[BUG] No admin password available/settable for Docker

[nealrauhauser]

Describe the bug

The initial admin password procedure for Docker appears to be utterly broken.

This is from my compose.yml

services:
  opensearch:
    image: opensearchproject/opensearch:latest
    container_name: opensearch
    environment:
      - opensearch_host=opensearch1
      - opensearch_user=admin
      - opensearch_pass=DoesNotWork2024@
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=DoesNotWork2024@

Things I have tried:

1. admin:admin
2. admin and OPENSEARCH_INITIAL_ADMIN_PASSWORD in compose.yml
3. admin and OPENSEARCH_INITIAL_ADMIN_PASSWORD in .env
4. admin and export OPENSEARCH_INITIAL_ADMIN_PASSWORD=
5. not using opensearch_pass= in config
6. not using OPENSEARCH_INITIAL_ADMIN_PASSWORD anywhere

Strong8@ meets the stated requirement. It doesn't work, nor does doubling it. If you use a $ in the password it complains about interpolation and fails to start.

Password Strong8@Strong8@ failed validation: "Weak password". Please re-try with a minimum 8 character password and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character that is strong.

This is an invocation using DoesNotWork2024@, reports success. Can't log in with admin or Admin. Commands with curl work fine with kibanaserver:kibanaserver.

opensearch | Enabling OpenSearch Security Plugin
opensearch | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch | OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user.
opensearch | Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string.
opensearch | If a password is not provided, the setup will quit.
opensearch | For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
opensearch | ### OpenSearch Security Demo Installer
opensearch | ### ** Warning: Do not use on production or public reachable systems **
opensearch | OpenSearch install type: rpm/deb on Linux 6.2.0-39-generic amd64
opensearch | OpenSearch config dir: /usr/share/opensearch/config/
opensearch | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch | OpenSearch bin dir: /usr/share/opensearch/bin/
opensearch | OpenSearch plugins dir: /usr/share/opensearch/plugins/
opensearch | OpenSearch lib dir: /usr/share/opensearch/lib/
opensearch | Detected OpenSearch Version: 2.14.0
opensearch | Detected OpenSearch Security Version: 2.14.0.0
opensearch | Admin password set successfully.

Related component

Other

To Reproduce

Create a compose.yml and try to set the admin password.

Expected behavior

I would expect this to return some information about the cluster.

curl -ku 'admin:whatever' https://localhost:9200/_cluster/health

Additional Details

No response

[gaiksaya]

Hi @nealrauhauser

Thank you for opening an issue. We did test it using below password in our test runs "OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123@456" See docker-compose file in the drop down here. Can you try once with that.

Also moving this issue to security repo to debug the error

Password Strong8@Strong8@ failed validation: "Weak password". Please re-try with a minimum 8 character password and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character that is strong.

[DarshitChanpura]

@nealrauhauser Did you happen to have an already existing cluster (< 2.12 ) via docker before installing 2.14 ?

[stephen-crawford]

[Triage] Hi @nealrauhauser thank you for filing this issue. It looks like this may be an issue with the docker setup. Could you confirm whether @DarshitChanpura's question helped resolve your problem? Going to close this issue in 1 week if we don't hear back.

[nealrauhauser]

@nealrauhauser Did you happen to have an already existing cluster (< 2.12 ) via docker before installing 2.14 ?

No, I am a brand new user, but familiar with Elasticsearch 5.x - 7.x

[nealrauhauser]

This Docker config came from the link mentioned above and it works. Thanks.

https://gist.github.com/nealrauhauser/9498fd066e00252cb332dd442427850b

[benrebak]

Hi,

I've also run into this issue. I believe the difference between the working docker compose linked to by @nealrauhauser and the non-functional one available in the Getting Started documentation is the presence of quotation marks around the admin password environment variable:

Working:

      - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=myStrongPassword123@456"

Not working:

      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD} # Sets the demo admin user password when using demo configuration (for OpenSearch 2.12 and later)

Stack Overflow seems to agree. So the problem is not in recent releases of OpenSearch itself, but rather in the docker-compose.yml available in the quickstart guide.