feat: require initial passwords on new cluster-up [DET-10197] (#9314)

Co-authored-by: Danny Sauer <danny.sauer@hpe.com>
determined-ai · May 21, 2024 · 68b36c6 · 68b36c6
1 parent 0ef3e10
commit 68b36c6
Show file tree

Hide file tree

Showing 24 changed files with 117 additions and 17 deletions.
diff --git a/.circleci/devcluster/custom-agent-version.devcluster.yaml b/.circleci/devcluster/custom-agent-version.devcluster.yaml
@@ -6,6 +6,8 @@ stages:
       pre:
         - sh: make -C tools prep-root
       config_file:
+        security:
+          initial_user_password: $INITIAL_USER_PASSWORD
         db:
           host: localhost
           port: 5432

diff --git a/.circleci/devcluster/double-priority.devcluster.yaml b/.circleci/devcluster/double-priority.devcluster.yaml
@@ -23,6 +23,7 @@ stages:
           cache_dir: /tmp/determined-cache
         launch_error: false
         security:
+          initial_user_password: $INITIAL_USER_PASSWORD
           authz:
             rbac_ui_enabled: true
         resource_manager:

diff --git a/.circleci/devcluster/double-reattach.devcluster.yaml b/.circleci/devcluster/double-reattach.devcluster.yaml
@@ -6,6 +6,8 @@ stages:
       pre:
         - sh: make -C tools prep-root
       config_file:
+        security:
+          initial_user_password: $INITIAL_USER_PASSWORD
         db:
           host: localhost
           port: 5432

diff --git a/.circleci/devcluster/double.devcluster.yaml b/.circleci/devcluster/double.devcluster.yaml
@@ -23,6 +23,7 @@ stages:
           cache_dir: /tmp/determined-cache
         launch_error: false
         security:
+          initial_user_password: $INITIAL_USER_PASSWORD
           authz:
             rbac_ui_enabled: true
         resource_manager:

diff --git a/.circleci/devcluster/elastic.devcluster.yaml b/.circleci/devcluster/elastic.devcluster.yaml
@@ -9,6 +9,8 @@ stages:
       pre:
         - sh: make -C tools prep-root
       config_file:
+        security:
+          initial_user_password: $INITIAL_USER_PASSWORD
         db:
           host: localhost
           port: 5432

diff --git a/.circleci/devcluster/multi-k8s.devcluster.yaml b/.circleci/devcluster/multi-k8s.devcluster.yaml
@@ -9,6 +9,8 @@ stages:
         - sh: cp ~/.kube/config /tmp/defaultrm-kubeconf && kubectl config use-context defaultrm --kubeconfig=/tmp/defaultrm-kubeconf
         - sh: cp ~/.kube/config /tmp/additionalrm-kubeconf && kubectl config use-context additionalrm --kubeconfig=/tmp/additionalrm-kubeconf
       config_file:
+        security:
+          initial_user_password: $INITIAL_USER_PASSWORD
         db:
           host: localhost
           port: 5432

diff --git a/.circleci/devcluster/oauth.devcluster.yaml b/.circleci/devcluster/oauth.devcluster.yaml
@@ -26,6 +26,7 @@ stages:
         cache: 
           cache_dir: /tmp/determined-cache
         security:
+          initial_user_password: $INITIAL_USER_PASSWORD
           authz:
             rbac_ui_enabled: true
 

diff --git a/.circleci/devcluster/perftest.devcluster.yaml b/.circleci/devcluster/perftest.devcluster.yaml
@@ -21,6 +21,7 @@ stages:
           cache_dir: /tmp/determined-cache
         launch_error: false
         security:
+          initial_user_password: $INITIAL_USER_PASSWORD
           authz:
             rbac_ui_enabled: true
         resource_manager:

diff --git a/.circleci/devcluster/port-registry.devcluster.yaml b/.circleci/devcluster/port-registry.devcluster.yaml
@@ -6,6 +6,8 @@ stages:
       pre:
         - sh: make -C tools prep-root
       config_file:
+        security:
+          initial_user_password: $INITIAL_USER_PASSWORD
         db:
           host: localhost
           port: 5432

diff --git a/.circleci/devcluster/postgres-with-ssl.devcluster.yaml b/.circleci/devcluster/postgres-with-ssl.devcluster.yaml
@@ -51,6 +51,8 @@ stages:
       pre:
         - sh: make -C tools prep-root
       config_file:
+        security:
+          initial_user_password: $INITIAL_USER_PASSWORD
         db:
           host: localhost
           port: 5432

diff --git a/.circleci/devcluster/priority.devcluster.yaml b/.circleci/devcluster/priority.devcluster.yaml
@@ -15,6 +15,8 @@ stages:
       pre:
         - sh: make -C tools prep-root
       config_file:
+        security:
+          initial_user_password: $INITIAL_USER_PASSWORD
         port: 8082
         db:
           host: localhost

diff --git a/.circleci/devcluster/rbac-model-registry.yaml b/.circleci/devcluster/rbac-model-registry.yaml
@@ -22,6 +22,7 @@ stages:
         cache: 
           cache_dir: /tmp/determined-cache
         security:
+          initial_user_password: $INITIAL_USER_PASSWORD
           authz:
             rbac_ui_enabled: true
             type: rbac

diff --git a/.circleci/devcluster/react.devcluster.yaml b/.circleci/devcluster/react.devcluster.yaml
@@ -8,6 +8,8 @@ stages:
       pre:
         - sh: make -C tools prep-root
       config_file:
+        security:
+          initial_user_password: $INITIAL_USER_PASSWORD
         port: 8082
         db:
           host: localhost

diff --git a/.circleci/devcluster/saml.devcluster.yaml b/.circleci/devcluster/saml.devcluster.yaml
@@ -23,6 +23,7 @@ stages:
           cache_dir: /tmp/determined-cache
         launch_error: false
         security:
+          initial_user_password: $INITIAL_USER_PASSWORD
           authz:
             rbac_ui_enabled: true
         resource_manager:

diff --git a/.circleci/devcluster/single-rbac.devcluster.yaml b/.circleci/devcluster/single-rbac.devcluster.yaml
@@ -22,6 +22,7 @@ stages:
         cache: 
           cache_dir: /tmp/determined-cache
         security:
+          initial_user_password: $INITIAL_USER_PASSWORD
           authz:
             type: rbac
             rbac_ui_enabled: true

diff --git a/.circleci/real_config.yml b/.circleci/real_config.yml
@@ -2026,7 +2026,8 @@ jobs:
       - run:
           environment:
             PW_EE: << parameters.ee >>
-          command: npm run e2e --prefix webui/react -- << parameters.playwright-options >>
+          # setting PW_PASSWORD is temporary until DET-10197 is merged and we can set PW_PASSWORD in circleci
+          command: PW_PASSWORD=${INITIAL_USER_PASSWORD} npm run e2e --prefix webui/react -- << parameters.playwright-options >>
       - store_artifacts:
           path: webui/react/src/e2e/playwright-report
       - store_artifacts:
@@ -4107,6 +4108,7 @@ workflows:
           context:
             - playwright
             - github-read
+            - dev-ci-cluster-default-user-credentials
           filters: *any-upstream
       - build-docs:
           requires:
@@ -4195,6 +4197,7 @@ workflows:
           context:
             - playwright
             - github-read
+            - dev-ci-cluster-default-user-credentials
           filters: *any-upstream
       - build-docs:
           requires:
@@ -4439,6 +4442,8 @@ workflows:
 
       - test-e2e:
           name: test-e2e-rbac
+          context:
+            - dev-ci-cluster-default-user-credentials
           requires:
             - build-go-ee
           parallelism: 1
@@ -4447,6 +4452,8 @@ workflows:
 
       - test-e2e:
           name: test-e2e-cpu
+          context:
+            - dev-ci-cluster-default-user-credentials
           requires:
             - build-go-ee
           parallelism: 6
@@ -4456,6 +4463,8 @@ workflows:
 
       - test-e2e:
           name: test-e2e-cpu-double
+          context:
+            - dev-ci-cluster-default-user-credentials
           requires:
             - build-go-ee
           parallelism: 5
@@ -4467,6 +4476,8 @@ workflows:
 
       - test-e2e:
           name: test-e2e-cpu-oauth
+          context:
+            - dev-ci-cluster-default-user-credentials
           requires:
             - build-go-ee
           parallelism: 1
@@ -4476,6 +4487,8 @@ workflows:
 
       - test-e2e:
           name: test-e2e-cpu-model-registry-rbac
+          context:
+            - dev-ci-cluster-default-user-credentials
           requires:
             - build-go-ee
           parallelism: 1
@@ -4485,6 +4498,8 @@ workflows:
 
       - test-e2e:
           name: test-e2e-managed-devcluster
+          context:
+            - dev-ci-cluster-default-user-credentials
           requires:
             - build-go-ee
           parallelism: 4
@@ -4498,6 +4513,8 @@ workflows:
 
       - test-e2e:
           name: test-e2e-multi-k8s
+          context:
+            - dev-ci-cluster-default-user-credentials
           requires:
             - build-go-ee
           parallelism: 1
@@ -4509,6 +4526,8 @@ workflows:
 
       - test-e2e:
           name: test-e2e-port-registry
+          context:
+            - dev-ci-cluster-default-user-credentials
           requires:
             - build-go-ee
           parallelism: 1
@@ -4518,6 +4537,8 @@ workflows:
 
       - test-e2e:
           name: test-e2e-cpu-elastic
+          context:
+            - dev-ci-cluster-default-user-credentials
           requires:
             - build-go-ee
           parallelism: 1
@@ -4528,6 +4549,8 @@ workflows:
 
       - test-e2e:
           name: test-e2e-postgres10-with-ssl
+          context:
+            - dev-ci-cluster-default-user-credentials
           requires:
             - build-go-ee
           parallelism: 1
@@ -4538,6 +4561,8 @@ workflows:
 
       - test-e2e:
           name: test-e2e-postgres14-with-ssl
+          context:
+            - dev-ci-cluster-default-user-credentials
           requires:
             - build-go-ee
           parallelism: 1
@@ -4548,6 +4573,8 @@ workflows:
 
       - test-e2e:
           name: test-e2e-old-agent-versions
+          context:
+            - dev-ci-cluster-default-user-credentials
           requires:
             - build-go-ee
           parallelism: 1
@@ -4570,8 +4597,10 @@ workflows:
           extra-pytest-flags: "--no-compare-stats"
 
       - test-e2e:
-          context: okta
           name: test-e2e-saml
+          context:
+            - okta
+            - dev-ci-cluster-default-user-credentials
           requires:
             - build-go-ee
           parallelism: 1
@@ -5516,6 +5545,7 @@ workflows:
           context:
             - playwright
             - github-read
+            - dev-ci-cluster-default-user-credentials
 
   release:
     jobs:

diff --git a/docs/release-notes/cli-requires-initial-password.rst b/docs/release-notes/cli-requires-initial-password.rst
@@ -0,0 +1,9 @@
+:orphan:
+
+Breaking Changes
+
+-  Master: On new deployments, the service will log an error and abort startup if no
+   ``initialUserPassword`` is found in the configuration.
+
+To ensure users can still rely on reasonable default settings with CLI commands like ``det deploy
+local cluster-up``, an ``--initial-user-password`` flag is now provided.
diff --git a/e2e_tests/tests/cluster/test_users.py b/e2e_tests/tests/cluster/test_users.py
@@ -113,7 +113,7 @@ def test_create_user_sdk() -> None:
 @pytest.mark.e2e_cpu
 def test_logout() -> None:
     # Make sure that a logged out session cannot be reused.
-    sess = api_utils.make_session("determined", "")
+    sess = api_utils.make_session("determined", conf.USER_PASSWORD)
 
     bindings.post_Logout(sess)
     with pytest.raises(errors.UnauthenticatedException):

diff --git a/e2e_tests/tests/experiment/test_custom_searcher.py b/e2e_tests/tests/experiment/test_custom_searcher.py
@@ -33,6 +33,7 @@ def check_trial_state(
 @pytest.mark.e2e_cpu
 def test_run_custom_searcher_experiment(tmp_path: pathlib.Path) -> None:
     sess = api_utils.user_session()
+    client._determined = client.Determined._from_session(sess)
     # example searcher script
     config = conf.load_config(conf.fixtures_path("no_op/single.yaml"))
     config["searcher"] = {
@@ -44,7 +45,7 @@ def test_run_custom_searcher_experiment(tmp_path: pathlib.Path) -> None:
     config["name"] = "single"
     config["description"] = "custom searcher"
     search_method = searchers.SingleSearchMethod(config, 500)
-    search_runner = searcher.LocalSearchRunner(search_method, tmp_path)
+    search_runner = searcher.LocalSearchRunner(search_method, tmp_path, session=sess)
     experiment_id = search_runner.run(config, model_dir=conf.fixtures_path("no_op"))
 
     assert client._determined is not None
@@ -55,6 +56,7 @@ def test_run_custom_searcher_experiment(tmp_path: pathlib.Path) -> None:
 @pytest.mark.e2e_cpu_2a
 def test_run_random_searcher_exp() -> None:
     sess = api_utils.user_session()
+    client._determined = client.Determined._from_session(sess)
     config = conf.load_config(conf.fixtures_path("no_op/single.yaml"))
     config["searcher"] = {
         "name": "custom",
@@ -73,7 +75,9 @@ def test_run_random_searcher_exp() -> None:
         search_method = searchers.RandomSearchMethod(
             max_trials, max_concurrent_trials, max_length, test_type="noop"
         )
-        search_runner = searcher.LocalSearchRunner(search_method, pathlib.Path(searcher_dir))
+        search_runner = searcher.LocalSearchRunner(
+            search_method, pathlib.Path(searcher_dir), session=sess
+        )
         experiment_id = search_runner.run(config, model_dir=conf.fixtures_path("no_op"))
 
     response = bindings.get_GetExperiment(sess, experimentId=experiment_id)
@@ -291,7 +295,9 @@ def test_resume_random_searcher_exp(exceptions: List[str]) -> None:
         search_method = searchers.RandomSearchMethod(
             max_trials, max_concurrent_trials, max_length, test_type="noop"
         )
-        search_runner = searcher.LocalSearchRunner(search_method, pathlib.Path(searcher_dir))
+        search_runner = searcher.LocalSearchRunner(
+            search_method, pathlib.Path(searcher_dir), session=sess
+        )
         experiment_id = search_runner.run(config, model_dir=conf.fixtures_path("no_op"))
 
     assert search_runner.state.last_event_id == 41

diff --git a/e2e_tests/tests/experiment/test_unmanaged.py b/e2e_tests/tests/experiment/test_unmanaged.py
@@ -18,6 +18,8 @@ def _run_unmanaged_script(cmd: List, env_to_add: Optional[dict] = None) -> None:
     master_url = conf.make_master_url()
     env = os.environ.copy()
     env["DET_MASTER"] = master_url
+    env["DET_USER"] = "determined"
+    env["DET_PASS"] = conf.USER_PASSWORD
 
     if env_to_add is not None:
         env.update(env_to_add)

diff --git a/harness/determined/deploy/local/cli.py b/harness/determined/deploy/local/cli.py
@@ -20,6 +20,7 @@ def handle_cluster_up(args: argparse.Namespace) -> None:
     cluster_utils.cluster_up(
         num_agents=args.agents,
         port=args.master_port,
+        initial_user_password=args.initial_user_password,
         master_config_path=args.master_config_path,
         storage_host_path=args.storage_host_path,
         cluster_name=args.cluster_name,
@@ -49,6 +50,7 @@ def handle_master_up(args: argparse.Namespace) -> None:
 
     cluster_utils.master_up(
         port=args.master_port,
+        initial_user_password=args.initial_user_password,
         master_config_path=args.master_config_path,
         storage_host_path=args.storage_host_path,
         master_name=args.master_name,
@@ -133,6 +135,12 @@ def deploy_local(args: argparse.Namespace) -> None:
                         help="Storage location for cluster data (e.g. checkpoints)",
                     ),
                 ),
+                cli.Arg(
+                    "--initial-user-password",
+                    type=str,
+                    default=None,
+                    help="Initial password for admin/determined users",
+                ),
                 cli.Arg(
                     "--agents",
                     type=int,
@@ -230,6 +238,12 @@ def deploy_local(args: argparse.Namespace) -> None:
                         help="Storage location for cluster data (e.g. checkpoints)",
                     ),
                 ),
+                cli.Arg(
+                    "--initial-user-password",
+                    type=str,
+                    default=None,
+                    help="Initial password for admin/determined users",
+                ),
                 cli.Arg(
                     "--master-port",
                     type=int,