opensearch-project · cwperks · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026
@@ -7,19 +7,20 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Added
 
 ### Changed
+- Copy scripts from tools to bin/ directory in assembly and make scripts agnostic to directory ([#6023](https://github.com/opensearch-project/security/pull/6023))
 
 ### Features
 
 ### Enhancements
 - Make security plugin aware of FIPS build param (-Pcrypto.standard=FIPS-140-3) ([#5952](https://github.com/opensearch-project/security/pull/5952))
-- Hardens input validation for resource sharing APIs ([#5831](https://github.com/opensearch-project/security/pull/5831)
+- Hardens input validation for resource sharing APIs ([#5831](https://github.com/opensearch-project/security/pull/5831))
 - Optimize getFieldFilter to only return a predicate when index has FLS restrictions for user ([#5777](https://github.com/opensearch-project/security/pull/5777))
 - Performance optimizations for building internal authorization data structures upon config updates ([#5988](https://github.com/opensearch-project/security/pull/5988))
 - Make encryption_key optional for obo token authenticator ([#6017](https://github.com/opensearch-project/security/pull/6017)
 - Enable basic authentication for gRPC transport ([#6005](https://github.com/opensearch-project/security/pull/6005))
 
 ### Bug Fixes
-- Fix audit log writing errors for rollover-enabled alias indices ([#5878](https://github.com/opensearch-project/security/pull/5878)
+- Fix audit log writing errors for rollover-enabled alias indices ([#5878](https://github.com/opensearch-project/security/pull/5878))
 - Fix the issue of unprocessed X-Request-Id ([#5954](https://github.com/opensearch-project/security/pull/5954))
 - Improve DLS error message to identify undefined user attributes when query substitution fails ([#5975](https://github.com/opensearch-project/security/pull/5975))
 

@@ -448,6 +448,9 @@ bundlePlugin {
     from('config') {
         into 'config'
     }
+    from('tools') {
+        into 'bin'
+    }
     from('tools') {
         into 'tools'
     }

@@ -258,8 +258,8 @@ void initializeVariables() {
      * Sets the base directory to be used by the script.
      */
     void setBaseDir() {
-        File baseDirFile = new File(SCRIPT_DIR).getParentFile().getParentFile().getParentFile();
-        BASE_DIR = baseDirFile != null ? baseDirFile.getAbsolutePath() : null;
+        File baseDirFile = new File(SCRIPT_DIR);
+        BASE_DIR = baseDirFile.isDirectory() ? baseDirFile.getAbsolutePath() : null;
 
         if (BASE_DIR == null || !new File(BASE_DIR).isDirectory()) {
             System.out.println("DEBUG: basedir does not exist");

@@ -208,15 +208,9 @@ public void testGatherInputs_withAssumeYes() {
 
     @Test
     public void testInitializeVariables_setBaseDir_invalidPath() {
-        String[] invalidScriptDirPath = { "/scriptDir", "-y" };
+        String[] invalidScriptDirPath = { "/nonexistent/opensearch-home", "-y" };
         installer.readOptions(invalidScriptDirPath);
 
-        // If BASE_DIR cannot be determined, a NullPointerException is expected.
-        assertThrows("Expected NullPointerException to be thrown", NullPointerException.class, installer::initializeVariables);
-
-        String[] invalidScriptDirPath2 = { "/opensearch/plugins/opensearch-security/tools", "-y" };
-        installer.readOptions(invalidScriptDirPath2);
-
         installer.setExitHandler(status -> { throw new TestExitException(status); });
         TestExitException ex = assertThrows("Expected exit with status -1", TestExitException.class, installer::initializeVariables);
         assertThat(ex.getStatus(), equalTo(-1));
@@ -233,8 +227,7 @@ public void testSetBaseDir_valid() {
 
         installer.setBaseDir();
 
-        String expectedBaseDirValue = new File(currentDir).getParentFile().getParentFile().getParentFile().getAbsolutePath()
-            + File.separator;
+        String expectedBaseDirValue = new File(currentDir).getAbsolutePath() + File.separator;
         assertThat(installer.BASE_DIR, equalTo(expectedBaseDirValue));
     }
 
@@ -257,8 +250,7 @@ public void testSetOpenSearchVariables_invalidPath() {
         verifyStdOutContainsString("Unable to determine OpenSearch plugins directory. Quit.");
         verifyStdOutContainsString("Unable to determine OpenSearch lib directory. Quit.");
 
-        String expectedBaseDirValue = new File(currentDir).getParentFile().getParentFile().getParentFile().getAbsolutePath()
-            + File.separator;
+        String expectedBaseDirValue = new File(currentDir).getAbsolutePath() + File.separator;
         String expectedOpensearchConfFilePath = expectedBaseDirValue + "config" + File.separator + "opensearch.yml";
         String expectedOpensearchBinDirPath = expectedBaseDirValue + "bin" + File.separator;
         String expectedOpensearchPluginDirPath = expectedBaseDirValue + "plugins" + File.separator;

@@ -1,6 +1,22 @@
 @echo off
 set DIR=%~dp0
 
+if defined OPENSEARCH_HOME goto find_home_done
+
+set "OPENSEARCH_HOME=%DIR%"
+:find_home
+if exist "%OPENSEARCH_HOME%lib\opensearch-*.jar" goto find_home_done
+for %%I in ("%OPENSEARCH_HOME%.") do set "PARENT=%%~dpI"
+if "%PARENT%" == "%OPENSEARCH_HOME%" (
+  echo Could not locate OpenSearch home. Set OPENSEARCH_HOME manually. 1>&2
+  exit /b 1
+)
+set "OPENSEARCH_HOME=%PARENT%"
+goto find_home
+:find_home_done
+
+set "PLUGIN_DIR=%OPENSEARCH_HOME%plugins\opensearch-security"
+
 if defined OPENSEARCH_JAVA_HOME (
   set BIN_PATH="%OPENSEARCH_JAVA_HOME%\bin\java.exe"
 ) else if defined JAVA_HOME (
@@ -11,4 +27,4 @@ if defined OPENSEARCH_JAVA_HOME (
   exit /b 1
 )
 
-%BIN_PATH% -cp "%DIR%\..\*;%DIR%\..\..\..\lib\*;%DIR%\..\deps\*" org.opensearch.security.tools.AuditConfigMigrater %*
+%BIN_PATH% -cp "%PLUGIN_DIR%\*;%PLUGIN_DIR%\deps\*;%OPENSEARCH_HOME%lib\*" org.opensearch.security.tools.AuditConfigMigrater %*
@@ -15,6 +15,19 @@ else
     DIR="$( cd "$( dirname "$(realpath "$SCRIPT_PATH")" )" && pwd -P)"
 fi
 
+if [ -z "$OPENSEARCH_HOME" ]; then
+  OPENSEARCH_HOME="$DIR"
+  while [ "$OPENSEARCH_HOME" != "/" ] && [ -z "$(ls "$OPENSEARCH_HOME/lib/opensearch-"*.jar 2>/dev/null)" ]; do
+    OPENSEARCH_HOME="$(dirname "$OPENSEARCH_HOME")"
+  done
+  if [ "$OPENSEARCH_HOME" = "/" ]; then
+    echo "Could not locate OpenSearch home. Set OPENSEARCH_HOME manually." >&2
+    exit 1
+  fi
+fi
+
+PLUGIN_DIR="$OPENSEARCH_HOME/plugins/opensearch-security"
+
 BIN_PATH="java"
 
 # now set the path to java: first OPENSEARCH_JAVA_HOME, then JAVA_HOME
@@ -26,4 +39,4 @@ else
     echo "WARNING: nor OPENSEARCH_JAVA_HOME nor JAVA_HOME is set, will use $(which $BIN_PATH)"
 fi
 
-"$BIN_PATH" $JAVA_OPTS -cp "$DIR/../../opendistro_security_ssl/*:$DIR/../*:$DIR/../deps/*:$DIR/../../../lib/*" org.opensearch.security.tools.AuditConfigMigrater "$@"
+"$BIN_PATH" $JAVA_OPTS -cp "$PLUGIN_DIR/*:$PLUGIN_DIR/deps/*:$OPENSEARCH_HOME/lib/*" org.opensearch.security.tools.AuditConfigMigrater "$@"
@@ -1,15 +1,30 @@
-@echo off
-set DIR=%~dp0
-
-if defined OPENSEARCH_JAVA_HOME (
-  set BIN_PATH="%OPENSEARCH_JAVA_HOME%\bin\java.exe"
-) else if defined JAVA_HOME (
-  set BIN_PATH="%JAVA_HOME%\bin\java.exe"
-) else (
-  echo Unable to find java runtime
-  echo OPENSEARCH_JAVA_HOME or JAVA_HOME must be defined
-  exit /b 1
-)
-
-%BIN_PATH% -cp "%DIR%\..\*;%DIR%\..\..\..\lib\*;%DIR%\..\deps\*" org.opensearch.security.tools.Hasher %*
-
+@echo off
+set DIR=%~dp0
+
+if defined OPENSEARCH_HOME goto find_home_done
+
+set "OPENSEARCH_HOME=%DIR%"
+:find_home
+if exist "%OPENSEARCH_HOME%lib\opensearch-*.jar" goto find_home_done
+for %%I in ("%OPENSEARCH_HOME%.") do set "PARENT=%%~dpI"
+if "%PARENT%" == "%OPENSEARCH_HOME%" (
+  echo Could not locate OpenSearch home. Set OPENSEARCH_HOME manually. 1>&2
+  exit /b 1
+)
+set "OPENSEARCH_HOME=%PARENT%"
+goto find_home
+:find_home_done
+
+set "PLUGIN_DIR=%OPENSEARCH_HOME%plugins\opensearch-security"
+
+if defined OPENSEARCH_JAVA_HOME (
+  set BIN_PATH="%OPENSEARCH_JAVA_HOME%\bin\java.exe"
+) else if defined JAVA_HOME (
+  set BIN_PATH="%JAVA_HOME%\bin\java.exe"
+) else (
+  echo Unable to find java runtime
+  echo OPENSEARCH_JAVA_HOME or JAVA_HOME must be defined
+  exit /b 1
+)
+
+%BIN_PATH% -cp "%PLUGIN_DIR%\*;%PLUGIN_DIR%\deps\*;%OPENSEARCH_HOME%lib\*" org.opensearch.security.tools.Hasher %*
@@ -15,6 +15,19 @@ else
     DIR="$( cd "$( dirname "$(realpath "$SCRIPT_PATH")" )" && pwd -P)"
 fi
 
+if [ -z "$OPENSEARCH_HOME" ]; then
+  OPENSEARCH_HOME="$DIR"
+  while [ "$OPENSEARCH_HOME" != "/" ] && [ -z "$(ls "$OPENSEARCH_HOME/lib/opensearch-"*.jar 2>/dev/null)" ]; do
+    OPENSEARCH_HOME="$(dirname "$OPENSEARCH_HOME")"
+  done
+  if [ "$OPENSEARCH_HOME" = "/" ]; then
+    echo "Could not locate OpenSearch home. Set OPENSEARCH_HOME manually." >&2
+    exit 1
+  fi
+fi
+
+PLUGIN_DIR="$OPENSEARCH_HOME/plugins/opensearch-security"
+
 BIN_PATH="java"
 
 # now set the path to java: first OPENSEARCH_JAVA_HOME, then JAVA_HOME
@@ -26,5 +39,4 @@ else
     echo "WARNING: nor OPENSEARCH_JAVA_HOME nor JAVA_HOME is set, will use $(which $BIN_PATH)"
 fi
 
-
-"$BIN_PATH" $JAVA_OPTS -cp "$DIR/../../opendistro_security_ssl/*:$DIR/../*:$DIR/../deps/*:$DIR/../../../lib/*" org.opensearch.security.tools.Hasher "$@"
+"$BIN_PATH" $JAVA_OPTS -cp "$PLUGIN_DIR/*:$PLUGIN_DIR/deps/*:$OPENSEARCH_HOME/lib/*" org.opensearch.security.tools.Hasher "$@"
@@ -1,29 +1,42 @@
 @echo off
 set DIR=%~dp0
-
 set CUR_DIR=%DIR%
 
-rem set opensearch home for instances when using bundled jdk
-if not defined OPENSEARCH_HOME (
-  for %%I in ("%DIR%..\..\..") do set "OPENSEARCH_HOME=%%~dpfI"
+if defined OPENSEARCH_HOME goto find_home_done
+
+set "OPENSEARCH_HOME=%DIR%"
+:find_home
+if exist "%OPENSEARCH_HOME%lib\opensearch-*.jar" goto find_home_done
+for %%I in ("%OPENSEARCH_HOME%.") do set "PARENT=%%~dpI"
+if "%PARENT%" == "%OPENSEARCH_HOME%" (
+  echo Could not locate OpenSearch home. Set OPENSEARCH_HOME manually. 1>&2
+  exit /b 1
 )
+set "OPENSEARCH_HOME=%PARENT%"
+goto find_home
+:find_home_done
 cd %CUR_DIR%
 
+set "PLUGIN_DIR=%OPENSEARCH_HOME%plugins\opensearch-security"
+
 if not "%OPENSEARCH_JAVA_HOME%" == "" (
   set "JAVA=%OPENSEARCH_JAVA_HOME%\bin\java.exe"
   set JAVA_TYPE=OPENSEARCH_JAVA_HOME
 ) else if not "%JAVA_HOME%" == "" (
   set "JAVA=%JAVA_HOME%\bin\java.exe"
   set JAVA_TYPE=JAVA_HOME
 ) else (
-  set "JAVA=%OPENSEARCH_HOME%\jdk\bin\java.exe"
-  set "JAVA_HOME=%OPENSEARCH_HOME%\jdk"
+  set "JAVA=%OPENSEARCH_HOME%jdk\bin\java.exe"
+  set "JAVA_HOME=%OPENSEARCH_HOME%jdk"
   set JAVA_TYPE=bundled jdk
 )
 
 if not exist "%JAVA%" (
-  echo "could not find java in %JAVA_TYPE% at %JAVA%" >&2
+  echo could not find java in %JAVA_TYPE% at %JAVA% 1>&2
   exit /b 1
 )
 
-"%JAVA%" -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "%DIR%\..\*;%DIR%\..\..\..\lib\*;%DIR%\..\deps\*" org.opensearch.security.tools.democonfig.Installer %DIR% %* 2> nul
+set "OPENSEARCH_HOME_ARG=%OPENSEARCH_HOME%"
+if "%OPENSEARCH_HOME_ARG:~-1%" == "\" set "OPENSEARCH_HOME_ARG=%OPENSEARCH_HOME_ARG:~0,-1%"
+
+"%JAVA%" -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "%PLUGIN_DIR%\*;%PLUGIN_DIR%\deps\*;%OPENSEARCH_HOME%lib\*" org.opensearch.security.tools.democonfig.Installer "%OPENSEARCH_HOME_ARG%" %* 2> nul
@@ -25,12 +25,19 @@ else
     DIR="$( cd "$( dirname "$(realpath "$SCRIPT_PATH")" )" && pwd -P)"
 fi
 
-
 if [ -z "$OPENSEARCH_HOME" ]; then
-  # move to opensearch root folder and set the variable
-  OPENSEARCH_HOME=`cd "$DIR/../../.."; pwd`
+  OPENSEARCH_HOME="$DIR"
+  while [ "$OPENSEARCH_HOME" != "/" ] && [ -z "$(ls "$OPENSEARCH_HOME/lib/opensearch-"*.jar 2>/dev/null)" ]; do
+    OPENSEARCH_HOME="$(dirname "$OPENSEARCH_HOME")"
+  done
+  if [ "$OPENSEARCH_HOME" = "/" ]; then
+    echo "Could not locate OpenSearch home. Set OPENSEARCH_HOME manually." >&2
+    exit 1
+  fi
 fi
 
+PLUGIN_DIR="$OPENSEARCH_HOME/plugins/opensearch-security"
+
 # now set the path to java: OPENSEARCH_JAVA_HOME -> JAVA_HOME -> bundled JRE -> bundled JDK
 if [ -n "$OPENSEARCH_JAVA_HOME" ]; then
   JAVA="$OPENSEARCH_JAVA_HOME/bin/java"
@@ -61,4 +68,4 @@ if [ ! -x "$JAVA" ]; then
     exit 1
 fi
 
-"$JAVA" -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "$DIR/../*:$DIR/../../../lib/*:$DIR/../deps/*" org.opensearch.security.tools.democonfig.Installer "$DIR" "$@" 2>/dev/null
+"$JAVA" -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "$PLUGIN_DIR/*:$PLUGIN_DIR/deps/*:$OPENSEARCH_HOME/lib/*" org.opensearch.security.tools.democonfig.Installer "$OPENSEARCH_HOME" "$@" 2>/dev/null
@@ -1,14 +1,30 @@
-@echo off
-set DIR=%~dp0
-
-if defined OPENSEARCH_JAVA_HOME (
-  set BIN_PATH="%OPENSEARCH_JAVA_HOME%\bin\java.exe"
-) else if defined JAVA_HOME (
-  set BIN_PATH="%JAVA_HOME%\bin\java.exe"
-) else (
-  echo Unable to find java runtime
-  echo OPENSEARCH_JAVA_HOME or JAVA_HOME must be defined
-  exit /b 1
-)
-
-%BIN_PATH% -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "%DIR%\..\*;%DIR%\..\..\..\lib\*;%DIR%\..\deps\*" org.opensearch.security.tools.SecurityAdmin %* 2> nul
+@echo off
+set DIR=%~dp0
+
+if defined OPENSEARCH_HOME goto find_home_done
+
+set "OPENSEARCH_HOME=%DIR%"
+:find_home
+if exist "%OPENSEARCH_HOME%lib\opensearch-*.jar" goto find_home_done
+for %%I in ("%OPENSEARCH_HOME%.") do set "PARENT=%%~dpI"
+if "%PARENT%" == "%OPENSEARCH_HOME%" (
+  echo Could not locate OpenSearch home. Set OPENSEARCH_HOME manually. 1>&2
+  exit /b 1
+)
+set "OPENSEARCH_HOME=%PARENT%"
+goto find_home
+:find_home_done
+
+set "PLUGIN_DIR=%OPENSEARCH_HOME%plugins\opensearch-security"
+
+if defined OPENSEARCH_JAVA_HOME (
+  set BIN_PATH="%OPENSEARCH_JAVA_HOME%\bin\java.exe"
+) else if defined JAVA_HOME (
+  set BIN_PATH="%JAVA_HOME%\bin\java.exe"
+) else (
+  echo Unable to find java runtime
+  echo OPENSEARCH_JAVA_HOME or JAVA_HOME must be defined
+  exit /b 1
+)
+
+%BIN_PATH% -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "%PLUGIN_DIR%\*;%PLUGIN_DIR%\deps\*;%OPENSEARCH_HOME%lib\*" org.opensearch.security.tools.SecurityAdmin %* 2> nul
@@ -15,6 +15,19 @@ else
     DIR="$( cd "$( dirname "$(realpath "$SCRIPT_PATH")" )" && pwd -P)"
 fi
 
+if [ -z "$OPENSEARCH_HOME" ]; then
+  OPENSEARCH_HOME="$DIR"
+  while [ "$OPENSEARCH_HOME" != "/" ] && [ -z "$(ls "$OPENSEARCH_HOME/lib/opensearch-"*.jar 2>/dev/null)" ]; do
+    OPENSEARCH_HOME="$(dirname "$OPENSEARCH_HOME")"
+  done
+  if [ "$OPENSEARCH_HOME" = "/" ]; then
+    echo "Could not locate OpenSearch home. Set OPENSEARCH_HOME manually." >&2
+    exit 1
+  fi
+fi
+
+PLUGIN_DIR="$OPENSEARCH_HOME/plugins/opensearch-security"
+
 BIN_PATH="java"
 
 # now set the path to java: first OPENSEARCH_JAVA_HOME, then JAVA_HOME
@@ -26,4 +39,4 @@ else
     echo "WARNING: nor OPENSEARCH_JAVA_HOME nor JAVA_HOME is set, will use $(which $BIN_PATH)"
 fi
 
-"$BIN_PATH" $JAVA_OPTS -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "$DIR/../*:$DIR/../../../lib/*:$DIR/../deps/*" org.opensearch.security.tools.SecurityAdmin "$@" 2>/dev/null
+"$BIN_PATH" $JAVA_OPTS -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "$PLUGIN_DIR/*:$PLUGIN_DIR/deps/*:$OPENSEARCH_HOME/lib/*" org.opensearch.security.tools.SecurityAdmin "$@" 2>/dev/null