API access issue for securityadmin.bat

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

{
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.7.0",
    "build_type" : "zip",
    "build_hash" : "b7a6e09e492b1e965d827525f7863b366ef0e304",
    "build_date" : "2023-04-27T22:07:30.119689100Z",
    "build_snapshot" : false,
    "lucene_version" : "9.5.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  }
}

OS: Windows server 2019

Describe the issue:
When running the following command:

securityadmin.bat -cert ..\..\..\config\cert\kirk.pem -cacert ..\..\..\config\cert\root-ca.pem -key ..\..\..\config\cert\admin-key.pem -diagnose -nhnv

I have an error message telling me the superadmin cannot access /_nodes

"**************************************************************************"
"** This tool will be deprecated in the next major release of OpenSearch **"
"** https://github.com/opensearch-project/security/issues/1755           **"
"**************************************************************************"
Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=kirk,O=Default Company Ltd,L=Default City,C=XX"
Unable to check whether cluster is sane
ERR: An unexpected ResponseException occured: method [GET], host [https://localhost:9200], URI [/_nodes], status line [HTTP/1.1 401 Unauthorized]
Unauthorized
Trace:
org.opensearch.client.ResponseException: method [GET], host [https://localhost:9200], URI [/_nodes], status line [HTTP/1.1 401 Unauthorized]
Unauthorized
        at org.opensearch.client.RestClient.convertResponse(RestClient.java:375)
        at org.opensearch.client.RestClient.performRequest(RestClient.java:345)
        at org.opensearch.client.RestClient.performRequest(RestClient.java:320)
        at org.opensearch.security.tools.SecurityAdmin.issueWarnings(SecurityAdmin.java:1102)
        at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:498)
        at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:162)

Configuration:

network.host: 0.0.0.0
discovery.type: single-node
plugins.security.disabled: false
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]



plugins.security.allow_default_init_securityindex: true
plugins.security.audit.type: internal_opensearch
plugins.security.audit.config.index: "'auditlog-'YYYY.MM.dd"

plugins.security.ssl.transport.pemcert_filepath: cert/node.pem
plugins.security.ssl.transport.pemkey_filepath: cert/node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: cert/root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: cert/node.pem
plugins.security.ssl.http.pemkey_filepath: cert/node-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: cert/root-ca.pem
plugins.security.ssl.http.clientauth_mode: OPTIONAL
plugins.security.authcz.admin_dn: ["CN=kirk,O=Default Company Ltd,L=Default City,C=XX"]
plugins.security.nodes_dn:
  - "CN=*.xxx.org,OU=IT,O=ORG,L=City,ST=DDDDD,C=DD"

I have been looking for a solution for days, with absolutely no clues. Do you have any idea where the issue could come from?

Thank you in advance for your help, kind regards

Could you share the output of the below API calls?

GET _cluster/health  
GET _cat/nodes

Hello @pablo ,

First thank you for your reply.
So for GET _cluster/health :

{
  "cluster_name": "ITSEC-OpenSearch",
  "status": "yellow",
  "timed_out": false,
  "number_of_nodes": 1,
  "number_of_data_nodes": 1,
  "discovered_master": true,
  "discovered_cluster_manager": true,
  "active_primary_shards": 6,
  "active_shards": 6,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 2,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 75
}

and for GET _cat/nodes:

10.10.242.71 50 20 1    dimr cluster_manager,data,ingest,remote_cluster_client * io-ws-elk1

And I looked at GET _plugins/_security/api/roles/ :

{
  "security_analytics_ack_alerts": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opensearch/securityanalytics/alerts/*"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "observability_read_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opensearch/observability/get"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "kibana_user": {
    "reserved": true,
    "hidden": false,
    "description": "Provide the minimum permissions for a kibana user",
    "cluster_permissions": [
      "cluster_composite_ops"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          ".kibana",
          ".kibana-6",
          ".kibana_*",
          ".opensearch_dashboards",
          ".opensearch_dashboards-6",
          ".opensearch_dashboards_*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read",
          "delete",
          "manage",
          "index"
        ]
      },
      {
        "index_patterns": [
          ".tasks",
          ".management-beats",
          "*:.tasks",
          "*:.management-beats"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_all"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": true
  },
  "own_index": {
    "reserved": true,
    "hidden": false,
    "description": "Allow all for indices named like the current user",
    "cluster_permissions": [
      "cluster_composite_ops"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "${user_name}"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_all"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": true
  },
  "alerting_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster_monitor",
      "cluster:admin/opendistro/alerting/*",
      "cluster:admin/opensearch/alerting/*",
      "cluster:admin/opensearch/notifications/feature/publish"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_monitor",
          "indices:admin/aliases/get",
          "indices:admin/mappings/get"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  },
  "snapshot_management_read_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opensearch/snapshot_management/policy/get",
      "cluster:admin/opensearch/snapshot_management/policy/search",
      "cluster:admin/opensearch/snapshot_management/policy/explain",
      "cluster:admin/repository/get",
      "cluster:admin/snapshot/get"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "all_access": {
    "reserved": true,
    "hidden": false,
    "description": "Allow full access to all indices and all cluster APIs",
    "cluster_permissions": [
      "*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "*"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "*"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": true
  },
  "alerting_read_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opendistro/alerting/alerts/get",
      "cluster:admin/opendistro/alerting/destination/get",
      "cluster:admin/opendistro/alerting/monitor/get",
      "cluster:admin/opendistro/alerting/monitor/search",
      "cluster:admin/opensearch/alerting/findings/get"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "cross_cluster_replication_follower_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/plugins/replication/autofollow/update"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices:admin/plugins/replication/index/setup/validate",
          "indices:data/write/plugins/replication/changes",
          "indices:admin/plugins/replication/index/start",
          "indices:admin/plugins/replication/index/pause",
          "indices:admin/plugins/replication/index/resume",
          "indices:admin/plugins/replication/index/stop",
          "indices:admin/plugins/replication/index/update",
          "indices:admin/plugins/replication/index/status_check"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  },
  "manage_snapshots": {
    "reserved": true,
    "hidden": false,
    "description": "Provide the minimum permissions for managing snapshots",
    "cluster_permissions": [
      "manage_snapshots"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices:data/write/index",
          "indices:admin/create"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": true
  },
  "logstash": {
    "reserved": true,
    "hidden": false,
    "description": "Provide the minimum permissions for logstash and beats",
    "cluster_permissions": [
      "cluster_monitor",
      "cluster_composite_ops",
      "indices:admin/template/get",
      "indices:admin/template/put",
      "cluster:admin/ingest/pipeline/put",
      "cluster:admin/ingest/pipeline/get"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "logstash-*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud",
          "create_index"
        ]
      },
      {
        "index_patterns": [
          "*beat*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud",
          "create_index"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": true
  },
  "observability_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opensearch/observability/create",
      "cluster:admin/opensearch/observability/update",
      "cluster:admin/opensearch/observability/delete",
      "cluster:admin/opensearch/observability/get"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "point_in_time_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "manage_point_in_time"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  },
  "notifications_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opensearch/notifications/*"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "notifications_read_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opensearch/notifications/configs/get",
      "cluster:admin/opensearch/notifications/features",
      "cluster:admin/opensearch/notifications/channels/get"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "cross_cluster_replication_leader_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices:admin/plugins/replication/index/setup/validate",
          "indices:data/read/plugins/replication/changes",
          "indices:data/read/plugins/replication/file_chunk"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  },
  "knn_read_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/knn_search_model_action",
      "cluster:admin/knn_get_model_action",
      "cluster:admin/knn_stats_action"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "security_analytics_read_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opensearch/securityanalytics/alerts/get",
      "cluster:admin/opensearch/securityanalytics/detector/get",
      "cluster:admin/opensearch/securityanalytics/detector/search",
      "cluster:admin/opensearch/securityanalytics/findings/get",
      "cluster:admin/opensearch/securityanalytics/mapping/get",
      "cluster:admin/opensearch/securityanalytics/mapping/view/get",
      "cluster:admin/opensearch/securityanalytics/rule/get",
      "cluster:admin/opensearch/securityanalytics/rule/search"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "security_analytics_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opensearch/securityanalytics/alerts/*",
      "cluster:admin/opensearch/securityanalytics/detector/*",
      "cluster:admin/opensearch/securityanalytics/findings/*",
      "cluster:admin/opensearch/securityanalytics/mapping/*",
      "cluster:admin/opensearch/securityanalytics/rule/*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices:admin/mapping/put",
          "indices:admin/mappings/get"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  },
  "knn_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/knn_training_model_action",
      "cluster:admin/knn_training_job_router_action",
      "cluster:admin/knn_training_job_route_decision_info_action",
      "cluster:admin/knn_warmup_action",
      "cluster:admin/knn_delete_model_action",
      "cluster:admin/knn_remove_model_from_cache_action",
      "cluster:admin/knn_update_model_graveyard_action",
      "cluster:admin/knn_search_model_action",
      "cluster:admin/knn_get_model_action",
      "cluster:admin/knn_stats_action"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "asynchronous_search_read_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opendistro/asynchronous_search/get"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "index_management_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opendistro/ism/*",
      "cluster:admin/opendistro/rollup/*",
      "cluster:admin/opendistro/transform/*",
      "cluster:admin/opensearch/notifications/feature/publish"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices:admin/opensearch/ism/*"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  },
  "readall_and_monitor": {
    "reserved": true,
    "hidden": false,
    "description": "Provide the minimum permissions for to readall indices and monitor the cluster",
    "cluster_permissions": [
      "cluster_monitor",
      "cluster_composite_ops_ro"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": true
  },
  "ml_read_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opensearch/ml/stats/nodes",
      "cluster:admin/opensearch/ml/models/get",
      "cluster:admin/opensearch/ml/models/search",
      "cluster:admin/opensearch/ml/tasks/get",
      "cluster:admin/opensearch/ml/tasks/search"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "kibana_read_only": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "reports_read_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opendistro/reports/definition/get",
      "cluster:admin/opendistro/reports/definition/list",
      "cluster:admin/opendistro/reports/instance/list",
      "cluster:admin/opendistro/reports/instance/get",
      "cluster:admin/opendistro/reports/menu/download"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "anomaly_read_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opendistro/ad/detector/info",
      "cluster:admin/opendistro/ad/detector/search",
      "cluster:admin/opendistro/ad/detectors/get",
      "cluster:admin/opendistro/ad/result/search",
      "cluster:admin/opendistro/ad/tasks/search",
      "cluster:admin/opendistro/ad/detector/validate",
      "cluster:admin/opendistro/ad/result/topAnomalies"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "anomaly_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster_monitor",
      "cluster:admin/opendistro/ad/*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_monitor",
          "indices:admin/aliases/get",
          "indices:admin/mappings/get"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  },
  "reports_instances_read_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opendistro/reports/instance/list",
      "cluster:admin/opendistro/reports/instance/get",
      "cluster:admin/opendistro/reports/menu/download"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "snapshot_management_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opensearch/snapshot_management/*",
      "cluster:admin/opensearch/notifications/feature/publish",
      "cluster:admin/repository/*",
      "cluster:admin/snapshot/*"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "readall": {
    "reserved": true,
    "hidden": false,
    "description": "Provide the minimum permissions for to readall indices",
    "cluster_permissions": [
      "cluster_composite_ops_ro"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": true
  },
  "asynchronous_search_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opendistro/asynchronous_search/*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices:data/read/search*"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  },
  "ml_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster_monitor",
      "cluster:admin/opensearch/ml/*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_monitor"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  },
  "reports_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opendistro/reports/definition/create",
      "cluster:admin/opendistro/reports/definition/update",
      "cluster:admin/opendistro/reports/definition/on_demand",
      "cluster:admin/opendistro/reports/definition/delete",
      "cluster:admin/opendistro/reports/definition/get",
      "cluster:admin/opendistro/reports/definition/list",
      "cluster:admin/opendistro/reports/instance/list",
      "cluster:admin/opendistro/reports/instance/get",
      "cluster:admin/opendistro/reports/menu/download"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "security_rest_api_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "alerting_ack_alerts": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opendistro/alerting/alerts/*"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "kibana_server": {
    "reserved": true,
    "hidden": false,
    "description": "Provide the minimum permissions for the Kibana server",
    "cluster_permissions": [
      "cluster_monitor",
      "cluster_composite_ops",
      "manage_point_in_time",
      "indices:admin/template*",
      "indices:admin/index_template*",
      "indices:data/read/scroll*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          ".kibana",
          ".opensearch_dashboards"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_all"
        ]
      },
      {
        "index_patterns": [
          ".kibana-6",
          ".opensearch_dashboards-6"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_all"
        ]
      },
      {
        "index_patterns": [
          ".kibana_*",
          ".opensearch_dashboards_*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_all"
        ]
      },
      {
        "index_patterns": [
          ".tasks"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_all"
        ]
      },
      {
        "index_patterns": [
          ".management-beats*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_all"
        ]
      },
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices:admin/aliases*"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": true
  },
  "notebooks_read_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opendistro/notebooks/list",
      "cluster:admin/opendistro/notebooks/get"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  },
  "notebooks_full_access": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opendistro/notebooks/create",
      "cluster:admin/opendistro/notebooks/update",
      "cluster:admin/opendistro/notebooks/delete",
      "cluster:admin/opendistro/notebooks/get",
      "cluster:admin/opendistro/notebooks/list"
    ],
    "index_permissions": [],
    "tenant_permissions": [],
    "static": false
  }
}

Is the admin-key.pem a private key of the kirk.pem?

Yes it is.

If the wrong key file is used, it simply cannot read the certificate and can’t get the DN, and as such prompts the “null” id.
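Both points raised in this exchange, whether admin-key.pem is the private key belonging to kirk.pem and whether the certificate's subject DN is the one listed in plugins.security.authcz.admin_dn, can be checked offline with openssl. The following is an added example, not part of the original thread or of the OpenSearch project; the function names are hypothetical, and make_sample builds a constructed throwaway certificate, key and opensearch.yml carrying the DN quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). All function names are hypothetical.
# Usage: sh <this-script> kirk.pem admin-key.pem opensearch.yml

# Public key embedded in the certificate, in PEM form.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey
}

# Public key derived from the private key file (RSA or EC).
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_pubkey() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
}

# Return 0 only when the private key belongs to the certificate.
cert_key_match() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Subject DN in RFC 2253 order, the form securityadmin prints after
# "Connected as" and the form used in admin_dn.
cert_subject_dn() {
    openssl x509 -in "$1" -noout -nameopt RFC2253 -subject | sed 's/^subject= *//'
}

# Print every double-quoted entry of plugins.security.authcz.admin_dn,
# one per line. Handles the inline ["..."] form and the "- ..." block form.
# Assumption: entries are double-quoted, as in the opensearch.yml above.
admin_dns() {
    awk '
        function emit(s) {
            while (match(s, /"[^"]*"/)) {
                print substr(s, RSTART + 1, RLENGTH - 2)
                s = substr(s, RSTART + RLENGTH)
            }
        }
        /^plugins\.security\.authcz\.admin_dn:/ {
            inlist = 1; sub(/^[^:]*:/, ""); emit($0); next
        }
        inlist && /^[ \t]*-/ { emit($0); next }
        inlist && /^[ \t]*(#.*)?$/ { next }
        { inlist = 0 }
    ' "$1"
}

# Return 0 when the certificate subject is listed verbatim in admin_dn.
# Exact string comparison: stricter than the plugin needs, but a mismatch
# here is worth looking at.
dn_is_admin() {
    dn=$(cert_subject_dn "$1")
    [ -n "$dn" ] || return 2
    admin_dns "$2" | grep -Fxq -- "$dn"
}

# Run both checks and report. $1 = cert, $2 = key, $3 = opensearch.yml
check_admin_cert() {
    if cert_key_match "$1" "$2"; then
        echo "key:      matches certificate"
    else
        echo "key:      does NOT match certificate"; return 1
    fi
    echo "subject:  $(cert_subject_dn "$1")"
    if dn_is_admin "$1" "$3"; then
        echo "admin_dn: subject is listed"
    else
        echo "admin_dn: subject is NOT listed"; return 1
    fi
}

# Constructed sample data in directory $1: a self-signed certificate with
# the DN quoted in the thread, its key, an unrelated key, and a two-setting
# opensearch.yml. Throwaway material for trying the checks only.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=kirk" \
        -keyout "$1/admin-key.pem" -out "$1/kirk.pem" 2>/dev/null &&
    openssl genrsa -out "$1/other-key.pem" 2048 2>/dev/null &&
    printf '%s\n' \
        'plugins.security.authcz.admin_dn: ["CN=kirk,O=Default Company Ltd,L=Default City,C=XX"]' \
        'plugins.security.nodes_dn:' \
        '  - "CN=*.xxx.org,OU=IT,O=ORG,L=City,ST=DDDDD,C=DD"' \
        > "$1/opensearch.yml"
}

if [ "$#" -eq 3 ]; then
    check_admin_cert "$1" "$2" "$3"
fi
```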

@florent Did you run GET calls from the Dev Tool or the curl?

@florent Could you share your config.yml?

I run them from the Dev Tools. I can also do it through Postman.

The config file:

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    #kibana:
    # Kibana multitenancy
    #multitenancy_enabled: true
    #private_tenant_enabled: true
    #default_tenant: ""
    #server_username: kibanaserver
    #index: '.kibana'
    
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        #remoteIpHeader:  'x-forwarded-for'
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: false
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            jwt_clock_skew_tolerance_seconds: 30
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        http_enabled: true
        transport_enabled: true
        order: 5
        http_authenticator:
            type: basic
            challenge: false
        authentication_backend:
          type: ldap
          config:
            pemtrustedcas_filepath: C:\Program Files\Opensearch\Opensearch\opensearch-2.7.0\config\cert\trustedcas.pem
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            hosts:
            - xxxxx:636
            - xxxxxxx:636
            - xxxxxxxx:636
            bind_dn: null
            password: null
            userbase: "xxxxxxxx"
            usersearch: "(sAMAccountName={0})"
            username_attribute: sAMAccountName
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            pemtrustedcas_filepath: cert\trustedcas.pem
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - xxxxxxx:636
            - xxxxxxxx:636
            - xxxxxxxxx:636
            bind_dn: null
            password: null
            rolebase: "xxxxxxxx"
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: "xxxxxxxxx"
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: "(sAMAccountName={0})"
            # Skip users matching a user name, a wildcard or a regex pattern
            skip_users:
              - 'cn=Michael Jackson,ou*people,o=TEST'
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap
          #config goes here ...
  #    auth_failure_listeners:
  #      ip_rate_limiting:
  #        type: ip
  #        allowed_tries: 10
  #        time_window_seconds: 3600
  #        block_expiry_seconds: 600
  #        max_blocked_clients: 100000
  #        max_tracked_clients: 100000
  #      internal_authentication_backend_limiting:
  #        type: username
  #        authentication_backend: intern
  #        allowed_tries: 10
  #        time_window_seconds: 3600
  #        block_expiry_seconds: 600
  #        max_blocked_clients: 100000
  #        max_tracked_clients: 100000

Can you try with Postman, using the kirk.pem and admin-key.pem certs?

As per the documentation, you need this line only for cert authentication.

Without certificate or credentials supplied:

Unauthorized

With certificates and no credentials supplied:

For https://localhost:9200/_cluster/health:
{
  "cluster_name": "ITSEC-OpenSearch",
  "status": "yellow",
  "timed_out": false,
  "number_of_nodes": 1,
  "number_of_data_nodes": 1,
  "discovered_master": true,
  "discovered_cluster_manager": true,
  "active_primary_shards": 6,
  "active_shards": 6,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 2,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 75.0
}

For https://localhost:9200/_nodes (the failing request in the script):
{
  "_nodes": {
    "total": 1,
    "successful": 1,
    "failed": 0
  },
  "cluster_name": "ITSEC-OpenSearch",
  "nodes": {
    "AeCY3QMGS0C5pH4N2OU7Pg": {
      "name": "xxxxx",
      "transport_address": "xxxxxx:9300",
      "host": "xxxxxx",
      "ip": "xxxxxxxxx",
      "version": "2.7.0",
      "build_type": "zip",
      "build_hash": "b7a6e09e492b1e965d827525f7863b366ef0e304",
      "total_indexing_buffer": 107374182,
      "roles": [
        "cluster_manager",
        "data",
        "ingest",
        "remote_cluster_client"
      ],
      "attributes": {
        "shard_indexing_pressure_enabled": "true"
      },
      "settings": {
        "cluster": {
          "name": "ITSEC-OpenSearch"
        },
        "node": {
          "attr": {
            "shard_indexing_pressure_enabled": "true"
          },
          "name": "io-ws-elk1"
        },
        "path": {
          "data": [
            "E:\\OpenSearch\\data"
          ],
          "logs": "E:\\OpenSearch\\logs",
          "home": "C:\\Program Files\\Opensearch\\Opensearch\\opensearch-2.7.0"
        },
        "discovery": {
          "type": "single-node"
        },
        "client": {
          "type": "node"
        },
        "http": {
          "compression": "false",
          "type": "org.opensearch.security.http.SecurityHttpServerTransport",
          "port": "9200",
          "type.default": "netty4"
        },
        "index": {
          "store": {
            "hybrid": {
              "mmap": {
                "extensions": [
                  "nvd",
                  "dvd",
                  "tim",
                  "tip",
                  "dim",
                  "kdd",
                  "kdi",
                  "cfs",
                  "doc",
                  "vec",
                  "vex"
                ]
              }
            }
          }
        },
        "transport": {
          "type": "org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport",
          "type.default": "netty4"
        },
        "network": {
          "host": "0.0.0.0"
        }
      },
      "os": {
        "refresh_interval_in_millis": 1000,
        "name": "Windows Server 2016",
        "pretty_name": "Windows Server 2016",
        "arch": "amd64",
        "version": "10.0",
        "available_processors": 16,
        "allocated_processors": 16
      },
      "process": {
        "refresh_interval_in_millis": 1000,
        "id": 21860,
        "mlockall": false
      },
      "jvm": {
        "pid": 21860,
        "version": "11",
        "vm_name": "OpenJDK 64-Bit Server VM",
        "vm_version": "11+28",
        "vm_vendor": "Oracle Corporation",
        "bundled_jdk": true,
        "using_bundled_jdk": false,
        "start_time_in_millis": 1685094568799,
        "mem": {
          "heap_init_in_bytes": 1073741824,
          "heap_max_in_bytes": 1073741824,
          "non_heap_init_in_bytes": 7667712,
          "non_heap_max_in_bytes": 0,
          "direct_max_in_bytes": 0
        },
        "gc_collectors": [
          "G1 Young Generation",
          "G1 Old Generation"
        ],
        "memory_pools": [
          "CodeHeap 'non-nmethods'",
          "Metaspace",
          "CodeHeap 'profiled nmethods'",
          "Compressed Class Space",
          "G1 Eden Space",
          "G1 Old Gen",
          "G1 Survivor Space",
          "CodeHeap 'non-profiled nmethods'"
        ],
        "using_compressed_ordinary_object_pointers": "true",
        "input_arguments": [
          "-Dopensearch.networkaddress.cache.ttl=60",
          "-Dopensearch.networkaddress.cache.negative.ttl=10",
          "-XX:+AlwaysPreTouch",
          "-Xss1m",
          "-Djava.awt.headless=true",
          "-Dfile.encoding=UTF-8",
          "-Djna.nosys=true",
          "-XX:-OmitStackTraceInFastThrow",
          "-Dio.netty.noUnsafe=true",
          "-Dio.netty.noKeySetOptimization=true",
          "-Dio.netty.recycler.maxCapacityPerThread=0",
          "-Dio.netty.allocator.numDirectArenas=0",
          "-Dlog4j.shutdownHookEnabled=false",
          "-Dlog4j2.disable.jmx=true",
          "-Djava.locale.providers=SPI,COMPAT",
          "-Xms1g",
          "-Xmx1g",
          "-XX:+UseG1GC",
          "-XX:G1ReservePercent=25",
          "-XX:InitiatingHeapOccupancyPercent=30",
          "-Djava.io.tmpdir=C:\\Users\\LABOUY~1\\AppData\\Local\\Temp\\opensearch",
          "-XX:+HeapDumpOnOutOfMemoryError",
          "-XX:HeapDumpPath=data",
          "-XX:ErrorFile=logs/hs_err_pid%p.log",
          "-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m",
          "-XX:MaxDirectMemorySize=536870912",
          "-Dopensearch",
          "-Dopensearch.path.home=C:\\Program Files\\Opensearch\\Opensearch\\opensearch-2.7.0",
          "-Dopensearch.path.conf=C:\\Program Files\\Opensearch\\Opensearch\\opensearch-2.7.0\\config",
          "-Dopensearch.distribution.type=zip",
          "-Dopensearch.bundled_jdk=true"
        ]
      },
      "thread_pool": {
        "force_merge": {
          "type": "fixed",
          "size": 1,
          "queue_size": -1
        },
        "fetch_shard_started": {
          "type": "scaling",
          "core": 1,
          "max": 32,
          "keep_alive": "5m",
          "queue_size": -1
        },
        "listener": {
          "type": "fixed",
          "size": 8,
          "queue_size": -1
        },
        "opensearch_ml_execute": {
          "type": "fixed",
          "size": 15,
          "queue_size": 10
        },
        "training": {
          "type": "fixed",
          "size": 1,
          "queue_size": 1
        },
        "opensearch_ml_train": {
          "type": "fixed",
          "size": 15,
          "queue_size": 10
        },
        "remote_purge": {
          "type": "scaling",
          "core": 1,
          "max": 5,
          "keep_alive": "5m",
          "queue_size": -1
        },
        "sql-worker": {
          "type": "fixed",
          "size": 16,
          "queue_size": 1000
        },
        "search": {
          "type": "fixed_auto_queue_size",
          "size": 25,
          "queue_size": 1000
        },
        "opensearch_asynchronous_search_generic": {
          "type": "scaling",
          "core": 1,
          "max": 32,
          "keep_alive": "30m",
          "queue_size": -1
        },
        "flush": {
          "type": "scaling",
          "core": 1,
          "max": 5,
          "keep_alive": "5m",
          "queue_size": -1
        },
        "fetch_shard_store": {
          "type": "scaling",
          "core": 1,
          "max": 32,
          "keep_alive": "5m",
          "queue_size": -1
        },
        "opensearch_ml_predict": {
          "type": "fixed",
          "size": 32,
          "queue_size": 10000
        },
        "get": {
          "type": "fixed",
          "size": 16,
          "queue_size": 1000
        },
        "system_read": {
          "type": "fixed",
          "size": 5,
          "queue_size": 2000
        },
        "open_distro_job_scheduler": {
          "type": "fixed",
          "size": 16,
          "queue_size": 200
        },
        "write": {
          "type": "fixed",
          "size": 16,
          "queue_size": 10000
        },
        "opensearch_ml_general": {
          "type": "fixed",
          "size": 15,
          "queue_size": 100
        },
        "replication_follower": {
          "type": "scaling",
          "core": 1,
          "max": 10,
          "keep_alive": "1m",
          "queue_size": -1
        },
        "refresh": {
          "type": "scaling",
          "core": 1,
          "max": 8,
          "keep_alive": "5m",
          "queue_size": -1
        },
        "opensearch_ml_deploy": {
          "type": "fixed",
          "size": 15,
          "queue_size": 10
        },
        "replication_leader": {
          "type": "fixed",
          "size": 25,
          "queue_size": 1000
        },
        "translog_sync": {
          "type": "fixed",
          "size": 64,
          "queue_size": 10000
        },
        "system_write": {
          "type": "fixed",
          "size": 5,
          "queue_size": 1000
        },
        "generic": {
          "type": "scaling",
          "core": 4,
          "max": 128,
          "keep_alive": "30s",
          "queue_size": -1
        },
        "warmer": {
          "type": "scaling",
          "core": 1,
          "max": 5,
          "keep_alive": "5m",
          "queue_size": -1
        },
        "translog_transfer": {
          "type": "scaling",
          "core": 1,
          "max": 8,
          "keep_alive": "5m",
          "queue_size": -1
        },
        "opensearch_ml_register": {
          "type": "fixed",
          "size": 15,
          "queue_size": 10
        },
        "management": {
          "type": "scaling",
          "core": 1,
          "max": 5,
          "keep_alive": "5m",
          "queue_size": -1
        },
        "analyze": {
          "type": "fixed",
          "size": 1,
          "queue_size": 16
        },
        "ad-threadpool": {
          "type": "scaling",
          "core": 1,
          "max": 8,
          "keep_alive": "10m",
          "queue_size": -1
        },
        "snapshot": {
          "type": "scaling",
          "core": 1,
          "max": 5,
          "keep_alive": "5m",
          "queue_size": -1
        },
        "search_throttled": {
          "type": "fixed_auto_queue_size",
          "size": 1,
          "queue_size": 100
        },
        "ad-batch-task-threadpool": {
          "type": "scaling",
          "core": 1,
          "max": 2,
          "keep_alive": "10m",
          "queue_size": -1
        }
      },
      "transport": {
        "bound_address": [
          "[::]:9300"
        ],
        "publish_address": "10.10.242.71:9300",
        "profiles": {
          
        }
      },
      "http": {
        "bound_address": [
          "[::]:9200"
        ],
        "publish_address": "10.10.242.71:9200",
        "max_content_length_in_bytes": 104857600
      },
      "plugins": [
        {
          "name": "opensearch-alerting",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Amazon OpenSearch alerting plugin",
          "classname": "org.opensearch.alerting.AlertingPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            "lang-painless"
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-anomaly-detection",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "OpenSearch anomaly detector plugin",
          "classname": "org.opensearch.ad.AnomalyDetectorPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            "lang-painless",
            "opensearch-job-scheduler"
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-asynchronous-search",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Provides support for asynchronous search",
          "classname": "org.opensearch.search.asynchronous.plugin.AsynchronousSearchPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-cross-cluster-replication",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "OpenSearch Cross Cluster Replication Plugin",
          "classname": "org.opensearch.replication.ReplicationPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-geospatial",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "OpenSearch Geospatial plugin to host geospatial features",
          "classname": "org.opensearch.geospatial.plugin.GeospatialPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-index-management",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "OpenSearch Index Management Plugin",
          "classname": "org.opensearch.indexmanagement.IndexManagementPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            "opensearch-job-scheduler"
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-job-scheduler",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "OpenSearch Job Scheduler plugin",
          "classname": "org.opensearch.jobscheduler.JobSchedulerPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-knn",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "OpenSearch k-NN plugin",
          "classname": "org.opensearch.knn.plugin.KNNPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            "lang-painless"
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-ml",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "machine learning plugin for opensearch",
          "classname": "org.opensearch.ml.plugin.MachineLearningPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-neural-search",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "A plugin that adds dense neural retrieval into the OpenSearch ecosytem",
          "classname": "org.opensearch.neuralsearch.plugin.NeuralSearch",
          "custom_foldername": "",
          "extended_plugins": [
            "opensearch-knn"
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-notifications",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "OpenSearch Notifications Plugin",
          "classname": "org.opensearch.notifications.NotificationPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            "opensearch-notifications-core"
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-notifications-core",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "OpenSearch Notifications Core Plugin",
          "classname": "org.opensearch.notifications.core.NotificationCorePlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-observability",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "OpenSearch Plugin for OpenSearch Dashboards Observability",
          "classname": "org.opensearch.observability.ObservabilityPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            "opensearch-job-scheduler"
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-reports-scheduler",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Scheduler for Dashboards Reports Plugin",
          "classname": "org.opensearch.reportsscheduler.ReportsSchedulerPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            "opensearch-job-scheduler"
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-security",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Provide access control related features for OpenSearch",
          "classname": "org.opensearch.security.OpenSearchSecurityPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-security-analytics",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "OpenSearch Security Analytics plugin",
          "classname": "org.opensearch.securityanalytics.SecurityAnalyticsPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-sql",
          "version": "2.7.0.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "OpenSearch SQL",
          "classname": "org.opensearch.sql.plugin.SQLPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        }
      ],
      "modules": [
        {
          "name": "aggs-matrix-stats",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Adds aggregations whose input are a list of numeric fields and output includes a matrix.",
          "classname": "org.opensearch.search.aggregations.matrix.MatrixAggregationPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "analysis-common",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Adds \"built in\" analyzers to OpenSearch.",
          "classname": "org.opensearch.analysis.common.CommonAnalysisPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            "lang-painless"
          ],
          "has_native_controller": false
        },
        {
          "name": "geo",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Plugin for geospatial features in OpenSearch. Registering the geo_shape and aggregations GeoBounds on Geo_Shape and Geo_Point",
          "classname": "org.opensearch.geo.GeoModulePlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "ingest-common",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Module for ingest processors that do not require additional security permissions or have large dependencies and resources",
          "classname": "org.opensearch.ingest.common.IngestCommonPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            "lang-painless"
          ],
          "has_native_controller": false
        },
        {
          "name": "ingest-geoip",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Ingest processor that uses looksup geo data based on ip adresses using the Maxmind geo database",
          "classname": "org.opensearch.ingest.geoip.IngestGeoIpPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "ingest-user-agent",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Ingest processor that extracts information from a user agent",
          "classname": "org.opensearch.ingest.useragent.IngestUserAgentPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "lang-expression",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Lucene expressions integration for OpenSearch",
          "classname": "org.opensearch.script.expression.ExpressionPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "lang-mustache",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Mustache scripting integration for OpenSearch",
          "classname": "org.opensearch.script.mustache.MustachePlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "lang-painless",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "An easy, safe and fast scripting language for OpenSearch",
          "classname": "org.opensearch.painless.PainlessPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "mapper-extras",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Adds advanced field mappers",
          "classname": "org.opensearch.index.mapper.MapperExtrasPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "opensearch-dashboards",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Plugin exposing APIs for OpenSearch Dashboards system indices",
          "classname": "org.opensearch.dashboards.OpenSearchDashboardsPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "parent-join",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "This module adds the support parent-child queries and aggregations",
          "classname": "org.opensearch.join.ParentJoinPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "percolator",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Percolator module adds capability to index queries and query these queries by specifying documents",
          "classname": "org.opensearch.percolator.PercolatorPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "rank-eval",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "The Rank Eval module adds APIs to evaluate ranking quality.",
          "classname": "org.opensearch.index.rankeval.RankEvalPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "reindex",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "The Reindex module adds APIs to reindex from one index to another or update documents in place.",
          "classname": "org.opensearch.index.reindex.ReindexPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "repository-url",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Module for URL repository",
          "classname": "org.opensearch.plugin.repository.url.URLRepositoryPlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "search-pipeline-common",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Module for search pipeline processors that do not require additional security permissions or have large dependencies and resources",
          "classname": "org.opensearch.search.pipeline.common.SearchPipelineCommonModulePlugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        },
        {
          "name": "transport-netty4",
          "version": "2.7.0",
          "opensearch_version": "2.7.0",
          "java_version": "11",
          "description": "Netty 4 based transport implementation",
          "classname": "org.opensearch.transport.Netty4Plugin",
          "custom_foldername": "",
          "extended_plugins": [
            
          ],
          "has_native_controller": false
        }
      ],
      "ingest": {
        "processors": [
          {
            "type": "append"
          },
          {
            "type": "bytes"
          },
          {
            "type": "convert"
          },
          {
            "type": "csv"
          },
          {
            "type": "date"
          },
          {
            "type": "date_index_name"
          },
          {
            "type": "dissect"
          },
          {
            "type": "dot_expander"
          },
          {
            "type": "drop"
          },
          {
            "type": "fail"
          },
          {
            "type": "foreach"
          },
          {
            "type": "geoip"
          },
          {
            "type": "geojson-feature"
          },
          {
            "type": "grok"
          },
          {
            "type": "gsub"
          },
          {
            "type": "html_strip"
          },
          {
            "type": "join"
          },
          {
            "type": "json"
          },
          {
            "type": "kv"
          },
          {
            "type": "lowercase"
          },
          {
            "type": "pipeline"
          },
          {
            "type": "remove"
          },
          {
            "type": "rename"
          },
          {
            "type": "script"
          },
          {
            "type": "set"
          },
          {
            "type": "sort"
          },
          {
            "type": "split"
          },
          {
            "type": "text_embedding"
          },
          {
            "type": "trim"
          },
          {
            "type": "uppercase"
          },
          {
            "type": "urldecode"
          },
          {
            "type": "user_agent"
          }
        ]
      },
      "aggregations": {
        "adjacency_matrix": {
          "types": [
            "other"
          ]
        },
        "auto_date_histogram": {
          "types": [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "avg": {
          "types": [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "cardinality": {
          "types": [
            "boolean",
            "bytes",
            "date",
            "geopoint",
            "ip",
            "numeric",
            "range"
          ]
        },
        "children": {
          "types": [
            "other"
          ]
        },
        "composite": {
          "types": [
            "other"
          ]
        },
        "date_histogram": {
          "types": [
            "boolean",
            "date",
            "numeric",
            "range"
          ]
        },
        "date_range": {
          "types": [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "diversified_sampler": {
          "types": [
            "boolean",
            "bytes",
            "date",
            "numeric"
          ]
        },
        "extended_stats": {
          "types": [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "filter": {
          "types": [
            "other"
          ]
        },
        "filters": {
          "types": [
            "other"
          ]
        },
        "geo_bounds": {
          "types": [
            "geopoint"
          ]
        },
        "geo_centroid": {
          "types": [
            "geopoint"
          ]
        },
        "geo_distance": {
          "types": [
            "geopoint"
          ]
        },
        "geohash_grid": {
          "types": [
            "geopoint"
          ]
        },
        "geohex_grid": {
          "types": [
            "geopoint"
          ]
        },
        "geotile_grid": {
          "types": [
            "geopoint"
          ]
        },
        "global": {
          "types": [
            "other"
          ]
        },
        "histogram": {
          "types": [
            "boolean",
            "date",
            "numeric",
            "range"
          ]
        },
        "ip_range": {
          "types": [
            "ip"
          ]
        },
        "matrix_stats": {
          "types": [
            "other"
          ]
        },
        "max": {
          "types": [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "median_absolute_deviation": {
          "types": [
            "numeric"
          ]
        },
        "min": {
          "types": [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "missing": {
          "types": [
            "boolean",
            "bytes",
            "date",
            "geopoint",
            "ip",
            "numeric",
            "range"
          ]
        },
        "multi_terms": {
          "types": [
            "boolean",
            "bytes",
            "date",
            "ip",
            "numeric",
            "other"
          ]
        },
        "nested": {
          "types": [
            "other"
          ]
        },
        "parent": {
          "types": [
            "other"
          ]
        },
        "percentile_ranks": {
          "types": [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "percentiles": {
          "types": [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "range": {
          "types": [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "rare_terms": {
          "types": [
            "boolean",
            "bytes",
            "date",
            "ip",
            "numeric"
          ]
        },
        "reverse_nested": {
          "types": [
            "other"
          ]
        },
        "sampler": {
          "types": [
            "other"
          ]
        },
        "scripted_metric": {
          "types": [
            "other"
          ]
        },
        "significant_terms": {
          "types": [
            "boolean",
            "bytes",
            "date",
            "ip",
            "numeric"
          ]
        },
        "significant_text": {
          "types": [
            "other"
          ]
        },
        "stats": {
          "types": [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "sum": {
          "types": [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "terms": {
          "types": [
            "boolean",
            "bytes",
            "date",
            "ip",
            "numeric"
          ]
        },
        "top_hits": {
          "types": [
            "other"
          ]
        },
        "value_count": {
          "types": [
            "boolean",
            "bytes",
            "date",
            "geopoint",
            "ip",
            "numeric",
            "range"
          ]
        },
        "variable_width_histogram": {
          "types": [
            "numeric"
          ]
        },
        "weighted_avg": {
          "types": [
            "numeric"
          ]
        }
      },
      "search_pipelines": {
        "processors": [
          {
            "type": "filter_query"
          }
        ]
      }
    }
  }
}

So it seems to be working through Postman but not with the securityadmin.bat script.

I have tried with and without, but I can remove it if you think it might help.

@florent I’m testing mine in a Linux environment. This shouldn’t matter but I’ll try to set up the Windows version.
So far I can’t repro your scenario. It works with the same config as yours.

Could you also check OpenSearch logs? Do you see any errors when you run securityadmin.bat?

Nothing in the logs except this error: No ‘Authorization’ header, send 401 and 'WWW-Authenticate Basic when I try to run the script.

Silly question, how can you turn on debug logs?

@pablo I managed to make it work, apparently the script does not work well with Java 11, after upgrading to Java 17 it works as expected.

The Java compatibility page (https://opensearch.org/docs/2.7/install-and-configure/install-opensearch/index/) might need a little correction.

Thank you for your time and help!
