Securityadmin.sh no permissions

Hello, how do I give rights to the administrator certificate?
When trying to run the securityadmin.sh script,
an error occurs:

WARNING: nor OPENSEARCH_JAVA_HOME nor JAVA_HOME is set, will use /bin/java
Security Admin v7
Will connect to hostname:9200 ... done
Connected as "CN=hostname,OU=00,O=Example,C=RU"
OpenSearch Version: 2.8.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Cannot retrieve cluster state due to: OpenSearch exception [type=security_exception, reason=no permissions for [cluster:monitor/health] and User [name=CN=hostname,OU=00,O=Example,C=RU, backend_roles=[], requestedTenant=null]]. This is not an error, will keep on trying ...
  Root cause: OpenSearchStatusException[OpenSearch exception [type=security_exception, reason=no permissions for [cluster:monitor/health] and User [name=name=CN=hostname,OU=00,O=Example,C=RU, backend_roles=[], requestedTenant=null]]] (org.opensearch.OpenSearchStatusException/org.opensearch.OpenSearchStatusException)
   * Try running securityadmin.sh with -icl (but no -cl) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)
   * Make sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in opensearch.yml
   * If this is not working, try running securityadmin.sh with --diagnose and see diagnose trace log file)
   * Add --accept-red-cluster to allow securityadmin to operate on a red cluster.

opensearch.yml

plugins.security.authcz.admin_dn:
  - CN=hostname,OU=00,O=Example,C=RU
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]

The client certificate is issued by our CA.
Did I miss something?

I tried to change the permissions with a request to the API:

curl --insecure --location --request PUT 'https://admin:admin@localhost:9200/_plugins/_security/api/rolesmapping/all_access' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "backend_roles" : ["admin"],
    "users" : ["CN-CERTIFICATE"]
  }'

It returns:

{"status":"FORBIDDEN","message":"Resource 'all_access' is read-only."}

@maxim Please share the full securityadmin.sh command.

Could you share the output of the below command?

openssl x509 -in <admin_certificate> -text -noout 

Please also share role mapping of all_access role.

GET https://localhost:9200/_plugins/_security/api/rolesmapping/all_access?pretty

@pablo thanks for the answer, here is the result.
Certificate admin.pem:

Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      ************
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = RU, O = Example of Example, CN = *****CA Test ***
    Validity
    Not Before: Jul 10 10:37:49 2023 GMT
    Not After : Jul  9 12:03:44 2026 GMT
    Subject: C = RU, O = ExampleoftheExample, OU = Example, CN = nameSTANDtechnicalaccountname
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        RSA Public-Key: (2048 bit)
        Modulus:
          a5:*******:6a
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints:
        CA:FALSE
      X509v3 Subject Key Identifier:
        ******************
      X509v3 Authority Key Identifier:
        keyid:*********
        DirName:/C=RU/O=Example of Example/CN=*****CA Test ***
        serial:********

      Authority Information Access:
        CA Issuers - URI:********
        OCSP - URI:**********

      X509v3 Subject Alternative Name:
        DNS:hostname.node1.domain, IP Address:10.0.0.1
      X509v3 Key Usage:
        Digital Signature, Key Encipherment, Key Agreement
      X509v3 Extended Key Usage:
        TLS Web Client Authentication
      X509v3 CRL Distribution Points:

        Full Name:
          URI:*******
          URI:*******
          URI:*******

  Signature Algorithm: sha256WithRSAEncryption
    **********

command:

./securityadmin.sh -cd /etc/opensearch/opensearch-security/  -icl -nhnv  -cert /etc/opensearch/admin.pem -cacert /etc/opensearch/root.pem -key /etc/opensearch/admin-key.pem -t config -h hostname01node

api response:

{
  "all_access" : {
    "hosts" : [ ],
    "users" : [
      "ldapusername1",
      "ldapusername2",
      "ldapusername3",
      "ldapusername4",
      "ldapusername4"
    ],
    "reserved" : true,
    "hidden" : false,
    "backend_roles" : [
      "admin"
    ],
    "and_backend_roles" : [ ]
  }
}

There is no user in this role matching the one that appears in the error; probably that's the problem, but I don't understand how to add it without running the .sh.

no permissions for [cluster:monitor/health] and User [name=CN=hostname…

When issuing the client certificate, in the CN I indicated that security is required; alt_name indicates the DNS name of one node and the IP on which I run the .sh.

@maxim Something is not right in here.
Your securityadmin.sh states that you’ve connected as:

However, in your admin.pem this is a SAN value and not a DN. If you used this certificate, the plugin would use the DN of the cert, which is:

Did you share the correct certificate?
Also, please share your config.yml file.

Regarding the second issue.

This is caused by setting all_access mapping as reserved.

Once the reserved option is enabled, the only way to update this mapping is securityadmin.sh.

You don't need to change any permissions or the role mapping of the all_access role, as this role has no effect on securityadmin.sh.
The only users allowed to modify the security plugin configuration with securityadmin.sh are the ones defined in plugins.security.authcz.admin_dn:
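The two points above (the plugin matches the certificate's subject DN, not its SAN, against admin_dn) can be checked offline before running securityadmin.sh. The following is an added example, not code from this thread or from the OpenSearch project: it takes the `Subject:` and SAN lines as `openssl x509 -text -noout` prints them, rewrites the subject into the reversed, space-free form the plugin shows in `Connected as "..."`, and compares it with the `plugins.security.authcz.admin_dn` entries. The sample certificate text and opensearch.yml lines are constructed; the comparison approximates the plugin's LdapName matching (case-insensitive, whitespace-insensitive) and is an assumption.

```python
# Added example (not from the thread or the OpenSearch project): derive the DN that the
# security plugin reports in 'Connected as "..."' from `openssl x509 -text` output and
# check it against plugins.security.authcz.admin_dn. All inputs below are constructed.
import re

# Constructed sample: Subject and SAN as `openssl x509 -in admin.pem -text -noout` prints them.
OPENSSL_TEXT = """\
Certificate:
    Data:
        Subject: C = RU, O = ExampleExample, OU = example, CN = nameSTANDtechnicalaccountname
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:hostname.node1, IP Address:10.0.0.1
"""

# Constructed sample of the relevant opensearch.yml lines (the DN deliberately does not match).
OPENSEARCH_YML = """\
plugins.security.authcz.admin_dn:
  - CN=hostname,OU=00,O=Example,C=RU
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
"""

# Split "C = RU, O = Foo, CN = bar" only on commas that precede an attribute type, so a
# comma inside a value does not break an RDN (openssl prints values unescaped here).
_RDN_SPLIT = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)")


def subject_to_plugin_dn(openssl_text: str) -> str:
    """Return the Subject in the RFC 2253 form the plugin logs: reversed RDN order, no spaces."""
    m = re.search(r"^\s*Subject:\s*(.+?)\s*$", openssl_text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Subject:' line in openssl output")
    rdns = []
    for rdn in _RDN_SPLIT.split(m.group(1)):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip()}={value.strip()}")
    return ",".join(reversed(rdns))


def san_entries(openssl_text: str) -> list[str]:
    """Return the SAN entries (DNS:..., IP Address:...); admin_dn never consults these."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)$", openssl_text, re.MULTILINE)
    return [e.strip() for e in m.group(1).split(",")] if m else []


def admin_dns(opensearch_yml: str) -> list[str]:
    """Minimal reader for the admin_dn list (no YAML dependency; handles the '- item' form only)."""
    dns, in_list = [], False
    for line in opensearch_yml.splitlines():
        if line.startswith("plugins.security.authcz.admin_dn:"):
            in_list = True
            continue
        if in_list:
            item = line.strip()
            if item.startswith("- "):
                dns.append(item[2:].strip().strip("'\""))
            elif item:  # the next top-level key ends the list
                in_list = False
    return dns


def _normalize(dn: str) -> str:
    # Assumption: approximates the plugin's LdapName comparison by dropping whitespace
    # around '=' and ',' and ignoring case; the real comparison may differ in corner cases.
    return re.sub(r"\s*([=,])\s*", r"\1", dn).lower()


def check_admin_dn(openssl_text: str, opensearch_yml: str) -> dict:
    """Report the DN the plugin will see and whether any admin_dn entry matches it."""
    cert_dn = subject_to_plugin_dn(openssl_text)
    configured = admin_dns(opensearch_yml)
    matched = any(_normalize(cert_dn) == _normalize(d) for d in configured)
    return {"cert_dn": cert_dn, "admin_dn": configured,
            "san": san_entries(openssl_text), "match": matched}


if __name__ == "__main__":
    report = check_admin_dn(OPENSSL_TEXT, OPENSEARCH_YML)
    print(f"certificate DN (as the plugin sees it): {report['cert_dn']}")
    print(f"SAN entries (ignored by admin_dn):       {report['san']}")
    print(f"admin_dn entries in opensearch.yml:      {report['admin_dn']}")
    print("MATCH" if report["match"] else "NO MATCH: add the certificate DN to admin_dn on every node")
```

Run it against the real `openssl x509 -text -noout` output and the opensearch.yml of each node; a "NO MATCH" on any node explains a `no permissions for [cluster:monitor/health]` refusal from that node, because an unlisted DN is treated as an ordinary client-certificate user with no roles.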

@pablo to avoid confusion, I went through this again.

Running the .sh:

./securityadmin.sh -cd /etc/opensearch/opensearch-security/ -icl  -cert /etc/opensearch/admin.pem -cacert /etc/opensearch/root.pem -key /etc/opensearch/admin-key.pem -t config -h hostname.node1
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
WARNING: nor OPENSEARCH_JAVA_HOME nor JAVA_HOME is set, will use /bin/java
Security Admin v7
Will connect to hostname.node1:9200 ... done
Connected as "CN=nameSTANDtechnicalaccountname,OU=example,O=ExampleExample,C=RU"
OpenSearch Version: 2.8.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Cannot retrieve cluster state due to: OpenSearch exception [type=security_exception, reason=no permissions for [cluster:monitor/health] and User [name=CN=nameSTANDtechnicalaccountname,OU=example,O=ExampleExample,C=RU, backend_roles=[], requestedTenant=null]]. This is not an error, will keep on trying ...
Root cause: OpenSearchStatusException[OpenSearch exception [type=security_exception, reason=no permissions for [cluster:monitor/health] and User [name=CN=nameSTANDtechnicalaccountname,OU=example,O=ExampleExample,C=RU, backend_roles=[], requestedTenant=null]]] (org.opensearch.OpenSearchStatusException/org.opensearch.OpenSearchStatusException)
  * Try running securityadmin.sh with -icl (but no -cl) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)
  * Make sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in opensearch.yml
  * If this is not working, try running securityadmin.sh with --diagnose and see diagnose trace log file)
  * Add --accept-red-cluster to allow securityadmin to operate on a red cluster.

openssl output

Certificate:
Data:
  Version: 3 (0x2)
  Serial Number:
    ***
  Signature Algorithm: sha256WithRSAEncryption
  Issuer: C = RU, O = Example of Example, CN = Example Example Example
  Validity
  Not Before: Jul 10 12:57:45 2023 GMT
  Not After : Jul  9 13:02:45 2026 GMT
  Subject: C = RU, O = ExampleExample, OU = example, CN = nameSTANDtechnicalaccountname
  Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
      RSA Public-Key: (2048 bit)
      Modulus:
        ***
      Exponent: 65537 (0x10001)
  X509v3 extensions:
    X509v3 Basic Constraints:
      CA:FALSE
    X509v3 Subject Key Identifier:
      ****
    X509v3 Authority Key Identifier:
      keyid:***
      DirName:/C=RU/O=Example of Example/CN=Example Example Example
      serial:***

    Authority Information Access:
      ****
    X509v3 Subject Alternative Name:
      DNS:hostname.node1, IP Address:ip.node1
    X509v3 Key Usage:
      Digital Signature, Key Encipherment, Key Agreement
    X509v3 Extended Key Usage:
      TLS Web Client Authentication
    X509v3 CRL Distribution Points:

      Full Name:
        URI:*****

Signature Algorithm: sha256WithRSAEncryption

config.yml

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        #remoteIpHeader:  'x-forwarded-for'
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            jwt_clock_skew_tolerance_seconds: 30
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - server1ldap:389
              - server2ldap:389
            bind_dn: 'CN=ldapusername,OU=,DC=,DC=,DC=ru'
            password: 'passwd'
            userbase: 'OU=,DC=,DC=,DC=ru'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            #usersearch: '(sAMAccountName={0})'
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: cn
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - server1ldap:389
              - server2ldap:389
            bind_dn: 'CN=ldapusername,OU=,DC=,DC=,DC=ru'
            password: "passwd"
            rolebase: 'OU=,DC=,DC=,DC=ru'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: "(member={0})"
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: false
            userbase: "OU=,DC=,DC=,DC=ru"
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'

@pablo in short, is the only way out in this situation to start the setup again, having created the user in advance, and then change the certificate?

Now it is even more unclear why there are no rights if this is an admin:

 ./securityadmin.sh -cd /etc/opensearch/opensearch-security/ -icl  -cert /etc/opensearch/admin.pem -cacert /c/opensearch/root.pem -key /etc/opensearch/admin-key.pem -t config -h hostname.node1 -w
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
WARNING: nor OPENSEARCH_JAVA_HOME nor JAVA_HOME is set, will use /bin/java
Security Admin v7
Will connect to hostname.node1:9200 ... done
Connected as "CN=nameSTANDtechnicalaccountname,OU=example,O=ExampleExample,C=RU"
OpenSearch Version: 2.8.0
{
  "dn" : "CN=nameSTANDtechnicalaccountname,OU=example,O=ExampleExample,C=RU",
  "is_admin" : true,
  "is_node_certificate_request" : false
}

@pablo I was able to solve this problem as follows…
I logged into os-dashboard as an admin user and created a copy of the all_access role, because I didn't have rights to edit it. I added a user with the same name as in the error message, and added the server role "administrator" and all the rights that could be "*" + client administrator. After that, I was able to run the script with this certificate, and then, by the method of exclusion, I began to reduce the user's rights until only the rights to launch securityadmin.sh remained. I want to add that in order for this to work, you need to specify the certificate DN on each node of the cluster, regardless of which node you are trying to connect to, local or remote. Sorry for my English, I hope this will help someone in the future :slight_smile: Thank you for your help!

@maxim Thank you for sharing the solution. I kept trying to reproduce your scenario but I couldn’t get the same errors.

You should see whether the DN matches the admin_dn or not when executing securityadmin.sh.
As far as I know, admin certificates don't rely on the roles created in the security config. Otherwise, securityadmin.sh would fail to initiate the security config where no users, roles or permissions are set.

Anyway, you’re correct. The admin_dn, and all remaining security configurations, must be the same in all the nodes in the same cluster.