pablo
November 2, 2022, 1:07pm
2
@albgus I think you’ve faced the scenario described in this thread.
Hello,
I’m having trouble deploying an Opensearch 2.0.0 cluster with the security plugin enabled.
When deploying it in this way I get the following error:
[2022-06-02T16:21:38,726][WARN ][o.o.d.HandshakingTransportAddressConnector] [DNS] handshake failed for [connectToRemoteMasterNode[IP:9300]] org.opensearch.transport.RemoteTransportException: [DNS][IP:9300][internal:transport/handshake] Caused by: org.opensearch.OpenSearchException: Transport client authentication no longer supported. …
opensearch-project:main ← jochenkressin:remove-transport-auth
opened 03:47PM - 23 Mar 22 UTC
### Description
With OpenSearch 2.0 the TransportClient is being removed. This … means that there is no need for TransportClient auth/auth code anymore, or audit log categories that are connected with TansportLayer auth/auth. This PR removes the obsolete code and fixes some tests audit log unit tests.
### Issues Resolved
https://github.com/opensearch-project/security/issues/1578
Is this a backport? If so, please add backport PR # and/or commits #
No
### Testing
Ran the complete test suite, adapted tests that involved TransportClient auth/auth or obsolete audit log categories
### Check List
- [x] New functionality includes testing
- [ ] New functionality has been documented
- [x] Commits are signed per the DCO using --signoff
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).
# OpenSearch and Dashboards 2.0.0 Release Notes
## Release Highlights
* Document level alerting allows users to create monitors that can generate alerts per document
* Lucene 9 is now used in OpenSearch
* The Geo Map Tiles in OpenSearch Dashboards are updated and now have a pipeline to update them more frequently
* Document level security now supports term lookup queries
### OpenSearch Notifications
* OpenSearch 2.0.0 is the first official release with OpenSearch Notifications
* Notifications consist of three plugins, `notifications-core` and `notifications` backend plugins for OpenSearch, and a `notificationsDashboards` frontend plugin for OpenSearch Dashboards
## Release Details
OpenSearch and OpenSearch Dashboards 2.0.0 includes the following features, enhancements, bug fixes, infrastructure, documentation, maintenance, and refactoring updates:
OpenSearch [Release Notes](https://github.com/opensearch-project/OpenSearch/blob/2.0/release-notes/opensearch.release-notes-2.0.0.md)
show original
This issue is not present when demo certificates are in use. However, when you migrate to production then you must configure plugins.security.nodes_dn:.
Any node that won’t be in that list, will produce the reported error in OpenSearch logs.plugins.security.nodes_dn: have to match the node certificate.
The error says that TLS is optional for the REST. That is correct. The REST connection is on port 9200. This can be either secured or not. However, since transport layer auth/auth is no longer supported, securityadmin.sh has moved from port 9300 to 9200. That forces port 9200 to be secured for running securityadmin.sh script.
TLS always was and is mandatory for the transport layer (ports 9300 - 9400).