Opensearch config update kubernetes

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OS: 2.10.0

Describe the issue:

i have deployed multi-node cluster using helm chart, everything works fine, but i am getting the below error message

“audit_request_privilege”: “indices:admin/aliases/get”,

so i have added the permission on role which will get apply for the user.

        - index_patterns:
            - '*'
            - 'indices:data/read/search'
            - 'indices:data/read/search*'
            - 'indices:data/read/search/template'
            - 'indices:admin/refresh*'
            - 'indices:admin/get'
            - 'indices:admin/aliases/get'

then i deployed the change via helm chart, i can see the config update at roles.yaml inside the pod, but i dont see it on api curl and i still get the same error.

GET _plugins/_security/api/roles/role-name
“index_patterns”: [
“fls”: [],
“masked_fields”: [],
“allowed_actions”: [

am i missing something, why the updated config is not taking place
Thanks in advance

Hi @arun_udaiyar,

have you used the script to apply your configuration?

Please see more here: Applying changes to configuration files - OpenSearch documentation

Let m know if any further questions.


Hi @Mantas ,
Thanks for your response.
i tried running the script to apply the configuration
but i am getting the below error.

ERR: Seems you use a node certificate which is also an admin certificate
That may have worked with older OpenSearch Security versions but it indicates
a configuration error and is therefore forbidden now.

and i found that i used the same name for node_dn and admin_dn,

      - ''
      - 'CN=opensearch-cluster-master.opensearch.svc.cluster.local'
      - 'CN=*.cluster.local'
        pemcert_filepath: certs/tls.crt
        pemkey_filepath: certs/tls.key
        pemtrustedcas_filepath: certs/tls.crt
        enforce_hostname_verification: false
        resolve_hostname: false
        enabled: true
        pemcert_filepath: certs/tls.crt
        pemkey_filepath: certs/tls.key
        pemtrustedcas_filepath: certs/tls.crt
    allow_unsafe_democertificates: false
    allow_default_init_securityindex: true
        - CN=opensearch-cluster-master.opensearch.svc.cluster.local

and i used the tls cert which created by cert-manager.

is there any way to change it without deleting the PVC(data).
It will be really helpful.

Hi @Mantas , @pablo
it shows success but security config is not getting updated.
do i need to create separate cert for admin_dn, currently i used the tls certs which created using cert-manager

My bad, it works fine. i just need to run the on all master pods.
Thanks team for your support.