iSharkFly-Docs
/
opensearch-docs-cn
mirror of https://github.com/iSharkFly-Docs/opensearch-docs-cn
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adds documentation for security demo configuration setup (#6058) 

* Adds documentation for security demo configuration setup

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Removes hardcoded version numbers

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Updates distributions for different documentations

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Renames placeholder

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Resolves some vale errors

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Resolves some more vale warnings

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Updates sample docker compose wordings

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Improves wordings

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Changes the demo config page title

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Address PR comments

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Renames admin password placeholder and updates another sentence

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Apply suggestions from code review

Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nathan Bower <nbower@amazon.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

---------

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Nathan Bower <nbower@amazon.com>
This commit is contained in:
Darshit Chanpura 2024-02-01 13:00:23 -05:00 committed by GitHub
parent 8224d69c1b
commit 150101bce3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 189 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_install-and-configure/install-dashboards/debian.md
View File

@ -129,5 +129,5 @@ By default, OpenSearch Dashboards, like OpenSearch, binds to `localhost` when yo
sudo systemctl restart opensearch-dashboards
```
1. From a web browser, navigate to OpenSearch Dashboards. The default port is 5601.
1. Log in with the default username `admin` and the default password `admin`.
1. Log in with the default username `admin` and the default password `admin`. (For OpenSearch 2.12 and later, the password should be the custom admin password)
1. Visit [Getting started with OpenSearch Dashboards]({{site.url}}{{site.baseurl}}/dashboards/index/) to learn more.

2
_install-and-configure/install-dashboards/helm.md
View File

@ -34,7 +34,7 @@ Before you get started, you must first use [Helm to install OpenSearch]({{site.u
Make sure that you can send requests to your OpenSearch pod:
```json
$ curl -XGET https://localhost:9200 -u 'admin:admin' --insecure
$ curl -XGET https://localhost:9200 -u 'admin:<custom-admin-password>' --insecure
{
"name" : "opensearch-cluster-master-1",
"cluster_name" : "opensearch-cluster",

12
_install-and-configure/install-opensearch/debian.md
View File

@ -45,7 +45,15 @@ This guide assumes that you are comfortable working from the Linux command line
# arm64
sudo dpkg -i opensearch-{{site.opensearch_version}}-linux-arm64.deb
```
For OpenSearch 2.12 and greater, a custom admin password is required in order to set up a security demo configuration. To set a custom admin password, use one the following commands:
```bash
# x64
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> dpkg -i opensearch-{{site.opensearch_version}}-linux-x64.deb
# arm64
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> dpkg -i opensearch-{{site.opensearch_version}}-linux-arm64.deb
```
1. After the installation succeeds, enable OpenSearch as a service.
```bash
sudo systemctl enable opensearch
@ -175,7 +183,7 @@ An OpenSearch node in its default configuration (with demo certificates and user
1. Send requests to the server to verify that OpenSearch is running. Note the use of the `--insecure` flag, which is required because the TLS certificates are self-signed.
- Send a request to port 9200:
```bash
curl -X GET https://localhost:9200 -u 'admin:admin' --insecure
curl -X GET https://localhost:9200 -u 'admin:<custom-admin-password>' --insecure
```
{% include copy.html %}
@ -201,7 +209,7 @@ An OpenSearch node in its default configuration (with demo certificates and user
```
- Query the plugins endpoint:
```bash
curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:admin' --insecure
curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:<custom-admin-password>' --insecure
```
{% include copy.html %}

6
_install-and-configure/install-opensearch/docker.md
View File

@ -90,9 +90,13 @@ Before continuing, you should verify that Docker is working correctly by deployi
# This command maps ports 9200 and 9600, sets the discovery type to "single-node" and requests the newest image of OpenSearch
docker run -d -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" opensearchproject/opensearch:latest
```
For OpenSearch 2.12 or greater, set a new custom admin password before installation using the following command:
```bash
docker run -d -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" -e "OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password>" opensearchproject/opensearch:latest
```
1. Send a request to port 9200. The default username and password are `admin`.
```bash
curl https://localhost:9200 -ku 'admin:admin'
curl https://localhost:9200 -ku 'admin:<custom-admin-password>'
```
{% include copy.html %}

8
_install-and-configure/install-opensearch/helm.md
View File

@ -98,6 +98,14 @@ You can also build the `opensearch-1.0.0.tgz` file manually:
```
{% include copy.html %}
For OpenSearch 2.12 or greater, customize the admin password in `values.yaml` under `extraEnvs`, as shown in the following example:
```yaml
extraEnvs:
- name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
value: <custom-admin-password>
```
#### Sample output
```yaml

17
_install-and-configure/install-opensearch/rpm.md
View File

@ -57,6 +57,19 @@ This guide assumes that you are comfortable working from the Linux command line
# Install the arm64 package using rpm.
sudo rpm -ivh opensearch-{{site.opensearch_version}}-linux-x64.rpm
```
For OpenSearch 2.12 and greater, a custom admin password is required in order to set up a security demo configuration. To set a custom admin password, use one the following commands:
```bash
# Install the x64 package using yum.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> yum install opensearch-{{site.opensearch_version}}-linux-x64.rpm
# Install the x64 package using rpm.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> rpm -ivh opensearch-{{site.opensearch_version}}-linux-x64.rpm
# Install the arm64 package using yum.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> yum install opensearch-{{site.opensearch_version}}-linux-x64.rpm
# Install the arm64 package using rpm.
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> rpm -ivh opensearch-{{site.opensearch_version}}-linux-x64.rpm
1. After the installation succeeds, enable OpenSearch as a service.
```bash
sudo systemctl enable opensearch
@ -147,7 +160,7 @@ An OpenSearch node in its default configuration (with demo certificates and user
1. Send requests to the server to verify that OpenSearch is running. Note the use of the `--insecure` flag, which is required because the TLS certificates are self-signed.
- Send a request to port 9200:
```bash
curl -X GET https://localhost:9200 -u 'admin:admin' --insecure
curl -X GET https://localhost:9200 -u 'admin:<custom-admin-password>' --insecure
```
{% include copy.html %}
@ -173,7 +186,7 @@ An OpenSearch node in its default configuration (with demo certificates and user
```
- Query the plugins endpoint:
```bash
curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:admin' --insecure
curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:<custom-admin-password>' --insecure
```
{% include copy.html %}

10
_install-and-configure/install-opensearch/tar.md
View File

@ -100,10 +100,16 @@ An OpenSearch node configured by the demo security script is not suitable for a
```
{% include copy.html %}
For OpenSearch 2.12 or greater, set a new custom admin password before installation using the following command:
```bash
$ export OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password>
```
{% include copy.html %}
1. Open another terminal session and send requests to the server to verify that OpenSearch is running. Note the use of the `--insecure` flag, which is required because the TLS certificates are self-signed.
- Send a request to port 9200:
```bash
curl -X GET https://localhost:9200 -u 'admin:admin' --insecure
curl -X GET https://localhost:9200 -u 'admin:<custom-admin-password>' --insecure
```
{% include copy.html %}
@ -129,7 +135,7 @@ An OpenSearch node configured by the demo security script is not suitable for a
```
- Query the plugins endpoint:
```bash
curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:admin' --insecure
curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:<custom-admin-password>' --insecure
```
{% include copy.html %}

9
_install-and-configure/install-opensearch/windows.md
View File

@ -70,11 +70,16 @@ An OpenSearch node in its default configuration (with demo certificates and user
.\opensearch-windows-install.bat
```
{% include copy.html %}
For OpenSearch 2.12 or greater, set a new custom admin password before installation using the following command:
```bat
> set OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password>
```
{% include copy.html %}
1. Open a new command prompt and send requests to the server to verify that OpenSearch is running. Note the use of the `--insecure` flag, which is required because the TLS certificates are self-signed.
- Send a request to port 9200:
```bat
curl.exe -X GET https://localhost:9200 -u "admin:admin" --insecure
curl.exe -X GET https://localhost:9200 -u "admin:<custom-admin-password>" --insecure
```
{% include copy.html %}
@ -100,7 +105,7 @@ An OpenSearch node in its default configuration (with demo certificates and user
```
- Query the plugins endpoint:
```bat
curl.exe -X GET https://localhost:9200/_cat/plugins?v -u "admin:admin" --insecure
curl.exe -X GET https://localhost:9200/_cat/plugins?v -u "admin:<custom-admin-password>" --insecure
```
{% include copy.html %}

34
_install-and-configure/upgrade-opensearch/appendix/rolling-upgrade-lab.md
View File

@ -125,7 +125,7 @@ After selecting a host, you can begin the lab:
1. Press `Ctrl+C` to stop following container logs and return to the command prompt.
1. Use cURL to query the OpenSearch REST API. In the following command, `os-node-01` is queried by sending the request to host port `9201`, which is mapped to port `9200` on the container:
```bash
curl -s "https://localhost:9201" -ku admin:admin
curl -s "https://localhost:9201" -ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -177,7 +177,7 @@ This section can be broken down into two parts:
curl -H "Content-Type: application/x-ndjson" \
-X PUT "https://localhost:9201/ecommerce?pretty" \
--data-binary "@ecommerce-field_mappings.json" \
-ku admin:admin
-ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -193,7 +193,7 @@ This section can be broken down into two parts:
curl -H "Content-Type: application/x-ndjson" \
-X PUT "https://localhost:9201/ecommerce/_bulk?pretty" \
--data-binary "@ecommerce.json" \
-ku admin:admin
-ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label">Example response (truncated)</p>
@ -226,7 +226,7 @@ This section can be broken down into two parts:
curl -H 'Content-Type: application/json' \
-X GET "https://localhost:9201/ecommerce/_search?pretty=true&filter_path=hits.total" \
-d'{"query":{"match":{"customer_first_name":"Sonya"}}}' \
-ku admin:admin
-ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label" id="query-validation">Example response</p>
@ -271,7 +271,7 @@ In this section you will be:
curl -H 'Content-Type: application/json' \
-X PUT "https://localhost:9201/_snapshot/snapshot-repo?pretty" \
-d '{"type":"fs","settings":{"location":"/usr/share/opensearch/snapshots"}}' \
-ku admin:admin
-ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -284,7 +284,7 @@ In this section you will be:
```bash
curl -H 'Content-Type: application/json' \
-X POST "https://localhost:9201/_snapshot/snapshot-repo/_verify?timeout=0s&master_timeout=50s&pretty" \
-ku admin:admin
-ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -315,7 +315,7 @@ Snapshots are backups of a clusters indexes and state. See [Snapshots]({{site
```bash
curl -H 'Content-Type: application/json' \
-X PUT "https://localhost:9201/_snapshot/snapshot-repo/cluster-snapshot-v137?wait_for_completion=true&pretty" \
-ku admin:admin
-ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -448,7 +448,7 @@ Some steps included in this section, like disabling shard replication and flushi
curl -H 'Content-type: application/json' \
-X PUT "https://localhost:9201/_cluster/settings?pretty" \
-d'{"persistent":{"cluster.routing.allocation.enable":"primaries"}}' \
-ku admin:admin
-ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -469,7 +469,7 @@ Some steps included in this section, like disabling shard replication and flushi
```
1. Perform a flush operation on the cluster to commit transaction log entries to the Lucene index:
```bash
curl -X POST "https://localhost:9201/_flush?pretty" -ku admin:admin
curl -X POST "https://localhost:9201/_flush?pretty" -ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -514,7 +514,7 @@ Some steps included in this section, like disabling shard replication and flushi
1. **Optional**: Query the cluster to determine which node is acting as the cluster manager. You can run this command at any time during the process to see when a new cluster manager is elected:
```bash
curl -s "https://localhost:9201/_cat/nodes?v&h=name,version,node.role,master" \
-ku admin:admin | column -t
-ku admin:<custom-admin-password> | column -t
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -528,7 +528,7 @@ Some steps included in this section, like disabling shard replication and flushi
1. **Optional**: Query the cluster to see how shard allocation changes as nodes are removed and replaced. You can run this command at any time during the process to see how shard statuses change:
```bash
curl -s "https://localhost:9201/_cat/shards" \
-ku admin:admin
-ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -644,7 +644,7 @@ Some steps included in this section, like disabling shard replication and flushi
1. Confirm that your cluster is running the new version:
```bash
curl -s "https://localhost:9201/_cat/nodes?v&h=name,version,node.role,master" \
-ku admin:admin | column -t
-ku admin:<custom-admin-password> | column -t
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -700,7 +700,7 @@ Some steps included in this section, like disabling shard replication and flushi
curl -H 'Content-type: application/json' \
-X PUT "https://localhost:9201/_cluster/settings?pretty" \
-d'{"persistent":{"cluster.routing.allocation.enable":"all"}}' \
-ku admin:admin
-ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -735,7 +735,7 @@ For this cluster, post-upgrade validation steps can include verifying the follow
1. Verify the current running version of your OpenSearch nodes:
```bash
curl -s "https://localhost:9201/_cat/nodes?v&h=name,version,node.role,master" \
-ku admin:admin | column -t
-ku admin:<custom-admin-password> | column -t
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -781,7 +781,7 @@ For this cluster, post-upgrade validation steps can include verifying the follow
1. Query the [Cluster health]({{site.url}}{{site.baseurl}}/api-reference/cluster-api/cluster-health/) API endpoint to see information about the health of your cluster. You should see a status of `green`, which indicates that all primary and replica shards are allocated:
```bash
curl -s "https://localhost:9201/_cluster/health?pretty" -ku admin:admin
curl -s "https://localhost:9201/_cluster/health?pretty" -ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -808,7 +808,7 @@ For this cluster, post-upgrade validation steps can include verifying the follow
```
1. Query the [CAT shards]({{site.url}}{{site.baseurl}}/api-reference/cat/cat-shards/) API endpoint to see how shards are allocated after the cluster is upgrade:
```bash
curl -s "https://localhost:9201/_cat/shards" -ku admin:admin
curl -s "https://localhost:9201/_cat/shards" -ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>
@ -860,7 +860,7 @@ You need to query the ecommerce index again in order to confirm that the sample
curl -H 'Content-Type: application/json' \
-X GET "https://localhost:9201/ecommerce/_search?pretty=true&filter_path=hits.total" \
-d'{"query":{"match":{"customer_first_name":"Sonya"}}}' \
-ku admin:admin
-ku admin:<custom-admin-password>
```
{% include copy.html %}
<p class="codeblock-label">Example response</p>

115
_security/configuration/demo-configuration.md Normal file
View File

@ -0,0 +1,115 @@
---
layout: default
title: Setting up a demo configuration
parent: Configuration
nav_order: 4
---
# Setting up a demo configuration
Welcome to the OpenSearch Security plugin demo configuration setup guide. This tool provides a quick and easy way to replicate a production environment for testing purposes. The demo configuration includes the setup of security-related components, such as internal users, roles, role mappings, audit configuration, basic authentication, tenants, and allow lists.
The demo configuration tool performs the following tasks:
1. Configures security settings, which are then loaded into the security index.
2. Generates demo certificates.
3. Adds security-related settings to the `opensearch.yml` file.
## Installing the demo configuration
The demo configuration is automatically called as part of the setup for each supported distribution of OpenSearch. The following are instructions for each distribution.
**Note**: Starting with OpenSearch 2.12, a custom admin password is required in order to install the demo configuration. If none is provided, the cluster will fail to start. Note that this change only affects new clusters. Existing clusters are not affected because they already have `opensearch.yml` configured, so the installation tool will not run.
### Docker
Use the following steps to set up the Security plugin using Docker:
1. Download [docker-compose.yml](https://opensearch.org/downloads.html).
2. In the `docker-compose.yml` file, set `DISABLE_SECURITY_PLUGIN` to `false`.
3. Run the following command:
```bash
$ docker-compose up
```
### Setting up a custom admin password
**Note**: For OpenSearch versions 2.12 and later, you must set the initial admin password before installation. To customize the admin password, you can take the following steps:
1. Download the following sample [docker-compose.yml](https://github.com/opensearch-project/documentation-website/blob/{{site.opensearch_major_minor_version}}/assets/examples/docker-compose.yml) file.
2. Create a `.env` file.
3. Add the variable `OPENSEARCH_INITIAL_ADMIN_PASSWORD` and set the variable with a strong string password.
4. Run `docker-compose up`.
### TAR (Linux)
For TAR distributions on Linux, download the Linux setup files from the OpenSearch [Download & Get Started](https://opensearch.org/downloads.html) page. Then use the following command to run the demo configuration:
```bash
$ ./opensearch-tar-install.sh
```
For OpenSearch 2.12 or later, set a new custom admin password before installation by using the following command:
```bash
$ export OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password>
```
### Windows
For ZIP distributions on Windows, after downloading and extracting the setup files, run the following command:
```powershell
> .\opensearch-windows-install.bat
```
For OpenSearch 2.12 or later, set a new custom admin password before installation by running the following command:
```powershell
> set OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password>
```
### Helm
For Helm charts, the demo configuration is automatically installed during the OpenSearch installation. For OpenSearch 2.12 or later, customize the admin password in `values.yaml` under `extraEnvs`:
```yaml
extraEnvs:
- name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
value: <custom-admin-password>
```
### RPM
For RPM packages, install OpenSearch and set up the demo configuration by running the following command:
```bash
$ sudo yum install opensearch-{{site.opensearch_version}}-linux-x64.rpm
```
For OpenSearch 2.12 or later, set a new custom admin password before installation by using the following command:
```bash
$ sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> yum install opensearch-{{site.opensearch_version}}-linux-x64.rpm
```
### DEB
For DEB packages, install OpenSearch and set up the demo configuration by running the following command:
```bash
$ sudo dpkg -i opensearch-{{site.opensearch_version}}-linux-arm64.deb
```
For OpenSearch 2.12 or later, set a new custom admin password before installation by using the following command:
```bash
$ sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password> dpkg -i opensearch-{{site.opensearch_version}}-linux-arm64.deb
```
### Local distribution
If you are building a local distribution, refer to [DEVELOPER_GUIDE.md](https://github.com/opensearch-project/security/blob/main/DEVELOPER_GUIDE.md) for instructions on building a local binary for the Security plugin.
For OpenSearch 2.12 or later, make sure that you set a strong password before installation.

2
assets/examples/docker-compose.yml
View File

@ -10,6 +10,7 @@ services:
- cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 # Nodes eligibile to serve as cluster manager
- bootstrap.memory_lock=true # Disable JVM heap memory swapping
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # Set min and max JVM heap sizes to at least 50% of system RAM
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD} # Sets the demo admin user password when using demo configuration (for OpenSearch 2.12 and later)
ulimits:
memlock:
soft: -1 # Set memlock to unlimited (no soft or hard limit)
@ -34,6 +35,7 @@ services:
- cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
- bootstrap.memory_lock=true
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
ulimits:
memlock:
soft: -1