NodesDN and Allowlist API only allowed for super admin

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): OS, OSD v2.3

Describe the issue:

I am trying to configure the nodesdn via the REST API on the dashboards UI but it's giving me an error:

{
  "status" : "FORBIDDEN",
  "message" : "API allowed only for super admin."
}

I have already added plugins.security.nodes_dn_dynamic_config_enabled: true in the opensearch.yml as the docs suggest. And I am logged in as the admin user, which has the all_access role mapped to it. So what exactly is the issue here? Is the super admin different from the internal admin user? If so, how do I access the API as super admin or make admin have the same permission as super admin?
Configuration:

plugins.security.audit.type: internal_opensearch
plugins.security.authcz.admin_dn: ["CN=admin,OU=vz-os-cluster"]
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn: ["CN=vz-os-cluster,OU=vz-os-cluster"]
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.nodes_dn_dynamic_config_enabled: true
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: tls-http/tls.crt
plugins.security.ssl.http.pemkey_filepath: tls-http/tls.key
plugins.security.ssl.http.pemtrustedcas_filepath: tls-http/ca.crt
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.pemcert_filepath: tls-transport/tls.crt
plugins.security.ssl.transport.pemkey_filepath: tls-transport/tls.key
plugins.security.ssl.transport.pemtrustedcas_filepath: tls-transport/ca.crt
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config",".opendistro-alerting-alert*",".opendistro-anomaly-results*",".opendistro-anomaly-detector*",".opendistro-anomaly-checkpoints",".opendistro-anomaly-detection-state",".opendistro-reports-*",".opendistro-notifications-*",".opendistro-notebooks",".opensearch-observability",".opendistro-asynchronous-search-response*",".replication-metadata-store"]

@saketmht super admin should refer to admin user defined in admin_dn in opensearch.yml.

In short, this API can be executed as curl and with the admin’s certificate.

i.e.
GET API

curl --insecure --cert config/kirk.pem --key config/kirk-key.pem -XGET "https://localhost:9200/_plugins/_security/api/nodesdn?pretty"

PUT API

curl --insecure --cert config/kirk.pem --key config/kirk-key.pem -H "Content-Type:application/json" -XPUT https://localhost:9200/_plugins/_security/api/nodesdn/opensearch-cluster -d '
{
  "nodes_dn": [
    "CN=cluster3.example.com"
  ]
}'

@pablo Thanks for the response. So do you mean that this API cannot be accessed via the Dashboards UI no matter what user I am logged in as?
Because I have admin set in the admin_dn in opensearch.yml
plugins.security.authcz.admin_dn: ["CN=admin,OU=vz-os-cluster"]

Is there any way this can be achieved without the certs? Like using curl with the basic admin credentials? Any roles that need to be mapped to the admin user to achieve this?

curl --insecure -u admin:admin -XGET "https://localhost:9200/_plugins/_security/api/nodesdn?pretty"

@saketmht Correct. As per documentation, you must use an admin certificate to manage security plugin configuration.
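
The certificate-authenticated calls from this thread as a small Python client. This is an added example, not code posted by anyone in the thread or taken from the OpenSearch project; it verifies the server against a CA file instead of using --insecure and recognises the "super admin" rejection quoted in the question. The function names, file paths and host are assumptions.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

API_PATH = "/_plugins/_security/api/nodesdn"            # endpoint from the thread
SUPER_ADMIN_MSG = "API allowed only for super admin."   # message from the thread

def admin_tls_context(ca_file, cert_file, key_file):
    """Verify the server against the cluster CA (instead of --insecure) and
    present the admin certificate whose DN is listed in admin_dn."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def nodesdn_request(base_url, name=None, nodes_dn=None):
    """GET all entries when name is None, otherwise PUT nodes_dn under name."""
    url = base_url.rstrip("/") + API_PATH
    if name is None:
        return urllib.request.Request(url, method="GET")
    if not nodes_dn:
        raise ValueError("nodes_dn must be a non-empty list of DNs")
    body = json.dumps({"nodes_dn": list(nodes_dn)}).encode("utf-8")
    return urllib.request.Request(
        url + "/" + urllib.parse.quote(name, safe=""), data=body, method="PUT",
        headers={"Content-Type": "application/json"})

def needs_admin_cert(body):
    """True when the reply is the 'super admin only' rejection from the thread."""
    return isinstance(body, dict) and body.get("message") == SUPER_ADMIN_MSG

def call(req, ctx):
    """Send the request; return (http_status, parsed_json) even on HTTP errors."""
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, json.loads(raw) if raw else {}

if __name__ == "__main__":
    # Paths and host are placeholders (assumptions); use your own CA and admin cert.
    ctx = admin_tls_context("config/root-ca.pem", "config/kirk.pem", "config/kirk-key.pem")
    status, body = call(nodesdn_request("https://localhost:9200"), ctx)
    if needs_admin_cert(body):
        print("Rejected: client certificate DN is not in plugins.security.authcz.admin_dn")
    print(status, json.dumps(body, indent=2))
```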