-
Notifications
You must be signed in to change notification settings - Fork 24.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deprecate setup-passwords tool #76902
Deprecate setup-passwords tool #76902
Conversation
With Security ON by default project where the `elastic` user password is auto-generated, we have decided to deprecate the setup-passwords tool and consider removing it in a future version. Users will get a password for the `elastic` built-in user when the node starts for the first time and they can also use the newly introduced elastisearch-reset-elastic-password tool to set or reset that password. With credentials for the elastic user available, the password for the rest of the built-in users can be set using the Change Password API, or via Kibana.
Pinging @elastic/es-security (Team:Security) |
I am uncertain of the "in favor of " and "replaced by" wording as the new tool has a subset of the old functionality, happy to get suggestions! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Provided some suggested changes, but looks good overall.
...ty/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java
Outdated
Show resolved
Hide resolved
...ty/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java
Outdated
Show resolved
Hide resolved
...ty/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java
Outdated
Show resolved
Hide resolved
Co-authored-by: Adam Locke <adam.locke@elastic.co>
@@ -3,6 +3,8 @@ | |||
[[setup-passwords]] | |||
== elasticsearch-setup-passwords | |||
|
|||
deprecated[7.16,"Replaced by <<reset-elastic-password,`elasticsearch-reset-elastic-password`>>."] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to deprecate in 7.16 now?
We haven't backported elasticsearch-reset-elastic-password
to 7.x yet have we?
It seems premature to indicate that it's deprecated as of 7.16 when we aren't ready to actually deprecate it in 7.x
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is the ideal terminology (though I don't have a better set of words).
There's 3 points:
- In 8.0 it's "replaced" mostly by security on by default so this utility isn't needed anymore.
- For some scenarios,
elasticsearch-reset-elastic-password
is a replacement, but not in most - For non-elastic users, the replacement is either automated setup (kibana and fleet) or manual use of the change password API
I don't know how we capture that, but I worry that simply pointing to elasticsearch-reset-elastic-password
will confuse some people.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tvernum, I appreciate your insights, as always. I'd like to avoid version-specific language in this message if possible to avoid pinning to a particular version if we need to change when we're deprecating the tool. Perhaps we can cover the two main scenarios that this tool was used for (changing passwords for built-in users and created users) and offer users the alternative options.
The
elasticsearch-setup-passwords
tool is deprecated and will be removed in a future release. To manually reset the password for theelastic
user, use the 'elasticsearch-reset-elastic-password' tool. To change passwords for other users, use either Kibana or the Elasticsearch change passwords API.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the suggestions both, I'll add Adam's text here and remove the version
@@ -134,6 +138,12 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th | |||
checkClusterHealth(terminal); | |||
|
|||
if (shouldPrompt) { | |||
terminal.println("******************************************************************************"); | |||
terminal.println("Note: The 'elasticsearch-setup-passwords' tool has been deprecated"); | |||
terminal.println(" and might be removed in a future release."); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't love "might". I think we should say "will be" or "is intended to be"
terminal.println("******************************************************************************"); | ||
terminal.println("Note: The 'elasticsearch-setup-passwords' tool has been deprecated"); | ||
terminal.println(" and might be removed in a future release."); | ||
terminal.println(" Use the 'elasticsearch-reset-elastic-password' tool instead. "); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See my comment above - not every use of setup-passwords can switch to "elasticsearch-reset-elastic-password" and I worry about confusion.
@elasticmachine run elasticsearch-ci/docs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One minor nit, but LGTM otherwise 👍
@@ -314,6 +328,11 @@ void checkElasticKeystorePasswordValid(Terminal terminal, Environment env) throw | |||
terminal.errorPrintln(" * Your elasticsearch node is running against a different keystore"); | |||
terminal.errorPrintln(" This tool used the keystore at " + KeyStoreWrapper.keystorePath(env.configFile())); | |||
terminal.errorPrintln(""); | |||
terminal.errorPrintln( | |||
"You can use `elasticsearch-reset-elastic-password` CLI tool to reset the password of the '" + elasticUser |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"You can use `elasticsearch-reset-elastic-password` CLI tool to reset the password of the '" + elasticUser | |
"You can use the `elasticsearch-reset-elastic-password` CLI tool to reset the password of the '" + elasticUser |
@elasticmachine update branch |
@@ -3,6 +3,8 @@ | |||
[[setup-passwords]] | |||
== elasticsearch-setup-passwords | |||
|
|||
deprecated[8.0, "The `elasticsearch-setup-passwords` tool is deprecated and will be removed in a future release. To manually reset the password for the `elastic` user, use the <<reset-elastic-password,`elasticsearch-reset-elastic-password` tool>>. To change passwords for other users, use either {kib} or the {es} change passwords API."] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Drive-by comment: We should also add a deprecation notice to the 8.0 breaking changes.
There isn't a deprecations section yet, but we can use the 7.15 one as a template.
@lockewritesdocs Do you mind assisting and ensuring this gets added?
We'll also want to remove the 7.16
label if the elasticsearch-reset-elastic-password
tool won't be in 7.x.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a comment. We still need a deprecation notice in the 8.0 breaking changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM (with @lockewritesdocs's suggested change)
@jkakavas, should we remove the |
@elasticmachine update branch |
With Security ON by default project where the `elastic` user password is auto-generated, we have decided to deprecate the setup-passwords tool and consider removing it in a future version. Users will get a password for the `elastic` built-in user when the node starts for the first time and they can also use the newly introduced elastisearch-reset-elastic-password tool to set or reset that password. With credentials for the elastic user available, the password for the rest of the built-in users can be set using the Change Password API, or via Kibana.
With Security ON by default project where the
elastic
userpassword is auto-generated, we have decided to deprecate the
setup-passwords tool and consider removing it in a future version.
Users will get a password for the
elastic
built-in user when thenode starts for the first time and they can also use the newly
introduced elastisearch-reset-elastic-password tool to set or
reset that password. With credentials for the elastic user
available, the password for the rest of the built-in users can be
set using the Change Password API, or via Kibana.