Modify opensearch users with customized passwords (#141)

Signed-off-by: Sayali Gaikawad <[email protected]>

nightly-playground/lib/nightly-playground-stack.ts

@@ -26,10 +26,17 @@ export class NightlyPlaygroundStack {
     if (dashboardsUrl === 'undefined') {
       throw new Error('dashboardsUrl parameter cannot be empty! Please provide the OpenSearch-Dashboards distribution URL');
     }
+    const dashboardPassword = scope.node.tryGetContext('dashboardPassword');
+    if (dashboardPassword === 'undefined') {
+      throw new Error('dashboardPassword parameter cannot be empty! Please provide the OpenSearch-Dashboards customized password for kibanauser');
+    }
+
+    const additionalOsdConfigString = `{"opensearch_security.auth.anonymous_auth_enabled": "true", "opensearch.password": "${dashboardPassword}"}`;
 
     const securtityConfig = '{ "resources/security-config/config.yml" : "opensearch/config/opensearch-security/config.yml", '
     + '"resources/security-config/roles_mapping.yml" : "opensearch/config/opensearch-security/roles_mapping.yml", '
-    + '"resources/security-config/roles.yml" : "opensearch/config/opensearch-security/roles.yml"}';
+    + '"resources/security-config/roles.yml" : "opensearch/config/opensearch-security/roles.yml", '
+    + '"resources/security-config/internal_users.yml": "opensearch/config/opensearch-security/internal_users.yml"}';
 
     // @ts-ignore
     const networkStack = new NetworkStack(scope, `networkStack-${id}`, {
@@ -54,7 +61,7 @@ export class NightlyPlaygroundStack {
       singleNodeCluster: false,
       dashboardsUrl,
       customConfigFiles: securtityConfig,
-      additionalOsdConfig: '{"opensearch_security.auth.anonymous_auth_enabled": "true"}',
+      additionalOsdConfig: additionalOsdConfigString,
     });
     this.stacks.push(infraStack);
 

nightly-playground/package.json

@@ -22,7 +22,7 @@
     "typescript": "~3.9.7"
   },
   "dependencies": {
-    "@opensearch-project/opensearch-cluster-cdk": "1.0.1",
+    "@opensearch-project/opensearch-cluster-cdk": "1.1.0",
     "@types/babel__traverse": "^7.18.2",
     "@typescript-eslint/eslint-plugin": "^4.31.1",
     "@typescript-eslint/parser": "^4.31.1",

nightly-playground/resources/security-config/internal_users.yml

@@ -0,0 +1,40 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+   type: 'internalusers'
+   config_version: 2
+
+# Define your internal users here
+
+admin:
+  hash: '\$2y\$12\$fkypbXL0jRI5T25GNBJB3uhPnixWJVPGhFGIQoIaoWuUAQzzOfe3G'
+  reserved: true
+  backend_roles:
+  - "admin"
+  description: "Admin user with customized password"
+
+kibanaserver:
+  hash: '\$2y\$12\$t17cD/p.ZlsR2jOav7fYfuzk0sWrq1GXZihq3eWsbqXheSJk8Nr2O'
+  reserved: true
+  description: "OpenSearch Dashboards user with customized password"
+
+kibanaro:
+  hash: '\$2a\$12\$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC'
+  reserved: false
+  backend_roles:
+  - "kibanauser"
+  - "readall"
+  attributes:
+    attribute1: "value1"
+    attribute2: "value2"
+    attribute3: "value3"
+  description: "Demo read-only user for OpenSearch dashboards"
+
+readall:
+  hash: '\$2a\$12\$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2'
+  reserved: false
+  backend_roles:
+  - "readall"
+  description: "Demo readall user"

nightly-playground/resources/security-config/roles_mapping.yml

@@ -24,11 +24,6 @@ own_index:
     - "*"
   description: "Allow full access to an index named like the username"
 
-logstash:
-  reserved: false
-  backend_roles:
-    - "logstash"
-
 kibana_user:
   reserved: false
   backend_roles:
@@ -40,11 +35,6 @@ readall:
   backend_roles:
     - "readall"
 
-manage_snapshots:
-  reserved: false
-  backend_roles:
-    - "snapshotrestore"
-
 kibana_server:
   reserved: true
   users: