Force index allocation for. opendistro, .opensearch index

Security
1

** version 2.2.0**

Describe the issue:
I added 2 new data nodes on in my opensearch Cluster to store the logs of our API-Gateway

I dont want .opensearch* and .opendistro* indexes to be created on these 2 new nodes
So I set a rack id for my existing nodes called applicative_rack

And i created ( successfully) 2 index templates for these indexes as follow : ( to force allocating these system indexes on the applicative_rack and not on the new nodes for which rack id is different ) :
POST /_index_template/opendistro { “index_patterns”: [“.opendistro*”], “template”: { “settings”: { “index.routing.allocation.require.rack”: “applicative_rack” } }}
POST /_index_template/opensearch { “index_patterns”: [“.opensearch*”], “template”: { “settings”: { “index.routing.allocation.require.rack”: “applicative_rack” } }}

But when I started my new Opensearch data nodes :
it seems the .opendistro* and .opensearch* indexes are created on them ( the new nodes ) and the index templates are absolutely NOT applied ( issue occurs only for these system indexes, no issue with any others indexes… )

Why can t I force index allocation for : .opendistro* and .opensearch* indexes ?
( mainly:
.opendistro-job-scheduler-lock
.opendistro-ism-managed-index-history
.opendistro-alerting-config
.opensearch-notifications-config
)
Is there any other way to proceed and force allocation for these system indexes ?

Regards

2

@kristof.larcher Could you share the settings of these indices?

3

I found out the solution :slight_smile:

4

You cant set configuration for these system indexes aven with user ADMIN
but

5

if you use the admin_dn set with security plugin ( confer conf )
You can do whatever you want…

6

conf in opensearch.yml
plugins.security.authcz.admin_dn: CN=kirk,OU=client,O=client,L=test, C=de

7

and curl request to push index template fo system index ( forcing allocation to a rack )
curl -k --cert ./kirk.pem --key ./kirk-key.pem -X PUT https://localhost:9200/_index_template/opensearch -d ‘{ “index_patterns”: [“.opensearch*”], “template”: { “settings”: { “index.routing.allocation.require.rack”: “applicative_rack” }}}’ -H 'Content-Type: application/json

8

it s mentionned i n any documentation

9

@kristof.larcher As per OpenSearch documentation, the securityadmin.sh script is used to manage the security plugin. The plugin requires admin certificate that is defined in the admin_dn in opensearch.yml

The secuirtyadmin.sh is using certificate authentication against the HTTP endpoint 9200. Therefore, using the curl command with an admin certificate mimics securityadmin.sh script authentication and allows to access the cluster without basic authentication.