Setting up security for OpenSearch

Hi,
I am setting a new OpenSearch 1.2.4 cluster using the tarball, with security plugin enabled. The docs are little confusing and want some clarity on how to set up security for Production environments.

I have followed the step 1 through 5 as per Configuration - OpenSearch documentation.

Step 6 to execute securityadmin.sh fails since the cluster is not started yet!

Then I try Step 7 to start the OpenSearch cluster; the cluster startup fails since it the security index is not initialized yet.

2022-02-12T02:21:12,090 Thread-7 [E] ec.con.ConfigurationLoaderSecurity7 - [UID=] - Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, AUDIT] (index=.opendistro_security)

It is a deadlock situation.

So I end up using plugins.security.allow_default_init_securityindex: true in opensearch.yml (the default config yamls under were already updated as per Production requirements). There is no explanation about this parameter in the docs, except for the note in the sample opensearch.yml file - security/opensearch.yml.example at 1.2 · opensearch-project/security · GitHub.

  1. am i missing something obvious here?
  2. is this ok to use allow_default_init_securityindex to initialize the cluster?
  3. will allow_default_init_securityindex automatically reinitialize the cluster at any later point? Or should this config be removed after the first initialization?

moving to the ‘Security’ category

I recently setup an Openstack cluster and was wondering the same thing. I do recall reading somewhere that the security index will only be initialized if it is not already created.

I have restarted the cluster 7 times and the security index remains in place with that setting. If it gives you a peace of mind it might be worth commenting out that configuration option once the security index has been initialized.

1 Like

@elmidwill Could you tell if you used an example docker-compose.yml from the first step or your own one?