Path to internal_users.yml change admin password

Security
,
1

opensearch latest container connection via dashboards container in docker-compose

im trying to change default admin user pass ,add local users
/usr/share/opensearch/config/opensearch-security/internal_users.yml
is this the default path to opensearch container users pass as it doesnt seem to take new hash and admin:admin still works

any log file i can look at to trouble shoot internal users login

internal_users.yml change admin password

see references to this but it doesnt exist ?
/usr/share/opensearch/plugins/opensearch-security/securityconfig

2

@infodata What OpenSearch version are you running?
The location of the security config files has changed in the version 2.0 from /usr/share/opensearch/plugins/opensearch-security/securityconfig to /usr/share/opensearch/config/opensearch-security/.

Version 1.3 is still using /usr/share/opensearch/plugins/opensearch-security/securityconfig.

3

using these images

opensearchproject/opensearch:latest
opensearchproject/opensearch-dashboards:latest

also copied updated internal_users.yml to other path,so same file in both paths
but the authentication seems to be using default hash and not updated file internal_users.yml ?

any logs to look

[opensearch@b0d0dbf90dea ~]$ diff ./plugins/opensearch-security/securityconfig/internal_users.yml ./config/opensearch-security/internal_users.yml
[opensearch@b0d0dbf90dea ~]$

4

@infodata How did you apply the change to the cluster?
Did you build the containers again with docker-compose up --build or executed securityadmin.sh script?

5

didnt know securityadmin.sh must be run to apply changes as the doc I was looking assumes managed service

this is what im getting

[opensearch@258538c06c3e tools]$ ./securityadmin.sh -f …/…/…/config/opensearch-security/internal_users.yml -icl -nhnv -cert /usr/share/opensearch/config/kirk.pem -cacert /usr/share/opensearch/config/root-ca.pem -key /usr/share/opensearch/config/kirk-key.pem -t config

** This tool will be deprecated in the next major release of OpenSearch **
** [DEPRECATION] Security Plugin Tools will be replaced · Issue #1755 · opensearch-project/security · GitHub **

Security Admin v7
Will connect to localhost:9200 … done
Connected as “CN=kirk,OU=client,O=client,L=test,C=de”
OpenSearch Version: 2.0.0
Contacting opensearch cluster ‘opensearch’ and wait for YELLOW clusterstate …
Clustername: opensearch-cluster
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Legacy index ‘.opendistro_security’ (ES 6) detected (or forced). You should migrate the configuration!
Populate config from /usr/share/opensearch/plugins/opensearch-security/tools
Force type: config
ERR: Seems …/…/…/config/opensearch-security/internal_users.yml is not in legacy format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field “hash” (class org.opensearch.security.securityconf.impl.v7.ConfigV7), not marked as ignorable (one known property: “dynamic”])
at [Source: (String)“{”_meta":{“type”:“internalusers”,“config_version”:2},“admin”:{“hash”:“xxxx”,“reserved”:true,“backend_roles”:[“admin”],“description”:“Demo admin user”},“opensearchadmin”:{“hash”:“xxx”,“reserved”:true,“backend_roles”:[“admin”],“description”:“opensearchadmin user”},“kibanaserver”:{“hash”:“xxx”,“reserved”:true,“description”:“Demo Op”[truncated 817 chars]; line: 1, column: 71] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration[“admin”]->org.opensearch.security.securityconf.impl.v7.ConfigV7[“hash”])
ERR: cannot upload configuration, see errors above

=====================
[opensearch@258538c06c3e tools]$ ./securityadmin.sh -backup backup6172022 \

-icl
-nhnv
-cacert …/…/…/config/root-ca.pem
-cert …/…/…/config/kirk.pem
-key …/…/…/config/kirk-key.pem

** This tool will be deprecated in the next major release of OpenSearch **
** [DEPRECATION] Security Plugin Tools will be replaced · Issue #1755 · opensearch-project/security · GitHub **

Security Admin v7
Will connect to localhost:9200 … done
Connected as “CN=kirk,OU=client,O=client,L=test,C=de”
OpenSearch Version: 2.0.0
Contacting opensearch cluster ‘opensearch’ and wait for YELLOW clusterstate …
Clustername: opensearch-cluster
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Legacy index ‘.opendistro_security’ (ES 6) detected (or forced). You should migrate the configuration!
Will retrieve ‘/config’ into /usr/share/opensearch/plugins/opensearch-security/tools/backup6172022/config.yml (legacy mode)
ERR: Seems config from cluster is not in legacy format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field “description” (class org.opensearch.security.securityconf.impl.v6.ConfigV6$AuthcDomain), not marked as ignorable (6 known properties: “enabled”, “http_enabled”, “transport_enabled”, “http_authenticator”, “authentication_backend”, “order”])
at [Source: (String)“{”_meta":{“type”:“config”,“config_version”:2},“config”:{“dynamic”:{“http”:{“anonymous_auth_enabled”:false,“xff”:{“enabled”:false,“internalProxies”:“192\.168\.0\.10|192\.168\.0\.11”}},“authc”:{“kerberos_auth_domain”:{“http_enabled”:false,“transport_enabled”:false,“order”:6,“http_authenticator”:{“type”:“kerberos”,“challenge”:true,“config”:{“krb_debug”:false,“strip_realm_from_principal”:true}},“authentication_backend”:{“type”:“noop”}},“basic_internal_auth_domain”:{“description”:“Authenticate “[truncated 2394 chars]; line: 1, column: 488] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration[“config”]->org.opensearch.security.securityconf.impl.v6.ConfigV6[“dynamic”]->org.opensearch.security.securityconf.impl.v6.ConfigV6$Dynamic[“authc”]->org.opensearch.security.securityconf.impl.v6.ConfigV6$Authc[“basic_internal_auth_domain”]->org.opensearch.security.securityconf.impl.v6.ConfigV6$AuthcDomain[“description”])
Will retrieve ‘/roles’ into /usr/share/opensearch/plugins/opensearch-security/tools/backup6172022/roles.yml (legacy mode)
ERR: Seems roles from cluster is not in legacy format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field “cluster_permissions” (class org.opensearch.security.securityconf.impl.v6.RoleV6), not marked as ignorable (5 known properties: “tenants”, “readonly”, “indices”, “hidden”, “cluster”])
at [Source: (String)”{”_meta":{“type”:“roles”,“config_version”:2},“kibana_read_only”:{“reserved”:true},“security_rest_api_access”:{“reserved”:true},“alerting_read_access”:{“reserved”:true,“cluster_permissions”:[“cluster:admin/opendistro/alerting/alerts/get”,“cluster:admin/opendistro/alerting/destination/get”,“cluster:admin/opendistro/alerting/monitor/get”,“cluster:admin/opendistro/alerting/monitor/search”,“cluster:admin/opensearch/alerting/findings/get”]},“alerting_ack_alerts”:{“reserved”:true,“cluster_permissions”:“[truncated 5296 chars]; line: 1, column: 191] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration[“alerting_read_access”]->org.opensearch.security.securityconf.impl.v6.RoleV6[“cluster_permissions”])
Will retrieve ‘/rolesmapping’ into /usr/share/opensearch/plugins/opensearch-security/tools/backup6172022/roles_mapping.yml (legacy mode)
ERR: Seems rolesmapping from cluster is not in legacy format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field “backend_roles” (class org.opensearch.security.securityconf.impl.v6.RoleMappingsV6), not marked as ignorable (6 known properties: “and_backendroles”, “readonly”, “users”, “backendroles”, “hidden”, “hosts”])
at [Source: (String)”{“_meta”:{“type”:“rolesmapping”,“config_version”:2},“all_access”:{“reserved”:false,“backend_roles”:[“admin”],“description”:“Maps admin to all_access”},“own_index”:{“reserved”:false,“users”:[“*”],“description”:“Allow full access to an index named like the username”},“logstash”:{“reserved”:false,“backend_roles”:[“logstash”]},“kibana_user”:{“reserved”:false,“backend_roles”:[“kibanauser”],“description”:“Maps kibanauser to kibana_user”},“readall”:{“reserved”:false,“backend_roles”:[“readall”]},“manage”[truncated 126 chars]; line: 1, column: 101] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration[“all_access”]->org.opensearch.security.securityconf.impl.v6.RoleMappingsV6[“backend_roles”])
Will retrieve ‘/internalusers’ into /usr/share/opensearch/plugins/opensearch-security/tools/backup6172022/internal_users.yml (legacy mode)
ERR: Seems internalusers from cluster is not in legacy format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field “backend_roles” (class org.opensearch.security.securityconf.impl.v6.InternalUserV6), not marked as ignorable (7 known properties: “readonly”, “username”, “attributes”, “hidden”, “password”, “roles”, “hash”])
at [Source: (String)“{”_meta":{“type”:“internalusers”,“config_version”:2},“admin”:{“hash”:“xxxx”,“reserved”:true,“backend_roles”:[“admin”],“description”:“Demo admin user”},“kibanaserver”:{“hash”:“xxxxx.”,“reserved”:true,“description”:“Demo OpenSearch Dashboards user”},“kibanaro”:{“hash”:“xxxx”,“reserved”:false,“backend_roles”:[“kibanauser”,“readall”],“a”[truncated 648 chars]; line: 1, column: 166] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration[“admin”]->org.opensearch.security.securityconf.impl.v6.InternalUserV6[“backend_roles”])
Will retrieve ‘/actiongroups’ into /usr/share/opensearch/plugins/opensearch-security/tools/backup6172022/action_groups.yml (legacy mode)
ERR: Seems actiongroups from cluster is not in legacy format: java.io.IOException: A version of 1 can not have a _meta key for ACTIONGROUPS
Will retrieve ‘/nodesdn’ into /usr/share/opensearch/plugins/opensearch-security/tools/backup6172022/nodes_dn.yml (legacy mode)
ERR: Seems nodesdn from cluster is not in legacy format: java.io.IOException: A version of 1 can not have a _meta key for NODESDN
Will retrieve ‘/whitelist’ into /usr/share/opensearch/plugins/opensearch-security/tools/backup6172022/whitelist.yml (legacy mode)
ERR: Seems whitelist from cluster is not in legacy format: java.io.IOException: A version of 1 can not have a _meta key for WHITELIST
Will retrieve ‘/audit’ into /usr/share/opensearch/plugins/opensearch-security/tools/backup6172022/audit.yml (legacy mode)
ERR: Seems audit from cluster is not in legacy format: java.io.IOException: A version of 1 can not have a _meta key for AUDIT
[opensearch@258538c06c3e tools]$

6

This below worked

[opensearch@258538c06c3e tools]$ ./securityadmin.sh -f …/…/…/config/opensearch-security/internal_users.yml -t internalusers -icl -nhnv -cacert …/…/…/config/root-ca.pem -cert …/…/…/config/kirk.pem -key …/…/…/config/kirk-key.pem

** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **

Security Admin v7
Will connect to localhost:9200 … done
Connected as “CN=kirk,OU=client,O=client,L=test,C=de”
OpenSearch Version: 2.0.0
Contacting opensearch cluster ‘opensearch’ and wait for YELLOW clusterstate …
Clustername: opensearch-cluster
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Legacy index ‘.opendistro_security’ (ES 6) detected (or forced). You should migrate the configuration!
Populate config from /usr/share/opensearch/plugins/opensearch-security/tools
Force type: internalusers
Will update ‘/internalusers’ with …/…/…/config/opensearch-security/internal_users.yml (legacy mode)
SUCC: Configuration for ‘internalusers’ created or updated
SUCC: Expected 1 config types for node {“updated_config_types”:[“internalusers”],“updated_config_size”:1,“message”:null} is 1 ([“internalusers”]) due to: null
Done with success

7

@infodata The backup error is a bug and has been already reported to the dev team.

8

@infodata As per documentation -t internalusers must be used to apply only internal_users.yml configuration file.

You could also use -cd flag instead of -f and -t this flags to upload of all configuration files from the folder.

Since there is a bug with backup function, I would suggest to use either OpenSearch Dashboards UI or securityadmin.sh only until it’s fixed.

9

@pablo thank you
when use full path it did not work even though files were there , but relative path it worked
-cert /usr/share/opensearch/config/kirk.pem -cacert /usr/share/opensearch/config/root-ca.pem -key /usr/share/opensearch/config/kirk-key.pem

also below doc has /etc/ path to cert/pem files where they dont exist and should be updated to use relative path

Sample commands

10

@infodata The etc path is not important when you use them with securityadmin.sh script. You can keep those files where you want as long as you have read access. By default, these demo certs are placed in /usr/share/opensearch/config.

However, when you define cert files inside of the opensearch.yml file then you must place them in the /usr/share/opensearch/config folder.