NodesDN and Allowlist API only allowed for super admin

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): OS, OSD v2.3

Describe the issue:

I am trying to configure the nodesdn via the REST API on the dashboards UI but it's giving me an error:

  "status" : "FORBIDDEN",
  "message" : "API allowed only for super admin."

I have already added true in the opensearch.yml as the docs suggest. And I am logged in as the admin user, which has the all_access role mapped to it. So what exactly is the issue here? Is the super admin different from the internal admin user? If so, how do I access the API as super admin or make admin have the same permission as super admin?
Configuration: internal_opensearch ["CN=admin,OU=vz-os-cluster"] true true ["CN=vz-os-cluster,OU=vz-os-cluster"] ["all_access", "security_rest_api_access"] true true tls-http/tls.crt tls-http/tls.key tls-http/ca.crt false tls-transport/tls.crt tls-transport/tls.key tls-transport/ca.crt true [".opendistro-alerting-config",".opendistro-alerting-alert*",".opendistro-anomaly-results*",".opendistro-anomaly-detector*",".opendistro-anomaly-checkpoints",".opendistro-anomaly-detection-state",".opendistro-reports-*",".opendistro-notifications-*",".opendistro-notebooks",".opensearch-observability",".opendistro-asynchronous-search-response*",".replication-metadata-store"]

@saketmht super admin should refer to the admin user defined in admin_dn in opensearch.yml.

In short, this API can be executed as curl and with the admin’s certificate.


curl --insecure --cert config/kirk.pem --key config/kirk-key.pem  -XGET https://localhost:9200/_plugins/_security/api/nodesdn?pretty


curl --insecure --cert config/kirk.pem --key config/kirk-key.pem -H "Content-Type:application/json" -XPUT https://localhost:9200/_plugins/_security/api/nodesdn/opensearch-cluster -d '
{
  "nodes_dn": [
    ""
  ]
}'


@pablo Thanks for the response. So do you mean that this API cannot be accessed via the Dashboards UI no matter what user I am logged in as?
Because I have admin set in the admin_dn in opensearch.yml ["CN=admin,OU=vz-os-cluster"]

Is there any way this can be achieved without the certs? Like using curl with the basic admin credentials? Any roles that need to be mapped to the admin user to achieve this?

curl --insecure -u admin:admin  -XGET https://localhost:9200/_plugins/_security/api/nodesdn?pretty

@saketmht Correct. As per documentation, you must use an admin certificate to manage security plugin configuration.
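
A pre-flight check for the answers above, as an added example that is not part of the thread or of the OpenSearch project's code: it reads a client certificate's subject DN and tests whether that DN is listed under admin_dn in opensearch.yml, which is what makes the certificate a super admin certificate. The full key name plugins.security.authcz.admin_dn, the simplified DN comparison and the function names are assumptions of this example.

```shell
# Added example, not from the thread. A DN match under admin_dn is required for
# super admin access; the certificate must also chain to a CA the node trusts.

# Subject DN in RFC 2253 form, the form used for admin_dn entries.
cert_subject_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Simplified comparison form (assumption): lower-case, no spaces around , or =
normalize_dn() {
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
    sed -e 's/ *, */,/g' -e 's/ *= */=/g' -e 's/^ *//' -e 's/ *$//'
}

# Print each admin_dn entry from a flow list ["DN1", "DN2"] or a block list.
admin_dns() {
  awk '
    /^plugins\.security\.authcz\.admin_dn:/ {
      inlist = 1; line = $0; sub(/^[^:]*:[ \t]*/, "", line)
      if (line ~ /^\[/) {
        sub(/^\[[ \t]*/, "", line); sub(/[ \t]*\][ \t]*$/, "", line)
        n = split(line, parts, /"[ \t]*,[ \t]*"/)
        for (i = 1; i <= n; i++) { sub(/^"/, "", parts[i]); sub(/"$/, "", parts[i]); print parts[i] }
        inlist = 0
      }
      next
    }
    inlist && /^[ \t]*-/ { sub(/^[ \t]*-[ \t]*/, ""); sub(/^"/, ""); sub(/"[ \t]*$/, ""); print; next }
    inlist && /^[ \t]*(#.*)?$/ { next }
    { inlist = 0 }
  ' "$1"
}

# Return 0 if the DN in $1 matches an admin_dn entry in the file $2.
is_admin_dn() {
  local dn want="$(normalize_dn "$1")"
  [ -n "$want" ] || return 1
  while IFS= read -r dn; do
    [ "$(normalize_dn "$dn")" = "$want" ] && return 0
  done <<EOF
$(admin_dns "$2")
EOF
  return 1
}

# Usage: check_admin_dn.sh <client-cert.pem> <opensearch.yml>
if [ "$#" -eq 2 ]; then
  is_admin_dn "$(cert_subject_dn "$1")" "$2" && echo "in admin_dn" || echo "NOT in admin_dn"
fi
```

A user name such as admin authenticated with -u never passes this check, because no certificate subject is presented for comparison against admin_dn.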