I am using OpenSearch with security and want to integrate Istio with it.
Earlier we were using ELasticsearch with searchguard and integrated istio with it, we were suggested to use steps mentioned in ticket: Searchguard without tls - Search Guard - Search Guard Forum
We had disabled TLS on Rest layer as part of suggested steps and enabled MTLS using istio.
These same steps worked fine for OpenSearch v1.3.2.
However now with Opensearch v2.x since securityadmin.sh should be run on http port and not transport port, it is failing with error “ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection?”
It looks like that now with this change, setting of “plugins.security.ssl.http.enabled” as false has introduced a bug. As disabling it would fail execution of securityadmin.sh script.
Kindly recommend a way on how to integrate istio with Opensearch security.
Kindly share an update on this, What can be the possible approach to integrate istio with Opensearch security and if there is any plan for fixing usage of “plugins.security.ssl.http.enabled” parameter.
@Pratiksha I wouldn’t call that a bug but a design change.
TransportClient authorization and authentication have been deprecated in version 2.0.0 as per release notes.
All client authentication is now handled by HTTP endpoint (9200).
The securityadmin.sh requires an admin certificate to manage the security plugin configuration. Certificate authentication/authorization requires HTTPS connection and securityadmin.sh follows that logic.
Yes, I understand. However, as now ssl cannnot be disabled on Rest layer as securityadmin.sh requires a HTTPS connection then “plugins.security.ssl.http.enabled” parameter is of no use as it cannot be set to false as that would lead to error.