Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pass in strong password instead to fix integtest workflow #4302

Merged
merged 9 commits into from
Jan 9, 2024

Conversation

derek-ho
Copy link
Contributor

Description

With recent changes in security plugin requiring a strong initial admin password to be set, I've seen a few autocuts with integtest failures. This PR attempts to resolve those by passing in a strong password and using that to run the tests

Issues Resolved

List any issues this PR will resolve, e.g. Closes [...].

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho
Copy link
Contributor Author

Am I correct in assuming that we also need to change any repo which has its own integtest.sh file to use default admin:myStrongPassword123! with this change? How do we handle cases in which integtest pass in its own credentials, or we don't need to worry about those?

@@ -30,6 +30,10 @@ def install(self, bundle_name: str) -> None:
logging.info("deb installation requires sudo, script will exit if current user does not have sudo access")
deb_install_cmd = " ".join(
[
'sudo'
'env'
'OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123!'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will only set the env variable for the duration of the sudo env command execution and will not persist. Recommend to use export to set the environment variable.

@@ -30,6 +30,10 @@ def install(self, bundle_name: str) -> None:
logging.info("rpm installation requires sudo, script will exit if current user does not have sudo access")
rpm_install_cmd = " ".join(
[
'sudo'
'env'
'OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123!'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above.

@@ -33,7 +33,7 @@ def install(self, bundle_name: str) -> None:
@property
def start_cmd(self) -> str:
start_cmd_map = {
"opensearch": "./opensearch-tar-install.sh",
"opensearch": "OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123! ./opensearch-tar-install.sh",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this should be export OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123! && ./opensearch-tar-install.sh

@rishabh6788
Copy link
Collaborator

Added a few comments, please address them.
Also please fix the failing tests.

Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
@@ -89,7 +89,7 @@ fi

if [ -z "$CREDENTIAL" ]
then
CREDENTIAL="admin:admin"
CREDENTIAL="admin:myStrongPassword123!"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This wouldn't work for OS version lower than 2.12.
It may not make much sense to run integration tests for released 2.x versions but it will definitely break integ tests for 1.x line.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right! The code is generic for all versions as of today. Until we solve the branching problem.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To unblock this we can try adding if/else condition to differentiate with 1.x and above until we have this branching/versioning for the build repo solved. The script already has an argument OPENSEARCH_VERSION so adding if/else should be straight forward.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think issue with that is what if patch version 2.0 < patch version < 2.12 come along? I was looking into bash script to compare semantic version, but it seems complex, not sure how do you folks feel about adding something like this: https://stackoverflow.com/questions/4023830/how-to-compare-two-strings-in-dot-separated-version-format-in-bash?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rishabh6788 @gaiksaya @prudhvigodithi I changed the logic in the script itself to set a strong password if the version is after 2.12.0. Let me know if that makes sense to keep. I also included this logic in the integtest.sh files of repo's which have their own versions of integtest.sh.

Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
Copy link

codecov bot commented Dec 28, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (f92f571) 91.26% compared to head (00fa11f) 91.27%.
Report is 11 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4302   +/-   ##
=======================================
  Coverage   91.26%   91.27%           
=======================================
  Files         189      189           
  Lines        6124     6163   +39     
=======================================
+ Hits         5589     5625   +36     
- Misses        535      538    +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Signed-off-by: Derek Ho <dxho@amazon.com>
Copy link
Member

@peterzhuamazon peterzhuamazon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is just the default integTest.sh, there are more in each plugin's repo.

scripts/default/integtest.sh Outdated Show resolved Hide resolved
@derek-ho
Copy link
Contributor Author

derek-ho commented Jan 4, 2024

This is just the default integTest.sh, there are more in each plugin's repo.

I believe most plugins have removed their custom integTest.sh in favor of this default. There are two repos I found which need their own custom ones, we have open PRs in those, which should be merged prior to 2.12.0 release, correct me if my understanding is incorrect:
opensearch-project/cross-cluster-replication#1298
opensearch-project/opensearch-dashboards-functional-test#981
If you can take a look at these, that would also be awesome! I do not know if their repo's branching strategy is honored. @kavilla suggested we don't need logic in these repos to determine version since those repo's integtest.sh is run against their own branch.

Signed-off-by: Derek Ho <dxho@amazon.com>
Copy link
Member

@peterzhuamazon peterzhuamazon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Waiting for final decision based on this issue before approval, since it includes both deb and rpm.
opensearch-project/security#3916

Signed-off-by: Derek Ho <dxho@amazon.com>
@peterzhuamazon
Copy link
Member

@derek-ho
Copy link
Contributor Author

derek-ho commented Jan 9, 2024

You can either add docker or open a new PR for docker: https://github.com/opensearch-project/opensearch-build/blob/main/docker/release/config/opensearch/opensearch-docker-entrypoint.sh#L33-L39

Is this guy being used in docker integtest? Can you point me to where docker integtest is run, if at all? I would rather merge in this PR as is, since the main purpose is to sniff out if this will solve the autocuts that have been cut against a lot of repos, and close any false alarm that is being raised.

@prudhvigodithi prudhvigodithi merged commit 8897650 into opensearch-project:main Jan 9, 2024
13 checks passed
@prudhvigodithi
Copy link
Member

@derek-ho Merging the PR to make sure 2.12.0 with-security integ tests pass, please keep an eye on failures if there is anything breaking with this change.

@DarshitChanpura
Copy link
Member

You can either add docker or open a new PR for docker:
https://github.com/opensearch-project/opensearch-build/blob/main/docker/release/config/opensearch/opensearch-docker-entrypoint.sh#L33-L39

This is addressed in this PR: #4274

kavilla pushed a commit to opensearch-project/opensearch-dashboards-functional-test that referenced this pull request Jan 10, 2024
* Remove instances of hard admin credentials

opensearch-project/opensearch-build#4302

Signed-off-by: Derek Ho <dxho@amazon.com>
opensearch-trigger-bot bot pushed a commit to opensearch-project/opensearch-dashboards-functional-test that referenced this pull request Jan 10, 2024
* Remove instances of hard admin credentials

opensearch-project/opensearch-build#4302

Signed-off-by: Derek Ho <dxho@amazon.com>
(cherry picked from commit 8391566)
ruanyl pushed a commit to opensearch-project/opensearch-dashboards-functional-test that referenced this pull request Jan 11, 2024
* Remove instances of hard admin credentials

opensearch-project/opensearch-build#4302

Signed-off-by: Derek Ho <dxho@amazon.com>
(cherry picked from commit 8391566)

Co-authored-by: Derek Ho <dxho@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants