Opensearch config update kubernetes

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OS: 2.10.0

Describe the issue:

I have deployed a multi-node cluster using the Helm chart. Everything works fine, but I am getting the below error message:

"audit_request_privilege": "indices:admin/aliases/get",

So I have added the permission to the role which gets applied to the user.

        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices:data/read/search'
            - 'indices:data/read/search*'
            - 'indices:data/read/search/template'
            - 'indices:admin/refresh*'
            - 'indices:admin/get'
            - 'indices:admin/aliases/get'

Then I deployed the change via the Helm chart. I can see the config update in roles.yaml inside the pod, but I don't see it via the API (curl) and I still get the same error.

GET _plugins/_security/api/roles/role-name
{
  "index_patterns": [
    "*"
  ],
  "fls": [],
  "masked_fields": [],
  "allowed_actions": [
    "indices:data/read/search",
    "indices:data/read/search*",
    "indices:data/read/search/template"
  ]
}

Am I missing something? Why is the updated config not taking effect?
Thanks in advance.

Hi @arun_udaiyar,

have you used the securityadmin.sh script to apply your configuration?

Please see more here: Applying changes to configuration files - OpenSearch documentation

Let me know if you have any further questions.

Best,
Mantas

Hi @Mantas,
Thanks for your response.
I tried running the securityadmin.sh script to apply the configuration,
but I am getting the below error.

ERR: Seems you use a node certificate which is also an admin certificate
That may have worked with older OpenSearch Security versions but it indicates
a configuration error and is therefore forbidden now.

And I found that I used the same name for node_dn and admin_dn:

  security:
    nodes_dn:
      - 'CN=search.myorg.net'
      - 'CN=opensearch-cluster-master.opensearch.svc.cluster.local'
      - 'CN=*.cluster.local'
    ssl:
      transport:
        pemcert_filepath: certs/tls.crt
        pemkey_filepath: certs/tls.key
        pemtrustedcas_filepath: certs/tls.crt
        enforce_hostname_verification: false
        resolve_hostname: false
      http:
        enabled: true
        pemcert_filepath: certs/tls.crt
        pemkey_filepath: certs/tls.key
        pemtrustedcas_filepath: certs/tls.crt
    allow_unsafe_democertificates: false
    allow_default_init_securityindex: true
    authcz:
      admin_dn:
        - CN=search.myorg.net
        - CN=opensearch-cluster-master.opensearch.svc.cluster.local

And I used the TLS cert which was created by cert-manager.

Is there any way to change it without deleting the PVC (data)?
It would be really helpful.
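A preflight check for the conflict that securityadmin.sh reports above, as an added example that is not part of the thread and not OpenSearch's own code: it lists every admin_dn entry that also matches a nodes_dn entry, using the DN lists from the post. The DN normalization and the use of fnmatch for `*` wildcards are assumptions standing in for the plugin's own matching, and `CN=opensearch-admin` is a constructed placeholder.

```python
"""Flag admin_dn entries that also match a nodes_dn entry (added example)."""
from fnmatch import fnmatchcase

# DN lists copied from the opensearch.yml fragment in the post above.
NODES_DN = [
    "CN=search.myorg.net",
    "CN=opensearch-cluster-master.opensearch.svc.cluster.local",
    "CN=*.cluster.local",
]
ADMIN_DN = [
    "CN=search.myorg.net",
    "CN=opensearch-cluster-master.opensearch.svc.cluster.local",
]
# Constructed placeholder: a dedicated admin client certificate subject.
SEPARATE_ADMIN_DN = ["CN=opensearch-admin"]


def normalize_dn(dn):
    """Lower-case a DN and strip spaces around ',' and '='.

    Assumption: a simplified comparison form; escaped commas inside
    attribute values are not handled.
    """
    parts = []
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        parts.append(key.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)


def overlapping_admin_dns(nodes_dn, admin_dn):
    """Map each admin DN to the nodes_dn entries it also matches."""
    report = {}
    for admin in admin_dn:
        # fnmatchcase handles the '*' wildcard seen in nodes_dn (assumption:
        # an approximation of the security plugin's wildcard matching).
        matched = [p for p in nodes_dn
                   if fnmatchcase(normalize_dn(admin), normalize_dn(p))]
        if matched:
            report[admin] = matched
    return report


if __name__ == "__main__":
    for admin, patterns in overlapping_admin_dns(NODES_DN, ADMIN_DN).items():
        print("CONFLICT:", admin, "also matches nodes_dn", patterns)
    if not overlapping_admin_dns(NODES_DN, SEPARATE_ADMIN_DN):
        print("OK:", SEPARATE_ADMIN_DN, "does not match any nodes_dn entry")
```

An empty result means no admin DN is also treated as a node certificate subject by these lists; it does not cover node certificates identified by other means.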

Hi @Mantas, @pablo
It shows success but the security config is not getting updated.
Do I need to create a separate cert for admin_dn? Currently I used the TLS certs which were created using cert-manager.

My bad, it works fine. I just need to run securityadmin.sh on all master pods.
Thanks, team, for your support.