Page MenuHomePhabricator
Create Task
Maniphest T408919

OpenSearch on K8s: Create separate user for the OpenSearch operator
Closed, ResolvedPublic
Actions

Description

As it stands today, the OpenSearch operator and the human admin user share the same username. This is not ideal from a security or auditing standpoint, so let's:

  • Create a separate user for the operator
  • Verify that the operator logs in with that user instead of the human admin's user.

Details

Other Assignee
RKemper
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
WIP: opensearch-cluster: Add operator useroperations/deployment-chartsmaster+35 -3
opensearch-cluster: create separate user for operator and adminoperations/deployment-chartsmaster+45 -17
Customize query in gerrit

Related Objects
Search...

Event Timeline

bking created this task.Oct 31 2025, 1:59 PM
bking mentioned this in T408012: Roll out OpenSearch cluster in `opensearch-ipoid-test` and `opensearch-ipoid` namespaces in dse-k8s-eqiad.Oct 31 2025, 3:27 PM
bking added a parent task: T408012: Roll out OpenSearch cluster in `opensearch-ipoid-test` and `opensearch-ipoid` namespaces in dse-k8s-eqiad.
bking added a comment.Oct 31 2025, 9:25 PM

This Slack thread contains some useful links about how the operator connects to the cluster, where it gets the creds, etc.

At a high level, I think we can achieve our goal by:

  • Tweaking secret.yaml so it creates 2 separate admin users:
    • A hard-coded operator user, and
    • A dynamically-generated human user

I think I'd prefer to have the operator user auth via mTLS since that doesn't require keeping track of secrets in private puppet. I'll study the linked code and discuss this with further with my colleagues.

bking mentioned this in T408238: Create Airflow job that loads Spur data.Nov 3 2025, 3:43 PM
gerritbot added a comment.Nov 3 2025, 4:45 PM

Change #1201104 had a related patch set uploaded (by Bking; author: Bking):

[operations/deployment-charts@master] WIP: opensearch-cluster: Add operator user

https://gerrit.wikimedia.org/r/1201104

gerritbot added a project: Patch-For-Review.Nov 3 2025, 4:45 PM
gerritbot added a comment.Nov 6 2025, 7:44 PM

Change #1202769 had a related patch set uploaded (by Bking; author: Bking):

[operations/deployment-charts@master] opensearch-cluster: create separate user for operator and admin

https://gerrit.wikimedia.org/r/1202769

gerritbot added a comment.Nov 6 2025, 11:07 PM

Change #1202769 merged by Bking:

[operations/deployment-charts@master] opensearch-cluster: create separate user for operator and admin

https://gerrit.wikimedia.org/r/1202769

bking changed the task status from Open to In Progress.Nov 6 2025, 11:09 PM
bking claimed this task.
bking triaged this task as Medium priority.
bking updated Other Assignee, added: RKemper.
bking updated the task description. (Show Details)
Gehel edited projects, added Data-Platform-SRE (2025.11.07 - 2025.11.28); removed Data-Platform-SRE (2025.10.17 - 2025.11.07).Fri, Nov 7, 1:32 PM
bking updated the task description. (Show Details)Fri, Nov 7, 9:57 PM
bking closed this task as Resolved.Fri, Nov 7, 10:00 PM
bking moved this task from Backlog - project to Done on the Data-Platform-SRE (2025.11.07 - 2025.11.28) board.

I've redeployed opensearch-test and opensearch-ipoid-test clusters after merging the above changes, and I can confirm that both the`operator` and opensearch user are created correctly. I've also confirmed that I can create indices with the opensearch user:

curl -H "Content-type: Application/json" -u ${OS} -XPUT https://opensearch-test.discovery.wmnet:30443/enwikibooks -d @mapping.json

and retrieve them: curl -XGET -u ${OS} https://opensearch-test.discovery.wmnet:30443/enwikibooks?pretty

As such, I'm closing out this ticket.

gerritbot added a comment.Mon, Nov 10, 2:31 PM

Change #1201104 abandoned by Bking:

[operations/deployment-charts@master] WIP: opensearch-cluster: Add operator user

Reason:

superseded by 1202769

https://gerrit.wikimedia.org/r/1201104

Maintenance_bot removed a project: Patch-For-Review.Mon, Nov 10, 3:32 PM
Gehel moved this task from Done to Reported on the Data-Platform-SRE (2025.11.07 - 2025.11.28) board.Fri, Nov 14, 10:15 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits