Securityadmin error when initializing the cluster

Self-Answering

  • By comparing the two opensearch.yml files (Cluster A's certificates are created by cert-manager and Cluster B's by the operator), I found that the authcz.admin_dn and nodes_dn settings are different.

# Cluster A : test-opensearch-cluster-1
security:
    tls:
      transport:
        generate: false
        perNode: false
        secret: 
          name: test-opensearch-cluster-1-transport-cert
        caSecret:
          name: test-opensearch-cluster-1-ca
        nodesDn: [CN=test-opensearch-cluster-1,OU=test-opensearch-cluster-1]
        adminDn: [CN=admin,OU=test-opensearch-cluster-1]
      http:
        generate: false
        secret:
          name: test-opensearch-cluster-1-http-cert
# Cluster B : test-opensearch-cluster-2
security:
    tls:
      transport:
        generate: true
        perNode: true
      http:
        generate: true

Printing the two opensearch.yml files shows that the former's DNs have been split into separate double-quoted strings, while the latter's have been combined into a single double-quoted string (see below):

$ k get cm test-opensearch-cluster-1-config -o yaml | grep plugins.security.nodes_dn --context=3
    plugins.security.authcz.admin_dn: ["CN=admin","OU=test-opensearch-cluster-1"]
    plugins.security.check_snapshot_restore_write_privileges: true
    plugins.security.enable_snapshot_restore_privilege: true
    plugins.security.nodes_dn: ["CN=test-opensearch-cluster-1","OU=test-opensearch-cluster-1"]
    plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
    plugins.security.ssl.http.enabled: true
    plugins.security.ssl.http.pemcert_filepath: tls-http/tls.crt

$ k get cm test-opensearch-cluster-2-config -o yaml -n test-opensearch-cluster-2 | grep plugins.security.nodes_dn --context=3
    plugins.security.authcz.admin_dn: ["CN=admin,OU=test-opensearch-cluster-2"]
    plugins.security.check_snapshot_restore_write_privileges: true
    plugins.security.enable_snapshot_restore_privilege: true
    plugins.security.nodes_dn: ["CN=test-opensearch-cluster-2,OU=test-opensearch-cluster-2"]
    plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
    plugins.security.ssl.http.enabled: true
    plugins.security.ssl.http.pemcert_filepath: tls-http/tls.crt

Today’s Lesson

  • Watch OUT for array types and double quotes in YAML (especially if you use a single transport certificate across nodes).
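A check for the split-DN problem described in the post, as an added example that is not part of the original post or of the OpenSearch operator: it parses the rendered `plugins.security.*_dn` lines from the ConfigMap, tests whether a certificate's full subject DN matches any allowlist entry, and renders the correctly quoted flow sequence for the operator's nodesDn / adminDn values. The sample config lines are constructed from the post's output, and the function names are my own.

```python
import json
import re

# Constructed sample lines, modelled on the two rendered ConfigMaps in the post.
CLUSTER_A = """\
plugins.security.authcz.admin_dn: ["CN=admin","OU=test-opensearch-cluster-1"]
plugins.security.nodes_dn: ["CN=test-opensearch-cluster-1","OU=test-opensearch-cluster-1"]
"""
CLUSTER_B = """\
plugins.security.authcz.admin_dn: ["CN=admin,OU=test-opensearch-cluster-2"]
plugins.security.nodes_dn: ["CN=test-opensearch-cluster-2,OU=test-opensearch-cluster-2"]
"""
DN_SETTINGS = ("plugins.security.authcz.admin_dn", "plugins.security.nodes_dn")

def dn_entries(config_text):
    """Return {setting: [entry, ...]} for the DN allowlist settings.
    The rendered value is a YAML flow sequence of double-quoted scalars, which
    is also valid JSON, so json.loads yields exactly the list the plugin sees."""
    found = {}
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in DN_SETTINGS:
            found[key] = json.loads(value.strip())
    return found

def normalize_dn(dn):
    """Canonical form: RDNs split on unescaped commas, whitespace stripped."""
    return tuple(p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip())

def unmatched_subjects(config_text, expected):
    """Return {setting: subject} for every certificate subject in `expected`
    (setting -> full subject DN) that no allowlist entry equals.
    An unquoted 'CN=a,OU=b' inside [...] is split at the comma by YAML, leaving
    fragments that never equal a full subject; the plugin then rejects every
    node and admin cert, which is what surfaces as the securityadmin error."""
    entries = dn_entries(config_text)
    problems = {}
    for setting, subject in expected.items():
        allowed = {normalize_dn(e) for e in entries.get(setting, [])}
        if normalize_dn(subject) not in allowed:
            problems[setting] = subject
    return problems

def flow_seq(dns):
    """Render DNs as a YAML flow sequence with each whole DN double-quoted:
    the form to use for the operator's nodesDn / adminDn values."""
    return "[" + ", ".join(json.dumps(dn) for dn in dns) + "]"
```

Run `unmatched_subjects` against the rendered ConfigMap before running securityadmin; an empty result means every expected subject is allowlisted as a whole DN.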