[BUG] Starting v2.12 - plugins.security.ssl.http.enabled cannot be set to false #4348

Closed
c3-davidtran opened this issue May 16, 2024 · 5 comments
Labels
bug Something isn't working Plugins untriaged Require the attention of the repository maintainers and may need to be prioritized

Comments

@c3-davidtran

Describe the bug

Following the upgrade to OpenSearch 2.12, the demo internal certificates are no longer created when plugins.security.ssl.http.enabled is set to false in the opensearch.yml file.

This is a regression compared to previous versions where the demo certificates were created and used for transport layer.

Related component

Plugins

To Reproduce

Update the config opensearch.yml content with plugins.security.ssl.http.enabled: false.
Notice the security plugin will run with log:
/usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.
Then no demo certificate is created.

Deployment will fail with error:

installation fails with error OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]

Expected behavior

Do not append additional plugins.security configuration if they have been provided by end users.
But still create the demo certificates unless DISABLE_INSTALL_DEMO_CONFIG is set to true


@c3-davidtran c3-davidtran added bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels May 16, 2024
@dblock dblock transferred this issue from opensearch-project/OpenSearch May 16, 2024
@cwperks
Member

cwperks commented May 16, 2024

@c3-davidtran When using the install_demo_configuration.sh script there must be no plugins.security... settings in opensearch.yml or it will abort running the script.

If you wish to disable HTTPS, then I recommend first running the install_demo_configuration.sh script without any plugins.security... settings in opensearch.yml to install the demo configuration and then flipping plugins.security.ssl.http.enabled to false.

@derek-ho
Contributor

[Triage] @c3-davidtran can you make a post in the forums to get some more assistance there? Or please re-open this issue with additional concerns if you think this is a bug.

@c3-davidtran
Author

@cwperks Thank you for clarifying.
May I ask what your recommended process is for a cluster upgrade in this case?
Should we delete the generated demo certs and rerun the install_demo_configuration.sh script, or does the script automatically update the existing certificates?
My understanding is, as part of its upgrade process, Opensearch cluster automatically renews its certificates with the certificates it is provided.

@derek-ho I wouldn't say it's a bug, but for users who, like me, use the demo certs for transport TLS and disable REST TLS, that new behaviour breaks our opensearch upgrade flow because additional steps have to be done.
It could be beneficial to update the documentation and provide warning/information notice for this specific use case.

@cwperks
Member

cwperks commented May 21, 2024

@c3-davidtran There is no renewal process for demo certificates. The demo certificates are static and widely known. They can change between minor versions, but are only meant to be used for demonstration purposes to show how to configure a cluster securely.

The process for generating self-signed certs can be found in the DEVELOPER_GUIDE: https://github.com/opensearch-project/security/blob/main/DEVELOPER_GUIDE.md#refreshing-demo-certificates

@c3-davidtran
Author

c3-davidtran commented May 22, 2024

@cwperks Got it. I was actually concerned about what would happen if they change between minor versions as you implied.
But by looking at the doc you've sent and my understanding of the script, I'm assuming even if the demo certs change between minor versions, they will be automatically updated on the cluster.

TLDR more context;
Until version < 2.12, the demo installation script is run regardless if opensearch.yaml contains any plugins.security config.
So new default certs are generated between minor versions following security plugin changes.
Because the behaviour has changed, now only at cluster initial creation, the certs are generated and plugins.security config are appended to opensearch.yaml.
But at next version upgrade, new certs won't be generated because the demo installation will be aborted.
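
Added example (not part of the thread and not code from the OpenSearch project): a pre-upgrade check for the failure mode discussed above, where opensearch.yml already carries plugins.security settings, the demo installer quits, and the transport certificate named in the config is absent. The function names and status strings are hypothetical, and treating any uncommented key that starts with plugins.security as "already configured" is an assumption taken from the maintainer's description, not the installer's actual check.

```shell
#!/bin/sh
# Added example: pre-upgrade check for the demo-installer abort described in this issue.
# Assumption: any uncommented key starting with "plugins.security" makes the demo
# installer quit ("seems to be already configured for Security").

# Print the value of a top-level "key: value" setting (last occurrence wins).
yaml_value() {
    awk -v k="$2:" 'index($0, k) == 1 { v = substr($0, length(k) + 1) } END { print v }' "$1" |
        tr -d "\"'" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Echo one of: installer-will-run | ok | missing-transport-cert
check_demo_config() {
    conf_dir=$1
    yml="$conf_dir/opensearch.yml"
    [ -f "$yml" ] || { echo "no such file: $yml" >&2; return 2; }

    # No plugins.security keys present: the installer does not quit early,
    # so demo certificates and settings would be written.
    if ! grep -Eq '^[[:space:]]*plugins\.security' "$yml"; then
        echo installer-will-run
        return 0
    fi

    # The installer will quit, so the transport certificate the config points
    # at must already be on disk or the node fails at startup.
    cert=$(yaml_value "$yml" plugins.security.ssl.transport.pemcert_filepath)
    [ -n "$cert" ] || { echo missing-transport-cert; return 1; }
    case $cert in
        /*) ;;                          # absolute path: use as given
        *) cert="$conf_dir/$cert" ;;    # relative path: resolve against the config dir
    esac
    if [ -r "$cert" ]; then
        echo ok
    else
        echo missing-transport-cert
        return 1
    fi
}

# Run against a config directory when one is given on the command line.
if [ $# -gt 0 ]; then
    check_demo_config "$1"
fi
```

A result of `ok` only means the file exists; as noted in the thread, the demo certificates are static and widely known, so the check says nothing about whether the certificate is suitable outside a demonstration setup.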
