Error securityadmin.sh execution

panta · July 22, 2024, 9:02pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.14.0

Describe the issue:

plugins/opensearch-security/tools/securityadmin.sh -cd config/opensearch-security/ -cacert config/certificates/ca.pem -key config/certificates/hostkey.pem -cert config/certificates/hostcert.pem -h vulcan.jlab.org
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to vulcan.jlab.org:9200 ... done
Connected as "CN=vulcan.jlab.org,O=Thomas Jefferson National Accelerator Facility,ST=Virginia,C=US,DC=incommon,DC=org"
ERR: "CN=vulcan.jlab.org,O=Thomas Jefferson National Accelerator Facility,ST=Virginia,C=US,DC=incommon,DC=org" is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure opensearch.yml on all nodes contains:
plugins.security.authcz.admin_dn:
  - ""CN=vulcan.jlab.org,O=Thomas Jefferson National Accelerator Facility,ST=Virginia,C=US,DC=incommon,DC=org""

Configuration:
opensearch.yml

cluster.name: "opensearch-cluster"
node.name: "opensearch-node1"
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["opensearch-node1"] #, "opensearch-node2"]
cluster.initial_master_nodes: ["opensearch-node1"] #, "opensearch-node2"]

# Security settings
plugins.security.ssl.transport.pemcert_filepath: certificates/hostcert.pem
plugins.security.ssl.transport.pemkey_filepath: certificates/hostkey.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certificates/ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certificates/hostcert.pem
plugins.security.ssl.http.pemkey_filepath: certificates/hostkey.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certificates/ca.pem

plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - DC=org,DC=incommon,C=US,ST=Virginia,O=Thomas Jefferson National Accelerator Facility,CN=vulcan.jlab.org

plugins.security.nodes_dn:
  - 'DC = org, DC = incommon, C = US, ST = Virginia, O = Thomas Jefferson National Accelerator Facility, CN = vulcan.jlab.org'

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
opendistro_security.audit.config.disabled_rest_categories: NONE
opendistro_security.audit.config.disabled_transport_categories: NONE

Relevant Logs or Screenshots:

Eugene7 · July 23, 2024, 9:00am

Hi @panta ,

Have you restarted your cluster after making changes to opensearch.yml ? How many OpenSearch nodes do you have?

panta · July 23, 2024, 1:30pm

Hi Eugene,
Its seems the admin_dn has to be written in exact order the securityadmin.sh shows.
So I made the changes as:

plugins.security.authcz.admin_dn:
  - CN=vulcan.jlab.org,O=Thomas Jefferson National Accelerator Facility,ST=Virginia,C=US,DC=incommon,DC=org

It is working now.

Topic		Replies	Views
Securityadmin.sh ERR....is not an admin user Security troubleshoot , configure , security-issue	4	743	March 28, 2023
Open Search Security Not Initialized Security troubleshoot	22	7263	November 3, 2024
Securityadmin.sh no permissions Security	10	905	July 12, 2023
Opensearch security not initialized; Securityadmin.sh not running Security troubleshoot , configure	10	4378	June 20, 2022
Securityadmin.sh not working due to admin certificate issue Security	4	42	November 5, 2024

Error securityadmin.sh execution

Related topics