Securityadmin.sh ERR....is not an admin user

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

opensearch-2.5.0-1.x86_64

Describe the issue:

When I try to run the securityadmin.sh script

Configuration:
single server on RHEL 8.7
in opensearch.yml file

```yaml
plugins.security.disabled: false
#plugins.security.disabled: true
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/opensearch-poc.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/opensearch-poc-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/opensearch-poc.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/opensearch-poc-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - "CN=A,OU=xxxx at xxx,O=Xxxx xx Xxxxxx,L=Xx Xxxx,ST=Xxxxxxx,C=US"
plugins.security.nodes_dn:
  - 'CN=opensearch-poc-1.xxx.xxx.xxx.xx,OU=xxxx at xxx,O=Xxxx xx Xxxxxx,L=Xx Xxxx,ST=Xxxxxxx,C=US'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
```

Relevant Logs or Screenshots:

```text
[root@opensearch-dev-1 opensearch]# cd /usr/share/opensearch/plugins/opensearch-security/tools
[root@opensearch-dev-1 tools]# OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./securityadmin.sh -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/admin.pem -key /etc/opensearch/admin-key.pem -icl -nhnv

** This tool will be deprecated in the next major release of OpenSearch **
** [DEPRECATION] Security Plugin Tools will be replaced · Issue #1755 · opensearch-project/security · GitHub **

Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=A,OU=xxxx at xxx,O=Xxxx xx Mxxxxx,L=Xx Xxxx,ST=Xxxxxxx,C=US"
ERR: "CN=A,OU=xxxx at xxx,O=Xxxx xx Xxxxxx,L=Xx Xxxx,ST=Xxxxxxx,C=US" is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure opensearch.yml on all nodes contains:
plugins.security.authcz.admin_dn:
  - "CN=A,OU=xxxx at xxx,O=Xxxx xx Xxxxxx,L=Xx Xxxx,ST=Xxxxxxx,C=US"
```

Hi @keithhammel

Could you share the output of the below command?

```shell
openssl x509 -in admin.pem -noout -subject
```

Also, please try to use only CN in the admin_dn.

```text
opensearch]# openssl x509 -in admin.pem -noout -subject
subject=CN = A, C = US, ST = Minnesota, L = StPaul, O = StateofMinnesota, OU = MNITatBCA
```

Here is the actual entry in the opensearch.yml file:

```shell
echo "plugins.security.authcz.admin_dn:" | sudo tee -a /etc/opensearch/opensearch.yml
echo "  - 'CN=A,OU=MNITatBCA,O=StateofMinnesota,L=StPaul,ST=Minnesoata,C=US'" | sudo tee -a /etc/opensearch/opensearch.yml
```

And the commands creating the cert:

```shell
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
ls -ltr
openssl req -new -key admin-key.pem -subj "/CN=A/C=US/ST=Minnesota/L=StPaul/O=StateofMinnesota/OU=MNITatBCA" -out admin.csr
openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 365
```

You have different values for the ST parameter. You have ST=Minnesoata in the plugins.security.authcz.admin_dn and ST = Minnesota in the admin.pem file.

Please try to change it to the same values.
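The fix above comes down to one thing: the `admin_dn` string in opensearch.yml has to match the subject DN of admin.pem attribute for attribute, and a single-character typo in one value (here `ST`) is enough for securityadmin to reject the certificate. The script below is an added example of my own, not part of this thread and not the OpenSearch security plugin's own matching code. It parses both DN forms seen in the thread (the compact form securityadmin prints after "Connected as" and the `subject=` form openssl prints) and reports exactly which attribute differs. The sample DNs are constructed from the thread, with the `Minnesoata` typo kept so the check shows it; the comparison is simplified in that it assumes each attribute type occurs once in the DN.

```python
import re

# Constructed sample inputs modelled on the thread (not real certificates):
# the DN securityadmin printed after "Connected as", the admin_dn entry the
# poster appended to opensearch.yml (ST typo kept on purpose), and the
# "subject=" line openssl printed for the same certificate.
REPORTED_DN = "CN=A,OU=MNITatBCA,O=StateofMinnesota,L=StPaul,ST=Minnesota,C=US"
CONFIGURED_ADMIN_DN = "CN=A,OU=MNITatBCA,O=StateofMinnesota,L=StPaul,ST=Minnesoata,C=US"
OPENSSL_SUBJECT = ("subject=CN = A, C = US, ST = Minnesota, L = StPaul, "
                   "O = StateofMinnesota, OU = MNITatBCA")


def parse_dn(dn):
    """Split a DN string into an ordered list of (type, value) pairs.

    Accepts the compact form "CN=A,OU=x" and openssl's "subject=CN = A, OU = x"
    form. Attribute types are upper-cased and whitespace around "=" is dropped;
    values are kept verbatim, since securityadmin compares them literally.
    A comma escaped as "\\," inside a value is not treated as a separator.
    """
    dn = dn.strip()
    if dn.lower().startswith("subject="):
        dn = dn[len("subject="):]
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if not part.strip():
            continue
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def dn_mismatches(configured, actual):
    """Compare an admin_dn entry with the DN the client certificate presents.

    Returns a list of human-readable differences; an empty list means the two
    agree attribute for attribute and in the same order. Simplification: each
    attribute type is assumed to appear at most once (true for the thread's cert).
    """
    cfg = parse_dn(configured)
    act = parse_dn(actual)
    cfg_by_type = dict(cfg)
    act_by_type = dict(act)
    problems = []
    for attr_type in sorted(set(cfg_by_type) | set(act_by_type)):
        cfg_val = cfg_by_type.get(attr_type)
        act_val = act_by_type.get(attr_type)
        if cfg_val is None:
            problems.append(f"{attr_type} missing from admin_dn (certificate has {attr_type}={act_val})")
        elif act_val is None:
            problems.append(f"{attr_type}={cfg_val} in admin_dn but absent from certificate")
        elif cfg_val != act_val:
            problems.append(f"{attr_type}: admin_dn has '{cfg_val}', certificate has '{act_val}'")
    if not problems and [t for t, _ in cfg] != [t for t, _ in act]:
        # Same attributes and values, but listed in a different order: write the
        # admin_dn entry in the order securityadmin prints after "Connected as".
        problems.append("same attributes but different RDN order")
    return problems


def find_admin_entry(admin_dns, actual):
    """Return the index of the admin_dn entry matching the presented DN, or None."""
    for i, entry in enumerate(admin_dns):
        if not dn_mismatches(entry, actual):
            return i
    return None


if __name__ == "__main__":
    for label, cfg in [("typo entry", CONFIGURED_ADMIN_DN), ("corrected entry", REPORTED_DN)]:
        print(label, "->", dn_mismatches(cfg, REPORTED_DN) or "OK")
    print("openssl order vs securityadmin order ->", dn_mismatches(REPORTED_DN, OPENSSL_SUBJECT))
```

Run against the thread's values it reports `ST: admin_dn has 'Minnesoata', certificate has 'Minnesota'` for the typo entry and `OK` once the entry is corrected. Note that openssl's `-subject` output lists the RDNs in the order they were given on the `-subj` line, while securityadmin prints them reversed; the script flags that as an order difference only, so copy the "Connected as" string from the securityadmin output rather than the openssl line when writing `admin_dn`.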

Thank you that worked, everything looks good now.
