I am upgrading from 2.3.0 to 2.18.0. I can't authenticate to port 9200 if a 2.3.0 database is present, but can if starting on a bare machine

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.3.0, 2.18.0

Describe the issue:
I am running 2.3.0, single node. I am using curl to get a list of indexes. I am using https and the --insecure flag. When running 2.3.0, the username/password was the default admin:admin (as is setup in the opensearch docker image on dockerhub). In 2.18.0, I have a different password.

If a v2.3 database is present when I start v2.18, I can’t authenticate using curl. However, if I start v2.18 in a pristine environment, I can authenticate.

I have tried finding documentation on how to migrate, but my v2.3 security index to something 2.18 will like, but have not found anything useful

Configuration:

Relevant Logs or Screenshots:

@markfanara I did upgrade from 2.3 to 2.18 and had no issues with authentication.
Also, the password didn’t change.

I used docker-compose for the test.

If you want to update the admin password you can use securityadmin.sh script with admin certificates.

To be more clear on my description

  • I am running Opensearch in a Docker container built from 2.3.0 (from Dockerhub). I am running in single node mode

  • I have the data folder as a Docker volume so that the data is persistent.

  • The security is the default demo security

  • From within that container (or others) I can use curl to list indices using this command - curl -XGET https://127.0.0.1:9200/_cat/indices -u ‘admin:admin’ --insecure

  • I built a new docker container built from Opensearch 2.18.0 (from Dockerhub). I am running in single node mode.

  • I have the data folder as a Docker volume so that the data is persistent.

  • The security is the default demo security

  • An entrypoint script for the container sets the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD to something other than ‘admin’ as that one is not accepted (not complex enough) and then launches the /usr/share/opensearch/opensearch-docker-entrypoint.sh script.

  • When I run this container image and the persistent data folder contains data from Opensearch 2.3.0, I am unable to run the curl command shown above with either the password ‘admin’ or the new password that I set in the environment variable. It indicates a failure to authenticate.

  • However, when I run the new container image and the persistent data folder contains no data (or data originally created by 2.18.0), the curl command using the new password works just fine.

@markfanara I did exactly as you described.

I created a cluster 2.3.0 with persistent volume. I created an index pattern, visualisation and dashboard in 2.3.0.

Then I stopped the cluster (docker compose down). The OpenSearch volume remained.

image

Then I updated the OpenSearch version to 2.18.0 in the docker-compose.yml and started the cluster. I logged in with the old password as the data persisted and the .opendistro_security index remained, so no password update happened.

I confirmed that OpenSearch Dashboard objects created in 2.3.0 are available in 2.18.0.

Did you create a security configuration backup with sgadmin.sh script before the upgrade?

I did not create a security configuration backup.

Is there a document that describes the steps necessary to upgrade?

Note - in my case, the upgrade is simply stopping the original container containing 2.3, uninstalling the container (docker image rm), installing the new container containing 2.18 and then running it.

I have found documentation related to securityadmin.sh but it is all somewhat confusing.

I don’t understand the exact steps required to do the security migration given my very specific order of operations show above. (I am just running the opensearch docker images with either no changes at all, or just setting the default admin password in case of 2.18)

It looks like running the command in config/securityadmin_demo.sh without the sudo (which is not in the docker image) does the trick.

@markfanara That script will overwrite the security configuration with files located in /usr/share/opensearch/config/opesearch-security folder.

You can use the same command from that script to backup the security config. You must use -backup instead of -cd to backup the configuration.