Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecate setup-passwords tool #76902

Merged
merged 10 commits into from
Oct 21, 2021
Merged

Deprecate setup-passwords tool #76902

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
6e9a196
Deprecate setup-passwords tool
jkakavas Aug 24, 2021
6c05202
Apply suggestions from code review
jkakavas Aug 27, 2021
d72c5f6
feedback
jkakavas Sep 1, 2021
0ab6b41
Merge remote-tracking branch 'origin/master' into deprecate-setup-pas…
jkakavas Sep 1, 2021
3e950b9
Fix formatting for deprecation notice
Oct 4, 2021
b038bce
Merge branch 'master' into deprecate-setup-passwords-tool
elasticmachine Oct 4, 2021
176c86a
Merge branch 'master' into deprecate-setup-passwords-tool
elasticmachine Oct 21, 2021
5e688c8
fix compilation
jkakavas Oct 21, 2021
8e7fd2f
rename reference
jkakavas Oct 21, 2021
0d6fe9d
fix wording
jkakavas Oct 21, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/reference/commands/setup-passwords.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@
[[setup-passwords]]
== elasticsearch-setup-passwords

deprecated[7.16,"Replaced by <<reset-elastic-password,`elasticsearch-reset-elastic-password`>>."]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to deprecate in 7.16 now?
We haven't backported elasticsearch-reset-elastic-password to 7.x yet have we?

It seems premature to indicate that it's deprecated as of 7.16 when we aren't ready to actually deprecate it in 7.x

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is the ideal terminology (though I don't have a better set of words).

There's 3 points:

  1. In 8.0 it's "replaced" mostly by security on by default so this utility isn't needed anymore.
  2. For some scenarios, elasticsearch-reset-elastic-password is a replacement, but not in most
  3. For non-elastic users, the replacement is either automated setup (kibana and fleet) or manual use of the change password API

I don't know how we capture that, but I worry that simply pointing to elasticsearch-reset-elastic-password will confuse some people.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tvernum, I appreciate your insights, as always. I'd like to avoid version-specific language in this message if possible to avoid pinning to a particular version if we need to change when we're deprecating the tool. Perhaps we can cover the two main scenarios that this tool was used for (changing passwords for built-in users and created users) and offer users the alternative options.

The elasticsearch-setup-passwords tool is deprecated and will be removed in a future release. To manually reset the password for the elastic user, use the 'elasticsearch-reset-elastic-password' tool. To change passwords for other users, use either Kibana or the Elasticsearch change passwords API.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestions both, I'll add Adam's text here and remove the version


The `elasticsearch-setup-passwords` command sets the passwords for the
<<built-in-users,built-in users>>.

Expand Down
21 changes: 21 additions & 0 deletions ...src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,11 @@
* mode prompts for each individual user's password. This tool only runs once,
* if successful. After the elastic user password is set you have to use the
* `security` API to manipulate passwords.
*
* @deprecated Use {@link ResetElasticPasswordTool} for setting the password of the elastic user and the ChangePassword API
* for setting the password of the rest of the built-in users when needed.
*/
@Deprecated
public class SetupPasswordTool extends LoggingAwareMultiCommand {

private static final char[] CHARS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789").toCharArray();
Expand Down Expand Up @@ -134,6 +138,12 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
checkClusterHealth(terminal);

if (shouldPrompt) {
terminal.println("******************************************************************************");
terminal.println("Note: The 'elasticsearch-setup-passwords' tool has been deprecated in favour");
terminal.println(" of the 'elasticsearch-reset-elastic-password' tool. This command will");
terminal.println(" possibly be removed in a future release.");
jkakavas marked this conversation as resolved.
Show resolved Hide resolved
terminal.println("******************************************************************************");
terminal.println("");
terminal.println("Initiating the setup of passwords for reserved users " + String.join(",", USERS) + ".");
terminal.println("The passwords will be randomly generated and printed to the console.");
boolean shouldContinue = terminal.promptYesNo("Please confirm that you would like to continue", false);
Expand Down Expand Up @@ -180,6 +190,12 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
checkClusterHealth(terminal);

if (shouldPrompt) {
terminal.println("******************************************************************************");
terminal.println("Note: The 'elasticsearch-setup-passwords' tool has been deprecated in favour");
terminal.println(" of the 'elasticsearch-reset-elastic-password' tool. This command will");
terminal.println(" possibly be removed in a future release.");
jkakavas marked this conversation as resolved.
Show resolved Hide resolved
terminal.println("******************************************************************************");
terminal.println("");
terminal.println("Initiating the setup of passwords for reserved users " + String.join(",", USERS) + ".");
terminal.println("You will be prompted to enter passwords as the process progresses.");
boolean shouldContinue = terminal.promptYesNo("Please confirm that you would like to continue", false);
Expand Down Expand Up @@ -314,6 +330,11 @@ void checkElasticKeystorePasswordValid(Terminal terminal, Environment env) throw
terminal.errorPrintln(" * Your elasticsearch node is running against a different keystore");
terminal.errorPrintln(" This tool used the keystore at " + KeyStoreWrapper.keystorePath(env.configFile()));
terminal.errorPrintln("");
terminal.errorPrintln(
"You can use `elasticsearch-reset-elastic-password` CLI tool to reset the password of the '" + elasticUser
lockewritesdocs marked this conversation as resolved.
Show resolved Hide resolved
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"You can use `elasticsearch-reset-elastic-password` CLI tool to reset the password of the '" + elasticUser
"You can use the `elasticsearch-reset-elastic-password` CLI tool to reset the password of the '" + elasticUser

+ "' user"
);
terminal.errorPrintln("");
throw new UserException(ExitCodes.CONFIG, "Failed to verify bootstrap password");
} else if (httpCode != HttpURLConnection.HTTP_OK) {
terminal.errorPrintln("");
Expand Down