
[FEATURE] Log more information about Password strength feature #4048

Closed
derek-ho opened this issue Feb 13, 2024 · 4 comments · Fixed by #4071
Labels
enhancement New feature or request triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@derek-ho
Contributor

derek-ho commented Feb 13, 2024

Is your feature request related to a problem?
It was brought up that we log out that a password is weak, with no steps as to how to determine the strength of a password. Maybe linking to this: https://lowe.github.io/tryzxcvbn/, or at least logging out that we are using zxcvbn could help.

@derek-ho derek-ho added enhancement New feature or request untriaged Require the attention of the repository maintainers and may need to be prioritized labels Feb 13, 2024
@DarshitChanpura DarshitChanpura changed the title [FEATURE] Log out more information about Password strength feature [FEATURE] Log more information about Password strength feature Feb 19, 2024
@DarshitChanpura
Member

[Triage] Thanks for filing this. The exit criterion here is to log more information when a password strength validator is called and the password is deemed weak.

Related: opensearch-project/security-dashboards-plugin#1523

@DarshitChanpura DarshitChanpura added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Feb 19, 2024
@peternied
Member

It was brought up that we log out that a password is weak,

In what scenario? Please include how to get to this state, is this part of cluster startup/configuration, user setup, or something else?

@peternied peternied added untriaged Require the attention of the repository maintainers and may need to be prioritized and removed triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. labels Feb 19, 2024
@camerondurham
Contributor

camerondurham commented Feb 23, 2024

@peternied

From my understanding it's whenever you run (demo?) node and set the newly required OPENSEARCH_INITIAL_ADMIN_PASSWORD env var.

  1. Logged here: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java#L148
  2. And behavior tested here:
    public void testUpdateAdminPasswordWithWeakPassword() throws NoSuchFieldException, IllegalAccessException {

Here's an example taken directly from the OpenSearch "getting started" docs with a basic (and clearly bad) password, because neither the docs nor the error call out the password requirements.

finch run \
    -p 9200:9200 \
    -p 9600:9600 \
    -e "discovery.type=single-node" \
    -e "OPENSEARCH_INITIAL_ADMIN_PASSWORD=sample@1029"  \
    opensearchproject/opensearch:latest

Results:

Enabling OpenSearch Security Plugin
Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user.
Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string.
If a password is not provided, the setup will quit.
 For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
### OpenSearch Security Demo Installer
...
Detected OpenSearch Version: 2.12.0
Detected OpenSearch Security Version: 2.12.0.0
Password sample@1029 is weak. Please re-try with a stronger password.
FATA[0001] exit status 1

I'm happy to PR an update.
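For readers wondering what "log more information" could look like in practice, here is an added example (not the security plugin's own code, and not something any participant in this thread posted). It uses zxcvbn4j, the Java port of the zxcvbn estimator the issue refers to; the Maven coordinates (com.nulab-inc:zxcvbn), the minimum score of 3, the class name and the sample passwords are all assumptions made for this example. It reports the score, the estimated number of guesses and zxcvbn's own warning and suggestions, and, unlike the output shown above, it does not echo the rejected password into the log.

```java
// Added example, not code from the OpenSearch security plugin.
// Assumes the zxcvbn4j dependency com.nulab-inc:zxcvbn is on the classpath.
import com.nulab.zxcvbn.Strength;
import com.nulab.zxcvbn.Zxcvbn;

import java.util.List;

public class PasswordStrengthReport {

    // zxcvbn scores passwords 0..4; 3 ("safely unguessable") is an assumed minimum.
    private static final int MIN_SCORE = 3;

    private final Zxcvbn zxcvbn = new Zxcvbn();

    /**
     * Returns null when the password clears the threshold, otherwise a
     * human-readable explanation suitable for a log line. The password
     * itself is deliberately never included in the message.
     */
    public String weakPasswordReason(String password) {
        Strength strength = zxcvbn.measure(password);
        if (strength.getScore() >= MIN_SCORE) {
            return null;
        }

        StringBuilder sb = new StringBuilder();
        sb.append("Password is weak: zxcvbn score ")
          .append(strength.getScore()).append("/4 (minimum ").append(MIN_SCORE)
          .append("), estimated guesses ~10^")
          .append(String.format("%.1f", strength.getGuessesLog10()))
          .append('.');

        // zxcvbn explains *why* it scored low (dictionary word, date, keyboard pattern, ...).
        String warning = strength.getFeedback().getWarning();
        if (warning != null && !warning.isEmpty()) {
            sb.append(" Warning: ").append(warning);
        }
        List<String> suggestions = strength.getFeedback().getSuggestions();
        if (suggestions != null && !suggestions.isEmpty()) {
            sb.append(" Suggestions: ").append(String.join("; ", suggestions));
        }
        sb.append(" Strength is measured with zxcvbn; you can test candidates at https://lowe.github.io/tryzxcvbn/");
        return sb.toString();
    }

    public static void main(String[] args) {
        PasswordStrengthReport report = new PasswordStrengthReport();
        // Constructed inputs: the docs example password from this thread and a passphrase.
        String[] candidates = { "sample@1029", "correct horse battery staple" };
        for (String candidate : candidates) {
            String reason = report.weakPasswordReason(candidate);
            System.out.println(reason == null ? "OK: password accepted" : reason);
        }
    }
}
```

Two practitioner notes on the design: the message names the estimator and the threshold so an operator can reproduce the verdict instead of guessing at requirements, and it keeps the candidate password out of the log, since startup logs are routinely shipped to collectors and tickets where a rejected-but-nearly-reused secret should not land.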

@peternied
Member

@camerondurham A PR to improve this scenario would be great - thanks!

@peternied peternied removed the untriaged Require the attention of the repository maintainers and may need to be prioritized label Feb 23, 2024
@derek-ho derek-ho added the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Feb 26, 2024