I. Environment

This article covers OpenSearch deployed with Docker. The environment is as follows:

  • CentOS 7
  • Docker
  • OpenSearch 2.4

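II. Changing the password

  1. Log in to the virtual machine where OpenSearch is deployed and try to access it with the default credentials (adjust the port to match your actual port mapping):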

    curl -XGET https://localhost:9200 -u 'admin:admin' --insecure
    

    The request succeeds. Example response:

    {
      "name" : "c26f22648f82",
      "cluster_name" : "docker-cluster",
      "cluster_uuid" : "5j0Ca9N7QPWG7oO75Nbtdw",
      "version" : {
        "distribution" : "opensearch",
        "number" : "2.4.0",
        "build_type" : "tar",
        "build_hash" : "744ca260b892d119be8164f48d92b8810bd7801c",
        "build_date" : "2022-11-15T04:42:29.671309257Z",
        "build_snapshot" : false,
        "lucene_version" : "9.4.1",
        "minimum_wire_compatibility_version" : "7.10.0",
        "minimum_index_compatibility_version" : "7.0.0"
      },
      "tagline" : "The OpenSearch Project: https://opensearch.org/"
    }
    
  2. Find the OpenSearch container ID

    docker ps -a
    
  3. Enter the container (replace the container ID with your own)

    docker exec -it c26f22648f82 /bin/bash
    
  4. Once inside the container, run the following commands (no need to change directory):
    ① Create the output directory

    mkdir current-config
    

    ② Use the bundled tool to read the current configuration into the current-config directory

    /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
      -cacert /usr/share/opensearch/config/root-ca.pem \
      -cert /usr/share/opensearch/config/kirk.pem \
      -key /usr/share/opensearch/config/kirk-key.pem \
      -r  \
      -cd current-config
    
  5. Find the file whose name starts with internal_users (a .yml file) and look at the administrator section. In my case the file is internal_users_2023-Sep-13_10-47-58.yml

    cat ./current-config/internal_users_2023-Sep-13_10-47-58.yml
    

    Part of the output:

    admin:
      hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
      reserved: true
      backend_roles:
      - "admin"
      description: "Demo admin user"
    
  6. Use the bundled tool to generate the hash of the new password

    ./plugins/opensearch-security/tools/hash.sh
    

    For example, input: helloworld

    Output: $2y$12$jeBybG79iCu0y.A1NMqdI.8gA/d0Mrg6VRI3BrGD4VvTfeA1Z4tXu

  7. Update the configuration file ./current-config/internal_users_2023-Sep-13_10-47-58.yml, replacing the admin user's hash with the new one

    vi ./current-config/internal_users_2023-Sep-13_10-47-58.yml
    
    admin:
      hash: "$2y$12$jeBybG79iCu0y.A1NMqdI.8gA/d0Mrg6VRI3BrGD4VvTfeA1Z4tXu"
      reserved: true
      backend_roles:
      - "admin"
      description: "Demo admin user"
    
  8. Upload the configuration: use the bundled tool to upload the file so that the change takes effect

    /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
      -t internalusers \
      -f current-config/internal_users_2023-Sep-13_10-47-58.yml \
      -cacert /usr/share/opensearch/config/root-ca.pem \
      -cert /usr/share/opensearch/config/kirk.pem \
      -key /usr/share/opensearch/config/kirk-key.pem
    

    Example of the expected output:

    Security Admin v7
    Will connect to localhost:9200 ... done
    Connected as "CN=kirk,OU=client,O=client,L=test,C=de"
    OpenSearch Version: 2.9.0
    Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
    Clustername: docker-cluster
    Clusterstate: YELLOW
    Number of nodes: 1
    Number of data nodes: 1
    .opendistro_security index already exists, so we do not need to create one.
    Populate config from /usr/share/opensearch
    Force type: internalusers
    Will update '/internalusers' with current-config/internal_users_....yml 
       SUCC: Configuration for 'internalusers' created or updated
    
  9. Verify: access with the old password is rejected, and access with the new password succeeds

    curl --insecure -u admin:admin https://localhost:9200
    
    Unauthorized
    
    curl --insecure -u admin:yourpassword https://localhost:9200
    
    {
      "name" : "b09419b98216",
      "cluster_name" : "docker-cluster",
      "cluster_uuid" : "SYUzvRvqT06ld8IdvE5okQ",
      "version" : {
        "distribution" : "opensearch",
        "number" : "2.9.0",
        "build_type" : "tar",
        "build_hash" : "1164221ee2b8ba3560f0ff492309867beea28433",
        "build_date" : "2023-07-18T21:22:48.164885046Z",
        "build_snapshot" : false,
        "lucene_version" : "9.7.0",
        "minimum_wire_compatibility_version" : "7.10.0",
        "minimum_index_compatibility_version" : "7.0.0"
      },
      "tagline" : "The OpenSearch Project: https://opensearch.org/"
    }
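
Step 7 edits the dumped file by hand in vi. As an added example (not part of the original article), the function below makes the same change non-interactively and refuses anything that is not a complete bcrypt string such as the one hash.sh prints in step 6. The name set_user_hash is hypothetical, and the two-space YAML layout is assumed from the output shown in step 5.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). set_user_hash is a
# hypothetical helper name; FILE is the internal_users_*.yml dumped in step 4.
# Usage: set_user_hash FILE USER BCRYPT_HASH

set_user_hash() {
  local file="$1" user="$2" hash="$3" tmp rc

  # Accept only a complete bcrypt string ($2a/$2b/$2y, two-digit cost,
  # 53 characters of salt and digest, 60 characters in total), so a
  # plaintext password or a truncated paste never lands in the hash field.
  [ "${#hash}" -eq 60 ] \
    && printf '%s' "$hash" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' \
    || { echo "refusing: value is not a bcrypt hash" >&2; return 2; }

  tmp=$(mktemp) || return 1
  # Rewrite only the hash: line inside the top-level "USER:" block; every
  # other account in the file is copied through unchanged.
  if awk -v user="$user" -v hash="$hash" '
       /^[^ #-]/ { in_user = (index($0, user ":") == 1) }
       in_user && /^ +hash:/ { sub(/hash:.*/, "hash: \"" hash "\""); changed = 1 }
       { print }
       END { exit(changed ? 0 : 3) }' "$file" > "$tmp"
  then
    # Keep the dumped original as FILE.bak, then overwrite FILE in place.
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file"
    rc=$?
  else
    echo "no hash: line found for user '$user'" >&2
    rc=3
  fi
  rm -f "$tmp"
  return "$rc"
}
```

Run it on the dumped file after step 6, then upload the result with securityadmin.sh exactly as in step 8.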
    