-
Notifications
You must be signed in to change notification settings - Fork 278
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pass in strong password instead to fix integtest workflow #4302
Conversation
Signed-off-by: Derek Ho <dxho@amazon.com>
Am I correct in assuming that we also need to change any repo which has its own integtest.sh file to use default admin:myStrongPassword123! with this change? How do we handle cases in which integtest pass in its own credentials, or we don't need to worry about those? |
@@ -30,6 +30,10 @@ def install(self, bundle_name: str) -> None: | |||
logging.info("deb installation requires sudo, script will exit if current user does not have sudo access") | |||
deb_install_cmd = " ".join( | |||
[ | |||
'sudo' | |||
'env' | |||
'OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123!' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will only set the env variable for the duration of the sudo env
command execution and will not persist. Recommend to use export
to set the environment variable.
@@ -30,6 +30,10 @@ def install(self, bundle_name: str) -> None: | |||
logging.info("rpm installation requires sudo, script will exit if current user does not have sudo access") | |||
rpm_install_cmd = " ".join( | |||
[ | |||
'sudo' | |||
'env' | |||
'OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123!' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same as above.
@@ -33,7 +33,7 @@ def install(self, bundle_name: str) -> None: | |||
@property | |||
def start_cmd(self) -> str: | |||
start_cmd_map = { | |||
"opensearch": "./opensearch-tar-install.sh", | |||
"opensearch": "OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123! ./opensearch-tar-install.sh", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe this should be export OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123! && ./opensearch-tar-install.sh
Added a few comments, please address them. |
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
scripts/default/integtest.sh
Outdated
@@ -89,7 +89,7 @@ fi | |||
|
|||
if [ -z "$CREDENTIAL" ] | |||
then | |||
CREDENTIAL="admin:admin" | |||
CREDENTIAL="admin:myStrongPassword123!" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This wouldn't work for OS version lower than 2.12.
It may not make much sense to run integration tests for released 2.x versions but it will definitely break integ tests for 1.x line.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right! The code is generic for all versions as of today. Until we solve the branching problem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To unblock this we can try adding if/else condition to differentiate with 1.x and above until we have this branching/versioning for the build repo solved. The script already has an argument OPENSEARCH_VERSION
so adding if/else should be straight forward.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think issue with that is what if patch version 2.0 < patch version < 2.12 come along? I was looking into bash script to compare semantic version, but it seems complex, not sure how do you folks feel about adding something like this: https://stackoverflow.com/questions/4023830/how-to-compare-two-strings-in-dot-separated-version-format-in-bash?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rishabh6788 @gaiksaya @prudhvigodithi I changed the logic in the script itself to set a strong password if the version is after 2.12.0. Let me know if that makes sense to keep. I also included this logic in the integtest.sh files of repo's which have their own versions of integtest.sh.
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #4302 +/- ##
=======================================
Coverage 91.26% 91.27%
=======================================
Files 189 189
Lines 6124 6163 +39
=======================================
+ Hits 5589 5625 +36
- Misses 535 538 +3 ☔ View full report in Codecov by Sentry. |
Signed-off-by: Derek Ho <dxho@amazon.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is just the default integTest.sh, there are more in each plugin's repo.
I believe most plugins have removed their custom integTest.sh in favor of this default. There are two repos I found which need their own custom ones, we have open PRs in those, which should be merged prior to 2.12.0 release, correct me if my understanding is incorrect: |
Signed-off-by: Derek Ho <dxho@amazon.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Waiting for final decision based on this issue before approval, since it includes both deb and rpm.
opensearch-project/security#3916
Signed-off-by: Derek Ho <dxho@amazon.com>
You can either add docker or open a new PR for docker: |
Is this guy being used in docker integtest? Can you point me to where docker integtest is run, if at all? I would rather merge in this PR as is, since the main purpose is to sniff out if this will solve the autocuts that have been cut against a lot of repos, and close any false alarm that is being raised. |
@derek-ho Merging the PR to make sure 2.12.0 |
This is addressed in this PR: #4274 |
* Remove instances of hard admin credentials opensearch-project/opensearch-build#4302 Signed-off-by: Derek Ho <dxho@amazon.com>
* Remove instances of hard admin credentials opensearch-project/opensearch-build#4302 Signed-off-by: Derek Ho <dxho@amazon.com> (cherry picked from commit 8391566)
* Remove instances of hard admin credentials opensearch-project/opensearch-build#4302 Signed-off-by: Derek Ho <dxho@amazon.com> (cherry picked from commit 8391566) Co-authored-by: Derek Ho <dxho@amazon.com>
Description
With recent changes in security plugin requiring a strong initial admin password to be set, I've seen a few autocuts with integtest failures. This PR attempts to resolve those by passing in a strong password and using that to run the tests
Issues Resolved
List any issues this PR will resolve, e.g. Closes [...].
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.