-node2 | sudo "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch-node2 | ### or run ./securityadmin_demo.sh
opensearch-node2 | ### To use the Security Plugin ConfigurationGUI
opensearch-node2 | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/<your-custom-admin-password>.
opensearch-node2 | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
➜ 2.12.0 curl http://localhost:9200
{
"name" : "opensearch-node1",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "c519SyZKRJOqbqF8gZsAgA",
"version" : {
"distribution" : "opensearch",
"number" : "2.12.0",
"build_type" : "tar",
"build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
"build_date" : "2024-02-20T02:20:12.084014282Z",
"build_snapshot" : false,
"lucene_version" : "9.9.2",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
➜ 2.12.0 curl -XGET "https://localhost:9200/_cat/nodes" -k -u 'admin:myStrongPassword123!'
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
providing DISABLE_SECURITY_PLUGIN=true as env variable in docker-compose (no need for the OPENSEARCH_INITIAL_ADMIN_PASSWORD variable)
opensearch-node2 | Disabling OpenSearch Security Plugin
opensearch-node1 | Disabling OpenSearch Security Plugin
➜ 2.12.0 curl http://localhost:9200
{
"name" : "opensearch-node1",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "mgQoDpTVS7i90tPJpQzRgw",
"version" : {
"distribution" : "opensearch",
"number" : "2.12.0",
"build_type" : "tar",
"build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
"build_date" : "2024-02-20T02:20:12.084014282Z",
"build_snapshot" : false,
"lucene_version" : "9.9.2",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
@gygitlab As you can see from the logs the behavior for plugins.security.disabled and DISABLE_SECURITY_PLUGIN is different. Providing the former always results in execution of demo configuration and then the security plugin is disabled later. While the later, disables the security plugin from start, thus preventing execution of demo install script completely.
The behavior you discovered actually has existed but didn't surface until 2.12.0 as a custom admin password was required. The documentation for disabling security states that adding the plugins.security.disabled should disable security. This also prevents demo configuration script from modifying opensearch.yml thereby not requiring the password. I believe the flag plugins.security.disabled was intended to be used by placing inside opensearch.yml and the flag DISABLE_SECURITY_PLUGIN is meant to be passed as env variable in the docker-compose file.
TLDR; not a bug. You can configure this in two ways:
- Mount custom opensearch.yml with
plugins.security.disabled: true - Add
DISABLE_SECURITY_PLUGIN=trueunderenvironment:in docker-compose
Hope this helps!
Ok thanks. It's a little confusing as some of the main settings can be passed verbatim as environment variables, e.g. cluster.initial_cluster_manager_nodes or discovery.seed_hosts.
Either way you may want to add this detail into the release notes so others don't get caught out with this indirect change.
@gygitlab Another piece of information that might help clarify. This block of code states that the environment variables passed to docker as in fact passed as env variables with -E when starting the opensearch process (./bin/opensearch) inside docker container. This invokes a slightly different behavior, than passing the same params inside opensearch.yml.
[Triage] this seems related to the default admin credential changes, and that the behavior is working as intended. @gygitlab can you provide any more details or what you want changed so we can turn this into a feature request? If not I think we will close this.
@gygitlab can you provide any more details or what you want changed so we can turn this into a feature request?
@derek-ho Looks like in this comment there's a request for more clear documentation of the change in the release notes, not a request for a change in functionality.
Yeah so the feedback I can give from my perspective is that this was effectively an undocumented breaking change for us and we had to pivot quickly to fix our scripts and environments. I understand that it was a "sleeping" issue but nonetheless the effects were the same and we were in the dark for a while there.
Assuming that the behaviour is now correct and that the intention is not to allow plugins.security.disabled to work as a docker env var, in terms of release notes and documentation it could be clearer. I was "disabling" the plugin with the documented setting but it was no longer working. Most of the normal settings documented work as environment variables for the Docker Image so it's a fair assumption that this would have been the same. Not until you go through the Install Docker documentation does the separate variable DISABLE_SECURITY_PLUGIN get mentioned.
TL;DR:
- The release notes should've called this out in full as a potential breaking change by proxy
- There should be clear documentation on what variables do work with the Docker image and what ones do not and have specific alternatives instead
- The disable security page should mention
DISABLE_SECURITY_PLUGINsetting specifically for Docker images
@gygitlab Would you mind opening an issue in the documentation-website repository detailing the gap in docs and the changes that should be addressed?
Just ran into this as well. Definitely a breaking change
I'm so grateful this ticket exists! Much appreciated @gygitlab
I am still confused. I am trying to setup the most simple environment in local docker compose, and this issue is blocking me. I have this docker compose
opensearch:
image: opensearchproject/opensearch:latest
environment:
- discovery.type=single-node
- DISABLE_SECURITY_PLUGIN=true
#- OPENSEARCH_INITIAL_ADMIN_PASSWORD=admin
ports:
- "9200:9200"
- "9600:9600"
volumes:
- opensearch-data:/usr/share/opensearch/data
networks:
- my-net
opensearch-dashboards:
image: opensearchproject/opensearch-dashboards:latest
ports:
- "5601:5601"
environment:
- OPENSEARCH_HOSTS=http://opensearch:9200
networks:
- my-net
but still I get {"type":"log","@timestamp":"2024-09-24T14:55:02Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed authentication: Error: no handler found for uri [/_plugins/_security/authinfo] and method [GET]"} when I try login into the dashboard using admin:admin
@MahatmaFatalError I'm doing the same config as you and I am having problems as well. Have you had any luck logging into it?
nope, it is not working. Very frustrating that progress is stopped by such kind of problems
@MahatmaFatalError I figured it out! It has to do with some demo config thing?
Use "latest" of the containers
Environment vars for OpenSearch container:
DISABLE_INSTALL_DEMO_CONFIG=true
DISABLE_SECURITY_PLUGIN=true
Environment vars Dashboard container:
DISABLE_SECURITY_DASHBOARDS_PLUGIN=true