opensearch-project · peterzhuamazon · Sep 10, 2021 · Sep 9, 2021 · Sep 9, 2021 · Sep 10, 2021
@@ -14,7 +14,7 @@ docker pull opensearchproject/opensearch:latest
 docker pull opensearchproject/opensearch-dashboards:latest
 ```
 
-### Building docker images 
+### Building Docker Images
 We provide two scripts to build docker images.
 For single-arch image you need to install just the Docker Engine on your host machine.
 For multi-arch image (currently support x64/arm64) you need to install Docker Desktop.
@@ -60,3 +60,48 @@ For multi-arch image (currently support x64/arm64) you need to install Docker De
   ```
   ./build-image-multi-arch.sh -v 1.0.0 -f ./dockerfiles/opensearch-dashboards.al2.dockerfile -p opensearch-dashboards -a "x64,arm64" -r "<Docker Hub RepoName>/<Docker Image Name>:<Tag Name>" -t "opensearch-1.0.0.tar.gz,opensearch-dashboards-1.0.0.tar.gz"
   ```
+
+### Disable Security Plugin, Security Dashboards Plugin, Security Demo Configurations and Related Configurations
+(This change is added since OpenSearch/OpenSearch-Dashboards 1.1.0)
+There are 3 environment variables available for users to disable security related settings during docker container startup:
+
+* 2 for OpenSearch:
+  * `DISABLE_INSTALL_DEMO_CONFIG`: Default to `null`, set to `true` disables running of [install_demo_configuration.sh](https://github.com/opensearch-project/security/blame/main/tools/install_demo_configuration.sh) bundled with Security Plugin, which installs demo certificates and security configurations to OpenSearch.
+  * `DISABLE_SECURITY_PLUGIN`: Default to `null`, set to `true` disables Security Plugin entirely in OpenSearch by setting `plugins.security.disabled: true` in opensearch.yml.
+
+* 1 for Dashboards:
+  * `DISABLE_SECURITY_DASHBOARDS_PLUGIN`: Default to `null`, set to `true` disables Security Dashboards Plugin in OpenSearch-Dashboards by removing securityDashboards plugin folder, remove all related settings in opensearch_dashboards.yml, and set `opensearch.hosts` entry protocol from HTTPS to HTTP. This step is not reversible as the Security Dashboards Plugin is removed in the process. If you want to re-enable security for OpenSearch-Dashboards, you need to start a new container with `DISABLE_SECURITY_DASHBOARDS_PLUGIN` unset, or false.
+
+
+Here are three example scenarios of using above variables:
+
+* Scenario 1: Original behavior, install demo certs/configs + enable security on both OpenSearch and OpenSearch-Dashboards:
+  * OpenSearch:
+     ```
+     $ docker run -it -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" opensearchproject/opensearch:1.1.0
+     ```
+  * OpenSearch-Dashboards:
+     ```
+     $ docker run -it --network="host" opensearchproject/opensearch-dashboards:1.1.0
+     ```
+
+* Scenario 2: No demo certs/configs + disable security on both OpenSearch and OpenSearch-Dashboards:
+  * OpenSearch:
+     ```
+     $ docker run -it -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" -e "DISABLE_INSTALL_DEMO_CONFIG=true" -e "DISABLE_SECURITY_PLUGIN=true" opensearchproject/opensearch:1.1.0
+     ```
+  * OpenSearch-Dashboards:
+     ```
+     $ docker run -it --network="host" -e "DISABLE_SECURITY_DASHBOARDS_PLUGIN=true" opensearchproject/opensearch-dashboards:1.1.0
+     ```
+
+* Scenario 3: No demo certs/configs + enable security on both OpenSearch and OpenSearch-Dashboards (cluster exit with errors due to demo install script is not run. Therefore, no certs/configs are available for Security Plugin. Useful if you want to setup your own certs/configs):
+  * OpenSearch:
+     ```
+     $ docker run -it -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" -e "DISABLE_INSTALL_DEMO_CONFIG=true" opensearchproject/opensearch:1.1.0
+     ```
+  * Dashboards:
+     ```
+     $ docker run -it --network="host" -e opensearchproject/opensearch-dashboards:1.1.0
+     ```
+
@@ -25,6 +25,9 @@
 #
 #       --opensearch.startupTimeout=60
 
+# Setup Home Directory
+export OPENSEARCH_DASHBOARDS_HOME=/usr/share/opensearch-dashboards
+
 opensearch_dashboards_vars=(
     console.enabled
     console.proxyConfig
@@ -177,6 +180,19 @@ done
 # Files created at run-time should be group-writable, for Openshift's sake.
 umask 0002
 
+##Security Dashboards Plugin
+SECURITY_DASHBOARDS_PLUGIN="securityDashboards"
+if [ -d "$OPENSEARCH_DASHBOARDS_HOME/plugins/$SECURITY_DASHBOARDS_PLUGIN" ]; then
+
+    if [ "$DISABLE_SECURITY_DASHBOARDS_PLUGIN" = "true" ]; then
+        echo "Disable OpenSearch Security Dashboards Plugin"
+        ./bin/opensearch-dashboards-plugin remove securityDashboards
+        sed -i /^opensearch_security/d $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml
+        sed -i 's/https/http/' $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml
+    fi
+fi
+
+
 # TO DO:
 # Confirm with Mihir if this is necessary
 

@@ -28,6 +28,9 @@
 # If either process failed, the entire docker container will be removed
 # in favor of a newly started container
 
+# Export OpenSearch Home
+export OPENSEARCH_HOME=/usr/share/opensearch
+
 # Files created by OpenSearch should always be group writable too
 umask 0002
 
@@ -71,6 +74,25 @@ done < <(env)
 # will run in.
 export OPENSEARCH_JAVA_OPTS="-Dopensearch.cgroups.hierarchy.override=/ $OPENSEARCH_JAVA_OPTS"
 
+##Security Plugin
+SECURITY_PLUGIN="opensearch-security"
+if [ -d "$OPENSEARCH_HOME/plugins/$SECURITY_PLUGIN" ]; then
+    if [ "$DISABLE_INSTALL_DEMO_CONFIG" = "true" ]; then
+        echo "Disable Install Demo Config for OpenSearch Security Plugin"
+    else
+        echo "Enable Install Demo Config for OpenSearch Security Plugin"
+        bash $OPENSEARCH_HOME/plugins/$SECURITY_PLUGIN/tools/install_demo_configuration.sh -y -i -s
+    fi
+
+    if [ "$DISABLE_SECURITY_PLUGIN" = "true" ]; then
+        echo "Disable OpenSearch Security Plugin"
+        sed -i '/plugins.security.disabled/d' $OPENSEARCH_HOME/config/opensearch.yml
+        echo "plugins.security.disabled: true" >> $OPENSEARCH_HOME/config/opensearch.yml
+    else
+        echo "Enable OpenSearch Security Plugin"
+        sed -i '/plugins.security.disabled/d' $OPENSEARCH_HOME/config/opensearch.yml
+    fi
+fi
 
 # Start up the opensearch and performance analyzer agent processes.
 # When either of them halts, this script exits, or we receive a SIGTERM or SIGINT signal then we want to kill both these processes.
@@ -94,9 +116,6 @@ set -m
 # Make sure we terminate the child processes in the event of us received TERM (e.g. "docker container stop"), INT (e.g. ctrl-C), EXIT (this script terminates for an unexpected reason), or CHLD (one of the processes terminated unexpectedly)
 trap terminateProcesses TERM INT EXIT CHLD
 
-# Export OpenSearch Home
-export OPENSEARCH_HOME=/usr/share/opensearch
-
 # Start opensearch
 $OPENSEARCH_HOME/bin/opensearch "${opensearch_opts[@]}" &
 OPENSEARCH_PID=$!

@@ -88,6 +88,10 @@ RUN cp -v plugins/opensearch-knn/knnlib/libKNNIndex*.so /usr/lib
 USER $UID
 
 # Setup OpenSearch
+# Disable security demo installation during image build, and allow user to disable during startup of the container
+# Enable security plugin during image build, and allow user to disable during startup of the container
+ARG DISABLE_INSTALL_DEMO_CONFIG=true
+ARG DISABLE_SECURITY_PLUGIN=false
 RUN ./opensearch-onetime-setup.sh
 
 # Expose ports for the opensearch service (9200 for HTTP and 9300 for internal transport) and performance analyzer (9600 for the agent and 9650 for the root cause analysis component)

@@ -13,7 +13,23 @@ OPENSEARCH_HOME=`dirname $(realpath $0)`; cd $OPENSEARCH_HOME
 
 ##Security Plugin
 SECURITY_PLUGIN="opensearch-security"
-bash $OPENSEARCH_HOME/plugins/$SECURITY_PLUGIN/tools/install_demo_configuration.sh -y -i -s
+if [ -d "$OPENSEARCH_HOME/plugins/$SECURITY_PLUGIN" ]; then
+    if [ "$DISABLE_INSTALL_DEMO_CONFIG" = "true" ]; then
+        echo "Disable Install Demo Config for OpenSearch Security Plugin"
+    else
+        echo "Enable Install Demo Config for OpenSearch Security Plugin"
+        bash $OPENSEARCH_HOME/plugins/$SECURITY_PLUGIN/tools/install_demo_configuration.sh -y -i -s
+    fi
+
+    if [ "$DISABLE_SECURITY_PLUGIN" = "true" ]; then
+        echo "Disable OpenSearch Security Plugin"
+        sed -i '/plugins.security.disabled/d' $OPENSEARCH_HOME/config/opensearch.yml
+        echo "plugins.security.disabled: true" >> $OPENSEARCH_HOME/config/opensearch.yml
+    else
+        echo "Enable OpenSearch Security Plugin"
+        sed -i '/plugins.security.disabled/d' $OPENSEARCH_HOME/config/opensearch.yml
+    fi
+fi
 
 ##Perf Plugin
 PA_PLUGIN="opensearch-performance-analyzer"