NodesDN endpoint not accessible!

Hello, I followed all the instructions that you gave about configuring the super admin using the admin_dn in opensearch.yml.
However, when querying with:
curl -XGET https://192.168.10.32:9200/_plugins/_security/api/nodesdn?pretty -u 'admin:12345678' --insecure --cert /opt/opensearch-2.11.1/config/opensearch-admin.pem --key /opt/opensearch-2.11.1/config/opensearch-admin-key.pem

I get as a response { }, and the following error in the log file:

[2024-02-14T16:34:44,762][INFO ][o.o.s.d.r.a.RestApiPrivilegesEvaluator] [single-1] User User [name=CN=admin,OU=O,O=O,L=O,ST=O,C=O, backend_roles=, requestedTenant=null] with Security roles [own_index] does not have any role privileged for admin access.

I am trying on a single-node cluster to troubleshoot the issue, but I have the same issue on clusters that consist of more nodes.

Additionally, when I request the following:

curl -XGET https://192.168.10.32:9200/_plugins/_security/api/account?pretty --cert /opt/opensearch-2.11.1/config/opensearch-admin.pem --key /opt/opensearch-2.11.1/config/opensearch-admin-key.pem --insecure

I get the following result:

{
  "user_name" : "CN=admin,OU=O,O=O,L=O,ST=O,C=O",
  "is_reserved" : false,
  "is_hidden" : false,
  "is_internal_user" : false,
  "user_requested_tenant" : null,
  "backend_roles" : [ ],
  "custom_attribute_names" : [ ],
  "tenants" : {
    "CN=admin,OU=O,O=O,L=O,ST=O,C=O" : true
  },
  "roles" : [
    "own_index"
  ]
}

Is this okay?
Why can’t I have access to nodesdn API endpoint despite the fact that I use a superadmin certificate?

Following is my opensearch.yml file:

cluster.name: singleNode-cluster
node.name: single-1
node.roles: [cluster_manager, data, ingest]  

compatibility.override_main_response_version: true

network.bind_host: 192.168.10.32
network.publish_host: 192.168.10.32
discovery.type: single-node
plugins.security.ssl.transport.pemcert_filepath: /opt/opensearch-2.11.1/config/node1.pem
plugins.security.ssl.transport.pemkey_filepath: /opt/opensearch-2.11.1/config/node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /opt/opensearch-2.11.1/config/opensearch-root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false 
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /opt/opensearch-2.11.1/config/node1.pem
plugins.security.ssl.http.pemkey_filepath: /opt/opensearch-2.11.1/config/node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /opt/opensearch-2.11.1/config/opensearch-root-ca.pem
plugins.security.allow_default_init_securityindex: true
plugins.security.allow_unsafe_democertificates: false 
plugins.security.authcz.admin_dn:
  - 'CN=admin,OU=O,O=O,L=O,ST=O,C=O'
plugins.security.nodes_dn:
  - 'CN=single2.test.com,OU=O,O=O,L=O,ST=O,C=O'
plugins.security.audit.type: internal_opensearch
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access","security_rest_api_full_access"]
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn_dynamic_config_enabled: true
plugins.security.system_indices.indices:
- .plugins-ml-config
- .plugins-ml-connector
- .plugins-ml-model-group
- .plugins-ml-model
- .plugins-ml-task
- .plugins-ml-conversation-meta
- .plugins-ml-conversation-interactions
- .opendistro-alerting-config
- .opendistro-alerting-alert*
- .opendistro-anomaly-results*
- .opendistro-anomaly-detector*
- .opendistro-anomaly-checkpoints
- .opendistro-anomaly-detection-state
- .opendistro-reports-*
- .opensearch-notifications-*
- .opensearch-notebooks
- .opensearch-observability
- .ql-datasources
- .opendistro-asynchronous-search-response*
- .replication-metadata-store
- .opensearch-knn-models
- .geospatial-ip2geo-data*

Hi @Kmrs97 ,

Could you please share your nodes_dn.yml ?

You can see more details here:

Best,
mj

You can use GET /_cat/nodes?pretty to get some node info as well.

curl -XGET https://192.168.10.32:9200/_cat/nodes?pretty --cert /opt/opensearch-2.11.1/config/opensearch-admin.pem --key /opt/opensearch-2.11.1/config/opensearch-admin-key.pem --insecure

Best,
mj

Hello Mantas, thank you for your response!

My nodes_dn.yml file is the default one. I didn’t make any changes there. It is provided below:

_meta:
  type: "nodesdn"
  config_version: 2

# Define nodesdn mapping name and corresponding values
# cluster1:
#   nodes_dn:
#       - CN=*.example.com

Regarding the query that you suggested, I get the following information about the nodes; however, my aim is to get the distinguished names of the nodes, which apparently I cannot access, even using the super admin.

I define the DNs of the nodes in the opensearch.yml as shown above, but my goal is to be able to insert new nodes, along with their DN (PUT request on nodesdn endpoint), on a running cluster, without the necessity of restarting the cluster.

UPDATE:
Uncommenting the lines in the nodes_dn.yml, declaring the cluster name, and using a client certificate, with its DN declared as super admin in the admin_dn property, grants you the permissions to execute GET and PATCH requests on the nodes_dn endpoint.

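Added example, not from any post in this thread: a small shell script that carries out the procedure the update above describes, reading and changing node DNs on a running cluster through the security plugin's nodesdn API while authenticating with the super-admin client certificate. It assumes the addresses and file paths from the thread, that plugins.security.nodes_dn_dynamic_config_enabled is true, that the certificate's subject matches an admin_dn entry, and that nodes_dn.yml has been loaded with an entry (the "cluster1" name from the commented default is used as the example entry). The PUT body follows the documented create-or-replace form; the PATCH body uses the standard JSON Patch (RFC 6902) append path "/nodes_dn/-", which is an assumption about the plugin's patch handling rather than something the thread shows.

```shell
#!/usr/bin/env bash
# Added example, not part of the thread: manage node DNs on a running cluster
# through the security plugin's nodesdn API, authenticating with the
# super-admin client certificate. Assumes (from the thread) the addresses and
# paths below, plugins.security.nodes_dn_dynamic_config_enabled: true, and an
# admin_dn entry that matches the client certificate's subject.
set -eu

OS_URL="${OS_URL:-https://192.168.10.32:9200}"
CONF="${CONF:-/opt/opensearch-2.11.1/config}"
ADMIN_CERT="${ADMIN_CERT:-$CONF/opensearch-admin.pem}"
ADMIN_KEY="${ADMIN_KEY:-$CONF/opensearch-admin-key.pem}"
CA_CERT="${CA_CERT:-$CONF/opensearch-root-ca.pem}"

# curl with the admin client certificate. --cacert pins the cluster's root CA
# instead of --insecure; see the note below if you connect by IP address.
curl_admin() {
  curl -sS --cacert "$CA_CERT" --cert "$ADMIN_CERT" --key "$ADMIN_KEY" \
    -H 'Content-Type: application/json' "$@"
}

# Render the DNs given as arguments as a JSON array of strings.
json_dn_array() {
  local out="" dn
  for dn in "$@"; do
    out="${out:+$out,}\"$dn\""
  done
  printf '[%s]' "$out"
}

# Body for PUT /_plugins/_security/api/nodesdn/<entry>: creates the entry or
# replaces its whole nodes_dn list.
nodesdn_put_body() {
  printf '{"nodes_dn":%s}' "$(json_dn_array "$@")"
}

# Body for PATCH /_plugins/_security/api/nodesdn/<entry>: JSON Patch (RFC 6902)
# append to the existing list, one "add" operation per DN (assumed form).
nodesdn_append_body() {
  local ops="" dn
  for dn in "$@"; do
    ops="${ops:+$ops,}{\"op\":\"add\",\"path\":\"/nodes_dn/-\",\"value\":\"$dn\"}"
  done
  printf '[%s]' "$ops"
}

# A GET that answers {} is a valid response meaning "no entries configured",
# which is what an all-commented default nodes_dn.yml produces.
is_empty_nodesdn() {
  [ "$(printf '%s' "$1" | tr -d ' \t\r\n')" = "{}" ]
}

nodesdn_show() {
  curl_admin "$OS_URL/_plugins/_security/api/nodesdn?pretty"
}

# Create <entry> with the given DNs, or append them if the entry exists.
nodesdn_add() {
  local entry="$1" current
  shift
  current="$(curl_admin "$OS_URL/_plugins/_security/api/nodesdn")"
  if is_empty_nodesdn "$current" || ! printf '%s' "$current" | grep -qF "\"$entry\""; then
    curl_admin -XPUT "$OS_URL/_plugins/_security/api/nodesdn/$entry" \
      -d "$(nodesdn_put_body "$@")"
  else
    curl_admin -XPATCH "$OS_URL/_plugins/_security/api/nodesdn/$entry" \
      -d "$(nodesdn_append_body "$@")"
  fi
  echo
  nodesdn_show
}

case "${1:-}" in
  show) nodesdn_show ;;
  add)  shift; nodesdn_add "$@" ;;
  "")   ;;   # run without arguments (or sourced): only define the functions
  *)    echo "usage: $0 show | add <entry> <DN>..." >&2; exit 2 ;;
esac
```

Usage, with a hypothetical third node's DN: `./nodesdn.sh show` prints the current entries, and `./nodesdn.sh add cluster1 'CN=single3.test.com,OU=O,O=O,L=O,ST=O,C=O'` creates or extends the cluster1 entry and prints the result. Two points worth checking when a GET returns `{}`: it is the plugin reporting an empty configuration, not a denied request (a denied request produces an error body and a privilege-evaluator log line like the one quoted earlier in the thread), so the fix is to load an entry, not to change roles. The script pins the root CA with `--cacert` instead of `--insecure`; that only works if the node's HTTP certificate names the host you connect to, so when the node certificate carries a hostname and you only have the IP, connect as `curl --resolve single2.test.com:9200:192.168.10.32 https://single2.test.com:9200/...` (hostname assumed from the nodes_dn entry above) rather than disabling verification.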