feat: Add flag to skip OpenSearch security setup #1603

Merged: edwinjosechittilappilly merged 2 commits into main from feat-skip-os-security-setup, May 15, 2026

@edwinjosechittilappilly edwinjosechittilappilly commented May 14, 2026

Introduce OPENRAG_SKIP_OS_SECURITY_SETUP (env var, default false) in settings to allow deployments to opt out of OpenSearch security configuration when the platform manages roles/role-mappings externally. Use this flag in startup_orchestrator.startup_tasks and utils.opensearch_init.init_index to skip calling setup_opensearch_security and emit informative log lines; index creation still runs in init_index. Add unit tests to verify both the skipped and non-skipped behaviors and to ensure indices are still created when security setup is skipped.
#1602

Summary by CodeRabbit

  • New Features

    • Added OPENRAG_SKIP_OS_SECURITY_SETUP configuration option to conditionally skip OpenSearch security setup during startup and initialization. Default behavior adapts based on deployment mode.
  • Tests

    • Added comprehensive unit tests to verify security setup gating and configuration default resolution logic.

Copilot AI review requested due to automatic review settings May 14, 2026 15:23

coderabbitai Bot commented May 14, 2026

Walkthrough

This PR introduces a new OPENRAG_SKIP_OS_SECURITY_SETUP configuration flag that conditionally disables OpenSearch security initialization. The flag defaults based on OPENRAG_RUN_MODE (enabled for saas/on_prem deployments, disabled otherwise) and is applied at two initialization points: startup orchestration and OpenSearch index creation. Tests verify both paths respect the flag and that index creation continues when security setup is skipped.

Changes

OpenSearch Security Skip Feature

| Layer | File(s) | Summary |
|---|---|---|
| Configuration flag with default resolution logic | src/config/settings.py | _resolve_skip_os_security_default() derives the boolean default from OPENRAG_RUN_MODE (true for saas/on_prem, false otherwise), then OPENRAG_SKIP_OS_SECURITY_SETUP is defined using environment override or the computed default, normalized to boolean. |
| Default resolution logic tests | tests/unit/test_skip_os_security_default.py | Parametrized unit tests verify _resolve_skip_os_security_default() returns correct defaults for case-insensitive run modes (saas, on_prem, oss, unset, unknown) using monkeypatch. |
| Startup orchestrator conditional security skip | src/services/startup_orchestrator.py | OPENRAG_SKIP_OS_SECURITY_SETUP is imported and used to conditionally invoke setup_opensearch_security(): when enabled, logs skip message; when disabled, calls setup with warning-on-failure behavior. |
| Startup integration tests | tests/unit/services/test_skip_os_security_setup_startup.py | Async tests with mocked collaborators verify security setup is awaited when flag is false and skipped when true, including log message validation. |
| OpenSearch init_index conditional security skip | src/utils/opensearch_init.py | OPENRAG_SKIP_OS_SECURITY_SETUP is imported and used to conditionally invoke setup_opensearch_security() in init_index(): when enabled, logs skip message; when disabled, calls setup as before while index creation continues. |
| Init_index integration tests | tests/unit/test_skip_os_security_setup_init_index.py | Unit tests with mocked OpenSearch client verify security setup is called when flag is false, skipped when true with correct log message, and index creation (documents, knowledge_filters, api_keys) still runs regardless of flag state. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 54.55% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat: Add flag to skip OpenSearch security setup' clearly and directly describes the main change—introducing a new configuration flag to conditionally skip OpenSearch security initialization. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@github-actions github-actions Bot added backend 🔷 Issues related to backend services (OpenSearch, Langflow, APIs) tests labels May 14, 2026
@github-actions github-actions Bot added the enhancement 🔵 New feature or request label May 14, 2026
@edwinjosechittilappilly edwinjosechittilappilly changed the title feat:Add flag to skip OpenSearch security setup feat: Add flag to skip OpenSearch security setup May 14, 2026
@github-actions github-actions Bot added enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request labels May 14, 2026

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds an OPENRAG_SKIP_OS_SECURITY_SETUP flag to allow deployments (e.g., SaaS/CPD) to opt out of OpenSearch security configuration while still creating indices.

Changes:

  • New env-driven setting in config/settings.py with a default that varies based on OPENRAG_RUN_MODE (saas/on_prem -> true, otherwise false).
  • startup_orchestrator.startup_tasks and utils.opensearch_init.init_index now branch on the flag and emit a skip log instead of calling setup_opensearch_security.
  • New unit tests covering default resolution, startup behavior, and init_index behavior (including that index creation still runs).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file
| File | Description |
|---|---|
| src/config/settings.py | Adds OPENRAG_SKIP_OS_SECURITY_SETUP flag and _resolve_skip_os_security_default helper. |
| src/services/startup_orchestrator.py | Guards startup security setup behind the new flag. |
| src/utils/opensearch_init.py | Guards setup_opensearch_security call inside init_index behind the new flag. |
| tests/unit/test_skip_os_security_default.py | Tests for the run-mode-based default resolution. |
| tests/unit/test_skip_os_security_setup_init_index.py | Tests init_index flag behavior and index creation. |
| tests/unit/services/test_skip_os_security_setup_startup.py | Tests startup_tasks flag behavior. |


Comment thread src/config/settings.py
Comment on lines +94 to +98
def _resolve_skip_os_security_default() -> str:
run_mode = os.getenv("OPENRAG_RUN_MODE", "").strip().lower()
if run_mode in ("saas", "on_prem"):
return "true"
return "false"
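
Review bot: `_resolve_skip_os_security_default()` has no docstring and returns the strings "true"/"false" only so that the caller can re-parse them; returning a `bool` and documenting that only the exact run modes `saas` and `on_prem` (after strip and lower-casing) enable the skip would make the default harder to misread. Any other spelling of the run mode falls through to "false", so security setup runs; logging the resolved run mode and default at startup would make that outcome visible to operators.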
Collaborator Author


@coderabbitai please update the PR description

Contributor


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh pr view 1603 --repo langflow-ai/openrag --json title,body

Length of output: 76


@edwinjosechittilappilly, I wasn't able to authenticate with the GitHub CLI in the sandbox environment (no GH_TOKEN), so I can't update the PR description programmatically. Here is the updated description based on the code changes — you can paste it directly into the PR:


Summary

Introduces OPENRAG_SKIP_OS_SECURITY_SETUP, a new configuration flag that controls whether OpenRAG performs its OpenSearch security context initialization (roles, role mappings, all_access admin pin) at startup and during index initialization.

Motivation

In SaaS and CPD (on_prem) deployments the security context is owned and managed externally (e.g. by Traefik in CPD or by the SaaS platform operator). Running the setup in those environments is redundant and can conflict with the platform's own security configuration.

Behavior

| OPENRAG_RUN_MODE | Default for OPENRAG_SKIP_OS_SECURITY_SETUP |
|---|---|
| saas | true — security setup is skipped |
| on_prem (CPD) | true — security setup is skipped |
| anything else (oss, unset) | false — security setup runs as before |

An explicit OPENRAG_SKIP_OS_SECURITY_SETUP environment variable always takes precedence over the run-mode default, so an operator can force-enable the setup in SaaS for a one-off bootstrap by setting OPENRAG_SKIP_OS_SECURITY_SETUP=false.

⚠️ Upgrade note for existing SaaS / CPD deployments: After this change, security setup will be skipped by default for OPENRAG_RUN_MODE=saas and OPENRAG_RUN_MODE=on_prem. If you rely on OpenRAG managing the OpenSearch security context in those modes today, set OPENRAG_SKIP_OS_SECURITY_SETUP=false explicitly before upgrading.

Changes

  • src/config/settings.py — Adds _resolve_skip_os_security_default() and OPENRAG_SKIP_OS_SECURITY_SETUP.
  • Startup orchestrator — conditionally skips security setup based on the flag.
  • OpenSearch index initialization — conditionally skips security setup based on the flag.
  • Tests — comprehensive coverage for both skip and non-skip paths.
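
The precedence rules in the description above, run against edge-case inputs, as an added example that is not code from the PR: `page_parse` mirrors the expression shown in the `settings.py` hunk over a plain dict, while `strict_parse`, the `FALSY` set and the sample environments are hypothetical and constructed for illustration.

```python
TRUTHY = {"true", "1", "yes"}          # accepted values shown in the PR hunk
FALSY = {"false", "0", "no"}           # assumption: not defined in the PR
PLATFORM_MANAGED_MODES = {"saas", "on_prem"}  # run modes named in the PR


def page_parse(env):
    """The resolution as shown in the settings.py hunk, over a dict."""
    run_mode = env.get("OPENRAG_RUN_MODE", "").strip().lower()
    default = "true" if run_mode in PLATFORM_MANAGED_MODES else "false"
    return env.get("OPENRAG_SKIP_OS_SECURITY_SETUP", default).lower() in TRUTHY


def strict_parse(env):
    """Hypothetical stricter variant: returns (skip, source).

    Empty or whitespace-only values count as unset, and an unrecognised
    value raises instead of silently meaning "run the setup".
    """
    run_mode = env.get("OPENRAG_RUN_MODE", "").strip().lower()
    raw = env.get("OPENRAG_SKIP_OS_SECURITY_SETUP", "").strip().lower()
    if not raw:
        return run_mode in PLATFORM_MANAGED_MODES, "run_mode_default"
    if raw in TRUTHY:
        return True, "explicit_env"
    if raw in FALSY:
        return False, "explicit_env"
    raise ValueError(f"OPENRAG_SKIP_OS_SECURITY_SETUP has unrecognised value {raw!r}")


# Constructed environments, not taken from any real deployment.
CASES = [
    {"OPENRAG_RUN_MODE": "saas"},
    {"OPENRAG_RUN_MODE": "SaaS", "OPENRAG_SKIP_OS_SECURITY_SETUP": "false"},
    {"OPENRAG_RUN_MODE": "on_prem", "OPENRAG_SKIP_OS_SECURITY_SETUP": ""},
    {"OPENRAG_RUN_MODE": "on_prem", "OPENRAG_SKIP_OS_SECURITY_SETUP": " true "},
    {"OPENRAG_RUN_MODE": "oss", "OPENRAG_SKIP_OS_SECURITY_SETUP": "on"},
]


def compare(cases=CASES):
    """Return (env, page result, strict result or error) for each case."""
    rows = []
    for env in cases:
        try:
            strict = strict_parse(env)
        except ValueError as exc:
            strict = ("error", str(exc))
        rows.append((env, page_parse(env), strict))
    return rows


if __name__ == "__main__":
    for env, page, strict in compare():
        print(f"{env!r:80} page={page!s:5} strict={strict}")
```

The third and fourth cases are the ones to watch in a platform-managed deployment: a set-but-empty or whitespace-padded variable makes the PR's expression run the security setup even though the run mode says to skip it.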

Comment on lines +35 to +38
monkeypatch.setattr(orchestrator, "OPENRAG_SKIP_OS_SECURITY_SETUP", False)
monkeypatch.setattr(orchestrator, "DISABLE_INGEST_WITH_LANGFLOW", False)
# IBM_AUTH_ENABLED is imported lazily inside startup_tasks().
monkeypatch.setattr("config.settings.IBM_AUTH_ENABLED", False, raising=False)
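
Review bot: `raising=False` on the `config.settings.IBM_AUTH_ENABLED` patch means that if the setting is renamed or removed, monkeypatch creates the attribute instead of failing, and the test keeps passing without matching what the lazy import inside `startup_tasks()` really reads. Drop `raising=False`, or assert that the attribute exists before patching, so the test breaks when the setting name drifts.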
Comment thread src/config/settings.py
Comment on lines +90 to +103
# * saas / on_prem (CPD) -> "true" (the platform owns the security context)
# * anything else (oss) -> "false" (today's behaviour preserved)
# An explicit OPENRAG_SKIP_OS_SECURITY_SETUP value always wins, so an
# operator can force-enable the setup in SaaS for a one-off bootstrap.
def _resolve_skip_os_security_default() -> str:
run_mode = os.getenv("OPENRAG_RUN_MODE", "").strip().lower()
if run_mode in ("saas", "on_prem"):
return "true"
return "false"


OPENRAG_SKIP_OS_SECURITY_SETUP = os.getenv(
"OPENRAG_SKIP_OS_SECURITY_SETUP", _resolve_skip_os_security_default()
).lower() in ("true", "1", "yes")
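
Review bot: In the `OPENRAG_SKIP_OS_SECURITY_SETUP = os.getenv(...)` assignment the value is lower-cased but never stripped, unlike `run_mode` a few lines above, and a variable that is set but empty overrides the run-mode default. With `OPENRAG_RUN_MODE=saas` and an empty `OPENRAG_SKIP_OS_SECURITY_SETUP`, the expression evaluates to False and security setup runs against a security context the comment says the platform owns; values such as ` true ` or `on` also silently mean false. Suggest adding `.strip()`, treating an empty value as unset, and warning on values outside the accepted set.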
@github-actions github-actions Bot added enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request labels May 14, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/utils/opensearch_init.py`:
- Around line 108-112: The info log in the skip-path is exposing a user
identifier; update the logger call in the init_index flow (the logger.info call
that currently passes admin_username) to remove the admin_username keyword (or
replace it with a non-PII flag), so the message remains "Skipping OpenSearch
security setup during init_index (OPENRAG_SKIP_OS_SECURITY_SETUP=true)" without
logging any admin_username; locate the logger.info call in opensearch_init.py
and remove the admin_username argument from that call.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: baa64d3d-e47b-44a7-af47-69ba9036ea04

📥 Commits

Reviewing files that changed from the base of the PR and between bd4e7fc and 3935975.

📒 Files selected for processing (6)
  • src/config/settings.py
  • src/services/startup_orchestrator.py
  • src/utils/opensearch_init.py
  • tests/unit/services/test_skip_os_security_setup_startup.py
  • tests/unit/test_skip_os_security_default.py
  • tests/unit/test_skip_os_security_setup_init_index.py

Comment on lines +108 to +112
logger.info(
"Skipping OpenSearch security setup during init_index "
"(OPENRAG_SKIP_OS_SECURITY_SETUP=true)",
admin_username=admin_username,
)
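
Review bot: The skip message hard-codes `(OPENRAG_SKIP_OS_SECURITY_SETUP=true)`, but per the `settings.py` hunk the flag is also true when `OPENRAG_RUN_MODE` is `saas` or `on_prem` and the variable is unset, so an operator checking the environment will not find the value the log claims. Log the effective value together with where it came from (explicit variable or run-mode default) instead of a fixed string, since this line is the only record that roles and role mappings were left to the platform.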
Contributor


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid logging admin_username in the skip-path info log.

Line 111 logs a user identifier without operational necessity, which increases PII exposure in centralized logs.

🔧 Proposed fix
         if OPENRAG_SKIP_OS_SECURITY_SETUP:
             logger.info(
                 "Skipping OpenSearch security setup during init_index "
-                "(OPENRAG_SKIP_OS_SECURITY_SETUP=true)",
-                admin_username=admin_username,
+                "(OPENRAG_SKIP_OS_SECURITY_SETUP=true)",
             )

Suggested change
logger.info(
"Skipping OpenSearch security setup during init_index "
"(OPENRAG_SKIP_OS_SECURITY_SETUP=true)",
admin_username=admin_username,
)
logger.info(
"Skipping OpenSearch security setup during init_index "
"(OPENRAG_SKIP_OS_SECURITY_SETUP=true)",
)


@mfortman11 mfortman11 left a comment


LGTM

@github-actions github-actions Bot added the lgtm label May 15, 2026
@edwinjosechittilappilly edwinjosechittilappilly merged commit 2869a11 into main May 15, 2026
23 of 25 checks passed
@github-actions github-actions Bot deleted the feat-skip-os-security-setup branch May 15, 2026 21:15
ricofurtado pushed a commit that referenced this pull request May 23, 2026
* Add flag to skip OpenSearch security setup

Introduce OPENRAG_SKIP_OS_SECURITY_SETUP (env var, default false) in settings to allow deployments to opt out of OpenSearch security configuration when the platform manages roles/role-mappings externally. Use this flag in startup_orchestrator.startup_tasks and utils.opensearch_init.init_index to skip calling setup_opensearch_security and emit informative log lines; index creation still runs in init_index. Add unit tests to verify both the skipped and non-skipped behaviors and to ensure indices are still created when security setup is skipped.

* style: ruff format (auto)

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

Successfully merging this pull request may close these issues.

Feat: move opensearch security context update under a feature flag in onboarding.

3 participants