Hi,
We are facing an issue while upgrading OpenSearch from 1.x to 2.x.
Our cluster was originally created on OpenSearch 1.x and later upgraded to 2.x without problems. However, when preparing for further upgrades, we found that the .opendistro_security index is still created with a 1.x version.
We understand that this index should ideally be recreated to be compatible with newer versions.
The recommended approach is to use securityadmin.sh, but it requires HTTPS/TLS on the REST layer.
Problem:
Our cluster runs with:
-
http.tlsdisabled (HTTP only on port 9200) -
TLS is enabled only on the transport layer (port 9300)
We cannot enable TLS on HTTP because existing clients are not prepared for it.
When running securityadmin.sh, we get:
Unrecognized SSL message, plaintext connection?
We also tried to reinitialize or delete .opendistro_security via REST API, but:
-
the REST management API is restricted
-
permissions are insufficient to manage the security index
Questions:
-
Is there a supported way to migrate or recreate
.opendistro_securityfrom 1.x to 2.x without enabling HTTP TLS? -
Can
securityadmin.shbe safely used over plain HTTP in this scenario? -
Is there any recommended workaround for clusters that cannot enable TLS on the REST layer?
Any guidance or best practices would be greatly appreciated.
Thanks!