No handler found for uri [/_plugins/_security/api/account]

Security
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Debian 12.4 (bookworm)

{
    "cluster_name": "opensearch",
    "cluster_uuid": "qDes-IQDT2-flGKzp0lIuA",
    "name": "opensearch",
    "tagline": "The OpenSearch Project: https://opensearch.org/",
    "version": {
        "build_date": "2023-11-29T21:43:44.221253956Z",
        "build_hash": "6b1986e964d440be9137eba1413015c31c5a7752",
        "build_snapshot": false,
        "build_type": "deb",
        "distribution": "opensearch",
        "lucene_version": "9.7.0",
        "minimum_index_compatibility_version": "7.0.0",
        "minimum_wire_compatibility_version": "7.10.0",
        "number": "2.11.1"
    }
}

Describe the issue:
My server is up. I can connect to it with opensearch-py; the version info above is the output of server.info().

opensearch-security is installed:

$ bin/opensearch-plugin list
opensearch-alerting
opensearch-anomaly-detection
opensearch-asynchronous-search
opensearch-cross-cluster-replication
opensearch-custom-codecs
opensearch-geospatial
opensearch-index-management
opensearch-job-scheduler
opensearch-knn
opensearch-ml
opensearch-neural-search
opensearch-notifications
opensearch-notifications-core
opensearch-observability
opensearch-performance-analyzer
opensearch-reports-scheduler
opensearch-security
opensearch-security-analytics
opensearch-sql

/etc/opensearch/opensearch-security/config.yml contains (in part):

      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal

and /usr/share/opensearch/plugins/opensearch-security/internal_users.yml has:

_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: <elided>
  backend_roles:
  - "admin:
  description: "Admin user"

The problem is when I try to get the current user via the REST API, as described here, it fails:

$ curl -XGET "http://localhost:9200/_plugins/_security/api/account"

{"error":"no handler found for uri [/_plugins/_security/api/account] and method [GET]"}

Obviously I’ve got something mis-configured, but what?

2

I’ve made a little bit of progress. I discovered I had:

plugins.security.disabled: true

in /etc/opensearch/opensearch.yml. I set that to false and restarted opensearch. Now I’m getting:

$ curl -v "http://localhost:9200/_plugins/_security/api/account"
*   Trying 127.0.0.1:9200...
* Connected to localhost (127.0.0.1) port 9200 (#0)
> GET /_plugins/_security/api/account HTTP/1.1
> Host: localhost:9200
> User-Agent: curl/7.88.1
> Accept: */*
> 
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server
3

More baby steps…

-plugins.security.ssl.http.enabled: true
+plugins.security.ssl.http.enabled: false

got me to the point where I’m getting:

$ curl -v "http://localhost:9200/_plugins/_security/api/account"
*   Trying 127.0.0.1:9200...
* Connected to localhost (127.0.0.1) port 9200 (#0)
> GET /_plugins/_security/api/account HTTP/1.1
> Host: localhost:9200
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="OpenSearch Security"
< content-type: text/plain; charset=UTF-8
< content-length: 0
< 
* Connection #0 to host localhost left intact

which I think is what I’m actually supposed to be getting at this point.

4

Hi @roy649 ,

Have you tied with -u admin:<adminPassword> ?:

curl -v  -u admin:<adminPassword> "http://localhost:9200/_plugins/_security/api/account"

best,
mj

5

Yes, adding -u works, thanks.

Where all this is going is (I asked this on slack yesterday; not sure if that’s actually active) I’m trying to get this all set up without any certificates, just because cert management is such a pain. I’m in a private secure environment, so there’s no need for anything beyond HTTP basic auth, and no need for SSL. But it looks like to set up basic auth, you need to process internal_users.yml with securityadmin.sh, which apparently needs a cert to run.

Is there any way to avoid certs entirely?

6

@roy649 The minimal security plugin configuration requires a secured transport layer (port 9300-9400) and it can’t be disabled.

However, it can be disabled at HTTP endpoint (port 9200).

As you’ve already noticed, unsecured port 9200 prevents securityadmin.sh from connecting to the OpenSearch node.
The reason behind this is that securityadmin.sh is using admin SSL certificates to connect with the OpenSearch node. It is mandatory to use these certs as the user defined in these certs has special admin privilege to overwrite security configuration.

The workaround would be enabling a secured connection on HTTP just in the single OpenSearch node.