ERROR: Unknown plugin opensearch-security

Versions:
OpenSearch: 2.10.0;
Dashboard: 2.10.0;
Server OS: Ubuntu 22.04.5.

Describe the issue:
I tried to fix issues with Opensearch-dashboards security plugin. It stopped work after admin password changed.
During the investigation I removed (by mistake) openserch-security plugin as described here: https://docs.opensearch.org/2.16/security/configuration/disable-enable-security/#removing-the-security-plugin-from-opensearch
But not able to install it back.

#bin/opensearch-plugin install opensearch-security
→ Installing opensearch-security
→ Failed installing opensearch-security
→ Rolling back opensearch-security
→ Rolled back opensearch-security
A tool for managing installed opensearch plugins

Non-option arguments:
[String] – command
Option Description
-E Configure a setting
-h, --help Show help
-s, --silent Show minimal output
-v, --verbose Show verbose output
ERROR: Unknown plugin opensearch-security

Could somebody be so kind and advise how to re-install openserch-security plugin to get my Opensearch work properly back?

Thank you very much in advance!

Hey @wh1test ,

What do you see when you run ./bin/opensearch-plugin list, could you try installing the plugin again from the zip

./bin/opensearch-plugin install https://repo1.maven.org/maven2/org/opensearch/plugin/opensearch-security/2.10.0.0/opensearch-security-2.10.0.0.zip

Leeroy.

@wh1test Can you try this command?

./bin/opensearch-dashboards-plugin install securityDashboards

Leeroy, thank you for response!

list command shows no opensearch-security plugin installed.

Installing the plugin using zip archive raises the same error

Regarding securityDashboards plugin. It’s installed. I can share my config files.

@wh1test I thought you were talking about the OpenSearch Dashboards security plugin.
OpenSearch and OpenSearch Dashboards have separate plugins.

@wh1test ,

Can you share the error you see when you try install via zip?

Leeroy.

My main issue is opensearch-security. I removed it and not able to install again. =(

root@opensearch:/opt/opensearch# pwd
/opt/opensearch
root@opensearch:/opt/opensearch#
root@opensearch:/opt/opensearch# ./bin/opensearch-plugin install /opt/opensearch/opensearch-security-2.10.0.0.zip
→ Installing /opt/opensearch/opensearch-security-2.10.0.0.zip
→ Failed installing /opt/opensearch/opensearch-security-2.10.0.0.zip
→ Rolling back /opt/opensearch/opensearch-security-2.10.0.0.zip
→ Rolled back /opt/opensearch/opensearch-security-2.10.0.0.zip
A tool for managing installed opensearch plugins

Non-option arguments:
[String] – command

Option Description

-E Configure a setting
-h, --help Show help
-s, --silent Show minimal output
-v, --verbose Show verbose output
ERROR: Unknown plugin /opt/opensearch/opensearch-security-2.10.0.0.zip
root@opensearch:/opt/opensearch#

Update. I downloaded tar archive https://artifacts.opensearch.org/releases/bundle/opensearch/2.10.0/opensearch-2.10.0-linux-x64.tar.gz extracted it and copied opensearch-2.10.0/plugins/opensearch-security folder into my opensearch.
Then uncommented plugins.security settings in opensearch.yml and started opensearch.

I see now opensearch-plugin list found my opensearch-security plugin:
root@opensearch:/opt/opensearch# ./bin/opensearch-plugin list
opensearch-alerting
opensearch-anomaly-detection
opensearch-asynchronous-search
opensearch-cross-cluster-replication
opensearch-custom-codecs
opensearch-geospatial
opensearch-index-management
opensearch-job-scheduler
opensearch-knn
opensearch-ml
opensearch-neural-search
opensearch-notifications
opensearch-notifications-core
opensearch-observability
opensearch-performance-analyzer
opensearch-reports-scheduler
opensearch-security
opensearch-security-analytics
opensearch-sql

So now I’m able to login using as admin. (config/opensearch-security was saved) and watch logs in my dashboards.

Hey @wh1test ,

nice, so everything is working as expected now?

Leeroy.

FYI for anyone else you can install plugin directly from Meaven if needed

./bin/opensearch-plugin install https://repo1.maven.org/maven2/org/opensearch/plugin/opensearch-security/2.10.0.0/opensearch-security-2.10.0.0.zip

If you do download the zip directly to the container or via cp you can install it by using

./bin/opensearch-plugin install --batch file:///usr/share/opensearch/opensearch-security-2.10.0.0.zip

Or you can use the tar option mentioned by @wh1test

Leeroy.

Yes, opensearch-security plugin is working properly now! I’m able to login into web-console using internal users. Thank you!

Now I’m trying to setup securityDashboards plugin for opensearch-dashboards (it was working before admin password changed and cluster mode enabled).

`opensearch@opensearch:/opt/opensearch-dashboards$ ./bin/opensearch-dashboards-plugin install securityDashboards`
`Found previous install attempt. Deleting…`
`Attempting to transfer from securityDashboards`
``` Attempting to transfer from ``https://ci.opensearch.org/ci/dbc/distribution-build-opensearch-dashboards/2.10.0/latest/linux/x64/tar/builds/opensearch-dashboards/plugins/securityDashboards-2.10.0.zip ```
`Transferring 1067294 bytes…`
`Transfer complete`
`Retrieving metadata from plugin archive`
`Extracting plugin archive`
`Extraction complete`
`Plugin installation complete`

But I’m not able to login using my own username which created through security dashboards =|

My opensearch_dashboards.yml

opensearch.hosts: \[http://localhost:9200\]
opensearch.ssl.verificationMode: none
opensearch.username: admin
opensearch.password: b6\*\*\*\*\*\*x1
opensearch.requestHeadersWhitelist: \[authorization, securitytenant\]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: \[Global, Private\]
opensearch_security.readonly_mode.roles: \[kibana_read_only\]
opensearch_security.cookie.secure: false**
**
b6\*\*\*\*\*\*x1 - is my new admin opensearch password.**
**

My opensearch.yml

cluster.name: opensearch
cluster.initial_master_nodes: [“opensearch-node1”\
node.name: opensearch-node1
node.roles: [master, data]
#node.attr.rack: r1
path.data: /opt/opensearch/data
path.logs: /opt/opensearch/logs

#bootstrap.memory_lock: true

network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: [“172.16.1.7”]
#cluster.initial_cluster_manager_nodes: [“node-1”, “node-2”]

#gateway.recover_after_nodes: 3
#action.destructive_requires_name: true

######## Start OpenSearch Security Demo Configuration ########
plugins.security.disabled: false
plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: false
plugins.security.ssl.http.pemcert_filepath: node1.pem
plugins.security.ssl.http.pemkey_filepath: node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
- “emailAddress=bs-net@work.local,CN=opensearch,OU=IT,O=MyWork,L=City,ST=City,C=PL”
plugins.security.nodes_dn:
- “emailAddress=bs-net@work.local,CN=opensearch-node1,OU=IT,O=MyWork,L=City,ST=City,C=PL”

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled:
[“all_access”, “security_rest_api_access”]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices:
[
“.plugins-ml-model”,
“.plugins-ml-task”,
“.opendistro-alerting-config”,
“.opendistro-alerting-alert*”,
“.opendistro-anomaly-results*”,
“.opendistro-anomaly-detector*”,
“.opendistro-anomaly-checkpoints”,
“.opendistro-anomaly-detection-state”,
“.opendistro-reports-*",
".opensearch-notifications-*”,
“.opensearch-notebooks”,
“.opensearch-observability”,
“.opendistro-asynchronous-search-response*”,
“.replication-metadata-store”,
]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########

Ok, to summarize you’re trying to use admin of which you updated it’s password?

But for opensearch dashboards you’re using opensearch.username: admin and opensearch.password: b6******x1. Why are you doing this and not using opensearch.username: kibanaserver and opensearch.password: kibanaserver?

If you want to use a user than is not kibanaserver you would need to also ensure that the new user has the kibanaserver backend role. This is the minimum requirement and wouldn’t need any additional role or any wider permissions.

Could you to a test and curl against the cluster with the admin and password

curl --insecure -uadmin:b6******x1 https://localhost:9200/_plugins/_security/authinfo?pretty

Leeroy.

curl --insecure -uadmin:b6********x1 http://localhost:9200/_plugins/_security/authinfo?pretty
{
“user” : “User [name=admin, backend_roles=[admin], requestedTenant=null]”,
“user_name” : “admin”,
“user_requested_tenant” : null,
“remote_address” : “127.0.0.1:56196”,
“backend_roles” : [
“admin”
],
“custom_attribute_names” : ,
“roles” : [
“own_index”,
“all_access”
],
“tenants” : {
“global_tenant” : true,
“admin_tenant” : true,
“admin” : true
},
“principal” : null,
“peer_certificates” : “0”,
“sso_logout_url” : null
}

Admin user is the user from opensearch/config/opensearch-security/internal_users.yml
It’s working properly.

securityDashboards plugin for opensearch-dashboards was working properly before I changed admin password and set those options to switch my opensearch node into cluster:
cluster.name: opensearch
cluster.initial_master_nodes: [“opensearch-node1”]
node.name: opensearch-node1
node.roles: [master, data]

We had several users in opensearch including my own account which disappeared from web console =|

hey @wh1test ,

Could you share config.yml?

Leeroy.