diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index ae570a9df8..92d923bb0d 100644 --- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -44,14 +44,14 @@ jobs: run: | cat > setup.sh <<'EOF' chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh - /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh" + /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh -t" EOF - name: Create Setup Script if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" + Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y -t" Get-Content .\setup.bat - name: Run Opensearch with A Single Plugin diff --git a/src/main/java/org/opensearch/security/tools/democonfig/CertificateGenerator.java b/src/main/java/org/opensearch/security/tools/democonfig/CertificateGenerator.java new file mode 100644 index 0000000000..a7b39c226e --- /dev/null +++ b/src/main/java/org/opensearch/security/tools/democonfig/CertificateGenerator.java 
@@ -0,0 +1,49 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.tools.democonfig;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+/**
+ * This class creates demo certificate files
+ */
+public class CertificateGenerator extends Installer {
+
+ /**
+ * Creates demo super-admin, node and root certificates by iterating through Certificates enum
+ */
+ public void createDemoCertificates() {
+ for (Certificates cert : Certificates.values()) {
+ String filePath = OPENSEARCH_CONF_DIR + File.separator + cert.getFileName();
+ writeCertificateToFile(filePath, cert.getContent());
+ }
+ }
+
+ /**
+ * Helper method to write the certificates to their own file
+ * @param filePath the file which needs to be written
+ * @param content the content which needs to be written to this file
+ */
+ static void writeCertificateToFile(String filePath, String content) {
+ try {
+ FileWriter fileWriter = new FileWriter(filePath, StandardCharsets.UTF_8);
+ fileWriter.write(content);
+ fileWriter.close();
+ } catch (IOException e) {
+ System.err.println("Error writing certificate file: " + filePath);
+ System.exit(-1);
+ }
+ }
+}
diff --git a/src/main/java/org/opensearch/security/tools/democonfig/Certificates.java b/src/main/java/org/opensearch/security/tools/democonfig/Certificates.java
new file mode 100644
index 0000000000..6821147e8c
--- /dev/null
+++ b/src/main/java/org/opensearch/security/tools/democonfig/Certificates.java
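Review bot: `writeCertificateToFile` creates `kirk-key.pem` and `esnode-key.pem` through a plain `FileWriter`, so the private keys get whatever mode the process umask allows, and nothing visible in this hunk tightens it afterwards. The writer is also closed by hand, so a failing `write` leaks the handle, and the `catch` reports only the path and drops the `IOException` message. The version below uses try-with-resources and restricts the still-empty file to its owner where the file system supports POSIX permissions; it needs `java.nio.file.Files`, `java.nio.file.Path`, `java.nio.file.Paths` and `java.nio.file.attribute.PosixFilePermissions` added to the imports. Separately, `Installer.setOpenSearchVariables` already ends `OPENSEARCH_CONF_DIR` with `File.separator`, so `createDemoCertificates` builds paths with a doubled separator.

```java
static void writeCertificateToFile(String filePath, String content) {
    try (FileWriter fileWriter = new FileWriter(filePath, StandardCharsets.UTF_8)) {
        // Restrict the still-empty file to its owner before any key material is written.
        Path path = Paths.get(filePath);
        if (path.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            Files.setPosixFilePermissions(path, PosixFilePermissions.fromString("rw-------"));
        }
        fileWriter.write(content);
    } catch (IOException e) {
        System.err.println("Error writing certificate file: " + filePath + " (" + e.getMessage() + ")");
        System.exit(-1);
    }
}
```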
@@ -0,0 +1,174 @@ +package org.opensearch.security.tools.democonfig; + +/** + * Enum for demo certificates + */ +public enum Certificates { + ADMIN_CERT( + "kirk.pem", + "-----BEGIN CERTIFICATE-----\n" + + "MIIEmDCCA4CgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iYwDQYJKoZIhvcNAQEL\n" + + "BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt\n" + + "cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl\n" + + "IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v\n" + + "dCBDQTAeFw0yMzA4MjkyMDA2MzdaFw0zMzA4MjYyMDA2MzdaME0xCzAJBgNVBAYT\n" + + "AmRlMQ0wCwYDVQQHDAR0ZXN0MQ8wDQYDVQQKDAZjbGllbnQxDzANBgNVBAsMBmNs\n" + + "aWVudDENMAsGA1UEAwwEa2lyazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n" + + "ggEBAJVcOAQlCiuB9emCljROAXnlsPbG7PE3kNz2sN+BbGuw686Wgyl3uToVHvVs\n" + + "paMmLUqm1KYz9wMSWTIBZgpJ9hYaIbGxD4RBb7qTAJ8Q4ddCV2f7T4lxao/6ixI+\n" + + "O0l/BG9E3mRGo/r0w+jtTQ3aR2p6eoxaOYbVyEMYtFI4QZTkcgGIPGxm05y8xonx\n" + + "vV5pbSW9L7qAVDzQC8EYGQMMI4ccu0NcHKWtmTYJA/wDPE2JwhngHwbcIbc4cDz6\n" + + "cG0S3FmgiKGuuSqUy35v/k3y7zMHQSdx7DSR2tzhH/bBL/9qGvpT71KKrxPtaxS0\n" + + "bAqPcEkKWDo7IMlGGW7LaAWfGg8CAwEAAaOCASswggEnMAwGA1UdEwEB/wQCMAAw\n" + + "DgYDVR0PAQH/BAQDAgXgMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMIHPBgNVHSME\n" + + "gccwgcSAFBeH36Ba62YSp9XQ+LoSRTy3KwCcoYGVpIGSMIGPMRMwEQYKCZImiZPy\n" + + "LGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhh\n" + + "bXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENB\n" + + "MSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCFHfkrz782p+T9k0G\n" + + "xGeM4+BrehWKMB0GA1UdDgQWBBSjMS8tgguX/V7KSGLoGg7K6XMzIDANBgkqhkiG\n" + + "9w0BAQsFAAOCAQEANMwD1JYlwAh82yG1gU3WSdh/tb6gqaSzZK7R6I0L7slaXN9m\n" + + "y2ErUljpTyaHrdiBFmPhU/2Kj2r+fIUXtXdDXzizx/JdmueT0nG9hOixLqzfoC9p\n" + + "fAhZxM62RgtyZoaczQN82k1/geMSwRpEndFe3OH7arkS/HSbIFxQhAIy229eWe5d\n" + + "1bUzP59iu7f3r567I4ob8Vy7PP+Ov35p7Vv4oDHHwgsdRzX6pvL6mmwVrQ3BfVec\n" + + "h9Dqprr+ukYmjho76g6k5cQuRaB6MxqldzUg+2E7IHQP8MCF+co51uZq2nl33mtp\n" + + 
"RGr6JbdHXc96zsLTL3saJQ8AWEfu1gbTVrwyRA==\n" + + "-----END CERTIFICATE-----" + ), + ADMIN_CERT_KEY( + "kirk-key.pem", + "-----BEGIN PRIVATE KEY-----\n" + + "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCVXDgEJQorgfXp\n" + + "gpY0TgF55bD2xuzxN5Dc9rDfgWxrsOvOloMpd7k6FR71bKWjJi1KptSmM/cDElky\n" + + "AWYKSfYWGiGxsQ+EQW+6kwCfEOHXQldn+0+JcWqP+osSPjtJfwRvRN5kRqP69MPo\n" + + "7U0N2kdqenqMWjmG1chDGLRSOEGU5HIBiDxsZtOcvMaJ8b1eaW0lvS+6gFQ80AvB\n" + + "GBkDDCOHHLtDXBylrZk2CQP8AzxNicIZ4B8G3CG3OHA8+nBtEtxZoIihrrkqlMt+\n" + + "b/5N8u8zB0Encew0kdrc4R/2wS//ahr6U+9Siq8T7WsUtGwKj3BJClg6OyDJRhlu\n" + + "y2gFnxoPAgMBAAECggEAP5TOycDkx+megAWVoHV2fmgvgZXkBrlzQwUG/VZQi7V4\n" + + "ZGzBMBVltdqI38wc5MtbK3TCgHANnnKgor9iq02Z4wXDwytPIiti/ycV9CDRKvv0\n" + + "TnD2hllQFjN/IUh5n4thHWbRTxmdM7cfcNgX3aZGkYbLBVVhOMtn4VwyYu/Mxy8j\n" + + "xClZT2xKOHkxqwmWPmdDTbAeZIbSv7RkIGfrKuQyUGUaWhrPslvYzFkYZ0umaDgQ\n" + + "OAthZew5Bz3OfUGOMPLH61SVPuJZh9zN1hTWOvT65WFWfsPd2yStI+WD/5PU1Doo\n" + + "1RyeHJO7s3ug8JPbtNJmaJwHe9nXBb/HXFdqb976yQKBgQDNYhpu+MYSYupaYqjs\n" + + "9YFmHQNKpNZqgZ4ceRFZ6cMJoqpI5dpEMqToFH7tpor72Lturct2U9nc2WR0HeEs\n" + + "/6tiptyMPTFEiMFb1opQlXF2ae7LeJllntDGN0Q6vxKnQV+7VMcXA0Y8F7tvGDy3\n" + + "qJu5lfvB1mNM2I6y/eMxjBuQhwKBgQC6K41DXMFro0UnoO879pOQYMydCErJRmjG\n" + + "/tZSy3Wj4KA/QJsDSViwGfvdPuHZRaG9WtxdL6kn0w1exM9Rb0bBKl36lvi7o7xv\n" + + "M+Lw9eyXMkww8/F5d7YYH77gIhGo+RITkKI3+5BxeBaUnrGvmHrpmpgRXWmINqr0\n" + + "0jsnN3u0OQKBgCf45vIgItSjQb8zonLz2SpZjTFy4XQ7I92gxnq8X0Q5z3B+o7tQ\n" + + "K/4rNwTju/sGFHyXAJlX+nfcK4vZ4OBUJjP+C8CTjEotX4yTNbo3S6zjMyGQqDI5\n" + + "9aIOUY4pb+TzeUFJX7If5gR+DfGyQubvvtcg1K3GHu9u2l8FwLj87sRzAoGAflQF\n" + + "RHuRiG+/AngTPnZAhc0Zq0kwLkpH2Rid6IrFZhGLy8AUL/O6aa0IGoaMDLpSWUJp\n" + + "nBY2S57MSM11/MVslrEgGmYNnI4r1K25xlaqV6K6ztEJv6n69327MS4NG8L/gCU5\n" + + "3pEm38hkUi8pVYU7in7rx4TCkrq94OkzWJYurAkCgYATQCL/rJLQAlJIGulp8s6h\n" + + "mQGwy8vIqMjAdHGLrCS35sVYBXG13knS52LJHvbVee39AbD5/LlWvjJGlQMzCLrw\n" + + "F7oILW5kXxhb8S73GWcuMbuQMFVHFONbZAZgn+C9FW4l7XyRdkrbR1MRZ2km8YMs\n" + + 
"/AHmo368d4PSNRMMzLHw8Q==\n" + + "-----END PRIVATE KEY-----" + ), + NODE_CERT( + "esnode.pem", + "-----BEGIN CERTIFICATE-----\n" + + "MIIEPDCCAySgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iIwDQYJKoZIhvcNAQEL\n" + + "BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt\n" + + "cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl\n" + + "IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v\n" + + "dCBDQTAeFw0yMzA4MjkwNDIzMTJaFw0zMzA4MjYwNDIzMTJaMFcxCzAJBgNVBAYT\n" + + "AmRlMQ0wCwYDVQQHDAR0ZXN0MQ0wCwYDVQQKDARub2RlMQ0wCwYDVQQLDARub2Rl\n" + + "MRswGQYDVQQDDBJub2RlLTAuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA\n" + + "A4IBDwAwggEKAoIBAQCm93kXteDQHMAvbUPNPW5pyRHKDD42XGWSgq0k1D29C/Ud\n" + + "yL21HLzTJa49ZU2ldIkSKs9JqbkHdyK0o8MO6L8dotLoYbxDWbJFW8bp1w6tDTU0\n" + + "HGkn47XVu3EwbfrTENg3jFu+Oem6a/501SzITzJWtS0cn2dIFOBimTVpT/4Zv5qr\n" + + "XA6Cp4biOmoTYWhi/qQl8d0IaADiqoZ1MvZbZ6x76qTrRAbg+UWkpTEXoH1xTc8n\n" + + "dibR7+HP6OTqCKvo1NhE8uP4pY+fWd6b6l+KLo3IKpfTbAIJXIO+M67FLtWKtttD\n" + + "ao94B069skzKk6FPgW/OZh6PRCD0oxOavV+ld2SjAgMBAAGjgcYwgcMwRwYDVR0R\n" + + "BEAwPogFKgMEBQWCEm5vZGUtMC5leGFtcGxlLmNvbYIJbG9jYWxob3N0hxAAAAAA\n" + + "AAAAAAAAAAAAAAABhwR/AAABMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEF\n" + + "BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU0/qDQaY10jIo\n" + + "wCjLUpz/HfQXyt8wHwYDVR0jBBgwFoAUF4ffoFrrZhKn1dD4uhJFPLcrAJwwDQYJ\n" + + "KoZIhvcNAQELBQADggEBAD2hkndVih6TWxoe/oOW0i2Bq7ScNO/n7/yHWL04HJmR\n" + + "MaHv/Xjc8zLFLgHuHaRvC02ikWIJyQf5xJt0Oqu2GVbqXH9PBGKuEP2kCsRRyU27\n" + + "zTclAzfQhqmKBTYQ/3lJ3GhRQvXIdYTe+t4aq78TCawp1nSN+vdH/1geG6QjMn5N\n" + + "1FU8tovDd4x8Ib/0dv8RJx+n9gytI8n/giIaDCEbfLLpe4EkV5e5UNpOnRgJjjuy\n" + + "vtZutc81TQnzBtkS9XuulovDE0qI+jQrKkKu8xgGLhgH0zxnPkKtUg2I3Aq6zl1L\n" + + "zYkEOUF8Y25J6WeY88Yfnc0iigI+Pnz5NK8R9GL7TYo=\n" + + "-----END CERTIFICATE-----" + ), + NODE_KEY( + "esnode-key.pem", + "-----BEGIN PRIVATE KEY-----\n" + + "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCm93kXteDQHMAv\n" + + 
"bUPNPW5pyRHKDD42XGWSgq0k1D29C/UdyL21HLzTJa49ZU2ldIkSKs9JqbkHdyK0\n" + + "o8MO6L8dotLoYbxDWbJFW8bp1w6tDTU0HGkn47XVu3EwbfrTENg3jFu+Oem6a/50\n" + + "1SzITzJWtS0cn2dIFOBimTVpT/4Zv5qrXA6Cp4biOmoTYWhi/qQl8d0IaADiqoZ1\n" + + "MvZbZ6x76qTrRAbg+UWkpTEXoH1xTc8ndibR7+HP6OTqCKvo1NhE8uP4pY+fWd6b\n" + + "6l+KLo3IKpfTbAIJXIO+M67FLtWKtttDao94B069skzKk6FPgW/OZh6PRCD0oxOa\n" + + "vV+ld2SjAgMBAAECggEAQK1+uAOZeaSZggW2jQut+MaN4JHLi61RH2cFgU3COLgo\n" + + "FIiNjFn8f2KKU3gpkt1It8PjlmprpYut4wHI7r6UQfuv7ZrmncRiPWHm9PB82+ZQ\n" + + "5MXYqj4YUxoQJ62Cyz4sM6BobZDrjG6HHGTzuwiKvHHkbsEE9jQ4E5m7yfbVvM0O\n" + + "zvwrSOM1tkZihKSTpR0j2+taji914tjBssbn12TMZQL5ItGnhR3luY8mEwT9MNkZ\n" + + "xg0VcREoAH+pu9FE0vPUgLVzhJ3be7qZTTSRqv08bmW+y1plu80GbppePcgYhEow\n" + + "dlW4l6XPJaHVSn1lSFHE6QAx6sqiAnBz0NoTPIaLyQKBgQDZqDOlhCRciMRicSXn\n" + + "7yid9rhEmdMkySJHTVFOidFWwlBcp0fGxxn8UNSBcXdSy7GLlUtH41W9PWl8tp9U\n" + + "hQiiXORxOJ7ZcB80uNKXF01hpPj2DpFPWyHFxpDkWiTAYpZl68rOlYujxZUjJIej\n" + + "VvcykBC2BlEOG9uZv2kxcqLyJwKBgQDEYULTxaTuLIa17wU3nAhaainKB3vHxw9B\n" + + "Ksy5p3ND43UNEKkQm7K/WENx0q47TA1mKD9i+BhaLod98mu0YZ+BCUNgWKcBHK8c\n" + + "uXpauvM/pLhFLXZ2jvEJVpFY3J79FSRK8bwE9RgKfVKMMgEk4zOyZowS8WScOqiy\n" + + "hnQn1vKTJQKBgElhYuAnl9a2qXcC7KOwRsJS3rcKIVxijzL4xzOyVShp5IwIPbOv\n" + + "hnxBiBOH/JGmaNpFYBcBdvORE9JfA4KMQ2fx53agfzWRjoPI1/7mdUk5RFI4gRb/\n" + + "A3jZRBoopgFSe6ArCbnyQxzYzToG48/Wzwp19ZxYrtUR4UyJct6f5n27AoGBAJDh\n" + + "KIpQQDOvCdtjcbfrF4aM2DPCfaGPzENJriwxy6oEPzDaX8Bu/dqI5Ykt43i/zQrX\n" + + "GpyLaHvv4+oZVTiI5UIvcVO9U8hQPyiz9f7F+fu0LHZs6f7hyhYXlbe3XFxeop3f\n" + + "5dTKdWgXuTTRF2L9dABkA2deS9mutRKwezWBMQk5AoGBALPtX0FrT1zIosibmlud\n" + + "tu49A/0KZu4PBjrFMYTSEWGNJez3Fb2VsJwylVl6HivwbP61FhlYfyksCzQQFU71\n" + + "+x7Nmybp7PmpEBECr3deoZKQ/acNHn0iwb0It+YqV5+TquQebqgwK6WCLsMuiYKT\n" + + "bg/ch9Rhxbq22yrVgWHh6epp\n" + + "-----END PRIVATE KEY-----" + ), + ROOT_CA( + "root-ca.pem", + "-----BEGIN CERTIFICATE-----\n" + + "MIIExjCCA66gAwIBAgIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcNAQEL\n" + + 
"BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt\n" + + "cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl\n" + + "IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v\n" + + "dCBDQTAeFw0yMzA4MjkwNDIwMDNaFw0yMzA5MjgwNDIwMDNaMIGPMRMwEQYKCZIm\n" + + "iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ\n" + + "RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290\n" + + "IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG\n" + + "SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEPyN7J9VGPyJcQmCBl5TGwfSzvVdWwoQU\n" + + "j9aEsdfFJ6pBCDQSsj8Lv4RqL0dZra7h7SpZLLX/YZcnjikrYC+rP5OwsI9xEE/4\n" + + "U98CsTBPhIMgqFK6SzNE5494BsAk4cL72dOOc8tX19oDS/PvBULbNkthQ0aAF1dg\n" + + "vbrHvu7hq7LisB5ZRGHVE1k/AbCs2PaaKkn2jCw/b+U0Ml9qPuuEgz2mAqJDGYoA\n" + + "WSR4YXrOcrmPuRqbws464YZbJW898/0Pn/U300ed+4YHiNYLLJp51AMkR4YEw969\n" + + "VRPbWIvLrd0PQBooC/eLrL6rvud/GpYhdQEUx8qcNCKd4bz3OaQ5AgMBAAGjggEW\n" + + "MIIBEjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQU\n" + + "F4ffoFrrZhKn1dD4uhJFPLcrAJwwgc8GA1UdIwSBxzCBxIAUF4ffoFrrZhKn1dD4\n" + + "uhJFPLcrAJyhgZWkgZIwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJ\n" + + "k/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYD\n" + + "VQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUg\n" + + "Q29tIEluYy4gUm9vdCBDQYIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcN\n" + + "AQELBQADggEBAIopqco/k9RSjouTeKP4z0EVUxdD4qnNh1GLSRqyAVe0aChyKF5f\n" + + "qt1Bd1XCY8D16RgekkKGHDpJhGCpel+vtIoXPBxUaGQNYxmJCf5OzLMODlcrZk5i\n" + + "jHIcv/FMeK02NBcz/WQ3mbWHVwXLhmwqa2zBsF4FmPCJAbFLchLhkAv1HJifHbnD\n" + + "jQzlKyl5jxam/wtjWxSm0iyso0z2TgyzY+MESqjEqB1hZkCFzD1xtUOCxbXgtKae\n" + + "dgfHVFuovr3fNLV3GvQk0s9okDwDUcqV7DSH61e5bUMfE84o3of8YA7+HUoPV5Du\n" + + "8sTOKRf7ncGXdDRA8aofW268pTCuIu3+g/Y=\n" + + "-----END CERTIFICATE-----" + ); + + private final String fileName; + private final String content; + + Certificates(String fileName, String content) { + this.fileName = fileName; + this.content = 
content; + } + + public String getFileName() { + return fileName; + } + + public String getContent() { + return content; + } +} diff --git a/src/main/java/org/opensearch/security/tools/democonfig/ExecutionEnvironment.java b/src/main/java/org/opensearch/security/tools/democonfig/ExecutionEnvironment.java new file mode 100644 index 0000000000..9f901c4487 --- /dev/null +++ b/src/main/java/org/opensearch/security/tools/democonfig/ExecutionEnvironment.java @@ -0,0 +1,9 @@ +package org.opensearch.security.tools.democonfig; + +/** + * The environment in which the demo config installation script is being executed + */ +public enum ExecutionEnvironment { + DEMO, // default value + TEST // to be used only for tests +} diff --git a/src/main/java/org/opensearch/security/tools/democonfig/Installer.java b/src/main/java/org/opensearch/security/tools/democonfig/Installer.java new file mode 100644 index 0000000000..0b166ad580 --- /dev/null +++ b/src/main/java/org/opensearch/security/tools/democonfig/Installer.java 
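Review bot: The validity field in the `ROOT_CA` PEM appears to decode to notBefore 2023-08-29 and notAfter 2023-09-28, a 30-day window, while `ADMIN_CERT` and `NODE_CERT` both decode to an end date of 2033-08-26. Once the root has expired, chain validation against `root-ca.pem` can be expected to fail even though the leaf certificates are still in date, so the root should be reissued with a lifetime at least as long as the leaves. The enum also ships the private keys for the super-admin and node certificates in public source, and its Javadoc should say so, for example `Demo certificates and keys. The private keys are public, so a cluster that keeps them has no transport or admin-certificate security.` This file and `ExecutionEnvironment.java` are the only new Java files in the commit without the SPDX header.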
@@ -0,0 +1,366 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.tools.democonfig;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.attribute.PosixFilePermission;
+import java.util.HashSet;
+import java.util.Scanner;
+import java.util.Set;
+
+/**
+ * This class installs demo configuration for security plugin
+ */
+public class Installer {
+
+ static boolean assumeyes = false;
+ static boolean initsecurity = false;
+ static boolean cluster_mode = false;
+ static int skip_updates = -1;
+ static String SCRIPT_DIR;
+ static String BASE_DIR;
+ static String OPENSEARCH_CONF_FILE;
+ static String OPENSEARCH_BIN_DIR;
+ static String OPENSEARCH_PLUGINS_DIR;
+ static String OPENSEARCH_LIB_PATH;
+ static String OPENSEARCH_INSTALL_TYPE;
+ static String OPENSEARCH_CONF_DIR;
+ static String OPENSEARCH_VERSION;
+ static String SECURITY_VERSION;
+
+ static ExecutionEnvironment environment = ExecutionEnvironment.DEMO;
+
+ static final String OS = System.getProperty("os.name") + " " + System.getProperty("os.version") + " " + System.getProperty("os.arch");
+
+ static final String FILE_EXTENSION = OS.toLowerCase().contains("win") ?
".bat" : ".sh"; + + static final String SYSTEM_INDICES = ".plugins-ml-config, .plugins-ml-connector, .plugins-ml-model-group, .plugins-ml-model, " + + ".plugins-ml-task, .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .opendistro-alerting-config, .opendistro-alerting-alert*, " + + ".opendistro-anomaly-results*, .opendistro-anomaly-detector*, .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, " + + ".opendistro-reports-*, .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources, " + + ".opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models, .geospatial-ip2geo-data*"; + + static SecuritySettingsConfigurer securitySettingsConfigurer; + static CertificateGenerator certificateGenerator; + + public static void main(String[] options) { + securitySettingsConfigurer = new SecuritySettingsConfigurer(); + certificateGenerator = new CertificateGenerator(); + + printScriptHeaders(); + readOptions(options); + gatherUserInputs(); + initializeVariables(); + printVariables(); + securitySettingsConfigurer.configureSecuritySettings(); + certificateGenerator.createDemoCertificates(); + finishScriptExecution(); + } + + /** + * Prints headers that indicate the start of script execution + */ + static void printScriptHeaders() { + System.out.println("### OpenSearch Security Demo Installer"); + System.out.println("### ** Warning: Do not use on production or public reachable systems **"); + } + + /** + * Reads the options passed to the script + * @param options an array of strings containing options passed to the script + */ + static void readOptions(String[] options) { + // set script execution dir + SCRIPT_DIR = options[0]; + + for (int i = 1; i < options.length; i++) { + switch (options[i]) { + case "-y": + assumeyes = true; + break; + case "-i": + initsecurity = true; + break; + case "-c": + cluster_mode = true; + break; + case "-s": + skip_updates = 0; + break; + case 
"-t": + environment = ExecutionEnvironment.TEST; + break; + case "-h": + case "-?": + showHelp(); + return; + default: + System.out.println("Invalid option: " + options[i]); + } + } + } + + /** + * Prints the help menu when -h option is passed + */ + static void showHelp() { + System.out.println("install_demo_configuration.sh [-y] [-i] [-c]"); + System.out.println(" -h show help"); + System.out.println(" -y confirm all installation dialogues automatically"); + System.out.println(" -i initialize Security plugin with default configuration (default is to ask if -y is not given)"); + System.out.println(" -c enable cluster mode by binding to all network interfaces (default is to ask if -y is not given)"); + System.out.println(" -s skip updates if config is already applied to opensearch.yml"); + System.out.println( + " -t set the execution environment to `test` to skip password validation. Should be used only for testing. (default is set to `demo`)" + ); + System.exit(0); + } + + /** + * Prompt the user and collect user inputs + * Input collection will be skipped if -y option was passed + */ + static void gatherUserInputs() { + if (!assumeyes) { + try (Scanner scanner = new Scanner(System.in, StandardCharsets.UTF_8)) { + + if (!confirmAction(scanner, "Install demo certificates?")) { + System.exit(0); + } + + if (!initsecurity) { + initsecurity = confirmAction(scanner, "Initialize Security Modules?"); + } + + if (!cluster_mode) { + System.out.println("Cluster mode requires additional setup of:"); + System.out.println(" - Virtual memory (vm.max_map_count)\n"); + cluster_mode = confirmAction(scanner, "Enable cluster mode?"); + } + } + } else { + initsecurity = true; + cluster_mode = true; + } + } + + /** + * Helper method to scan user inputs. 
+ * @param scanner object to be used for scanning user input
+ * @param message prompt question
+ * @return true or false based on user input
+ */
+ static boolean confirmAction(Scanner scanner, String message) {
+ System.out.print(message + " [y/N] ");
+ String response = scanner.nextLine();
+ return response.equalsIgnoreCase("yes") || response.equalsIgnoreCase("y");
+ }
+
+ /**
+ * Initialize all class level variables required
+ */
+ static void initializeVariables() {
+ setBaseDir();
+ setOpenSearchVariables();
+ setSecurityVariables();
+ }
+
+ /**
+ * Sets the base directory to be used by the script
+ */
+ static void setBaseDir() {
+ File baseDirFile = new File(SCRIPT_DIR).getParentFile().getParentFile().getParentFile();
+ BASE_DIR = baseDirFile != null ? baseDirFile.getAbsolutePath() : null;
+
+ if (BASE_DIR == null || !new File(BASE_DIR).isDirectory()) {
+ System.out.println("DEBUG: basedir does not exist");
+ System.exit(-1);
+ }
+
+ BASE_DIR += File.separator;
+ }
+
+ /**
+ * Sets the variables for items at OpenSearch level
+ */
+ static void setOpenSearchVariables() {
+ OPENSEARCH_CONF_FILE = BASE_DIR + "config" + File.separator + "opensearch.yml";
+ OPENSEARCH_BIN_DIR = BASE_DIR + "bin" + File.separator;
+ OPENSEARCH_PLUGINS_DIR = BASE_DIR + "plugins" + File.separator;
+ OPENSEARCH_LIB_PATH = BASE_DIR + "lib" + File.separator;
+ OPENSEARCH_INSTALL_TYPE = determineInstallType();
+
+ if (!(new File(OPENSEARCH_CONF_FILE).exists())) {
+ System.out.println("Unable to determine OpenSearch config directory. Quit.");
+ System.exit(-1);
+ }
+
+ if (!(new File(OPENSEARCH_BIN_DIR).exists())) {
+ System.out.println("Unable to determine OpenSearch bin directory. Quit.");
+ System.exit(-1);
+ }
+
+ if (!(new File(OPENSEARCH_PLUGINS_DIR).exists())) {
+ System.out.println("Unable to determine OpenSearch plugins directory. Quit.");
+ System.exit(-1);
+ }
+
+ if (!(new File(OPENSEARCH_LIB_PATH).exists())) {
+ System.out.println("Unable to determine OpenSearch lib directory. Quit.");
+ System.exit(-1);
+ }
+
+ OPENSEARCH_CONF_DIR = new File(OPENSEARCH_CONF_FILE).getParent();
+ OPENSEARCH_CONF_DIR = new File(OPENSEARCH_CONF_DIR).getAbsolutePath() + File.separator;
+ }
+
+ /**
+ * Returns the installation type based on the underlying operating system
+ * @return will be one of `.zip`, `.tar.gz` or `rpm/deb`
+ */
+ static String determineInstallType() {
+ // windows (.bat execution)
+ if (OS.toLowerCase().contains("win")) {
+ return ".zip";
+ }
+
+ // other OS (.sh execution)
+ if (new File("/usr/share/opensearch").equals(new File(BASE_DIR))) {
+ OPENSEARCH_CONF_FILE = "/usr/share/opensearch/config/opensearch.yml";
+ if (!new File(OPENSEARCH_CONF_FILE).exists()) {
+ OPENSEARCH_CONF_FILE = "/etc/opensearch/opensearch.yml";
+ }
+ return "rpm/deb";
+ }
+ return ".tar.gz";
+ }
+
+ /**
+ * Sets the path variables for items at OpenSearch security plugin level
+ */
+ static void setSecurityVariables() {
+ if (!(new File(OPENSEARCH_PLUGINS_DIR + "opensearch-security").exists())) {
+ System.out.println("OpenSearch Security plugin not installed. Quit.");
+ System.exit(-1);
+ }
+
+ // Extract OpenSearch version and Security version
+ File[] opensearchLibFiles = new File(OPENSEARCH_LIB_PATH).listFiles(
+ pathname -> pathname.getName().startsWith("opensearch-") && pathname.getName().endsWith(".jar")
+ );
+
+ if (opensearchLibFiles != null && opensearchLibFiles.length > 0) {
+ OPENSEARCH_VERSION = opensearchLibFiles[0].getName().replaceAll("opensearch-(.*).jar", "$1");
+ }
+
+ File[] securityFiles = new File(OPENSEARCH_PLUGINS_DIR + "opensearch-security").listFiles(
+ pathname -> pathname.getName().startsWith("opensearch-security-") && pathname.getName().endsWith(".jar")
+ );
+
+ if (securityFiles != null && securityFiles.length > 0) {
+ SECURITY_VERSION = securityFiles[0].getName().replaceAll("opensearch-security-(.*).jar", "$1");
+ }
+ }
+
+ /**
+ * Prints the initialized variables
+ */
+ static void printVariables() {
+ System.out.println("OpenSearch install type: " + OPENSEARCH_INSTALL_TYPE + " on " + OS);
+ System.out.println("OpenSearch config dir: " + OPENSEARCH_CONF_DIR);
+ System.out.println("OpenSearch config file: " + OPENSEARCH_CONF_FILE);
+ System.out.println("OpenSearch bin dir: " + OPENSEARCH_BIN_DIR);
+ System.out.println("OpenSearch plugins dir: " + OPENSEARCH_PLUGINS_DIR);
+ System.out.println("OpenSearch lib dir: " + OPENSEARCH_LIB_PATH);
+ System.out.println("Detected OpenSearch Version: " + OPENSEARCH_VERSION);
+ System.out.println("Detected OpenSearch Security Version: " + SECURITY_VERSION);
+ }
+
+ /**
+ * Prints end of script execution message and creates security admin demo file.
+ */ + static void finishScriptExecution() { + System.out.println("### Success"); + System.out.println("### Execute this script now on all your nodes and then start all nodes"); + + try { + String securityAdminScriptPath = OPENSEARCH_PLUGINS_DIR + + "opensearch-security" + + File.separator + + "tools" + + File.separator + + "securityadmin" + + FILE_EXTENSION; + String securityAdminDemoScriptPath = OPENSEARCH_CONF_DIR + "securityadmin_demo" + FILE_EXTENSION; + + securitySettingsConfigurer.createSecurityAdminDemoScript(securityAdminScriptPath, securityAdminDemoScriptPath); + + // Make securityadmin_demo script executable + // not needed for windows + if (!OS.toLowerCase().contains("win")) { + Path file = Paths.get(securityAdminDemoScriptPath); + Set perms = new HashSet<>(); + // Add the execute permission for owner, group, and others + perms.add(PosixFilePermission.OWNER_READ); + perms.add(PosixFilePermission.OWNER_EXECUTE); + perms.add(PosixFilePermission.GROUP_EXECUTE); + perms.add(PosixFilePermission.OTHERS_EXECUTE); + Files.setPosixFilePermissions(file, perms); + } + + // Read the last line of the security-admin script + String lastLine = ""; + try (BufferedReader reader = new BufferedReader(new FileReader(securityAdminDemoScriptPath, StandardCharsets.UTF_8))) { + String currentLine; + while ((currentLine = reader.readLine()) != null) { + lastLine = currentLine; + } + } + + if (!initsecurity) { + System.out.println("### After the whole cluster is up execute: "); + System.out.println(lastLine); + System.out.println("### or run ." + File.separator + "securityadmin_demo" + FILE_EXTENSION); + System.out.println("### After that you can also use the Security Plugin ConfigurationGUI"); + } else { + System.out.println("### OpenSearch Security will be automatically initialized."); + System.out.println("### If you like to change the runtime configuration "); + System.out.println( + "### change the files in .." + + File.separator + + ".." + + File.separator + + ".." 
+ + File.separator + + "config" + + File.separator + + "opensearch-security and execute: " + ); + System.out.println(lastLine); + System.out.println("### or run ." + File.separator + "securityadmin_demo" + FILE_EXTENSION); + System.out.println("### To use the Security Plugin ConfigurationGUI"); + } + + System.out.println("### To access your secured cluster open https://: and log in with admin/admin."); + System.out.println("### (Ignore the SSL certificate warning because we installed self-signed demo certificates)"); + + } catch (Exception e) { + System.out.println(e.getMessage()); + } + } +} diff --git a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java new file mode 100644 index 0000000000..1e318c38b9 --- /dev/null +++ b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java 
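Review bot: `readOptions` reads `options[0]` without checking the array length, and `setBaseDir` chains three `getParentFile()` calls where only the last result is null-checked, so a missing or shallow script directory ends in an `ArrayIndexOutOfBoundsException` or `NullPointerException` instead of the tool's own error message. A guard such as `if (options.length == 0) { System.out.println("Missing script directory argument"); System.exit(-1); }` at the top of `readOptions` covers the first case, and `setBaseDir` should null-check each parent before dereferencing it. In `finishScriptExecution` the closing message still tells the user to log in with `admin/admin`, although `SecuritySettingsConfigurer.updateAdminPassword` is documented as replacing that password with a custom or generated one, so the hint should refer to the configured password instead. The `catch (Exception e)` in the same method prints only the message to stdout after `### Success` has already been shown and the process still exits 0; that failure should go to `System.err` and end with a non-zero exit code.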
@@ -0,0 +1,319 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.tools.democonfig;
+
+import java.io.BufferedReader;
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileReader;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+import org.opensearch.common.settings.Settings;
+import org.opensearch.security.dlic.rest.validation.PasswordValidator;
+import org.opensearch.security.dlic.rest.validation.RequestContentValidator;
+import org.opensearch.security.tools.Hasher;
+
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_PASSWORD_MIN_LENGTH;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX;
+import static org.opensearch.security.user.UserService.generatePassword;
+
+/**
+ * This class updates the security related configuration, as needed.
+ */
+public class SecuritySettingsConfigurer extends Installer {
+
+ /**
+ * Configures security related changes to the opensearch configuration
+ * 1. Checks if plugins is already configuration. If yes, exit
+ * 2. Sets the custom admin password (Generates one if none is provided)
+ * 3.
Write the security config to opensearch.yml + */ + public void configureSecuritySettings() { + checkIfSecurityPluginIsAlreadyConfigured(); + updateAdminPassword(); + writeSecurityConfigToOpenSearchYML(); + } + + /** + * Replaces the admin password in internal_users.yml with the custom or generated password + */ + static void updateAdminPassword() { + String ADMIN_PASSWORD = ""; + String initialAdminPassword = System.getenv("initialAdminPassword"); + String ADMIN_PASSWORD_FILE_PATH = OPENSEARCH_CONF_DIR + "initialAdminPassword.txt"; + String INTERNAL_USERS_FILE_PATH = OPENSEARCH_CONF_DIR + "opensearch-security" + File.separator + "internal_users.yml"; + boolean shouldValidatePassword = environment.equals(ExecutionEnvironment.DEMO); + try { + final PasswordValidator passwordValidator = PasswordValidator.of( + Settings.builder() + .put(SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, "(?=.*[A-Z])(?=.*[^a-zA-Z\\\\d])(?=.*[0-9])(?=.*[a-z]).{8,}") + .put(SECURITY_RESTAPI_PASSWORD_MIN_LENGTH, 8) + .build() + ); + + // Read custom password + if (initialAdminPassword != null && !initialAdminPassword.isEmpty()) { + ADMIN_PASSWORD = initialAdminPassword; + } else { + File adminPasswordFile = new File(ADMIN_PASSWORD_FILE_PATH); + if (adminPasswordFile.exists() && adminPasswordFile.length() > 0) { + try (BufferedReader br = new BufferedReader(new FileReader(ADMIN_PASSWORD_FILE_PATH, StandardCharsets.UTF_8))) { + ADMIN_PASSWORD = br.readLine(); + } catch (IOException e) { + System.out.println("Error reading admin password from initialAdminPassword.txt."); + System.exit(-1); + } + } + } + + // If script execution environment is set to demo, validate custom password, else if set to test, skip validation + if (shouldValidatePassword + && !ADMIN_PASSWORD.isEmpty() + && passwordValidator.validate("admin", ADMIN_PASSWORD) != RequestContentValidator.ValidationError.NONE) { + System.out.println("Password " + ADMIN_PASSWORD + " is weak. 
Please re-try with a stronger password."); + System.exit(-1); + } + + // if ADMIN_PASSWORD is still an empty string, it implies no custom password was provided. We proceed with generating a new one. + if (ADMIN_PASSWORD.isEmpty()) { + System.out.println("No custom admin password found. Generating a new password now."); + // generate a new random password + // We always validate a generated password + while (passwordValidator.validate("admin", ADMIN_PASSWORD) != RequestContentValidator.ValidationError.NONE) { + ADMIN_PASSWORD = generatePassword(); + } + } + + // print the password to the logs + System.out.println("\t***************************************************"); + System.out.println("\t\tADMIN PASSWORD SET TO: " + ADMIN_PASSWORD); + System.out.println("\t***************************************************"); + + writePasswordToInternalUsersFile(ADMIN_PASSWORD, INTERNAL_USERS_FILE_PATH); + + } catch (IOException e) { + System.out.println("Exception: " + e.getMessage()); + System.exit(-1); + } + } + + /** + * Generate password hash and update it in the internal_users.yml file + * @param adminPassword the password to be hashed and updated + * @param internalUsersFile the file path string to internal_users.yml file + * @throws IOException while reading, writing to files + */ + static void writePasswordToInternalUsersFile(String adminPassword, String internalUsersFile) throws IOException { + String hashedAdminPassword = Hasher.hash(adminPassword.toCharArray()); + + if (hashedAdminPassword.isEmpty()) { + System.out.println("Hash the admin password failure, see console for details"); + System.exit(-1); + } + + Path tempFilePath = Paths.get(internalUsersFile + ".tmp"); + Path internalUsersPath = Paths.get(internalUsersFile); + + try ( + BufferedReader reader = new BufferedReader(new FileReader(internalUsersFile, StandardCharsets.UTF_8)); + BufferedWriter writer = new BufferedWriter(new FileWriter(tempFilePath.toFile(), StandardCharsets.UTF_8)) + ) { + String line; + 
while ((line = reader.readLine()) != null) { + if (line.matches(" *hash: *\"\\$2a\\$12\\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"")) { + line = line.replace( + "\"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"", + "\"" + hashedAdminPassword + "\"" + ); + } + writer.write(line + System.lineSeparator()); + } + } catch (IOException e) { + throw new IOException("Unable to update the internal users file with the hashed password."); + } + Files.move(tempFilePath, internalUsersPath, java.nio.file.StandardCopyOption.REPLACE_EXISTING); + } + + /** + * Checks if security plugin is already configured. If so, the script execution will not continue. + */ + static void checkIfSecurityPluginIsAlreadyConfigured() { + // Check if the configuration file contains the 'plugins.security' string + if (OPENSEARCH_CONF_FILE != null && new File(OPENSEARCH_CONF_FILE).exists()) { + try (BufferedReader br = new BufferedReader(new FileReader(OPENSEARCH_CONF_FILE, StandardCharsets.UTF_8))) { + String line; + while ((line = br.readLine()) != null) { + if (line.toLowerCase().contains("plugins.security")) { + System.out.println(OPENSEARCH_CONF_FILE + " seems to be already configured for Security. Quit."); + System.exit(skip_updates); + } + } + } catch (IOException e) { + System.err.println("Error reading configuration file."); + System.exit(-1); + } + } else { + System.err.println("OpenSearch configuration file does not exist. 
Quit."); + System.exit(-1); + } + } + + /** + * Update opensearch.yml with security configuration information + */ + static void writeSecurityConfigToOpenSearchYML() { + String securityConfig = buildSecurityConfigString(); + + try (FileWriter writer = new FileWriter(OPENSEARCH_CONF_FILE, StandardCharsets.UTF_8, true)) { + writer.write(securityConfig); + } catch (IOException e) { + System.err.println("Exception writing security configuration to opensearch.yml."); + System.exit(-1); + } + } + + /** + * Helper method to build security configuration to append to opensearch.yml + * @return the configuration string to be written to opensearch.yml + */ + static String buildSecurityConfigString() { + StringBuilder securityConfigLines = new StringBuilder(); + + securityConfigLines.append("\n") + .append("######## Start OpenSearch Security Demo Configuration ########\n") + .append("# WARNING: revise all the lines below before you go into production\n") + .append("plugins.security.ssl.transport.pemcert_filepath: esnode.pem\n") + .append("plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem\n") + .append("plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem\n") + .append("plugins.security.ssl.transport.enforce_hostname_verification: false\n") + .append("plugins.security.ssl.http.enabled: true\n") + .append("plugins.security.ssl.http.pemcert_filepath: esnode.pem\n") + .append("plugins.security.ssl.http.pemkey_filepath: esnode-key.pem\n") + .append("plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem\n") + .append("plugins.security.allow_unsafe_democertificates: true\n"); + + if (initsecurity) { + securityConfigLines.append("plugins.security.allow_default_init_securityindex: true\n"); + } + + securityConfigLines.append("plugins.security.authcz.admin_dn:\n - CN=kirk,OU=client,O=client,L=test, C=de\n\n"); + + securityConfigLines.append("plugins.security.system_indices.enabled: true\n" + "plugins.security.system_indices.indices: [") + 
.append(SYSTEM_INDICES) + .append("]\n"); + + if (!isNetworkHostAlreadyPresent(OPENSEARCH_CONF_FILE)) { + if (cluster_mode) { + securityConfigLines.append("network.host: 0.0.0.0\n"); + securityConfigLines.append("node.name: smoketestnode\n"); + securityConfigLines.append("cluster.initial_cluster_manager_nodes: smoketestnode\n"); + } + } + + if (!isNodeMaxLocalStorageNodesAlreadyPresent(OPENSEARCH_CONF_FILE)) { + securityConfigLines.append("node.max_local_storage_nodes: 3\n"); + } + + securityConfigLines.append("######## End OpenSearch Security Demo Configuration ########\n"); + + return securityConfigLines.toString(); + } + + /** + * Helper method to check if network.host config is present + * @param filePath path to opensearch.yml + * @return true is present, false otherwise + */ + static boolean isNetworkHostAlreadyPresent(String filePath) { + try { + String searchString = "^network.host"; + return isStringAlreadyPresentInFile(filePath, searchString); + } catch (IOException e) { + return false; + } + } + + /** + * Helper method to check if node.max_local_storage_nodes config is present + * @param filePath path to opensearch.yml + * @return true if present, false otherwise + */ + static boolean isNodeMaxLocalStorageNodesAlreadyPresent(String filePath) { + try { + String searchString = "^node.max_local_storage_nodes"; + return isStringAlreadyPresentInFile(filePath, searchString); + } catch (IOException e) { + return false; + } + } + + /** + * Checks if given string is already present in the file + * @param filePath path to file in which given string should be searched + * @param searchString the string to be searched for + * @return true if string is present, false otherwise + * @throws IOException if there was exception reading the file + */ + static boolean isStringAlreadyPresentInFile(String filePath, String searchString) throws IOException { + try (BufferedReader reader = new BufferedReader(new FileReader(filePath, StandardCharsets.UTF_8))) { + String line; + 
while ((line = reader.readLine()) != null) { + if (line.matches(searchString)) { + return true; + } + } + } + return false; + } + + /** + * Helper method to create security_admin_demo.(sh|bat) + * @param securityAdminScriptPath path to original script + * @param securityAdminDemoScriptPath path to security admin demo script + * @throws IOException if there was error reading/writing the file + */ + void createSecurityAdminDemoScript(String securityAdminScriptPath, String securityAdminDemoScriptPath) throws IOException { + String[] securityAdminCommands; + + String securityAdminExecutionPath = securityAdminScriptPath + + "\" -cd \"" + + OPENSEARCH_CONF_DIR + + "opensearch-security\" -icl -key \"" + + OPENSEARCH_CONF_DIR + + Certificates.ADMIN_CERT_KEY.getFileName() + + "\" -cert \"" + + OPENSEARCH_CONF_DIR + + Certificates.ADMIN_CERT.getFileName() + + "\" -cacert \"" + + OPENSEARCH_CONF_DIR + + Certificates.ROOT_CA.getFileName() + + "\" -nhnv"; + + if (OS.toLowerCase().contains("win")) { + securityAdminCommands = new String[] { "@echo off", "call \"" + securityAdminExecutionPath }; + } else { + securityAdminCommands = new String[] { "#!/bin/bash", "sudo" + " \"" + securityAdminExecutionPath }; + } + + // Write securityadmin_demo script + FileWriter writer = new FileWriter(securityAdminDemoScriptPath, StandardCharsets.UTF_8); + for (String command : securityAdminCommands) { + writer.write(command + "\n"); + } + writer.close(); + } +} diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index d9d30fea2b..5767166b26 100755 --- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat 
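Review bot: In `updateAdminPassword` the validation pattern is over-escaped: the Java literal `[^a-zA-Z\\\\d]` compiles to a character class that excludes letters, a backslash and the letter `d`, but not digits, so a digit alone satisfies what is presumably meant to be the special-character requirement. A constructed value such as `Abcdefg1` would then pass this pattern (whatever else `PasswordValidator` checks is not visible here); the literal should read `"(?=.*[A-Z])(?=.*[^a-zA-Z\\d])(?=.*[0-9])(?=.*[a-z]).{8,}"`. Separately, `isStringAlreadyPresentInFile` calls `line.matches(searchString)`, which has to match the entire line, so `^network.host` and `^node.max_local_storage_nodes` never match a line like `network.host: 0.0.0.0` and both presence checks always return false. That makes `buildSecurityConfigString` append those keys even when opensearch.yml already sets them; `Pattern.compile(searchString).matcher(line).find()` would restore the prefix match that the removed `findstr /b` performed.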
@@ -1,414 +1,14 @@ @echo off -setlocal enableDelayedExpansion -set "SCRIPT_DIR=%~dp0" +set DIR=%~dp0 -echo ************************************************************************** -echo ** This tool will be deprecated in the next major release of OpenSearch ** -echo ** https://github.com/opensearch-project/security/issues/1755 ** -echo ************************************************************************** - -echo. -echo OpenSearch Security Demo Installer -echo ** Warning: Do not use on production or public reachable systems ** - -echo. - -set "assumeyes=0" -set "initsecurity=0" -set "cluster_mode=0" -set "skip_updates=-1" - -goto :GETOPTS - -:show_help -echo install_demo_configuration.bat [-y] [-i] [-c] -echo -h show help -echo -y confirm all installation dialogues automatically -echo -i initialize Security plugin with default configuration (default is to ask if -y is not given) -echo -c enable cluster mode by binding to all network interfaces (default is to ask if -y is not given) -echo -s skip updates if config is already applied to opensearch.yml -EXIT /B 0 - -:GETOPTS -if /I "%1" == "-h" call :show_help & exit /b 0 -if /I "%1" == "-y" set "assumeyes=1" -if /I "%1" == "-i" set "initsecurity=1" -if /I "%1" == "-c" set "cluster_mode=1" -if /I "%1" == "-s" set "skip_updates=0" -shift -if not "%1" == "" goto :GETOPTS - -if "%1" == "--" shift - -if %assumeyes% == 0 ( - set /p "response=Install demo certificates? [y/N] " - if /I "!response!" neq "Y" exit /b 0 -) - -if %initsecurity% == 0 ( - if %assumeyes% == 0 ( - set /p "response=Initialize Security Modules? [y/N] " - if /I "!response!" == "Y" (set "initsecurity=1") ELSE (set "initsecurity=0") - ) -) - -if %cluster_mode% == 0 ( - if %assumeyes% == 0 ( - echo Cluster mode requires maybe additional setup of: - echo - Virtual memory [vm.max_map_count] - echo. - set /p "response=Enable cluster mode? [y/N] " - if /I "!response!" 
== "Y" (set "cluster_mode=1") ELSE (set "cluster_mode=0") - ) -) - -set BASE_DIR=%SCRIPT_DIR%\..\..\..\ -if not exist %BASE_DIR% ( - echo "basedir does not exist" - exit /b 1 -) - -set "CUR=%cd%" -cd %BASE_DIR% -set "BASE_DIR=%cd%\" -cd %CUR% -echo Basedir: %BASE_DIR% - -set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml" -set "INTERNAL_USERS_FILE"=%BASE_DIR%config\opensearch-security\internal_users.yml" -set "OPENSEARCH_CONF_DIR=%BASE_DIR%config\" -set "OPENSEARCH_BIN_DIR=%BASE_DIR%bin\" -set "OPENSEARCH_PLUGINS_DIR=%BASE_DIR%plugins\" -set "OPENSEARCH_MODULES_DIR=%BASE_DIR%modules\" -set "OPENSEARCH_LIB_PATH=%BASE_DIR%lib\" -set "OPENSEARCH_INSTALL_TYPE=.zip" - -if not exist %OPENSEARCH_CONF_FILE% ( - echo Unable to determine OpenSearch config file. Quit. - exit /b 1 -) - -if not exist %OPENSEARCH_BIN_DIR% ( - echo Unable to determine OpenSearch bin directory. Quit. - exit /b 1 -) - -if not exist %OPENSEARCH_PLUGINS_DIR% ( - echo Unable to determine OpenSearch plugins directory. Quit. - exit /b 1 -) - -if not exist %OPENSEARCH_MODULES_DIR% ( - echo Unable to determine OpenSearch modules directory. Quit. - exit /b 1 -) - -if not exist %OPENSEARCH_LIB_PATH% ( - echo Unable to determine OpenSearch lib directory. Quit. - exit /b 1 -) - -if not exist %OPENSEARCH_PLUGINS_DIR%\opensearch-security\ ( - echo OpenSearch Security plugin not installed. Quit. - exit /b 1 -) - -set "OPENSEARCH_VERSION=" -for %%F in ("%OPENSEARCH_LIB_PATH%opensearch-*.jar") do set "OPENSEARCH_VERSION=%%~nxF" & goto :opensearch_version -:opensearch_version -set "OPENSEARCH_JAR_VERSION=" -for /f "tokens=2 delims=[-]" %%a in ("%OPENSEARCH_VERSION%") do set "OPENSEARCH_JAR_VERSION=%%a" - -set "SECURITY_VERSION=" -for %%F in ("%OPENSEARCH_PLUGINS_DIR%\opensearch-security\opensearch-security-*.jar") do set "SECURITY_VERSION=%%~nxF" -set "SECURITY_JAR_VERSION=" -for /f "tokens=3 delims=[-]" %%a in ("%SECURITY_VERSION%") do set "SECURITY_JAR_VERSION=%%a" - -for /f "tokens=4-7 delims=[.] 
" %%i in ('ver') do (if %%i==Version (set "OS=%%j.%%k") else (set v="%%i.%%j")) -echo OpenSearch install type: %OPENSEARCH_INSTALL_TYPE% on %OS% -echo OpenSearch config dir: %OPENSEARCH_CONF_DIR% -echo OpenSearch config file: %OPENSEARCH_CONF_FILE% -echo OpenSearch bin dir: %OPENSEARCH_BIN_DIR% -echo OpenSearch plugins dir: %OPENSEARCH_PLUGINS_DIR% -echo OpenSearch lib dir: %OPENSEARCH_LIB_PATH% -echo Detected OpenSearch Version: %OPENSEARCH_JAR_VERSION% -echo Detected OpenSearch Security Version: %SECURITY_JAR_VERSION% - ->nul findstr /c:"plugins.security" "%OPENSEARCH_CONF_FILE%" && ( - echo %OPENSEARCH_CONF_FILE% seems to be already configured for Security. Quit. - exit /b %skip_updates% -) - -set LF=^ - - -:: two empty line required after LF -set ADMIN_CERT=-----BEGIN CERTIFICATE-----!LF!^ -MIIEmDCCA4CgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iYwDQYJKoZIhvcNAQEL!LF!^ -BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt!LF!^ -cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl!LF!^ -IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v!LF!^ -dCBDQTAeFw0yMzA4MjkyMDA2MzdaFw0zMzA4MjYyMDA2MzdaME0xCzAJBgNVBAYT!LF!^ -AmRlMQ0wCwYDVQQHDAR0ZXN0MQ8wDQYDVQQKDAZjbGllbnQxDzANBgNVBAsMBmNs!LF!^ -aWVudDENMAsGA1UEAwwEa2lyazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC!LF!^ -ggEBAJVcOAQlCiuB9emCljROAXnlsPbG7PE3kNz2sN+BbGuw686Wgyl3uToVHvVs!LF!^ -paMmLUqm1KYz9wMSWTIBZgpJ9hYaIbGxD4RBb7qTAJ8Q4ddCV2f7T4lxao/6ixI+!LF!^ -O0l/BG9E3mRGo/r0w+jtTQ3aR2p6eoxaOYbVyEMYtFI4QZTkcgGIPGxm05y8xonx!LF!^ -vV5pbSW9L7qAVDzQC8EYGQMMI4ccu0NcHKWtmTYJA/wDPE2JwhngHwbcIbc4cDz6!LF!^ -cG0S3FmgiKGuuSqUy35v/k3y7zMHQSdx7DSR2tzhH/bBL/9qGvpT71KKrxPtaxS0!LF!^ -bAqPcEkKWDo7IMlGGW7LaAWfGg8CAwEAAaOCASswggEnMAwGA1UdEwEB/wQCMAAw!LF!^ -DgYDVR0PAQH/BAQDAgXgMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMIHPBgNVHSME!LF!^ -gccwgcSAFBeH36Ba62YSp9XQ+LoSRTy3KwCcoYGVpIGSMIGPMRMwEQYKCZImiZPy!LF!^ -LGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhh!LF!^ 
-bXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENB!LF!^ -MSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCFHfkrz782p+T9k0G!LF!^ -xGeM4+BrehWKMB0GA1UdDgQWBBSjMS8tgguX/V7KSGLoGg7K6XMzIDANBgkqhkiG!LF!^ -9w0BAQsFAAOCAQEANMwD1JYlwAh82yG1gU3WSdh/tb6gqaSzZK7R6I0L7slaXN9m!LF!^ -y2ErUljpTyaHrdiBFmPhU/2Kj2r+fIUXtXdDXzizx/JdmueT0nG9hOixLqzfoC9p!LF!^ -fAhZxM62RgtyZoaczQN82k1/geMSwRpEndFe3OH7arkS/HSbIFxQhAIy229eWe5d!LF!^ -1bUzP59iu7f3r567I4ob8Vy7PP+Ov35p7Vv4oDHHwgsdRzX6pvL6mmwVrQ3BfVec!LF!^ -h9Dqprr+ukYmjho76g6k5cQuRaB6MxqldzUg+2E7IHQP8MCF+co51uZq2nl33mtp!LF!^ -RGr6JbdHXc96zsLTL3saJQ8AWEfu1gbTVrwyRA==!LF!^ ------END CERTIFICATE-----!LF! - - -set ADMIN_CERT_KEY=-----BEGIN PRIVATE KEY-----!LF!^ -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCVXDgEJQorgfXp!LF!^ -gpY0TgF55bD2xuzxN5Dc9rDfgWxrsOvOloMpd7k6FR71bKWjJi1KptSmM/cDElky!LF!^ -AWYKSfYWGiGxsQ+EQW+6kwCfEOHXQldn+0+JcWqP+osSPjtJfwRvRN5kRqP69MPo!LF!^ -7U0N2kdqenqMWjmG1chDGLRSOEGU5HIBiDxsZtOcvMaJ8b1eaW0lvS+6gFQ80AvB!LF!^ -GBkDDCOHHLtDXBylrZk2CQP8AzxNicIZ4B8G3CG3OHA8+nBtEtxZoIihrrkqlMt+!LF!^ -b/5N8u8zB0Encew0kdrc4R/2wS//ahr6U+9Siq8T7WsUtGwKj3BJClg6OyDJRhlu!LF!^ -y2gFnxoPAgMBAAECggEAP5TOycDkx+megAWVoHV2fmgvgZXkBrlzQwUG/VZQi7V4!LF!^ -ZGzBMBVltdqI38wc5MtbK3TCgHANnnKgor9iq02Z4wXDwytPIiti/ycV9CDRKvv0!LF!^ -TnD2hllQFjN/IUh5n4thHWbRTxmdM7cfcNgX3aZGkYbLBVVhOMtn4VwyYu/Mxy8j!LF!^ -xClZT2xKOHkxqwmWPmdDTbAeZIbSv7RkIGfrKuQyUGUaWhrPslvYzFkYZ0umaDgQ!LF!^ -OAthZew5Bz3OfUGOMPLH61SVPuJZh9zN1hTWOvT65WFWfsPd2yStI+WD/5PU1Doo!LF!^ -1RyeHJO7s3ug8JPbtNJmaJwHe9nXBb/HXFdqb976yQKBgQDNYhpu+MYSYupaYqjs!LF!^ -9YFmHQNKpNZqgZ4ceRFZ6cMJoqpI5dpEMqToFH7tpor72Lturct2U9nc2WR0HeEs!LF!^ -/6tiptyMPTFEiMFb1opQlXF2ae7LeJllntDGN0Q6vxKnQV+7VMcXA0Y8F7tvGDy3!LF!^ -qJu5lfvB1mNM2I6y/eMxjBuQhwKBgQC6K41DXMFro0UnoO879pOQYMydCErJRmjG!LF!^ -/tZSy3Wj4KA/QJsDSViwGfvdPuHZRaG9WtxdL6kn0w1exM9Rb0bBKl36lvi7o7xv!LF!^ -M+Lw9eyXMkww8/F5d7YYH77gIhGo+RITkKI3+5BxeBaUnrGvmHrpmpgRXWmINqr0!LF!^ -0jsnN3u0OQKBgCf45vIgItSjQb8zonLz2SpZjTFy4XQ7I92gxnq8X0Q5z3B+o7tQ!LF!^ 
-K/4rNwTju/sGFHyXAJlX+nfcK4vZ4OBUJjP+C8CTjEotX4yTNbo3S6zjMyGQqDI5!LF!^ -9aIOUY4pb+TzeUFJX7If5gR+DfGyQubvvtcg1K3GHu9u2l8FwLj87sRzAoGAflQF!LF!^ -RHuRiG+/AngTPnZAhc0Zq0kwLkpH2Rid6IrFZhGLy8AUL/O6aa0IGoaMDLpSWUJp!LF!^ -nBY2S57MSM11/MVslrEgGmYNnI4r1K25xlaqV6K6ztEJv6n69327MS4NG8L/gCU5!LF!^ -3pEm38hkUi8pVYU7in7rx4TCkrq94OkzWJYurAkCgYATQCL/rJLQAlJIGulp8s6h!LF!^ -mQGwy8vIqMjAdHGLrCS35sVYBXG13knS52LJHvbVee39AbD5/LlWvjJGlQMzCLrw!LF!^ -F7oILW5kXxhb8S73GWcuMbuQMFVHFONbZAZgn+C9FW4l7XyRdkrbR1MRZ2km8YMs!LF!^ -/AHmo368d4PSNRMMzLHw8Q==!LF!^ ------END PRIVATE KEY-----!LF! - - -set NODE_CERT=-----BEGIN CERTIFICATE-----!LF!^ -MIIEPDCCAySgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iIwDQYJKoZIhvcNAQEL!LF!^ -BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt!LF!^ -cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl!LF!^ -IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v!LF!^ -dCBDQTAeFw0yMzA4MjkwNDIzMTJaFw0zMzA4MjYwNDIzMTJaMFcxCzAJBgNVBAYT!LF!^ -AmRlMQ0wCwYDVQQHDAR0ZXN0MQ0wCwYDVQQKDARub2RlMQ0wCwYDVQQLDARub2Rl!LF!^ -MRswGQYDVQQDDBJub2RlLTAuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA!LF!^ -A4IBDwAwggEKAoIBAQCm93kXteDQHMAvbUPNPW5pyRHKDD42XGWSgq0k1D29C/Ud!LF!^ -yL21HLzTJa49ZU2ldIkSKs9JqbkHdyK0o8MO6L8dotLoYbxDWbJFW8bp1w6tDTU0!LF!^ -HGkn47XVu3EwbfrTENg3jFu+Oem6a/501SzITzJWtS0cn2dIFOBimTVpT/4Zv5qr!LF!^ -XA6Cp4biOmoTYWhi/qQl8d0IaADiqoZ1MvZbZ6x76qTrRAbg+UWkpTEXoH1xTc8n!LF!^ -dibR7+HP6OTqCKvo1NhE8uP4pY+fWd6b6l+KLo3IKpfTbAIJXIO+M67FLtWKtttD!LF!^ -ao94B069skzKk6FPgW/OZh6PRCD0oxOavV+ld2SjAgMBAAGjgcYwgcMwRwYDVR0R!LF!^ -BEAwPogFKgMEBQWCEm5vZGUtMC5leGFtcGxlLmNvbYIJbG9jYWxob3N0hxAAAAAA!LF!^ -AAAAAAAAAAAAAAABhwR/AAABMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEF!LF!^ -BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU0/qDQaY10jIo!LF!^ -wCjLUpz/HfQXyt8wHwYDVR0jBBgwFoAUF4ffoFrrZhKn1dD4uhJFPLcrAJwwDQYJ!LF!^ -KoZIhvcNAQELBQADggEBAD2hkndVih6TWxoe/oOW0i2Bq7ScNO/n7/yHWL04HJmR!LF!^ -MaHv/Xjc8zLFLgHuHaRvC02ikWIJyQf5xJt0Oqu2GVbqXH9PBGKuEP2kCsRRyU27!LF!^ 
-zTclAzfQhqmKBTYQ/3lJ3GhRQvXIdYTe+t4aq78TCawp1nSN+vdH/1geG6QjMn5N!LF!^ -1FU8tovDd4x8Ib/0dv8RJx+n9gytI8n/giIaDCEbfLLpe4EkV5e5UNpOnRgJjjuy!LF!^ -vtZutc81TQnzBtkS9XuulovDE0qI+jQrKkKu8xgGLhgH0zxnPkKtUg2I3Aq6zl1L!LF!^ -zYkEOUF8Y25J6WeY88Yfnc0iigI+Pnz5NK8R9GL7TYo=!LF!^ ------END CERTIFICATE-----!LF! - - -set NODE_KEY=-----BEGIN PRIVATE KEY-----!LF!^ -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCm93kXteDQHMAv!LF!^ -bUPNPW5pyRHKDD42XGWSgq0k1D29C/UdyL21HLzTJa49ZU2ldIkSKs9JqbkHdyK0!LF!^ -o8MO6L8dotLoYbxDWbJFW8bp1w6tDTU0HGkn47XVu3EwbfrTENg3jFu+Oem6a/50!LF!^ -1SzITzJWtS0cn2dIFOBimTVpT/4Zv5qrXA6Cp4biOmoTYWhi/qQl8d0IaADiqoZ1!LF!^ -MvZbZ6x76qTrRAbg+UWkpTEXoH1xTc8ndibR7+HP6OTqCKvo1NhE8uP4pY+fWd6b!LF!^ -6l+KLo3IKpfTbAIJXIO+M67FLtWKtttDao94B069skzKk6FPgW/OZh6PRCD0oxOa!LF!^ -vV+ld2SjAgMBAAECggEAQK1+uAOZeaSZggW2jQut+MaN4JHLi61RH2cFgU3COLgo!LF!^ -FIiNjFn8f2KKU3gpkt1It8PjlmprpYut4wHI7r6UQfuv7ZrmncRiPWHm9PB82+ZQ!LF!^ -5MXYqj4YUxoQJ62Cyz4sM6BobZDrjG6HHGTzuwiKvHHkbsEE9jQ4E5m7yfbVvM0O!LF!^ -zvwrSOM1tkZihKSTpR0j2+taji914tjBssbn12TMZQL5ItGnhR3luY8mEwT9MNkZ!LF!^ -xg0VcREoAH+pu9FE0vPUgLVzhJ3be7qZTTSRqv08bmW+y1plu80GbppePcgYhEow!LF!^ -dlW4l6XPJaHVSn1lSFHE6QAx6sqiAnBz0NoTPIaLyQKBgQDZqDOlhCRciMRicSXn!LF!^ -7yid9rhEmdMkySJHTVFOidFWwlBcp0fGxxn8UNSBcXdSy7GLlUtH41W9PWl8tp9U!LF!^ -hQiiXORxOJ7ZcB80uNKXF01hpPj2DpFPWyHFxpDkWiTAYpZl68rOlYujxZUjJIej!LF!^ -VvcykBC2BlEOG9uZv2kxcqLyJwKBgQDEYULTxaTuLIa17wU3nAhaainKB3vHxw9B!LF!^ -Ksy5p3ND43UNEKkQm7K/WENx0q47TA1mKD9i+BhaLod98mu0YZ+BCUNgWKcBHK8c!LF!^ -uXpauvM/pLhFLXZ2jvEJVpFY3J79FSRK8bwE9RgKfVKMMgEk4zOyZowS8WScOqiy!LF!^ -hnQn1vKTJQKBgElhYuAnl9a2qXcC7KOwRsJS3rcKIVxijzL4xzOyVShp5IwIPbOv!LF!^ -hnxBiBOH/JGmaNpFYBcBdvORE9JfA4KMQ2fx53agfzWRjoPI1/7mdUk5RFI4gRb/!LF!^ -A3jZRBoopgFSe6ArCbnyQxzYzToG48/Wzwp19ZxYrtUR4UyJct6f5n27AoGBAJDh!LF!^ -KIpQQDOvCdtjcbfrF4aM2DPCfaGPzENJriwxy6oEPzDaX8Bu/dqI5Ykt43i/zQrX!LF!^ -GpyLaHvv4+oZVTiI5UIvcVO9U8hQPyiz9f7F+fu0LHZs6f7hyhYXlbe3XFxeop3f!LF!^ -5dTKdWgXuTTRF2L9dABkA2deS9mutRKwezWBMQk5AoGBALPtX0FrT1zIosibmlud!LF!^ 
-tu49A/0KZu4PBjrFMYTSEWGNJez3Fb2VsJwylVl6HivwbP61FhlYfyksCzQQFU71!LF!^ -+x7Nmybp7PmpEBECr3deoZKQ/acNHn0iwb0It+YqV5+TquQebqgwK6WCLsMuiYKT!LF!^ -bg/ch9Rhxbq22yrVgWHh6epp!LF!^ ------END PRIVATE KEY-----!LF! - - -set ROOT_CA=-----BEGIN CERTIFICATE-----!LF!^ -MIIExjCCA66gAwIBAgIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcNAQEL!LF!^ -BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt!LF!^ -cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl!LF!^ -IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v!LF!^ -dCBDQTAeFw0yMzA4MjkwNDIwMDNaFw0yMzA5MjgwNDIwMDNaMIGPMRMwEQYKCZIm!LF!^ -iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ!LF!^ -RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290!LF!^ -IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG!LF!^ -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEPyN7J9VGPyJcQmCBl5TGwfSzvVdWwoQU!LF!^ -j9aEsdfFJ6pBCDQSsj8Lv4RqL0dZra7h7SpZLLX/YZcnjikrYC+rP5OwsI9xEE/4!LF!^ -U98CsTBPhIMgqFK6SzNE5494BsAk4cL72dOOc8tX19oDS/PvBULbNkthQ0aAF1dg!LF!^ -vbrHvu7hq7LisB5ZRGHVE1k/AbCs2PaaKkn2jCw/b+U0Ml9qPuuEgz2mAqJDGYoA!LF!^ -WSR4YXrOcrmPuRqbws464YZbJW898/0Pn/U300ed+4YHiNYLLJp51AMkR4YEw969!LF!^ -VRPbWIvLrd0PQBooC/eLrL6rvud/GpYhdQEUx8qcNCKd4bz3OaQ5AgMBAAGjggEW!LF!^ -MIIBEjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQU!LF!^ -F4ffoFrrZhKn1dD4uhJFPLcrAJwwgc8GA1UdIwSBxzCBxIAUF4ffoFrrZhKn1dD4!LF!^ -uhJFPLcrAJyhgZWkgZIwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJ!LF!^ -k/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYD!LF!^ -VQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUg!LF!^ -Q29tIEluYy4gUm9vdCBDQYIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcN!LF!^ -AQELBQADggEBAIopqco/k9RSjouTeKP4z0EVUxdD4qnNh1GLSRqyAVe0aChyKF5f!LF!^ -qt1Bd1XCY8D16RgekkKGHDpJhGCpel+vtIoXPBxUaGQNYxmJCf5OzLMODlcrZk5i!LF!^ -jHIcv/FMeK02NBcz/WQ3mbWHVwXLhmwqa2zBsF4FmPCJAbFLchLhkAv1HJifHbnD!LF!^ -jQzlKyl5jxam/wtjWxSm0iyso0z2TgyzY+MESqjEqB1hZkCFzD1xtUOCxbXgtKae!LF!^ 
-dgfHVFuovr3fNLV3GvQk0s9okDwDUcqV7DSH61e5bUMfE84o3of8YA7+HUoPV5Du!LF!^ -8sTOKRf7ncGXdDRA8aofW268pTCuIu3+g/Y=!LF!^ ------END CERTIFICATE-----!LF! - - -echo !ADMIN_CERT! > "%OPENSEARCH_CONF_DIR%kirk.pem" -echo !NODE_CERT! > "%OPENSEARCH_CONF_DIR%esnode.pem" -echo !ROOT_CA! > "%OPENSEARCH_CONF_DIR%root-ca.pem" -echo !NODE_KEY! > "%OPENSEARCH_CONF_DIR%esnode-key.pem" -echo !ADMIN_CERT_KEY! > "%OPENSEARCH_CONF_DIR%kirk-key.pem" - -echo. >> "%OPENSEARCH_CONF_FILE%" -echo ######## Start OpenSearch Security Demo Configuration ######## >> "%OPENSEARCH_CONF_FILE%" -echo # WARNING: revise all the lines below before you go into production >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.ssl.transport.pemcert_filepath: esnode.pem >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.ssl.transport.enforce_hostname_verification: false >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.ssl.http.enabled: true >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.ssl.http.pemcert_filepath: esnode.pem >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.ssl.http.pemkey_filepath: esnode-key.pem >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.allow_unsafe_democertificates: true >> "%OPENSEARCH_CONF_FILE%" -if %initsecurity% == 1 ( - echo plugins.security.allow_default_init_securityindex: true >> "%OPENSEARCH_CONF_FILE%" -) -echo plugins.security.authcz.admin_dn: >> "%OPENSEARCH_CONF_FILE%" -echo - CN=kirk,OU=client,O=client,L=test, C=de >> "%OPENSEARCH_CONF_FILE%" -echo. 
>> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.audit.type: internal_opensearch >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.enable_snapshot_restore_privilege: true >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.check_snapshot_restore_write_privileges: true >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"] >> "%OPENSEARCH_CONF_FILE%" - -setlocal enabledelayedexpansion - -set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%initialAdminPassword.txt" -set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml" - -echo "what is in the config directory" -dir %OPENSEARCH_CONF_DIR% - -echo "what is in the password file" -type "%ADMIN_PASSWORD_FILE%" - - -if "%initialAdminPassword%" NEQ "" ( - set "ADMIN_PASSWORD=!initialAdminPassword!" +if defined OPENSEARCH_JAVA_HOME ( + set BIN_PATH="%OPENSEARCH_JAVA_HOME%\bin\java.exe" +) else if defined JAVA_HOME ( + set BIN_PATH="%JAVA_HOME%\bin\java.exe" ) else ( - for /f %%a in ('type "%ADMIN_PASSWORD_FILE%"') do set "ADMIN_PASSWORD=%%a" -) - -if not defined ADMIN_PASSWORD ( - echo Unable to find the admin password for the cluster. 
Please set initialAdminPassword or create a file %ADMIN_PASSWORD_FILE% with a single line that contains the password. + echo Unable to find java runtime + echo OPENSEARCH_JAVA_HOME or JAVA_HOME must be defined exit /b 1 ) -echo " ***************************************************" -echo " *** ADMIN PASSWORD SET TO: %ADMIN_PASSWORD% ***" -echo " ***************************************************" - -set "HASH_SCRIPT=%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat" - -REM Run the command and capture its output -for /f %%a in ('%HASH_SCRIPT% -p !ADMIN_PASSWORD!') do ( - set "HASHED_ADMIN_PASSWORD=%%a" -) - -if errorlevel 1 ( - echo Failed to hash the admin password - exit /b 1 -) - -set "default_line= hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"" -set "search=%default_line%" -set "replace= hash: "%HASHED_ADMIN_PASSWORD%"" - -setlocal enableextensions -for /f "delims=" %%i in ('type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_USERS_FILE%" ') do ( - set "line=%%i" - setlocal enabledelayedexpansion - >>"%INTERNAL_USERS_FILE%" echo(!line:%search%=%replace%! - endlocal -) - -:: network.host ->nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && ( - echo network.host already present -) || ( - if %cluster_mode% == 1 ( - echo network.host: 0.0.0.0 >> "%OPENSEARCH_CONF_FILE%" - echo node.name: smoketestnode >> "%OPENSEARCH_CONF_FILE%" - echo cluster.initial_cluster_manager_nodes: smoketestnode >> "%OPENSEARCH_CONF_FILE%" - ) -) - ->nul findstr /b /c:"node.max_local_storage_nodes" "%OPENSEARCH_CONF_FILE%" && ( - echo node.max_local_storage_nodes already present -) || ( - echo node.max_local_storage_nodes: 3 >> "%OPENSEARCH_CONF_FILE%" -) - -echo ######## End OpenSearch Security Demo Configuration ######## >> "%OPENSEARCH_CONF_FILE%" - -echo ### Success -echo ### Execute this script now on all your nodes and then start all nodes -:: Generate securityadmin_demo.bat -echo. 
> securityadmin_demo.bat -echo %OPENSEARCH_PLUGINS_DIR%opensearch-security\tools\securityadmin.bat -cd %OPENSEARCH_CONF_DIR%opensearch-security -icl -key %OPENSEARCH_CONF_DIR%kirk-key.pem -cert %OPENSEARCH_CONF_DIR%kirk.pem -cacert %OPENSEARCH_CONF_DIR%root-ca.pem -nhnv >> securityadmin_demo.bat - -if %initsecurity% == 0 ( - echo ### After the whole cluster is up execute: - type securityadmin_demo.bat - echo ### or run ./securityadmin_demo.bat - echo ### After that you can also use the Security Plugin ConfigurationGUI -) else ( - echo ### OpenSearch Security will be automatically initialized. - echo ### If you like to change the runtime configuration - echo ### change the files in ../../../config/opensearch-security and execute: - type securityadmin_demo.bat - echo ### or run ./securityadmin_demo.bat - echo ### To use the Security Plugin ConfigurationGUI -) - -echo ### To access your secured cluster open https://: and log in with admin/admin. -echo ### [Ignore the SSL certificate warning because we installed self-signed demo certificates] +%BIN_PATH% -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "%DIR%\..\*;%DIR%\..\..\..\lib\*;%DIR%\..\deps\*" org.opensearch.security.tools.democonfig.Installer %DIR% %* 2> nul \ No newline at end of file diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 01bc1bfed1..7835f7c675 100755 --- a/tools/install_demo_configuration.sh +++ b/tools/install_demo_configuration.sh @@ -1,11 +1,6 @@ #!/bin/bash #install_demo_configuration.sh [-y] -echo "**************************************************************************" -echo "** This tool will be deprecated in the next major release of OpenSearch **" -echo "** https://github.com/opensearch-project/security/issues/1755 **" -echo "**************************************************************************" - SCRIPT_PATH="${BASH_SOURCE[0]}" if ! [ -x "$(command -v realpath)" ]; then if [ -L "$SCRIPT_PATH" ]; then 
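Review bot: The new launcher line ends with `2> nul`, which discards everything the installer writes to stderr. The Java classes added in this commit report their failures through `System.err.println` (for example "Error reading configuration file." and "OpenSearch configuration file does not exist. Quit." in `SecuritySettingsConfigurer`) before calling `System.exit(-1)`, so on Windows a failed run would end with a non-zero exit code and no explanation. The `-Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF` flag on the same line already addresses the log4j status output, so I would drop the redirection and end the line at `... org.opensearch.security.tools.democonfig.Installer %DIR% %*`. If the redirection is there for another reason, a `REM` comment above the line should say which output it is meant to hide.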
@@ -21,455 +16,17 @@ else DIR="$( cd "$( dirname "$(realpath "$SCRIPT_PATH")" )" && pwd -P)" fi -echo "OpenSearch Security Demo Installer" -echo " ** Warning: Do not use on production or public reachable systems **" - -OPTIND=1 -assumeyes=0 -initsecurity=0 -cluster_mode=0 -skip_updates=-1 - -function show_help() { - echo "install_demo_configuration.sh [-y] [-i] [-c]" - echo " -h show help" - echo " -y confirm all installation dialogues automatically" - echo " -i initialize Security plugin with default configuration (default is to ask if -y is not given)" - echo " -c enable cluster mode by binding to all network interfaces (default is to ask if -y is not given)" - echo " -s skip updates if config is already applied to opensearch.yml" -} - -while getopts "h?yics" opt; do - case "$opt" in - h|\?) - show_help - exit 0 - ;; - y) assumeyes=1 - ;; - i) initsecurity=1 - ;; - c) cluster_mode=1 - ;; - s) skip_updates=0 - esac -done - -shift $((OPTIND-1)) - -[ "$1" = "--" ] && shift - -if [ "$assumeyes" == 0 ]; then - read -r -p "Install demo certificates? [y/N] " response - case "$response" in - [yY][eE][sS]|[yY]) - ;; - *) - exit 0 - ;; - esac -fi - -if [ "$initsecurity" == 0 ] && [ "$assumeyes" == 0 ]; then - read -r -p "Initialize Security Modules? [y/N] " response - case "$response" in - [yY][eE][sS]|[yY]) - initsecurity=1 - ;; - *) - initsecurity=0 - ;; - esac -fi - -if [ "$cluster_mode" == 0 ] && [ "$assumeyes" == 0 ]; then - echo "Cluster mode requires maybe additional setup of:" - echo " - Virtual memory (vm.max_map_count)" - echo "" - read -r -p "Enable cluster mode? [y/N] " response - case "$response" in - [yY][eE][sS]|[yY]) - cluster_mode=1 - ;; - *) - cluster_mode=0 - ;; - esac -fi - -set -e -BASE_DIR="$DIR/../../.." 
-if [ -d "$BASE_DIR" ]; then - CUR="$(pwd)" - cd "$BASE_DIR" - BASE_DIR="$(pwd)" - cd "$CUR" - echo "Basedir: $BASE_DIR" -else - echo "DEBUG: basedir does not exist" -fi - -OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml" -OPENSEARCH_BIN_DIR="$BASE_DIR/bin" -OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins" -OPENSEARCH_MODULES_DIR="$BASE_DIR/modules" -OPENSEARCH_LIB_PATH="$BASE_DIR/lib" -SUDO_CMD="" -OPENSEARCH_INSTALL_TYPE=".tar.gz" - -#Check if its a rpm/deb install -if [ "/usr/share/opensearch" -ef "$BASE_DIR" ]; then - OPENSEARCH_CONF_FILE="/usr/share/opensearch/config/opensearch.yml" - - if [ ! -f "$OPENSEARCH_CONF_FILE" ]; then - OPENSEARCH_CONF_FILE="/etc/opensearch/opensearch.yml" - fi - - if [ -x "$(command -v sudo)" ]; then - SUDO_CMD="sudo" - echo "This script maybe require your root password for 'sudo' privileges" - fi - - OPENSEARCH_INSTALL_TYPE="rpm/deb" -fi - -if [ $SUDO_CMD ]; then - if ! [ -x "$(command -v $SUDO_CMD)" ]; then - echo "Unable to locate 'sudo' command. Quit." - exit 1 - fi -fi - -if $SUDO_CMD test -f "$OPENSEARCH_CONF_FILE"; then - : -else - echo "Unable to determine OpenSearch config directory. Quit." - exit -1 -fi - -if [ ! -d "$OPENSEARCH_BIN_DIR" ]; then - echo "Unable to determine OpenSearch bin directory. Quit." - exit -1 -fi - -if [ ! -d "$OPENSEARCH_PLUGINS_DIR" ]; then - echo "Unable to determine OpenSearch plugins directory. Quit." - exit -1 -fi - -if [ ! -d "$OPENSEARCH_MODULES_DIR" ]; then - echo "Unable to determine OpenSearch modules directory. Quit." - #exit -1 -fi - -if [ ! -d "$OPENSEARCH_LIB_PATH" ]; then - echo "Unable to determine OpenSearch lib directory. Quit." - exit -1 -fi - -OPENSEARCH_CONF_DIR=$(dirname "${OPENSEARCH_CONF_FILE}") -OPENSEARCH_CONF_DIR=`cd "$OPENSEARCH_CONF_DIR" ; pwd` - -if [ ! -d "$OPENSEARCH_PLUGINS_DIR/opensearch-security" ]; then - echo "OpenSearch Security plugin not installed. Quit." 
- exit -1 -fi - -OPENSEARCH_VERSION=("$OPENSEARCH_LIB_PATH/opensearch-*.jar") -OPENSEARCH_VERSION=$(echo $OPENSEARCH_VERSION | sed 's/.*opensearch-\(.*\)\.jar/\1/') - -SECURITY_VERSION=("$OPENSEARCH_PLUGINS_DIR/opensearch-security/opensearch-security-*.jar") -SECURITY_VERSION=$(echo $SECURITY_VERSION | sed 's/.*opensearch-security-\(.*\)\.jar/\1/') - -OS=$(sb_release -ds 2>/dev/null || cat /etc/*release 2>/dev/null | head -n1 || uname -om) -echo "OpenSearch install type: $OPENSEARCH_INSTALL_TYPE on $OS" -echo "OpenSearch config dir: $OPENSEARCH_CONF_DIR" -echo "OpenSearch config file: $OPENSEARCH_CONF_FILE" -echo "OpenSearch bin dir: $OPENSEARCH_BIN_DIR" -echo "OpenSearch plugins dir: $OPENSEARCH_PLUGINS_DIR" -echo "OpenSearch lib dir: $OPENSEARCH_LIB_PATH" -echo "Detected OpenSearch Version: $OPENSEARCH_VERSION" -echo "Detected OpenSearch Security Version: $SECURITY_VERSION" - -if $SUDO_CMD grep --quiet -i plugins.security "$OPENSEARCH_CONF_FILE"; then - echo "$OPENSEARCH_CONF_FILE seems to be already configured for Security. Quit." 
- exit $skip_updates -fi - -set +e - -read -r -d '' ADMIN_CERT << EOM ------BEGIN CERTIFICATE----- -MIIEmDCCA4CgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iYwDQYJKoZIhvcNAQEL -BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt -cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl -IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v -dCBDQTAeFw0yMzA4MjkyMDA2MzdaFw0zMzA4MjYyMDA2MzdaME0xCzAJBgNVBAYT -AmRlMQ0wCwYDVQQHDAR0ZXN0MQ8wDQYDVQQKDAZjbGllbnQxDzANBgNVBAsMBmNs -aWVudDENMAsGA1UEAwwEa2lyazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBAJVcOAQlCiuB9emCljROAXnlsPbG7PE3kNz2sN+BbGuw686Wgyl3uToVHvVs -paMmLUqm1KYz9wMSWTIBZgpJ9hYaIbGxD4RBb7qTAJ8Q4ddCV2f7T4lxao/6ixI+ -O0l/BG9E3mRGo/r0w+jtTQ3aR2p6eoxaOYbVyEMYtFI4QZTkcgGIPGxm05y8xonx -vV5pbSW9L7qAVDzQC8EYGQMMI4ccu0NcHKWtmTYJA/wDPE2JwhngHwbcIbc4cDz6 -cG0S3FmgiKGuuSqUy35v/k3y7zMHQSdx7DSR2tzhH/bBL/9qGvpT71KKrxPtaxS0 -bAqPcEkKWDo7IMlGGW7LaAWfGg8CAwEAAaOCASswggEnMAwGA1UdEwEB/wQCMAAw -DgYDVR0PAQH/BAQDAgXgMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMIHPBgNVHSME -gccwgcSAFBeH36Ba62YSp9XQ+LoSRTy3KwCcoYGVpIGSMIGPMRMwEQYKCZImiZPy -LGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhh -bXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENB -MSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCFHfkrz782p+T9k0G -xGeM4+BrehWKMB0GA1UdDgQWBBSjMS8tgguX/V7KSGLoGg7K6XMzIDANBgkqhkiG -9w0BAQsFAAOCAQEANMwD1JYlwAh82yG1gU3WSdh/tb6gqaSzZK7R6I0L7slaXN9m -y2ErUljpTyaHrdiBFmPhU/2Kj2r+fIUXtXdDXzizx/JdmueT0nG9hOixLqzfoC9p -fAhZxM62RgtyZoaczQN82k1/geMSwRpEndFe3OH7arkS/HSbIFxQhAIy229eWe5d -1bUzP59iu7f3r567I4ob8Vy7PP+Ov35p7Vv4oDHHwgsdRzX6pvL6mmwVrQ3BfVec -h9Dqprr+ukYmjho76g6k5cQuRaB6MxqldzUg+2E7IHQP8MCF+co51uZq2nl33mtp -RGr6JbdHXc96zsLTL3saJQ8AWEfu1gbTVrwyRA== ------END CERTIFICATE----- -EOM - -read -r -d '' ADMIN_CERT_KEY << EOM ------BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCVXDgEJQorgfXp -gpY0TgF55bD2xuzxN5Dc9rDfgWxrsOvOloMpd7k6FR71bKWjJi1KptSmM/cDElky 
-AWYKSfYWGiGxsQ+EQW+6kwCfEOHXQldn+0+JcWqP+osSPjtJfwRvRN5kRqP69MPo -7U0N2kdqenqMWjmG1chDGLRSOEGU5HIBiDxsZtOcvMaJ8b1eaW0lvS+6gFQ80AvB -GBkDDCOHHLtDXBylrZk2CQP8AzxNicIZ4B8G3CG3OHA8+nBtEtxZoIihrrkqlMt+ -b/5N8u8zB0Encew0kdrc4R/2wS//ahr6U+9Siq8T7WsUtGwKj3BJClg6OyDJRhlu -y2gFnxoPAgMBAAECggEAP5TOycDkx+megAWVoHV2fmgvgZXkBrlzQwUG/VZQi7V4 -ZGzBMBVltdqI38wc5MtbK3TCgHANnnKgor9iq02Z4wXDwytPIiti/ycV9CDRKvv0 -TnD2hllQFjN/IUh5n4thHWbRTxmdM7cfcNgX3aZGkYbLBVVhOMtn4VwyYu/Mxy8j -xClZT2xKOHkxqwmWPmdDTbAeZIbSv7RkIGfrKuQyUGUaWhrPslvYzFkYZ0umaDgQ -OAthZew5Bz3OfUGOMPLH61SVPuJZh9zN1hTWOvT65WFWfsPd2yStI+WD/5PU1Doo -1RyeHJO7s3ug8JPbtNJmaJwHe9nXBb/HXFdqb976yQKBgQDNYhpu+MYSYupaYqjs -9YFmHQNKpNZqgZ4ceRFZ6cMJoqpI5dpEMqToFH7tpor72Lturct2U9nc2WR0HeEs -/6tiptyMPTFEiMFb1opQlXF2ae7LeJllntDGN0Q6vxKnQV+7VMcXA0Y8F7tvGDy3 -qJu5lfvB1mNM2I6y/eMxjBuQhwKBgQC6K41DXMFro0UnoO879pOQYMydCErJRmjG -/tZSy3Wj4KA/QJsDSViwGfvdPuHZRaG9WtxdL6kn0w1exM9Rb0bBKl36lvi7o7xv -M+Lw9eyXMkww8/F5d7YYH77gIhGo+RITkKI3+5BxeBaUnrGvmHrpmpgRXWmINqr0 -0jsnN3u0OQKBgCf45vIgItSjQb8zonLz2SpZjTFy4XQ7I92gxnq8X0Q5z3B+o7tQ -K/4rNwTju/sGFHyXAJlX+nfcK4vZ4OBUJjP+C8CTjEotX4yTNbo3S6zjMyGQqDI5 -9aIOUY4pb+TzeUFJX7If5gR+DfGyQubvvtcg1K3GHu9u2l8FwLj87sRzAoGAflQF -RHuRiG+/AngTPnZAhc0Zq0kwLkpH2Rid6IrFZhGLy8AUL/O6aa0IGoaMDLpSWUJp -nBY2S57MSM11/MVslrEgGmYNnI4r1K25xlaqV6K6ztEJv6n69327MS4NG8L/gCU5 -3pEm38hkUi8pVYU7in7rx4TCkrq94OkzWJYurAkCgYATQCL/rJLQAlJIGulp8s6h -mQGwy8vIqMjAdHGLrCS35sVYBXG13knS52LJHvbVee39AbD5/LlWvjJGlQMzCLrw -F7oILW5kXxhb8S73GWcuMbuQMFVHFONbZAZgn+C9FW4l7XyRdkrbR1MRZ2km8YMs -/AHmo368d4PSNRMMzLHw8Q== ------END PRIVATE KEY----- -EOM - -read -r -d '' NODE_CERT << EOM ------BEGIN CERTIFICATE----- -MIIEPDCCAySgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iIwDQYJKoZIhvcNAQEL -BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt -cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl -IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v -dCBDQTAeFw0yMzA4MjkwNDIzMTJaFw0zMzA4MjYwNDIzMTJaMFcxCzAJBgNVBAYT 
-AmRlMQ0wCwYDVQQHDAR0ZXN0MQ0wCwYDVQQKDARub2RlMQ0wCwYDVQQLDARub2Rl -MRswGQYDVQQDDBJub2RlLTAuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQCm93kXteDQHMAvbUPNPW5pyRHKDD42XGWSgq0k1D29C/Ud -yL21HLzTJa49ZU2ldIkSKs9JqbkHdyK0o8MO6L8dotLoYbxDWbJFW8bp1w6tDTU0 -HGkn47XVu3EwbfrTENg3jFu+Oem6a/501SzITzJWtS0cn2dIFOBimTVpT/4Zv5qr -XA6Cp4biOmoTYWhi/qQl8d0IaADiqoZ1MvZbZ6x76qTrRAbg+UWkpTEXoH1xTc8n -dibR7+HP6OTqCKvo1NhE8uP4pY+fWd6b6l+KLo3IKpfTbAIJXIO+M67FLtWKtttD -ao94B069skzKk6FPgW/OZh6PRCD0oxOavV+ld2SjAgMBAAGjgcYwgcMwRwYDVR0R -BEAwPogFKgMEBQWCEm5vZGUtMC5leGFtcGxlLmNvbYIJbG9jYWxob3N0hxAAAAAA -AAAAAAAAAAAAAAABhwR/AAABMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEF -BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU0/qDQaY10jIo -wCjLUpz/HfQXyt8wHwYDVR0jBBgwFoAUF4ffoFrrZhKn1dD4uhJFPLcrAJwwDQYJ -KoZIhvcNAQELBQADggEBAD2hkndVih6TWxoe/oOW0i2Bq7ScNO/n7/yHWL04HJmR -MaHv/Xjc8zLFLgHuHaRvC02ikWIJyQf5xJt0Oqu2GVbqXH9PBGKuEP2kCsRRyU27 -zTclAzfQhqmKBTYQ/3lJ3GhRQvXIdYTe+t4aq78TCawp1nSN+vdH/1geG6QjMn5N -1FU8tovDd4x8Ib/0dv8RJx+n9gytI8n/giIaDCEbfLLpe4EkV5e5UNpOnRgJjjuy -vtZutc81TQnzBtkS9XuulovDE0qI+jQrKkKu8xgGLhgH0zxnPkKtUg2I3Aq6zl1L -zYkEOUF8Y25J6WeY88Yfnc0iigI+Pnz5NK8R9GL7TYo= ------END CERTIFICATE----- -EOM - -read -r -d '' NODE_KEY << EOM ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCm93kXteDQHMAv -bUPNPW5pyRHKDD42XGWSgq0k1D29C/UdyL21HLzTJa49ZU2ldIkSKs9JqbkHdyK0 -o8MO6L8dotLoYbxDWbJFW8bp1w6tDTU0HGkn47XVu3EwbfrTENg3jFu+Oem6a/50 -1SzITzJWtS0cn2dIFOBimTVpT/4Zv5qrXA6Cp4biOmoTYWhi/qQl8d0IaADiqoZ1 -MvZbZ6x76qTrRAbg+UWkpTEXoH1xTc8ndibR7+HP6OTqCKvo1NhE8uP4pY+fWd6b -6l+KLo3IKpfTbAIJXIO+M67FLtWKtttDao94B069skzKk6FPgW/OZh6PRCD0oxOa -vV+ld2SjAgMBAAECggEAQK1+uAOZeaSZggW2jQut+MaN4JHLi61RH2cFgU3COLgo -FIiNjFn8f2KKU3gpkt1It8PjlmprpYut4wHI7r6UQfuv7ZrmncRiPWHm9PB82+ZQ -5MXYqj4YUxoQJ62Cyz4sM6BobZDrjG6HHGTzuwiKvHHkbsEE9jQ4E5m7yfbVvM0O -zvwrSOM1tkZihKSTpR0j2+taji914tjBssbn12TMZQL5ItGnhR3luY8mEwT9MNkZ -xg0VcREoAH+pu9FE0vPUgLVzhJ3be7qZTTSRqv08bmW+y1plu80GbppePcgYhEow 
-dlW4l6XPJaHVSn1lSFHE6QAx6sqiAnBz0NoTPIaLyQKBgQDZqDOlhCRciMRicSXn -7yid9rhEmdMkySJHTVFOidFWwlBcp0fGxxn8UNSBcXdSy7GLlUtH41W9PWl8tp9U -hQiiXORxOJ7ZcB80uNKXF01hpPj2DpFPWyHFxpDkWiTAYpZl68rOlYujxZUjJIej -VvcykBC2BlEOG9uZv2kxcqLyJwKBgQDEYULTxaTuLIa17wU3nAhaainKB3vHxw9B -Ksy5p3ND43UNEKkQm7K/WENx0q47TA1mKD9i+BhaLod98mu0YZ+BCUNgWKcBHK8c -uXpauvM/pLhFLXZ2jvEJVpFY3J79FSRK8bwE9RgKfVKMMgEk4zOyZowS8WScOqiy -hnQn1vKTJQKBgElhYuAnl9a2qXcC7KOwRsJS3rcKIVxijzL4xzOyVShp5IwIPbOv -hnxBiBOH/JGmaNpFYBcBdvORE9JfA4KMQ2fx53agfzWRjoPI1/7mdUk5RFI4gRb/ -A3jZRBoopgFSe6ArCbnyQxzYzToG48/Wzwp19ZxYrtUR4UyJct6f5n27AoGBAJDh -KIpQQDOvCdtjcbfrF4aM2DPCfaGPzENJriwxy6oEPzDaX8Bu/dqI5Ykt43i/zQrX -GpyLaHvv4+oZVTiI5UIvcVO9U8hQPyiz9f7F+fu0LHZs6f7hyhYXlbe3XFxeop3f -5dTKdWgXuTTRF2L9dABkA2deS9mutRKwezWBMQk5AoGBALPtX0FrT1zIosibmlud -tu49A/0KZu4PBjrFMYTSEWGNJez3Fb2VsJwylVl6HivwbP61FhlYfyksCzQQFU71 -+x7Nmybp7PmpEBECr3deoZKQ/acNHn0iwb0It+YqV5+TquQebqgwK6WCLsMuiYKT -bg/ch9Rhxbq22yrVgWHh6epp ------END PRIVATE KEY----- -EOM - -read -r -d '' ROOT_CA << EOM ------BEGIN CERTIFICATE----- -MIIExjCCA66gAwIBAgIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcNAQEL -BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt -cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl -IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v -dCBDQTAeFw0yMzA4MjkwNDIwMDNaFw0yMzA5MjgwNDIwMDNaMIGPMRMwEQYKCZIm -iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ -RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290 -IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEPyN7J9VGPyJcQmCBl5TGwfSzvVdWwoQU -j9aEsdfFJ6pBCDQSsj8Lv4RqL0dZra7h7SpZLLX/YZcnjikrYC+rP5OwsI9xEE/4 -U98CsTBPhIMgqFK6SzNE5494BsAk4cL72dOOc8tX19oDS/PvBULbNkthQ0aAF1dg -vbrHvu7hq7LisB5ZRGHVE1k/AbCs2PaaKkn2jCw/b+U0Ml9qPuuEgz2mAqJDGYoA -WSR4YXrOcrmPuRqbws464YZbJW898/0Pn/U300ed+4YHiNYLLJp51AMkR4YEw969 -VRPbWIvLrd0PQBooC/eLrL6rvud/GpYhdQEUx8qcNCKd4bz3OaQ5AgMBAAGjggEW 
-MIIBEjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQU -F4ffoFrrZhKn1dD4uhJFPLcrAJwwgc8GA1UdIwSBxzCBxIAUF4ffoFrrZhKn1dD4 -uhJFPLcrAJyhgZWkgZIwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJ -k/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYD -VQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUg -Q29tIEluYy4gUm9vdCBDQYIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcN -AQELBQADggEBAIopqco/k9RSjouTeKP4z0EVUxdD4qnNh1GLSRqyAVe0aChyKF5f -qt1Bd1XCY8D16RgekkKGHDpJhGCpel+vtIoXPBxUaGQNYxmJCf5OzLMODlcrZk5i -jHIcv/FMeK02NBcz/WQ3mbWHVwXLhmwqa2zBsF4FmPCJAbFLchLhkAv1HJifHbnD -jQzlKyl5jxam/wtjWxSm0iyso0z2TgyzY+MESqjEqB1hZkCFzD1xtUOCxbXgtKae -dgfHVFuovr3fNLV3GvQk0s9okDwDUcqV7DSH61e5bUMfE84o3of8YA7+HUoPV5Du -8sTOKRf7ncGXdDRA8aofW268pTCuIu3+g/Y= ------END CERTIFICATE----- -EOM - -set -e - -echo "$ADMIN_CERT" | $SUDO_CMD tee "$OPENSEARCH_CONF_DIR/kirk.pem" > /dev/null -echo "$NODE_CERT" | $SUDO_CMD tee "$OPENSEARCH_CONF_DIR/esnode.pem" > /dev/null -echo "$ROOT_CA" | $SUDO_CMD tee "$OPENSEARCH_CONF_DIR/root-ca.pem" > /dev/null -echo "$NODE_KEY" | $SUDO_CMD tee "$OPENSEARCH_CONF_DIR/esnode-key.pem" > /dev/null -echo "$ADMIN_CERT_KEY" | $SUDO_CMD tee "$OPENSEARCH_CONF_DIR/kirk-key.pem" > /dev/null - -chmod 0600 "$OPENSEARCH_CONF_DIR/kirk.pem" -chmod 0600 "$OPENSEARCH_CONF_DIR/esnode.pem" -chmod 0600 "$OPENSEARCH_CONF_DIR/root-ca.pem" -chmod 0600 "$OPENSEARCH_CONF_DIR/esnode-key.pem" -chmod 0600 "$OPENSEARCH_CONF_DIR/kirk-key.pem" - -echo "" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" -echo "######## Start OpenSearch Security Demo Configuration ########" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo "# WARNING: revise all the lines below before you go into production" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo "plugins.security.ssl.transport.pemcert_filepath: esnode.pem" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo "plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem" | $SUDO_CMD tee -a 
"$OPENSEARCH_CONF_FILE" > /dev/null -echo "plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo "plugins.security.ssl.transport.enforce_hostname_verification: false" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo "plugins.security.ssl.http.enabled: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo "plugins.security.ssl.http.pemcert_filepath: esnode.pem" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo "plugins.security.ssl.http.pemkey_filepath: esnode-key.pem" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo "plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo "plugins.security.allow_unsafe_democertificates: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -if [ "$initsecurity" == 1 ]; then - echo "plugins.security.allow_default_init_securityindex: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -fi -echo "plugins.security.authcz.admin_dn:" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo " - CN=kirk,OU=client,O=client,L=test, C=de" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo "" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo "plugins.security.audit.type: internal_opensearch" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo "plugins.security.enable_snapshot_restore_privilege: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo "plugins.security.check_snapshot_restore_write_privileges: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo 'plugins.security.system_indices.indices: [".plugins-ml-config", 
".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null - -## Read the admin password from the file or use the initialAdminPassword if set -ADMIN_PASSWORD_FILE="$OPENSEARCH_CONF_DIR/initialAdminPassword.txt" -INTERNAL_USERS_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/internal_users.yml" - -if [[ -n "$initialAdminPassword" ]]; then - ADMIN_PASSWORD="$initialAdminPassword" -elif [[ -f "$ADMIN_PASSWORD_FILE" && -s "$ADMIN_PASSWORD_FILE" ]]; then - ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE") -else - echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file $ADMIN_PASSWORD_FILE with a single line that contains the password." - exit 1 -fi - -echo " ***************************************************" -echo " *** ADMIN PASSWORD SET TO: $ADMIN_PASSWORD ***" -echo " ***************************************************" - -$SUDO_CMD chmod +x "$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh" - -# Use the Hasher script to hash the admin password -HASHED_ADMIN_PASSWORD=$($OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh -p "$ADMIN_PASSWORD" | tail -n 1) - -if [ $? 
-ne 0 ]; then - echo "Hash the admin password failure, see console for details" - exit 1 -fi - -# Find the line number containing 'admin:' in the internal_users.yml file -ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:) - -awk -v hashed_admin_password="$HASHED_ADMIN_PASSWORD" ' - /^ *hash: *"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/ { - sub(/"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/, "\"" hashed_admin_password "\""); - } - { print } -' "$INTERNAL_USERS_FILE" > temp_file && mv temp_file "$INTERNAL_USERS_FILE" - -#network.host -if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then - : #already present -else - if [ "$cluster_mode" == 1 ]; then - echo "network.host: 0.0.0.0" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null - echo "node.name: smoketestnode" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null - echo "cluster.initial_cluster_manager_nodes: smoketestnode" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null - fi -fi - -if $SUDO_CMD grep --quiet -i "^node.max_local_storage_nodes" "$OPENSEARCH_CONF_FILE"; then - : #already present -else - echo 'node.max_local_storage_nodes: 3' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -fi - - - -echo "######## End OpenSearch Security Demo Configuration ########" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null - -$SUDO_CMD chmod +x "$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/securityadmin.sh" - -OPENSEARCH_PLUGINS_DIR=`cd "$OPENSEARCH_PLUGINS_DIR" ; pwd` - -echo "### Success" -echo "### Execute this script now on all your nodes and then start all nodes" -#Generate securityadmin_demo.sh -echo "#!/bin/bash" | $SUDO_CMD tee securityadmin_demo.sh > /dev/null -echo $SUDO_CMD \""$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/securityadmin.sh"\" -cd \""$OPENSEARCH_CONF_DIR/opensearch-security"\" -icl -key \""$OPENSEARCH_CONF_DIR/kirk-key.pem"\" -cert \""$OPENSEARCH_CONF_DIR/kirk.pem"\" -cacert 
\""$OPENSEARCH_CONF_DIR/root-ca.pem"\" -nhnv | $SUDO_CMD tee -a securityadmin_demo.sh > /dev/null -$SUDO_CMD chmod +x securityadmin_demo.sh +BIN_PATH="java" -if [ "$initsecurity" == 0 ]; then - echo "### After the whole cluster is up execute: " - $SUDO_CMD cat securityadmin_demo.sh | tail -1 - echo "### or run ./securityadmin_demo.sh" - echo "### After that you can also use the Security Plugin ConfigurationGUI" +# now set the path to java: first OPENSEARCH_JAVA_HOME, then JAVA_HOME +if [ -n "$OPENSEARCH_JAVA_HOME" ]; then + BIN_PATH="$OPENSEARCH_JAVA_HOME/bin/java" +elif [ -n "$JAVA_HOME" ]; then + BIN_PATH="$JAVA_HOME/bin/java" else - echo "### OpenSearch Security will be automatically initialized." - echo "### If you like to change the runtime configuration " - echo "### change the files in ../../../config/opensearch-security and execute: " - $SUDO_CMD cat securityadmin_demo.sh | tail -1 - echo "### or run ./securityadmin_demo.sh" - echo "### To use the Security Plugin ConfigurationGUI" + echo "Unable to find java runtime" + echo "OPENSEARCH_JAVA_HOME or JAVA_HOME must be defined" + exit 1 fi -echo "### To access your secured cluster open https://: and log in with admin/admin." -echo "### (Ignore the SSL certificate warning because we installed self-signed demo certificates)" +"$BIN_PATH" $JAVA_OPTS -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "$DIR/../*:$DIR/../../../lib/*:$DIR/../deps/*" org.opensearch.security.tools.democonfig.Installer "$DIR" "$@" 2>/dev/null
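Review bot: The trailing `2>/dev/null` on the new `"$BIN_PATH" $JAVA_OPTS ... Installer "$DIR" "$@"` line discards everything the Java installer writes to stderr, so a failed run (for example an unwritable config directory or a JVM that cannot start) leaves the operator with nothing but an exit status. `-Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF` is already there to quiet log4j status output, so the line can simply end at `"$DIR" "$@"`; the Windows wrapper's `2> nul` earlier in this diff has the same effect. The removed script also ran `chmod 0600` on the five PEM files and wrote through `$SUDO_CMD` on rpm/deb installs; whether the Java installer restricts key-file permissions and copes with a root-owned config directory is not visible in this hunk and is worth confirming before the shell logic is dropped. Separately, the initial `BIN_PATH="java"` is never used, because the `else` branch exits when neither `OPENSEARCH_JAVA_HOME` nor `JAVA_HOME` is set.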