[DEPRECATION] Security Plugin Tools will be replaced #1755

Open
peternied opened this issue Apr 8, 2022 · 13 comments
Labels: triaged, v3.0.0

Comments

@peternied
Member

peternied commented Apr 8, 2022

Security Plugin tools will be replaced

This is the list of tools that will be replaced:

.\tools\audit_config_migrater.bat
.\tools\audit_config_migrater.sh
.\tools\hash.bat
.\tools\hash.sh
.\tools\install_demo_configuration.sh
.\tools\securityadmin.bat
.\tools\securityadmin.sh

This issue will be updated with the recommended replacement.

Semantic Versioning Aside

OpenSearch will never remove functionality without a major version change to OpenSearch (e.g. v3.0.0+), so while these tools are marked deprecated, it is a signal that they will be replaced at some point in a future major version update. I suspect that even after we have a replacement we will keep these tools through a major version to give time for migration.

@ComBin

ComBin commented Sep 14, 2022

Can I know what they will be replaced with?

@davidlago added the triaged label on Oct 10, 2022
@realulli

Several questions:

  • Any pointers as to what hash.sh will be replaced with?
  • Any pointers to the greater plan for security?

Right now, I can have my internal userbase under version control and just update the hashes. Since they're bcrypt, I consider them secure enough. The script could be simplified, yes, but other than that? Also, with the userbase there in the file, I can set up new systems rather quickly and efficiently.

@peternied
Member Author

peternied commented Jan 4, 2023

@realulli Great questions. We are rethinking the shape of the security ecosystem, and while these utilities (hash.sh, securityadmin.sh) are useful, they should be secondary to well-authored and documented APIs. Updating a user password should be possible via an API call that could be called from a tool, but the tool shouldn't be the starting point.

We are still in the design / prototype phases of many areas; the following issue is tracking the larger support. Additionally, we will need a clear migration story: "if you used hash.sh, instead you can do...".

This issue is tracking some of these high level goals and we will be publishing more communications as we have a clear roadmap - expect blog posts and community meeting spotlights.

Semantic Versioning Aside: we will never remove functionality without a major version change to OpenSearch (e.g. v3.0.0+), so while these tools are marked deprecated, it is a signal that they will be replaced at some point in a future major version update. I suspect that even after we have a replacement we will keep these tools through a major version to give time for migration.

Finally if there are still aspects you'd like to follow up on please feel free to join our public triage meeting if that is a better forum for discussion.

@sultanovich

Hi @peternied, thank you very much for the detail in your comment. Is there a specific place where we can see the progress on this topic in general or at least of these tools? Or should we follow this issue to see the definitions?
At this point really tools like hash.sh or securityadmin.sh have become critical in our environment.

@peternied
Member Author

This issue is a great place to watch for updates; we will use this issue to call out the details of the removal/replacement of these tools when we have concrete details.

@sultanovich

Excellent, we will follow the topic here. Thanks @peternied

@matthid

matthid commented Feb 12, 2023

I feel like the warning to users is a bit early, if there is not even a replacement or any actionable thing users can do?
Users now learn to ignore the warning and will be surprised once it is removed, no?

@stephen-crawford
Contributor

Hi @matthid, I understand your concern that the deprecation label could lose its impact on users. Currently, we are in the process of redesigning many of the security features as part of the Identity project. This project takes much of the existing security functionality and moves it directly into core. As part of this, the legacy security plugin tools are being phased out, likely maintaining operation through 3.x and being fully deprecated at 4.0.

Right now there is nothing users can do to upgrade because the Identity release is not launched. However, this issue is made to be associated with that progress and will include helpful links for migrating as soon as the alternative approaches are live.

@smortex
Contributor

smortex commented Sep 13, 2023

I'm currently trying to track down an issue with complaints about insecure file paths in opensearch but I have the feeling that the installer from opensearch itself does this, need to track it down though, so no definite answer until now.

@artificial-intelligence I tried to improve this in two PRs (opensearch-build#3898, opensearch-build#3952), but I don't recall seeing an explicit warning / error. Can you show at which step you see these "complaints" so that I can reproduce the issue and see if the changes helped?

@artificial-intelligence

@smortex sorry for replying late, afaik my mentioned issues got fixed in opensearch-project/opensearch-build#3898

@smortex
Contributor

smortex commented Oct 6, 2023

@artificial-intelligence unfortunately these changes were rolled back in opensearch-project/opensearch-build#4041 😭

opensearch-project/opensearch-build#4043 was opened to redo this (not in the upcoming 2.11.0 unfortunately, maybe 2.12.0), and I also created a meta-issue opensearch-project/opensearch-build#4087 to track the various package improvements progress. Feel free to comment in this issue so that we can have a place for all these packaging issues.

@CarterPape

CarterPape commented Sep 1, 2024

Is there any update on what is going to replace the security plugin tools? I don't see anything about it in the roadmap.

Edit: The roadmap for this is here, as part of the security plugin.
