Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Addresses a bug with plugins.security.allow_unsafe_democertificates setting #4600

Merged
merged 2 commits into from
Jul 26, 2024
Merged

Addresses a bug with plugins.security.allow_unsafe_democertificates setting #4600

merged 2 commits into from
Jul 26, 2024

Conversation

DarshitChanpura
Copy link
Member

Description

This PR addresses a bug where mismatching demo certificate hashes caused the setting plugins.security.allow_unsafe_democertificates to not work as expected.

  • Category : Bug fix

  • Why these changes are required?
    Without this PR, the setting plugins.security.allow_unsafe_democertificates will not work.

  • What is the old behavior before changes and new behavior after changes?

  • Before: Cluster fails to not boot up when setting is set to true

  • After: Cluster fails to boot up

Issues Resolved

Testing

Unit testing, Manual Testing

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@DarshitChanpura DarshitChanpura added the backport 2.x backport to 2.x branch label Jul 25, 2024
@DarshitChanpura
Copy link
Member Author

DarshitChanpura commented Jul 25, 2024
edited
Loading

Expand to see the expected error log: 
[2024-07-25T17:36:47,509][ERROR][o.o.s.OpenSearchSecurityPlugin] [80a9970ace0f] Demo certificates found but plugins.security.allow_unsafe_democertificates is set to false.
[2024-07-25T17:36:47,513][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [80a9970ace0f] uncaught exception in thread [main]
org.opensearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
	at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:185) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) ~[opensearch-cli-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.cli.Command.main(Command.java:101) ~[opensearch-cli-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
Caused by: java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:805) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:744) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:545) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:197) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.node.Node.<init>(Node.java:507) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.node.Node.<init>(Node.java:434) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	... 6 more
Caused by: java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:74) ~[?:?]
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?]
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?]
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:796) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:744) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:545) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:197) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.node.Node.<init>(Node.java:507) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.node.Node.<init>(Node.java:434) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	... 6 more
Caused by: java.lang.RuntimeException: Demo certificates found [25e34a9a5d4f1dceed1666eb624397bf3fe5787a7133cd32838ace0381bce1f7, ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282, a3556d6bb61f7bd63cb19b1c8d0078d30c12739dedb0455c5792ac8627782042, a2ce3f577a5031398c1b4f58761444d837b031d0aff7614f8b9b5e4a9d59dbd1, a3556d6bb61f7bd63cb19b1c8d0078d30c12739dedb0455c5792ac8627782042, 25e34a9a5d4f1dceed1666eb624397bf3fe5787a7133cd32838ace0381bce1f7, a2ce3f577a5031398c1b4f58761444d837b031d0aff7614f8b9b5e4a9d59dbd1, ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282, bcd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6]
	at org.opensearch.security.OpenSearchSecurityPlugin.<init>(OpenSearchSecurityPlugin.java:485) ~[?:?]
	at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) ~[?:?]
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?]
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?]
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:796) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:744) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:545) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:197) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.node.Node.<init>(Node.java:507) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.node.Node.<init>(Node.java:434) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
	... 6 more
uncaught exception in thread [main]
java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
Likely root cause: java.lang.RuntimeException: Demo certificates found [25e34a9a5d4f1dceed1666eb624397bf3fe5787a7133cd32838ace0381bce1f7, ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282, a3556d6bb61f7bd63cb19b1c8d0078d30c12739dedb0455c5792ac8627782042, a2ce3f577a5031398c1b4f58761444d837b031d0aff7614f8b9b5e4a9d59dbd1, a3556d6bb61f7bd63cb19b1c8d0078d30c12739dedb0455c5792ac8627782042, 25e34a9a5d4f1dceed1666eb624397bf3fe5787a7133cd32838ace0381bce1f7, a2ce3f577a5031398c1b4f58761444d837b031d0aff7614f8b9b5e4a9d59dbd1, ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282, bcd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6]
	at org.opensearch.security.OpenSearchSecurityPlugin.<init>(OpenSearchSecurityPlugin.java:485)
	at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:796)
	at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:744)
	at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:545)
	at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:197)
	at org.opensearch.node.Node.<init>(Node.java:507)
	at org.opensearch.node.Node.<init>(Node.java:434)
	at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242)
	at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242)
	at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404)
	at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181)
	at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172)
	at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
	at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
	at org.opensearch.cli.Command.main(Command.java:101)
	at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)
	at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)
For complete error details, refer to the log at XXX/opensearch-3.0.0-SNAPSHOT/logs/opensearch.log

@codecov Codecov
Copy link

codecov bot commented Jul 25, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 65.29%. Comparing base (77ea464) to head (4d69808).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #4600      +/-   ##
==========================================
+ Coverage   65.25%   65.29%   +0.03%     
==========================================
  Files         317      317              
  Lines       22272    22277       +5     
  Branches     3582     3582              
==========================================
+ Hits        14534    14545      +11     
+ Misses       5946     5941       -5     
+ Partials     1792     1791       -1
Files Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java 84.70% <100.00%> (+0.10%) ⬆️
...search/security/tools/democonfig/Certificates.java 100.00% <ø> (ø)

... and 3 files with indirect coverage changes

@DarshitChanpura DarshitChanpura merged commit 004d07b into opensearch-project:main Jul 26, 2024
43 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jul 26, 2024
@github-actions
Addresses a bug with plugins.security.allow_unsafe_democertificates
aa2d93c 
… setting (#4600)

Signed-off-by: Darshit Chanpura <[email protected]>
(cherry picked from commit 004d07b)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Jul 26, 2024
Merged
@DarshitChanpura DarshitChanpura self-assigned this Jul 26, 2024
terryquigleysas pushed a commit to terryquigleysas/security that referenced this pull request Jul 27, 2024
@DarshitChanpura @terryquigleysas
Addresses a bug with plugins.security.allow_unsafe_democertificates
66fe664 
… setting (opensearch-project#4600)

Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Terry Quigley <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stephen-crawford stephen-crawford stephen-crawford approved these changes

@cwperks cwperks cwperks approved these changes

@shikharj05 shikharj05 shikharj05 approved these changes

@cliu123 cliu123 Awaiting requested review from cliu123

@peternied peternied Awaiting requested review from peternied peternied is a code owner

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

@reta reta Awaiting requested review from reta reta is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin is a code owner

Assignees

@DarshitChanpura DarshitChanpura

Labels
backport 2.x backport to 2.x branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] plugins.security.allow_unsafe_democertificates setting is not working as expected
4 participants
@DarshitChanpura @shikharj05 @cwperks @stephen-crawford