Securityadmin.sh failing to upload config

Version: 2.6.0 (tar distribution)

sudo ./securityadmin_demo.sh


** This tool will be deprecated in the next major release of OpenSearch **
** [DEPRECATION] Security Plugin Tools will be replaced · Issue #1755 · opensearch-project/security · GitHub **


Security Admin v7
Will connect to localhost:9200 … done
Connected as "***********************" <---- omitted the actual line
OpenSearch Version: 2.6.0
Contacting opensearch cluster 'opensearch' …
Clustername: opensearch-alpha-st1
Clusterstate: RED
Number of nodes: 1
Number of data nodes: 0
.opendistro_security index already exists, so we do not need to create one.
ERR: .opendistro_security index state is RED.
Populate config from /opt/opensearch-2.6.0-alpha/config/opensearch-security/
Will update '/config' with /opt/opensearch-2.6.0-alpha/config/opensearch-security/config.yml
FAIL: Configuration for 'config' failed because of java.net.SocketTimeoutException: 30,000 milliseconds timeout on connection http-outgoing-6 [ACTIVE]
Will update '/roles' with /opt/opensearch-2.6.0-alpha/config/opensearch-security/roles.yml
FAIL: Configuration for 'roles' failed because of java.net.SocketTimeoutException: 30,000 milliseconds timeout on connection http-outgoing-7 [ACTIVE]
Will update '/rolesmapping' with /opt/opensearch-2.6.0-alpha/config/opensearch-security/roles_mapping.yml
FAIL: Configuration for 'rolesmapping' failed because of java.net.SocketTimeoutException: 30,000 milliseconds timeout on connection http-outgoing-8 [ACTIVE]
Will update '/internalusers' with /opt/opensearch-2.6.0-alpha/config/opensearch-security/internal_users.yml
FAIL: Configuration for 'internalusers' failed because of java.net.SocketTimeoutException: 30,000 milliseconds timeout on connection http-outgoing-9 [ACTIVE]
Will update '/actiongroups' with /opt/opensearch-2.6.0-alpha/config/opensearch-security/action_groups.yml
FAIL: Configuration for 'actiongroups' failed because of java.net.SocketTimeoutException: 30,000 milliseconds timeout on connection http-outgoing-10 [ACTIVE]
Will update '/tenants' with /opt/opensearch-2.6.0-alpha/config/opensearch-security/tenants.yml

I am able to run the API calls

sudo curl -k -GET --key config/opensearch_admin_key.pem --cert config/opensearch_admin_cert.pem https://localhost:9200/_cat/nodes
10.5.xxx.34 21 94 3 0.19 0.15 0.18 m cluster_manager * nodem02.example.pvt-alpha
sudo curl -k -GET --key config/opensearch_admin_key.pem --cert config/opensearch_admin_cert.pem https://localhost:9200/_cat/indices
red open .opensearch-observability pPrzHgYNQqGKYyMbL5Z0ig 1 0
red open .opendistro_security lUljvrkZSPa6vffbIOjp1w 1 1

I can view the index mapping

sudo curl -k -GET --key config/opensearch_admin_key.pem --cert config/opensearch_admin_cert.pem https://localhost:9200/.opendistro_security
{".opendistro_security":{"aliases":{},"mappings":{},"settings":{"index":{"number_of_shards":"1","auto_expand_replicas":"0-all","provided_name":".opendistro_security","creation_date":"1684907739056","number_of_replicas":"1","uuid":"VCWc_44PSoizk0ghd_UTbg","version":{"created":"136277827"}}}}}

But when I try to query the index, I get an error due to the red state:

sudo curl -k -GET --key config/opensearch_admin_key.pem --cert config/opensearch_admin_cert.pem https://localhost:9200/.opendistro_security/_search
{"error":{"root_cause":,"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":},"status":503}

Can I force assign the shards?

sudo curl -k -GET --key config/opensearch_admin_key.pem --cert config/opensearch_admin_cert.pem https://localhost:9200/_cat/shards
.opendistro_security 0 p UNASSIGNED
.opendistro_security 0 r UNASSIGNED
.opensearch-observability 0 p UNASSIGNED

Ran allocation command

sudo curl -k -GET --key config/opensearch_admin_key.pem --cert config/opensearch_admin_cert.pem https://localhost:9200/_cluster/allocation/explain?pretty
{
  "index" : ".opendistro_security",
  "shard" : 0,
  "primary" : true,
  "current_state" : "unassigned",
  "unassigned_info" : {
    "reason" : "CLUSTER_RECOVERED",
    "at" : "2023-05-24T06:24:05.629Z",
    "last_allocation_status" : "no"
  },
  "can_allocate" : "no",
  "allocate_explanation" : "cannot allocate because allocation is not permitted to any of the nodes"
}

Ran command to disable the auto expand, getting this:

ERR: Unable to reload config due to /{"_nodes":{"total":1,"successful":0,"failed":1,"failures":[{"type":"failed_node_exception","reason":"Failed node [gQLGEJt2QkKlBOLjl-pKtg]","node_id":"gQLGEJt2QkKlBOLjl-pKtg","caused_by":{"type":"exception","reason":"java.util.concurrent.TimeoutException: Timeout after 10SECONDS while retrieving configuration for INTERNALUSERS, WHITELIST, ACTIONGROUPS, AUDIT, ROLES, TENANTS, CONFIG, ALLOWLIST, ROLESMAPPING, NODESDN","caused_by":{"type":"timeout_exception","reason":"Timeout after 10SECONDS while retrieving configuration for INTERNALUSERS, WHITELIST, ACTIONGROUPS, AUDIT, ROLES, TENANTS, CONFIG, ALLOWLIST, ROLESMAPPING, NODESDN"}}}]},"cluster_name":"opensearch-alpha-st1","configupdate_response":{"nodes":{},"node_size":0,"has_failures":true,"failures_size":1}}
Reload config on all nodes
Auto-expand replicas disabled

Then I tried to set the replica; the .opendistro-security index still shows red.

OpenSearch Version: 2.6.0
ERR: Unable to reload config due to /{"_nodes":{"total":1,"successful":0,"failed":1,"failures":[{"type":"failed_node_exception","reason":"Failed node [gQLGEJt2QkKlBOLjl-pKtg]","node_id":"gQLGEJt2QkKlBOLjl-pKtg","caused_by":{"type":"exception","reason":"java.util.concurrent.TimeoutException: Timeout after 10SECONDS while retrieving configuration for INTERNALUSERS, ACTIONGROUPS, ROLES, AUDIT, CONFIG, ROLESMAPPING, NODESDN","caused_by":{"type":"timeout_exception","reason":"Timeout after 10SECONDS while retrieving configuration for INTERNALUSERS, ACTIONGROUPS, ROLES, AUDIT, CONFIG, ROLESMAPPING, NODESDN"}}}]},"cluster_name":"opensearch-alpha-st1","configupdate_response":{"nodes":{},"node_size":0,"has_failures":true,"failures_size":1}}
Reload config on all nodes
Update number of replicas to 1 with result: true

@stecino Just to clarify, are you running a single node with only the master role enabled?

@pablo correct for now. Once I resolve this, I plan to add another master node to it.

Here is my config

cluster.name: opensearch-alpha-st1
node.name: ${HOSTNAME}-alpha
node.roles: [cluster_manager]
path.data: ${PWD}/data
path.logs: ${PWD}/logs
path.repo: ["/mnt/opensearch_st1_repo/alpha"]
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300

discovery.seed_hosts: ["nodem02.example.pvt"]
cluster.initial_cluster_manager_nodes: ["nodem02.example.pvt-alpha"]
plugins.security.disabled: false
plugins.security.ssl.transport.pemcert_filepath: opensearch_hosts_cert.pem
plugins.security.ssl.transport.pemkey_filepath: opensearch_hosts_key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: Private_Issuing_CA.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: opensearch_hosts_cert.pem
plugins.security.ssl.http.pemkey_filepath: opensearch_hosts_key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: Private_Issuing_CA.pem
plugins.security.authcz.admin_dn:
 - "O=Example\\, Inc,OU=Enterprise SSL,CN=opensearchadmin.example.pvt"
plugins.security.nodes_dn:
 - "O=Example\\, Inc,OU=Enterprise SSL,CN=opensearch.example.pvt"
plugins.security.allow_default_init_securityindex: true
plugins.security.system_indices.enabled: true

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.indices: [".opendistro-security", ".opensearch-observability"]

I dropped the replica shard from the .opendistro-security index, since I read somewhere that, because it has one primary and one replica assigned to it, with one node it won't write both shards to a single node.

sudo curl -k -XPUT -H "Content-Type: application/json" --key config/opensearch_admin_key.pem --cert config/opensearch_admin_cert.pem https://localhost:9200/.opendistro_security/_settings -d '{"index": {"number_of_replicas":0}}'

I also set routing allocation enabled

sudo curl -k -XPUT -H "Content-Type: application/json" --key config/opensearch_admin_key.pem --cert config/opensearch_admin_cert.pem https://localhost:9200/.opendistro_security/_settings -d '{"index": {"routing.allocation.enable":"all"}}'

How do I set can_allocate in allocation explain to yes?

Tried to force allocate both .opendistro_security and .opensearch-observability indices; no response from the cluster.

sudo curl -k -XPOST -H "Content-Type: application/json" --key config/opensearch_admin_key.pem --cert config/opensearch_admin_cert.pem 'https://localhost:9200/_cluster/reroute' -d '{"commands": [ {"allocate_stale_primary": {"accept_data_loss":true,"index": ".opensearch-observability", "shard": 0,"node": "nodem02.example.pvt-alpha"}}]}'
sudo curl -k -XPOST -H "Content-Type: application/json" --key config/opensearch_admin_key.pem --cert config/opensearch_admin_cert.pem 'https://localhost:9200/_cluster/reroute' -d '{"commands": [ {"allocate_stale_primary": {"accept_data_loss":true,"index": ".opendistro_security", "shard": 0,"node": "nodem02.example.pvt-alpha"}}]}'

Not seeing anything in the logs

Hey @stecino

was this working before you enabled Security Plugin?

Yes, I had a 3 master, 10 data and 2 coordinator node cluster. Now I am trying to troubleshoot with one node to see what's going on. This sucks big time.

@Gsmitt ^^

@stecino

During my lab testing I had this happen; I'm looking up notes on how I fixed it. Out of curiosity, does

Have the correct permissions?

I also noticed in your file you have disabled security plugin.

plugins.security.disabled: false

@Gsmitt

path.repo is for taking index snapshots. Before enabling the security plugin, I tested that snapshots are being created. So no issues there.

`plugins.security.disabled: true` would indicate a disabled security plugin, otherwise it's enabled.

Oh gotcha,

I see a lot of timeouts when accessing your config/role files:

FAIL: Configuration for 'config' failed because of java.net.SocketTimeoutException:

Will update '/roles' with /opt/opensearch-2.6.0-alpha/config/opensearch-security/roles.yml

FAIL: Configuration for 'rolesmapping'

You stated this was a cluster, but you're only working on one node. If so, was this node always the "localhost" host?

https://localhost:9200/

Looks like different names.

discovery.seed_hosts: ["nodem02.example.pvt"]
cluster.initial_cluster_manager_nodes: ["nodem02.example.pvt-alpha"]

Correct me if I'm wrong. From my understanding, you had a cluster, then an issue occurred, so I think you isolated one node but are still using the cluster settings?

If this is true and it is only one node, you should have this set:

discovery.type: single-node

Did you execute something like this?

OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./securityadmin.sh -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/admin.pem -key /etc/opensearch/admin-key.pem -icl -nhnv

I'm trying to wrap my head around this; if the above statement is true I can see permission issues occurring. In the API call I see there isn't a security index nor a replica.
EDIT: I forgot to mention you could try adding this to your securityadmin.sh:

Add --accept-red-cluster to allow securityadmin.sh to operate on a red cluster.

That is found here.

@Gsmitt actually I disabled the security plugin, cleared the data folder and restarted OpenSearch; it looks like it is still having a problem allocating the index.

sudo curl -XGET http://localhost:9200/_cat/shards
.opensearch-observability 0 p UNASSIGNED

sudo curl -GET http://localhost:9200/_cluster/allocation/explain?pretty
{
  "index" : ".opensearch-observability",
  "shard" : 0,
  "primary" : true,
  "current_state" : "unassigned",
  "unassigned_info" : {
    "reason" : "INDEX_CREATED",
    "at" : "2023-05-25T02:24:07.943Z",
    "last_allocation_status" : "no"
  },
  "can_allocate" : "no",
  "allocate_explanation" : "cannot allocate because allocation is not permitted to any of the nodes"
}

Hey @stecino

:eyes:

Yeah, that might not be good. Did you try those other suggestions before you wiped the data directory?

I have disabled the security plugin, so I don’t think it’s the security plugin itself. Something is set not to allow allocation on the nodes.

Still haven't answered my question.

Ok, I think I know what happened. So it's not allowing the index to be written to master nodes. It only allocates the index once a data node comes up. I just configured a 3 master and 1 data node cluster and the index turned green. I am going to enable the security plugin now and see what happens.

Got it working!!

sudo curl -k -GET --key config/opensearch_admin_key.pem --cert config/opensearch_admin_cert.pem https://localhost:9200/_cat/nodes
10.5.106.34 26 96 3 0.20 0.20 0.18 m cluster_manager * nodem02.example.pvt-alpha
10.5.112.41 2 10 0 0.04 0.29 0.25 d data - noded02.example.pvt-alpha
10.5.112.40 2 9 0 0.00 0.02 0.03 d data - noded01.example.pvt-alpha
10.5.106.33 9 97 6 0.39 0.32 0.24 m cluster_manager - nodem01.example.pvt-alpha
10.5.106.35 14 97 3 0.11 0.22 0.23 m cluster_manager - nodem03.example.pvt-alpha
10.5.112.42 2 10 0 0.00 0.11 0.17 d data - noded03.example.pvt-alpha
sudo curl -k -GET --key config/opensearch_admin_key.pem --cert config/opensearch_admin_cert.pem https://localhost:9200/_cat/shards
.opensearch-observability 0 p STARTED 0 208b 10.5.112.40 noded01.example.pvt-alpha
.opensearch-observability 0 r STARTED 0 208b 10.5.112.41 noded02.example.pvt-alpha
.opensearch-observability 0 r STARTED 0 208b 10.5.112.42 noded03.example.pvt-alpha
.opendistro_security 0 p STARTED 10 71.8kb 10.5.112.40 noded01.example.pvt-alpha
.opendistro_security 0 r STARTED 10 46.1kb 10.5.112.41 noded02.example.pvt-alpha
.opendistro_security 0 r STARTED 10 45.4kb 10.5.112.42 noded03.example.pvt-alpha

Why so many replicas though? It feels like every time I am adding a data node, it’s adding additional replica shard.

This is why I’ve asked you about the cluster configuration as I’ve noticed that you were running a single node with only a master role and no data nodes.

This is related to the auto_expand_replicas setting in the settings of the .opendistro_security and .opensearch-observability indices.

GET .opendistro_security/_settings


GET .opensearch-observability/_settings


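The two findings in this thread (shards cannot be allocated while the cluster has only cluster_manager nodes, and auto_expand_replicas 0-all grows the replica count with the number of data nodes) can be checked offline from the plain `_cat` output before running securityadmin.sh. This is an added example, not code from the thread or from OpenSearch; the function names are its own and the sample `_cat/nodes` and `_cat/shards` text is constructed from the listings above.

```python
"""Offline preflight for securityadmin.sh: reads _cat/nodes and _cat/shards text
plus an index's auto_expand_replicas value and explains why the index is red."""
# Constructed from the thread: the lone cluster_manager node, then the working
# layout with three data nodes (the other two cluster_manager rows omitted).
CAT_NODES_SINGLE = (
    "10.5.106.34 21 94 3 0.19 0.15 0.18 m cluster_manager * nodem02.example.pvt-alpha\n"
)
CAT_NODES_FULL = CAT_NODES_SINGLE + (
    "10.5.112.41 2 10 0 0.04 0.29 0.25 d data - noded02.example.pvt-alpha\n"
    "10.5.112.40 2 9 0 0.00 0.02 0.03 d data - noded01.example.pvt-alpha\n"
    "10.5.112.42 2 10 0 0.00 0.11 0.17 d data - noded03.example.pvt-alpha\n"
)
CAT_SHARDS_RED = (
    ".opendistro_security 0 p UNASSIGNED\n"
    ".opendistro_security 0 r UNASSIGNED\n"
    ".opensearch-observability 0 p UNASSIGNED\n"
)

def data_nodes(cat_nodes: str) -> list:
    """Names of nodes whose node.roles column includes 'data'. Default _cat/nodes
    columns: ip heap ram cpu load1 load5 load15 node.role node.roles cm name."""
    rows = (line.split() for line in cat_nodes.splitlines())
    return [c[10] for c in rows if len(c) >= 11 and "data" in c[8].split(",")]

def unassigned_shards(cat_shards: str) -> dict:
    """UNASSIGNED shard count per index from _cat/shards output."""
    counts = {}
    for line in cat_shards.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[3] == "UNASSIGNED":
            counts[cols[0]] = counts.get(cols[0], 0) + 1
    return counts

def expected_replicas(auto_expand: str, n_data: int) -> int:
    """Replicas that 'lo-hi' (hi may be 'all') resolves to with n_data data nodes:
    one copy per data node at most, so 0-all with 3 data nodes gives 2."""
    lo, hi = auto_expand.split("-")
    cap = n_data - 1 if hi == "all" else min(int(hi), n_data - 1)
    return max(int(lo), cap)

def preflight(cat_nodes: str, cat_shards: str, auto_expand: str = "0-all") -> list:
    """Findings to read before running securityadmin.sh against a red cluster."""
    nodes = data_nodes(cat_nodes)
    findings = [] if nodes else ["no data nodes: shards cannot be allocated to cluster_manager-only nodes"]
    for idx, n in unassigned_shards(cat_shards).items():
        findings.append(f"{idx}: {n} unassigned shard(s)")
    findings.append(f"auto_expand_replicas={auto_expand} -> {expected_replicas(auto_expand, len(nodes))}"
                    f" replica(s) with {len(nodes)} data node(s)")
    return findings
```

Feed it the real `_cat/nodes` and `_cat/shards` responses and the index's `auto_expand_replicas` value; if the first finding is "no data nodes", no reroute or replica change will turn the security index green.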

@pablo thanks for the info. I also wanted to share some of the details on what I needed to fix. When I ran securityadmin script, it actually corrected the CN definition that I needed to put in my config. I needed to escape special characters, which I thought I was doing but I was missing extra
In addition, given that I had domain, Intermediate and Root cert for

plugins.security.ssl.transport.pemcert_filepath I used the domain cert pem
plugins.security.ssl.transport.pemtrustedcas_filepath I used the Intermediate cert pem

It was suggested initially to combine domain and intermediate certs into one pem, and use the root cert pem.

I also tested running nodes without plugins.security.nodes_dn value, and things are working fine.
Otherwise, using a single line for nodes_dn

plugins.security.nodes_dn:
 - "O=Example\\, Inc,OU=Enterprise SSL,CN=opensearch.example.pvt"

did suffice. I didn’t have to insert a CN line for each of the nodes. I have 3 masters, 10 data and 2 coordinator nodes.