not an admin user

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):


Describe the issue:

when I try to script

single server on RHEL 8.7
in opensearch.yml file false true /etc/opensearch/opensearch-poc.pem /etc/opensearch/opensearch-poc-key.pem /etc/opensearch/root-ca.pem true /etc/opensearch/opensearch-poc.pem /etc/opensearch/opensearch-poc-key.pem /etc/opensearch/root-ca.pem true

  • “CN=A,OU=xxxx at xxx,O=Xxxx xx Xxxxxx,L=Xx Xxxx,ST=Xxxxxxx,C=US”
  • ‘,OU=xxxx at xxx,O=Xxxx xx Xxxxxx,L=Xx Xxxx,ST=Xxxxxxx,C=US’ internal_opensearch true true [“all_access”, “security_rest_api_access”]

Relevant Logs or Screenshots:
[root@opensearch-dev-1 opensearch]# cd /usr/share/opensearch/plugins/opensearch-security/tools
[root@opensearch-dev-1 tools]# OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./ -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/admin.pem -key /etc/opensearch/admin-key.pem -icl -nhnv

** This tool will be deprecated in the next major release of OpenSearch **
** [DEPRECATION] Security Plugin Tools will be replaced · Issue #1755 · opensearch-project/security · GitHub **

Security Admin v7
Will connect to localhost:9200 … done
Connected as “CN=A,OU=xxxx at xxx,O=Xxxx xx Mxxxxx,L=Xx Xxxx,ST=Xxxxxxx,C=US”
ERR: “CN=A,OU=xxxx at xxx,O=Xxxx xx Xxxxxx,L=Xx Xxxx,ST=Xxxxxxx,C=US” is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure opensearch.yml on all nodes contains:

  • ““CN=A,OU=xxxx at xxx,O=Xxxx xx Xxxxxx,L=Xx Xxxx,ST=Xxxxxxx,C=US””

Hi @keithhammel

Could you share the output of the below command?

openssl x509 -in admin.pem -noout -subject

Also, please try to use only CN in the admin_dn.

opensearch]# openssl x509 -in admin.pem -noout -subject
subject=CN = A, C = US, ST = Minnesota, L = StPaul, O = StateofMinnesota, OU = MNITatBCA

here is actual entry in opensearch.yml file
echo "" | sudo tee -a /etc/opensearch/opensearch.yml
echo " - 'CN=A,OU=MNITatBCA,O=StateofMinnesota,L=StPaul,ST=Minnesoata,C=US'" | sudo tee -a /etc/opensearch/opensearch.yml

and command creating cert.
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
ls -ltr
openssl req -new -key admin-key.pem -subj "/CN=A/C=US/ST=Minnesota/L=StPaul/O=StateofMinnesota/OU=MNITatBCA" -out admin.csr
openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 365

You have different values for the ST parameter. You have ST=Minnesoata in the and ST = Minnesota in the admin.pem file.

Please try to change it to the same values.

Thank you, that worked. Everything looks good now.

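The comparison that resolved this thread, as an added example that is not part of the original posts: a small POSIX shell check that lists which attribute differs between a certificate subject and an admin_dn entry. The function names are hypothetical, the sample values are the two strings quoted above, and the check ignores attribute order, so it is a typo finder rather than the security plugin's own matching logic.

```shell
#!/bin/sh
# Added example (not from the thread): find which RDN differs between a
# certificate subject and an admin_dn entry.

# Turn a DN into sorted TYPE=value lines. Accepts the "CN = A, C = US" form
# printed by `openssl x509 -noout -subject` and the compact "CN=A,C=US" form.
# Assumption: no value contains an escaped comma (true for the DNs here).
normalize_dn() {
  printf '%s\n' "$1" | tr ',' '\n' | sed \
    -e 's/^subject=//' \
    -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    -e 's/[[:space:]]*=[[:space:]]*/=/' \
    -e '/^$/d' | LC_ALL=C sort
}

# Print every RDN present on one side only. Returns 0 when both DNs carry the
# same attribute/value set, 1 otherwise. Values are compared exactly.
dn_diff() {
  dn_cert=$(normalize_dn "$1")
  dn_conf=$(normalize_dn "$2")
  [ "$dn_cert" = "$dn_conf" ] && return 0
  printf '%s\n' "$dn_cert" | while IFS= read -r rdn; do
    printf '%s\n' "$dn_conf" | grep -qxF -- "$rdn" || echo "cert: $rdn"
  done
  printf '%s\n' "$dn_conf" | while IFS= read -r rdn; do
    printf '%s\n' "$dn_cert" | grep -qxF -- "$rdn" || echo "admin_dn: $rdn"
  done
  return 1
}

# Constructed sample input: the two values quoted in this thread.
# On a node, CERT_SUBJECT would come from:
#   openssl x509 -in admin.pem -noout -subject
CERT_SUBJECT='subject=CN = A, C = US, ST = Minnesota, L = StPaul, O = StateofMinnesota, OU = MNITatBCA'
ADMIN_DN='CN=A,OU=MNITatBCA,O=StateofMinnesota,L=StPaul,ST=Minnesoata,C=US'

if dn_diff "$CERT_SUBJECT" "$ADMIN_DN"; then
  echo "admin_dn carries the same attributes as the certificate subject"
else
  echo "admin_dn differs from the certificate subject"
fi
```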