Remove admin:admin default and update instructions for demo setup (opensearch-project#5887)

* Update some admin:admin references

Signed-off-by: Derek Ho <[email protected]>

* Update all references except for helm

Signed-off-by: Derek Ho <[email protected]>

* Update helm

Signed-off-by: Derek Ho <[email protected]>

* Reverts changes made to _install-and-configure folder

Signed-off-by: Darshit Chanpura <[email protected]>

* Apply suggestions from code review

Co-authored-by: Naarcha-AWS <[email protected]>
Signed-off-by: Derek Ho <[email protected]>

* Update _about/quickstart.md

Signed-off-by: Naarcha-AWS <[email protected]>

* Apply suggestions from code review

Co-authored-by: Nathan Bower <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>

* Update quickstart.md

Signed-off-by: Naarcha-AWS <[email protected]>

---------

Signed-off-by: Derek Ho <[email protected]>
Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Derek Ho <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>
Co-authored-by: Darshit Chanpura <[email protected]>
Co-authored-by: Darshit Chanpura <[email protected]>
Co-authored-by: Naarcha-AWS <[email protected]>
Co-authored-by: Nathan Bower <[email protected]>

Author: 4 people

_about/quickstart.md

@@ -52,9 +52,9 @@ You'll need a special file, called a Compose file, that Docker Compose uses to d
     opensearch-node1        "./opensearch-docker…"   opensearch-node1        running             0.0.0.0:9200->9200/tcp, 9300/tcp, 0.0.0.0:9600->9600/tcp, 9650/tcp
     opensearch-node2        "./opensearch-docker…"   opensearch-node2        running             9200/tcp, 9300/tcp, 9600/tcp, 9650/tcp
     ```
-1. Query the OpenSearch REST API to verify that the service is running. You should use `-k` (also written as `--insecure`) to disable host name checking because the default security configuration uses demo certificates. Use `-u` to pass the default username and password (`admin:admin`).
+1. Query the OpenSearch REST API to verify that the service is running. You should use `-k` (also written as `--insecure`) to disable hostname checking because the default security configuration uses demo certificates. Use `-u` to pass the default username and password (`admin:<custom-admin-password>`).
     ```bash
-    curl https://localhost:9200 -ku admin:admin
+    curl https://localhost:9200 -ku admin:<custom-admin-password>
     ```
     Sample response:
     ```json
@@ -76,7 +76,7 @@ You'll need a special file, called a Compose file, that Docker Compose uses to d
         "tagline" : "The OpenSearch Project: https://opensearch.org/"
     }
     ```
-1. Explore OpenSearch Dashboards by opening `http://localhost:5601/` in a web browser on the same host that is running your OpenSearch cluster. The default username is `admin` and the default password is `admin`.
+1. Explore OpenSearch Dashboards by opening `http://localhost:5601/` in a web browser on the same host that is running your OpenSearch cluster. The default username is `admin` and the default password is set in your `docker-compose.yml` file in the `OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password>` setting.
 
 ## Create an index and field mappings using sample data
 
@@ -100,18 +100,18 @@ Create an index and define field mappings using a dataset provided by the OpenSe
     ```
 1. Define the field mappings with the mapping file.
     ```bash
-    curl -H "Content-Type: application/x-ndjson" -X PUT "https://localhost:9200/ecommerce" -ku admin:admin --data-binary "@ecommerce-field_mappings.json"
+    curl -H "Content-Type: application/x-ndjson" -X PUT "https://localhost:9200/ecommerce" -ku admin:<custom-admin-password> --data-binary "@ecommerce-field_mappings.json"
     ```
 1. Upload the index to the bulk API.
     ```bash
-    curl -H "Content-Type: application/x-ndjson" -X PUT "https://localhost:9200/ecommerce/_bulk" -ku admin:admin --data-binary "@ecommerce.json"
+    curl -H "Content-Type: application/x-ndjson" -X PUT "https://localhost:9200/ecommerce/_bulk" -ku admin:<custom-admin-password> --data-binary "@ecommerce.json"
     ```
 1. Query the data using the search API. The following command submits a query that will return documents where `customer_first_name` is `Sonya`.
     ```bash
-    curl -H 'Content-Type: application/json' -X GET "https://localhost:9200/ecommerce/_search?pretty=true" -ku admin:admin -d' {"query":{"match":{"customer_first_name":"Sonya"}}}'
+    curl -H 'Content-Type: application/json' -X GET "https://localhost:9200/ecommerce/_search?pretty=true" -ku admin:<custom-admin-password> -d' {"query":{"match":{"customer_first_name":"Sonya"}}}'
     ```
     Queries submitted to the OpenSearch REST API will generally return a flat JSON by default. For a human readable response body, use the query parameter `pretty=true`. For more information about `pretty` and other useful query parameters, see [Common REST parameters]({{site.url}}{{site.baseurl}}/opensearch/common-parameters/).
-1. Access OpenSearch Dashboards by opening `http://localhost:5601/` in a web browser on the same host that is running your OpenSearch cluster. The default username is `admin` and the default password is `admin`.
+1. Access OpenSearch Dashboards by opening `http://localhost:5601/` in a web browser on the same host that is running your OpenSearch cluster. The default username is `admin` and the password is set in your `docker-compose.yml` file in the `OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password>` setting.
 1. On the top menu bar, go to **Management > Dev Tools**.
 1. In the left pane of the console, enter the following:
     ```json
@@ -162,4 +162,4 @@ OpenSearch will fail to start if your host's `vm.max_map_count` is too low. Revi
 opensearch-node1         | ERROR: [1] bootstrap checks failed
 opensearch-node1         | [1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
 opensearch-node1         | ERROR: OpenSearch did not exit normally - check the logs at /usr/share/opensearch/logs/opensearch-cluster.log
-```
+```

_api-reference/tasks.md

@@ -267,7 +267,7 @@ To associate requests with tasks for better tracking, you can provide a `X-Opaqu
 Usage:
 
 ```bash
-curl -i -H "X-Opaque-Id: 111111" "https://localhost:9200/_tasks" -u 'admin:admin' --insecure
+curl -i -H "X-Opaque-Id: 111111" "https://localhost:9200/_tasks" -u 'admin:<custom-admin-password>' --insecure
 ```
 {% include copy.html %}
 
@@ -326,6 +326,6 @@ content-length: 768
 This operation supports the same parameters as the `tasks` operation. The following example shows how you can associate `X-Opaque-Id` with specific tasks:
 
 ```bash
-curl -i -H "X-Opaque-Id: 123456" "https://localhost:9200/_tasks?nodes=opensearch-node1" -u 'admin:admin' --insecure
+curl -i -H "X-Opaque-Id: 123456" "https://localhost:9200/_tasks?nodes=opensearch-node1" -u 'admin:<custom-admin-password>' --insecure
 ```
 {% include copy.html %}

_benchmark/quickstart.md

@@ -31,7 +31,7 @@ After installation, you can verify OpenSearch is running by going to `localhost:
 Use the following command to verify OpenSearch is running with SSL certificate checks disabled:
 
 ```bash
-curl -k -u admin:admin https://localhost:9200			# the "-k" option skips SSL certificate checks
+curl -k -u admin:<custom-admin-password> https://localhost:9200			# the "-k" option skips SSL certificate checks
 
 {
   "name" : "147ddae31bf8.opensearch.org",

_clients/javascript/index.md

@@ -48,7 +48,7 @@ To connect to the default OpenSearch host, create a client object with the addre
 var host = "localhost";
 var protocol = "https";
 var port = 9200;
-var auth = "admin:admin"; // For testing only. Don't store credentials in code.
+var auth = "admin:<custom-admin-password>"; // For testing only. Don't store credentials in code.
 var ca_certs_path = "/full/path/to/root-ca.pem";
 
 // Optional client certificates if you don't want to use HTTP basic authentication.
@@ -360,7 +360,7 @@ The following sample program creates a client, adds an index with non-default se
 var host = "localhost";
 var protocol = "https";
 var port = 9200;
-var auth = "admin:admin"; // For testing only. Don't store credentials in code.
+var auth = "admin:<custom-admin-password>"; // For testing only. Don't store credentials in code.
 var ca_certs_path = "/full/path/to/root-ca.pem";
 
 // Optional client certificates if you don't want to use HTTP basic authentication.

_monitoring-your-cluster/pa/index.md

@@ -245,7 +245,7 @@ curl -XPOST http://localhost:9200/_plugins/_performanceanalyzer/rca/cluster/conf
 If you encounter the `curl: (52) Empty reply from server` response, run the following command to enable RCA:
 
 ```bash
-curl -XPOST https://localhost:9200/_plugins/_performanceanalyzer/rca/cluster/config -H 'Content-Type: application/json' -d '{"enabled": true}' -u 'admin:admin' -k
+curl -XPOST https://localhost:9200/_plugins/_performanceanalyzer/rca/cluster/config -H 'Content-Type: application/json' -d '{"enabled": true}' -u 'admin:<custom-admin-password>' -k
 ```
 
 ### Example API query and response

_observing-your-data/log-ingestion.md

@@ -63,7 +63,7 @@ This should result in a single document being written to the OpenSearch cluster
 Run the following command to see one of the raw documents in the OpenSearch cluster:
 
 ```bash
-curl -X GET -u 'admin:admin' -k 'https://localhost:9200/apache_logs/_search?pretty&size=1'
+curl -X GET -u 'admin:<custom-admin-password>' -k 'https://localhost:9200/apache_logs/_search?pretty&size=1'
 ```
 
 The response should show the parsed log data:

_observing-your-data/trace/getting-started.md

@@ -76,7 +76,7 @@ node-0.example.com  | [2020-11-19T16:29:55,267][INFO ][o.e.c.m.MetadataMappingSe
 In a new terminal window, run the following command to see one of the raw documents in the OpenSearch cluster:
 
 ```bash
-curl -X GET -u 'admin:admin' -k 'https://localhost:9200/otel-v1-apm-span-000001/_search?pretty&size=1'
+curl -X GET -u 'admin:<custom-admin-password>' -k 'https://localhost:9200/otel-v1-apm-span-000001/_search?pretty&size=1'
 ```
 
 Navigate to `http://localhost:5601` in a web browser and choose **Trace Analytics**. You can see the results of your single click in the Jaeger HotROD web interface: the number of traces per API and HTTP method, latency trends, a color-coded map of the service architecture, and a list of trace IDs that you can use to drill down on individual operations.

_reporting/rep-cli-env-var.md

@@ -30,7 +30,7 @@ Values from the command line argument have higher priority than the environment
 The following command requests a report with basic authentication in PNG format:
 
 ```
-opensearch-reporting-cli --url https://localhost:5601/app/dashboards#/view/7adfa750-4c81-11e8-b3d7-01146121b73d --format png --auth basic --credentials admin:admin
+opensearch-reporting-cli --url https://localhost:5601/app/dashboards#/view/7adfa750-4c81-11e8-b3d7-01146121b73d --format png --auth basic --credentials admin:<custom-admin-password>
 ```
 
 Upon success, the report will download to the current directory.

_search-plugins/sql/sql/index.md

@@ -61,7 +61,7 @@ POST _plugins/_sql
 To run the preceding query in the command line, use the [curl](https://curl.haxx.se/) command:
 
 ```bash
-curl -XPOST https://localhost:9200/_plugins/_sql -u 'admin:admin' -k -H 'Content-Type: application/json' -d '{"query": "SELECT * FROM my-index* LIMIT 50"}'
+curl -XPOST https://localhost:9200/_plugins/_sql -u 'admin:<custom-admin-password>' -k -H 'Content-Type: application/json' -d '{"query": "SELECT * FROM my-index* LIMIT 50"}'
 ```
 {% include copy.html %}
 

_security/access-control/cross-cluster-search.md

@@ -77,6 +77,7 @@ services:
       - discovery.type=single-node
       - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
       - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
+      - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password>" # The initial admin password used by the demo configuration
     ulimits:
       memlock:
         soft: -1
@@ -97,6 +98,7 @@ services:
       - discovery.type=single-node
       - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
       - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
+      - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password>" # The initial admin password used by the demo configuration
     ulimits:
       memlock:
         soft: -1
@@ -120,13 +122,13 @@ networks:
 After the clusters start, verify the names of each:
 
 ```json
-curl -XGET -u 'admin:admin' -k 'https://localhost:9200'
+curl -XGET -u 'admin:<custom-admin-password>' -k 'https://localhost:9200'
 {
   "cluster_name" : "opensearch-ccs-cluster1",
   ...
 }
 
-curl -XGET -u 'admin:admin' -k 'https://localhost:9250'
+curl -XGET -u 'admin:<custom-admin-password>' -k 'https://localhost:9250'
 {
   "cluster_name" : "opensearch-ccs-cluster2",
   ...
@@ -154,7 +156,7 @@ docker inspect --format='{% raw %}{{range .NetworkSettings.Networks}}{{.IPAddres
 On the coordinating cluster, add the remote cluster name and the IP address (with port 9300) for each "seed node." In this case, you only have one seed node:
 
 ```json
-curl -k -XPUT -H 'Content-Type: application/json' -u 'admin:admin' 'https://localhost:9250/_cluster/settings' -d '
+curl -k -XPUT -H 'Content-Type: application/json' -u 'admin:<custom-admin-password>' 'https://localhost:9250/_cluster/settings' -d '
 {
   "persistent": {
     "cluster.remote": {
@@ -169,13 +171,13 @@ curl -k -XPUT -H 'Content-Type: application/json' -u 'admin:admin' 'https://loca
 On the remote cluster, index a document:
 
 ```bash
-curl -XPUT -k -H 'Content-Type: application/json' -u 'admin:admin' 'https://localhost:9200/books/_doc/1' -d '{"Dracula": "Bram Stoker"}'
+curl -XPUT -k -H 'Content-Type: application/json' -u 'admin:<custom-admin-password>' 'https://localhost:9200/books/_doc/1' -d '{"Dracula": "Bram Stoker"}'
 ```
 
 At this point, cross-cluster search works. You can test it using the `admin` user:
 
 ```bash
-curl -XGET -k -u 'admin:admin' 'https://localhost:9250/opensearch-ccs-cluster1:books/_search?pretty'
+curl -XGET -k -u 'admin:<custom-admin-password>' 'https://localhost:9250/opensearch-ccs-cluster1:books/_search?pretty'
 {
   ...
   "hits": [{
@@ -192,8 +194,8 @@ curl -XGET -k -u 'admin:admin' 'https://localhost:9250/opensearch-ccs-cluster1:b
 To continue testing, create a new user on both clusters:
 
 ```bash
-curl -XPUT -k -u 'admin:admin' 'https://localhost:9200/_plugins/_security/api/internalusers/booksuser' -H 'Content-Type: application/json' -d '{"password":"password"}'
-curl -XPUT -k -u 'admin:admin' 'https://localhost:9250/_plugins/_security/api/internalusers/booksuser' -H 'Content-Type: application/json' -d '{"password":"password"}'
+curl -XPUT -k -u 'admin:<custom-admin-password>' 'https://localhost:9200/_plugins/_security/api/internalusers/booksuser' -H 'Content-Type: application/json' -d '{"password":"password"}'
+curl -XPUT -k -u 'admin:<custom-admin-password>' 'https://localhost:9250/_plugins/_security/api/internalusers/booksuser' -H 'Content-Type: application/json' -d '{"password":"password"}'
 ```
 
 Then run the same search as before with `booksuser`:
@@ -218,8 +220,8 @@ curl -XGET -k -u booksuser:password 'https://localhost:9250/opensearch-ccs-clust
 Note the permissions error. On the remote cluster, create a role with the appropriate permissions, and map `booksuser` to that role:
 
 ```bash
-curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9200/_plugins/_security/api/roles/booksrole' -d '{"index_permissions":[{"index_patterns":["books"],"allowed_actions":["indices:admin/shards/search_shards","indices:data/read/search"]}]}'
-curl -XPUT -k -u 'admin:admin' -H 'Content-Type: application/json' 'https://localhost:9200/_plugins/_security/api/rolesmapping/booksrole' -d '{"users" : ["booksuser"]}'
+curl -XPUT -k -u 'admin:<custom-admin-password>' -H 'Content-Type: application/json' 'https://localhost:9200/_plugins/_security/api/roles/booksrole' -d '{"index_permissions":[{"index_patterns":["books"],"allowed_actions":["indices:admin/shards/search_shards","indices:data/read/search"]}]}'
+curl -XPUT -k -u 'admin:<custom-admin-password>' -H 'Content-Type: application/json' 'https://localhost:9200/_plugins/_security/api/rolesmapping/booksrole' -d '{"users" : ["booksuser"]}'
 ```
 
 Both clusters must have the user, but only the remote cluster needs the role and mapping; in this case, the coordinating cluster handles authentication (i.e. "Does this request include valid user credentials?"), and the remote cluster handles authorization (i.e. "Can this user access this data?").

_security/access-control/impersonation.md

@@ -47,5 +47,5 @@ plugins.security.authcz.impersonation_dn:
 To impersonate another user, submit a request to the system with the HTTP header `opendistro_security_impersonate_as` set to the name of the user to be impersonated. A good test is to make a GET request to the `_plugins/_security/authinfo` URI:
 
 ```bash
-curl -XGET -u 'admin:admin' -k -H "opendistro_security_impersonate_as: user_1" https://localhost:9200/_plugins/_security/authinfo?pretty
+curl -XGET -u 'admin:<custom-admin-password>' -k -H "opendistro_security_impersonate_as: user_1" https://localhost:9200/_plugins/_security/authinfo?pretty
 ```

_troubleshoot/index.md

@@ -30,7 +30,7 @@ If you run legacy Kibana OSS scripts against OpenSearch Dashboards---for example
 In this case, your scripts likely include the `"kbn-xsrf: true"` header. Switch it to the `osd-xsrf: true` header:
 
 ```
-curl -XPOST -u 'admin:admin' 'https://DASHBOARDS_ENDPOINT/api/saved_objects/_import' -H 'osd-xsrf:true' --form [email protected]
+curl -XPOST -u 'admin:<custom-admin-password>' 'https://DASHBOARDS_ENDPOINT/api/saved_objects/_import' -H 'osd-xsrf:true' --form [email protected]
 ```
 
 

_tuning-your-cluster/availability-and-recovery/remote-store/index.md

@@ -86,7 +86,7 @@ curl -X POST "https://localhost:9200/_remotestore/_restore" -H 'Content-Type: ap
 **Restore all shards of a given index**
 
 ```bash
-curl -X POST "https://localhost:9200/_remotestore/_restore?restore_all_shards=true" -ku admin:admin -H 'Content-Type: application/json' -d'
+curl -X POST "https://localhost:9200/_remotestore/_restore?restore_all_shards=true" -ku admin:<custom-admin-password> -H 'Content-Type: application/json' -d'
 {
   "indices": ["my-index"]
 }

_tuning-your-cluster/index.md

@@ -177,7 +177,7 @@ less /var/log/opensearch/opensearch-cluster.log
 Perform the following `_cat` query on any node to see all the nodes formed as a cluster:
 
 ```bash
-curl -XGET https://<private-ip>:9200/_cat/nodes?v -u 'admin:admin' --insecure
+curl -XGET https://<private-ip>:9200/_cat/nodes?v -u 'admin:<custom-admin-password>' --insecure
 ```
 
 ```

_tuning-your-cluster/replication-plugin/auto-follow.md

@@ -28,7 +28,7 @@ Replication rules are a collection of patterns that you create against a single
 Create a replication rule on the follower cluster:
 
 ```bash
-curl -XPOST -k -H 'Content-Type: application/json' -u 'admin:admin' 'https://localhost:9200/_plugins/_replication/_autofollow?pretty' -d '
+curl -XPOST -k -H 'Content-Type: application/json' -u 'admin:<custom-admin-password>' 'https://localhost:9200/_plugins/_replication/_autofollow?pretty' -d '
 {
    "leader_alias" : "my-connection-alias",
    "name": "my-replication-rule",
@@ -46,13 +46,13 @@ If the Security plugin is disabled, you can leave out the `use_roles` parameter.
 To test the rule, create a matching index on the leader cluster:
 
 ```bash
-curl -XPUT -k -H 'Content-Type: application/json' -u 'admin:admin' 'https://localhost:9201/movies-0001?pretty'
+curl -XPUT -k -H 'Content-Type: application/json' -u 'admin:<custom-admin-password>' 'https://localhost:9201/movies-0001?pretty'
 ```
 
 And confirm its replica shows up on the follower cluster:
 
 ```bash
-curl -XGET -u 'admin:admin' -k 'https://localhost:9200/_cat/indices?v'
+curl -XGET -u 'admin:<custom-admin-password>' -k 'https://localhost:9200/_cat/indices?v'
 ```
 
 It might take several seconds for the index to appear.
@@ -67,7 +67,7 @@ yellow open   movies-0001  kHOxYYHxRMeszLjTD9rvSQ     1   1          0
 To retrieve a list of existing replication rules that are configured on a cluster, send the following request:
 
 ```bash
-curl -XGET -u 'admin:admin' -k 'https://localhost:9200/_plugins/_replication/autofollow_stats'
+curl -XGET -u 'admin:<custom-admin-password>' -k 'https://localhost:9200/_plugins/_replication/autofollow_stats'
 
 {
    "num_success_start_replication": 1,
@@ -96,7 +96,7 @@ curl -XGET -u 'admin:admin' -k 'https://localhost:9200/_plugins/_replication/aut
 To delete a replication rule, send the following request to the follower cluster:
 
 ```bash
-curl -XDELETE -k -H 'Content-Type: application/json' -u 'admin:admin' 'https://localhost:9200/_plugins/_replication/_autofollow?pretty' -d '
+curl -XDELETE -k -H 'Content-Type: application/json' -u 'admin:<custom-admin-password>' 'https://localhost:9200/_plugins/_replication/_autofollow?pretty' -d '
 {
    "leader_alias" : "my-conection-alias",
    "name": "my-replication-rule"