Can't get _plugins/_security/api/nodesdn

When I try to call GET _plugins/_security/api/nodesdn, I get an error:
{ "status" : "FORBIDDEN", "message" : "API allowed only for admin." }
My opensearch.yml:

plugins.security.ssl.transport.pemcert_filepath: /usr/share/opensearch/config/node.pem
plugins.security.ssl.transport.pemkey_filepath: /usr/share/opensearch/config/node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca-new.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /usr/share/opensearch/config/node.pem
plugins.security.ssl.http.pemkey_filepath: /usr/share/opensearch/config/node-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca-new.pem
#plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - 'CN=admin,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node*,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
opendistro_security.audit.config.disabled_rest_categories: NONE
plugins.security.nodes_dn_dynamic_config_enabled: true
opendistro_security.audit.config.disabled_transport_categories: NONE

@Melok

What version of OpenSearch are you running? The message would indicate that you need to use the admin certificate to call this API.

Latest version. Login with admin:admin. How to log in with the admin certificate?

@Melok
The admin certificate is the one configured in opensearch.yaml

plugins.security.authcz.admin_dn:
  - 'CN=admin,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'

You should be able to run curl like below:

curl --insecure -XGET "https://localhost:9200/_plugins/_security/api/nodesdn" --cert /usr/share/opensearch/config/kirk.pem --key /usr/share/opensearch/config/kirk-key.pem
(kirk.pem and kirk-key.pem being the admin certificates in this case)
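
A quick offline check for the point made in this answer, as an added example that is not part of the original thread or of OpenSearch itself: it compares a certificate subject (as printed by `openssl x509 -subject -nameopt RFC2253 -noout -in <cert>`) with the `admin_dn` entries from the posted config. The helper names and the simplified exact, ordered RDN comparison are assumptions, not the security plugin's own matching logic.

```python
import re

# Constructed sample: the two DN settings from the opensearch.yml posted above.
SAMPLE_YML = """\
plugins.security.authcz.admin_dn:
  - 'CN=admin,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node*,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
"""

def list_setting(yml_text, key):
    """Return the string items of a top-level YAML list setting (block style only)."""
    items, inside = [], False
    for line in yml_text.splitlines():
        if line.startswith(key + ":"):
            inside = True
        elif inside and line.strip().startswith("- "):
            items.append(line.strip()[2:].strip().strip("'\""))
        elif inside and line.strip() and not line.lstrip().startswith("#"):
            break  # the next setting begins, so the list is over
    return items

def normalize_dn(dn):
    """Split an RFC 2253 style DN into ordered (TYPE, value) pairs."""
    dn = re.sub(r"^subject\s*=\s*", "", dn.strip())  # drop openssl's "subject=" prefix
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):            # do not split on escaped commas
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def is_admin_cert(yml_text, subject):
    """True when the subject equals one admin_dn entry, RDN by RDN, in order."""
    wanted = normalize_dn(subject)
    admin_dns = list_setting(yml_text, "plugins.security.authcz.admin_dn")
    return any(normalize_dn(dn) == wanted for dn in admin_dns)

if __name__ == "__main__":
    # Constructed subjects: an admin certificate and a node certificate.
    for subject in ("subject=CN=admin,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA",
                    "subject=CN=node1,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA"):
        print(is_admin_cert(SAMPLE_YML, subject), subject)
```

A subject printed without `-nameopt RFC2253` lists the RDNs in the opposite order (C first) and will not compare equal to the `admin_dn` entry here.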

But how can I do this with REST API?

@Melok I don’t follow your question. This is indeed a REST API call, using the curl command I provided.
If you are asking how you can run it from OpenSearch Dashboards Dev Tools, I don’t think you can, because you need to provide the admin certificate.

Yes, I wanted to run from DevTools. Thanks for your answer.