Updating default dashboards username and passwords #1014
Signed-off-by: Anton Rubin <[email protected]>
} else { | ||
// Use default demo credentials | ||
return "admin", "admin", nil | ||
return "kibanaserver", "kibanaserver", nil |
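Review bot: the else branch at `return "kibanaserver", "kibanaserver", nil` still hands back a fixed username with an identical password, and the comment above it continues to say only "Use default demo credentials". Name the account in that comment and state that the branch relies on the demo security configuration providing this user, and consider logging a warning whenever the branch is taken so that a cluster running without configured dashboards credentials is visible to whoever operates it.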
Not sure if using "kibana" here is very helpful. Might confuse a few folks. Maybe use opensearchdashboards for both username and password?
@rootxrishabh kibanaserver is already a configured user in config that comes out of the box, opensearchdashboards will not work with this.
I have a fresh cluster, but I don't see the kibanaserver user, but I see the dashboarduser. PTAL
curl -X GET https://127.0.0.1:9200/_plugins/_security/api/internalusers -u admin:@lcDlBOZ9MNX -k
{"admin":{"hash":"","reserved":true,"hidden":false,"backend_roles":["admin"],"attributes":{},"description":"Demo admin user","opendistro_security_roles":[],"static":false},"dashboarduser":{"hash":"","reserved":true,"hidden":false,"backend_roles":[],"attributes":{},"description":"Demo OpenSearch Dashboards user","opendistro_security_roles":[],"static":false}}
root@accusiem-vm:~# curl -X GET https://95.216.189.114:30920/_plugins/_security/api/internalusers -u admin:@lcDlBOZ9MNX -k | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 360 100 360 0 0 5884 0 --:--:-- --:--:-- --:--:-- 5806
{
"admin": {
"hash": "",
"reserved": true,
"hidden": false,
"backend_roles": [
"admin"
],
"attributes": {},
"description": "Demo admin user",
"opendistro_security_roles": [],
"static": false
},
"dashboarduser": {
"hash": "",
"reserved": true,
"hidden": false,
"backend_roles": [],
"attributes": {},
"description": "Demo OpenSearch Dashboards user",
"opendistro_security_roles": [],
"static": false
}
}
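An added example, not part of the PR or the operator's code: the manual check in the comment above, written as a Go function that reads an `internalusers` response and reports whether the account a hard-coded fallback relies on exists. The helper name `auditFallbackUser`, the "Demo" description prefix used as a marker, and the embedded sample response are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// internalUser keeps the one field this check reads from each entry of the
// GET _plugins/_security/api/internalusers response.
type internalUser struct {
	Description string `json:"description"`
}

// sampleResponse is constructed for this example, trimmed from the response
// shape pasted in the comment above.
const sampleResponse = `{
 "admin": {"reserved": true, "backend_roles": ["admin"], "description": "Demo admin user"},
 "dashboarduser": {"reserved": true, "backend_roles": [], "description": "Demo OpenSearch Dashboards user"}
}`

// auditFallbackUser (hypothetical helper) reports whether the account a
// hard-coded fallback relies on exists, and returns the sorted names of
// accounts whose description starts with "Demo" (an assumption taken from
// the sample output, not a documented marker).
func auditFallbackUser(body []byte, fallback string) (bool, []string, error) {
	users := map[string]internalUser{}
	if err := json.Unmarshal(body, &users); err != nil {
		return false, nil, fmt.Errorf("parse internalusers response: %w", err)
	}
	_, exists := users[fallback]
	var demo []string
	for name, u := range users {
		if strings.HasPrefix(u.Description, "Demo") {
			demo = append(demo, name)
		}
	}
	sort.Strings(demo)
	return exists, demo, nil
}

func main() {
	exists, demo, err := auditFallbackUser([]byte(sampleResponse), "kibanaserver")
	if err != nil {
		panic(err)
	}
	fmt.Printf("kibanaserver present: %v; demo accounts: %v\n", exists, demo)
}
```

Run against a cluster's real response, a `false` result for the fallback name means the hard-coded pair cannot authenticate there, which is the situation the comment above describes.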
Also, could changing the user from 'admin' potentially result in a 403 Forbidden error during operator operations?
@rootxrishabh Thank you for the review, I see now I updated the password for operator, not dashboards, I've pushed the change now.
Regarding the question on users, can you elaborate on this as a new cluster with default settings comes with a number of internal users, such as:
{
"logstash" : {
...
},
"snapshotrestore" : {
...
},
"admin" : {
...
},
"kibanaserver" : {
...
},
"kibanaro" : {
...
},
"readall" : {
...
},
"anomalyadmin" : {
...
}
}
Actually my bad :(, the user list was indeed from a different cluster with custom config. I created a new cluster and I see the same users now. One last question, the goal of this PR is to bootstrap the dashboard using a less permissive user than the admin user. Correct?
@rootxrishabh correct, any demo opensearch configuration has dashboards configured to use 'kibanaserver' as a user. So this change is to align it with this rule.
Makes sense to me, thanks @AntonEliatra @rootxrishabh
Signed-off-by: Anton Rubin <[email protected]>
…t#1014) ### Description Updating default dashboards username and passwords ### Check List - [x] Commits are signed per the DCO using --signoff Please refer to the [PR guidelines](https://github.com/opensearch-project/opensearch-k8s-operator/blob/main/docs/developing.md#submitting-a-pr) before submitting this pull request. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Anton Rubin <[email protected]>
Description
Updating default dashboards username and passwords
Check List
Please refer to the PR guidelines before submitting this pull request.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.