Securityadmin.sh breaks alerting

Security
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): v 3.5.0

Describe the issue:

We had a local user setup to process alerting. After running securityadmin.sh the user is missing and alerting created using a local user fails.

Configuration:

Local User created gets deleted and alerting fails to run. This cluster is connected to another cluster which holds the data[snapshot].

Relevant Logs or Screenshots:

Executing monitor from API - id: g7LqTJsB0XCKyeUkXLvb, type: query_level_monitor, periodStart: 2026-02-19T23:45:06.206Z, periodEnd: 2026-02-19T23:46:06.206Z, dryrun: false
{
    "type": "opensearch-log",
    "timestamp": "2026-02-19T23:46:06,293+0000",
    "level": "INFO",
    "component": "o.o.a.InputService",
    "message": "Error collecting inputs for monitor: g7LqTJsB0XCKyeUkXLvb",
    "stacktrace": [
        "org.opensearch.script.ScriptException: runtime error",
        "at org.opensearch.alerting.QueryLevelMonitorRunner$runMonitor$1.invokeSuspend(QueryLevelMonitorRunner.kt) ~[opensearch-alerting-3.5.0.0.jar:3.5.0.0]",
        "at kotlinx.coroutines.ResumeModeKt.resumeUninterceptedMode(ResumeMode.kt:46) ~[kotlinx-coroutines-core-1.1.1.jar:?]",
        "at kotlinx.coroutines.AbstractCoroutine.resumeWith(AbstractCoroutine.kt:117) ~[kotlinx-coroutines-core-1.1.1.jar:?]",
        "at kotlinx.coroutines.scheduling.CoroutineScheduler.access$runSafely(CoroutineScheduler.kt:60) [kotlinx-coroutines-core-1.1.1.jar:?]",
        "Caused by: org.opensearch.transport.RemoteTransportException: [snapshots][172.19.0.2:9303][indices:data/read/search]",
        "at org.opensearch.action.support.ActionFilter.apply(ActionFilter.java:67) ~[opensearch-3.5.0.jar:3.5.0]",
        "at org.opensearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:218) ~[opensearch-3.5.0.jar:3.5.0]",
        "at org.opensearch.security.ssl.transport.SecuritySSLRequestHandler.messageReceivedDecorate(SecuritySSLRequestHandler.java:186) ~[?:?]",
        "at org.opensearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:95) ~[?:?]",
        "at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:354) ~[?:?]",
        "at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107) ~[?:?]",
        "at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1398) ~[?:?]",
        "at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:545) ~[?:?]",
        "at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1429) ~[?:?]",
        "at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:918) ~[?:?]",
        "at io.netty.channel.nio.NioIoHandler.run(NioIoHandler.java:484) ~[?:?]",
        "at io.netty.channel.SingleThreadIoEventLoop.run(SingleThreadIoEventLoop.java:196) ~[?:?]",
        ""
    ]
2

@doug_f How did you create the user? Did you back up the security plugin configuration first with securityadmin.sh and then make the changes?