Roles.yml is not in Open Distro Security 7 format

Hi,

Elasticsearch version : 7.10.2
number of master nodes : 3
data nodes : 1

I’m getting the following error when I try to enable the security tools in Open Distro Security in Elasticsearch:

command : bash /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -nhnv -nrhn -icl -cacert /etc/elasticsearch/certs/MyRootCA.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin.key -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
Error :

ERR: Seems /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml is not in Open Distro Security 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field “cluster” (class com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.RoleV7), not marked as ignorable (7 known properties: “index_permissions”, “reserved”, “hidden”, “description”, “static”, “cluster_permissions”, “tenant_permissions”])
at [Source: (String)“{”_meta":{“type”:“roles”,“config_version”:2},“kibana_read_only”:{“reserved”:true},“security_rest_api_access”:{“reserved”:true},“alerting_read_access”:{“reserved”:true,“cluster_permissions”:[“cluster:admin/opendistro/alerting/alerts/get”,“cluster:admin/opendistro/alerting/destination/get”,“cluster:admin/opendistro/alerting/monitor/get”,“cluster:admin/opendistro/alerting/monitor/search”]},“alerting_ack_alerts”:{“reserved”:true,“cluster_permissions”:[“cluster:admin/opendistro/alerting/alerts/*”]},“”[truncated 2851 chars]; line: 1, column: 3181] (through reference chain: com.amazon.opendistroforelasticsearch.security.securityconf.impl.SecurityDynamicConfiguration[“opendistro_security_logstash”]->com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.RoleV7[“cluster”])

full output :

Clustername: sls-elk
Clusterstate: GREEN
Number of nodes: 4
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
Will update ‘_doc/config’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
SUCC: Configuration for ‘config’ created or updated
ERR: Seems /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml is not in Open Distro Security 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field “cluster” (class com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.RoleV7), not marked as ignorable (7 known properties: “index_permissions”, “reserved”, “hidden”, “description”, “static”, “cluster_permissions”, “tenant_permissions”])
at [Source: (String)“{”_meta":{“type”:“roles”,“config_version”:2},“kibana_read_only”:{“reserved”:true},“security_rest_api_access”:{“reserved”:true},“alerting_read_access”:{“reserved”:true,“cluster_permissions”:[“cluster:admin/opendistro/alerting/alerts/get”,“cluster:admin/opendistro/alerting/destination/get”,“cluster:admin/opendistro/alerting/monitor/get”,“cluster:admin/opendistro/alerting/monitor/search”]},“alerting_ack_alerts”:{“reserved”:true,“cluster_permissions”:[“cluster:admin/opendistro/alerting/alerts/*”]},“”[truncated 2851 chars]; line: 1, column: 3181] (through reference chain: com.amazon.opendistroforelasticsearch.security.securityconf.impl.SecurityDynamicConfiguration[“opendistro_security_logstash”]->com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.RoleV7[“cluster”])
Will update ‘_doc/rolesmapping’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘_doc/internalusers’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘_doc/actiongroups’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Will update ‘_doc/tenants’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml
SUCC: Configuration for ‘tenants’ created or updated
Will update ‘_doc/nodesdn’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml
SUCC: Configuration for ‘nodesdn’ created or updated
Will update ‘_doc/whitelist’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml
SUCC: Configuration for ‘whitelist’ created or updated
Will update ‘_doc/audit’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml
SUCC: Configuration for ‘audit’ created or updated
ERR: cannot upload configuration, see errors above

Could anyone guide me to resolve this issue?

Thanks in advance.

Hi @madura,
Could you please share your roles.yml file?
As the log tells you, the 7 options are no longer known in Open Distro Security 7.
Maybe the way you have to configure these has changed since your version.
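
Added example, not part of either post above and not Open Distro code: a pre-flight check that walks a parsed roles document and lists every role key outside the seven properties named in the error, so all offending entries are found in one pass instead of one securityadmin.sh run per error. The sample document and the rename hints are assumptions, labelled as such in the code.

```python
import json

# The seven properties RoleV7 accepts, copied from the error message above.
ROLE_V7_FIELDS = {
    "index_permissions", "reserved", "hidden", "description",
    "static", "cluster_permissions", "tenant_permissions",
}

# Assumption: likely renames from the pre-7 role layout; confirm against
# the documentation for your plugin version before editing roles.yml.
LEGACY_HINTS = {
    "cluster": "cluster_permissions",
    "indices": "index_permissions",
    "tenants": "tenant_permissions",
}


def find_unrecognized_fields(roles):
    """Return (role, field, hint) for every key RoleV7 would reject."""
    findings = []
    for role_name, body in roles.items():
        if role_name == "_meta" or not isinstance(body, dict):
            continue  # _meta is file metadata, not a role definition
        for field in body:
            if field not in ROLE_V7_FIELDS:
                findings.append((role_name, field, LEGACY_HINTS.get(field)))
    return findings


# Constructed sample, shaped like the JSON string quoted in the error.
# The contents of the opendistro_security_logstash role are invented here.
SAMPLE = json.loads("""
{
  "_meta": {"type": "roles", "config_version": 2},
  "kibana_read_only": {"reserved": true},
  "opendistro_security_logstash": {
    "cluster": ["CLUSTER_MONITOR"],
    "indices": {"logstash-*": {"*": ["CRUD"]}}
  }
}
""")

if __name__ == "__main__":
    for role, field, hint in find_unrecognized_fields(SAMPLE):
        suffix = f" (v7 name may be '{hint}')" if hint else ""
        print(f"{role}: unrecognized field '{field}'{suffix}")
```

To check a real roles.yml, parse it into a dict first (for example with PyYAML's `yaml.safe_load`) and pass the result to `find_unrecognized_fields`.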