Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch: 2.2.1
Describe the issue:
- Installed OpenSearch with the security plugin enabled (in a Kubernetes environment, as a Helm chart).
- Executed securityadmin.sh and the opensearch_security index got initialised successfully.
- Re-ran securityadmin.sh with the exact same configurations. Now it detects the security index to be of legacy (6) format.

The configurations are in OpenSearch 2.x format only, so how is the plugin detecting it as legacy format on upgrade?
Configuration:
internal_users.yml:
```yaml
---
_meta:
  type: "internalusers"
  config_version: 2
admin:
  reserved: false
  hidden: false
  hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
  backend_roles:
  - "admin"
kibanaserver:
  reserved: false
  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
```
action_groups.yml:
```yaml
---
_meta:
  type: "actiongroups"
  config_version: 2
```
config.yml:
```yaml
---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    kibana:
      multitenancy_enabled: false
      server_username: kibanaserver
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: ".+"
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: true
          config: {}
        authentication_backend:
          type: "intern"
          config: {}
```
roles.yml:
```yaml
---
_meta:
  type: "roles"
  config_version: 2
kibana_read_only:
  reserved: false
security_rest_api_access:
  reserved: false
kibana_multitenancy_user:
  reserved: false
  hidden: false
  index_permissions:
  - index_patterns:
    - ".kibana_*"
    allowed_actions:
    - manage
    - read
    - delete
    - index
  tenant_permissions:
  - tenant_patterns:
    - global_tenant
    allowed_actions:
    - kibana_all_write
```
roles_mapping.yml:
```yaml
---
_meta:
  type: "rolesmapping"
  config_version: 2
all_access:
  reserved: false
  hidden: false
  backend_roles:
  - "admin"
  description: "Migrated from v6"
own_index:
  reserved: false
  hidden: false
  users:
  - "*"
kibana_user:
  reserved: false
  backend_roles:
  - "kibanauser"
  description: "Maps kibanauser to kibana_user role"
readall:
  reserved: false
  backend_roles:
  - "readall"
kibana_server:
  reserved: false
  users:
  - "kibanaserver"
kibana_multitenancy_user:
  reserved: "false"
  hidden: "false"
  users:
  - "*"
```
tenants.yml:
```yaml
---
_meta:
  type: "tenants"
  config_version: 2
```
allowlist.yml:
```yaml
---
_meta:
  type: "allowlist"
  config_version: 2
```
audit.yml:
```yaml
---
_meta:
  type: "audit"
  config_version: 2
config:
  # enable/disable audit logging
  enabled: false
```
nodes_dn.yml:
```yaml
---
_meta:
  type: "nodesdn"
  config_version: 2
```
Relevant Logs or Screenshots:
Logs of 1st run of securityadmin.sh:
```
Security Admin v7
Will connect to shiv-opensearch-client-d9c8b6545-lf9q5:9200 ... done
Connected as "CN=admin,C=AU"
OpenSearch Version: 2.2.1
Contacting opensearch cluster 'shiv-shiv-es' and wait for YELLOW clusterstate ...
Clustername: shiv-shiv-es
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/opensearch/opensearch-security/
Will update '/config' with /etc/opensearch/opensearch-security/config.yml
SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/opensearch/opensearch-security/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/opensearch/opensearch-security/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/opensearch/opensearch-security/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/opensearch/opensearch-security/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/opensearch/opensearch-security/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/opensearch/opensearch-security/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/opensearch/opensearch-security/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/opensearch/opensearch-security/audit.yml
SUCC: Configuration for 'audit' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
securityadmin ended
```
Logs of the 2nd run of securityadmin with the same configs:
```
Security Admin v7
Will connect to shiv-opensearch-client-d9c8b6545-lf9q5:9200 ... done
Connected as "CN=admin,C=AU"
OpenSearch Version: 2.2.1
Contacting opensearch cluster 'shiv-shiv-es' and wait for YELLOW clusterstate ...
Clustername: shiv-shiv-es
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Legacy index '.opendistro_security' (ES 6) detected (or forced). You should migrate the configuration!
Populate config from /etc/opensearch/opensearch-security/
Will update '/config' with /etc/opensearch/opensearch-security/config.yml (legacy mode)
SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/opensearch/opensearch-security/roles.yml (legacy mode)
SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/opensearch/opensearch-security/roles_mapping.yml (legacy mode)
SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/opensearch/opensearch-security/internal_users.yml (legacy mode)
SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/opensearch/opensearch-security/action_groups.yml (legacy mode)
SUCC: Configuration for 'actiongroups' created or updated
Will update '/nodesdn' with /etc/opensearch/opensearch-security/nodes_dn.yml (legacy mode)
SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/opensearch/opensearch-security/whitelist.yml (legacy mode)
SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/opensearch/opensearch-security/audit.yml (legacy mode)
SUCC: Configuration for 'audit' created or updated
SUCC: Expected 7 config types for node {"updated_config_types":["config","roles","rolesmapping","internalusers","actiongroups","nodesdn","audit"],"updated_config_size":7,"message":null} is 7 (["config","roles","rolesmapping","internalusers","actiongroups","nodesdn","audit"]) due to: null
SUCC: Expected 7 config types for node {"updated_config_types":["config","roles","rolesmapping","internalusers","actiongroups","nodesdn","audit"],"updated_config_size":7,"message":null} is 7 (["config","roles","rolesmapping","internalusers","actiongroups","nodesdn","audit"]) due to: null
SUCC: Expected 7 config types for node {"updated_config_types":["config","roles","rolesmapping","internalusers","actiongroups","nodesdn","audit"],"updated_config_size":7,"message":null} is 7 (["config","roles","rolesmapping","internalusers","actiongroups","nodesdn","audit"]) due to: null
Done with success
```
Also observed: the second run does not show a successful update message for the tenants.yml file. Why is this inconsistency seen with this file?

How do we stop this from being incorrectly detected as a legacy index?
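A check that flags this situation automatically, as an added example that is not part of the original post and not code from the OpenSearch project: it parses securityadmin output in the format quoted above and reports whether a re-run fell into legacy mode and which config types it skipped or the nodes did not confirm. The sample logs are constructed and abbreviated to four config types, and the function names are hypothetical; it reports the symptom, not the cause.

```python
import json
import re

# Constructed sample, abbreviated to four config types, in the format of the two runs above.
RUN_1 = """\
Will update '/config' with /etc/opensearch/opensearch-security/config.yml
Will update '/tenants' with /etc/opensearch/opensearch-security/tenants.yml
Will update '/whitelist' with /etc/opensearch/opensearch-security/whitelist.yml
Will update '/audit' with /etc/opensearch/opensearch-security/audit.yml
SUCC: Expected 5 config types for node {"updated_config_types":["allowlist","tenants","audit","whitelist","config"],"updated_config_size":5,"message":null} is 5 (["allowlist","tenants","audit","whitelist","config"]) due to: null
"""
RUN_2 = """\
Legacy index '.opendistro_security' (ES 6) detected (or forced). You should migrate the configuration!
Will update '/config' with /etc/opensearch/opensearch-security/config.yml (legacy mode)
Will update '/whitelist' with /etc/opensearch/opensearch-security/whitelist.yml (legacy mode)
Will update '/audit' with /etc/opensearch/opensearch-security/audit.yml (legacy mode)
SUCC: Expected 2 config types for node {"updated_config_types":["config","audit"],"updated_config_size":2,"message":null} is 2 (["config","audit"]) due to: null
"""

UPDATE_RE = re.compile(r"^Will update '/(\w+)' with \S+")
NODE_RE = re.compile(r"^SUCC: Expected \d+ config types for node (\{.*?\}) is ")

def summarize(log):
    """Extract what one securityadmin run attempted and what every node confirmed."""
    run = {"legacy": False, "attempted": set(), "confirmed": None}
    for line in map(str.strip, log.splitlines()):
        run["legacy"] = run["legacy"] or line.startswith("Legacy index")
        m = UPDATE_RE.match(line)
        if m:
            run["attempted"].add(m.group(1))
        m = NODE_RE.match(line)
        if m:
            types = set(json.loads(m.group(1))["updated_config_types"])
            # One SUCC line per node: keep only the types that all nodes reported.
            run["confirmed"] = types if run["confirmed"] is None else run["confirmed"] & types
    run["confirmed"] = run["confirmed"] or set()
    return run

def compare(first, second):
    """Report what a re-run dropped relative to the initial run."""
    a, b = summarize(first), summarize(second)
    return {
        "legacy_detected": b["legacy"],
        "not_attempted": sorted(a["attempted"] - b["attempted"]),
        "unconfirmed": sorted(b["attempted"] - b["confirmed"]),
        "lost_on_nodes": sorted(a["confirmed"] - b["confirmed"]),
    }
```

Calling `compare(RUN_1, RUN_2)` on the full logs from the post gives the same three findings: `tenants` is never attempted, `whitelist` is uploaded but missing from the node responses, and `allowlist` drops out of the confirmed set.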