Opensearch Version: 2.19.1
I’m unable to run ./securityadmin.sh, i get error as:
Security Admin v7
Will connect to CCCC.fmr.com:9200 ... done
ERR: An unexpected ResponseException occured: method [GET], host [https://XXXX.XXX.com:9200], URI [/_plugins/_security/whoami], status line [HTTP/1.1 403 Forbidden]
{"error":"GET /_plugins/_security/whoami API not whitelisted","status":"FORBIDDEN"}
# curl -k --cert /etc/opensearch/openssl/admin.pem --key /etc/opensearch/openssl/admin-key.pem https://XX.XX.com:9200/_plugins/_security/authinfo?pretty
{
"user" : "User [name=CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA, backend_roles=[], requestedTenant=null]",
"user_name" : "CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA",
"user_requested_tenant" : null,
"remote_address" : null,
"backend_roles" : [ ],
"custom_attribute_names" : [ ],
"roles" : [
"own_index"
],
"tenants" : {
"CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA" : true
},
"principal" : "CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA",
"peer_certificates" : "2",
"sso_logout_url" : null
}
plugins.security.authcz.admin_dn:
- ‘CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA’
# openssl x509 -text -noout -in /etc/opensearch/openssl/admin.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
XX:XX:XX:XX:XX:X:XX:X:X:X:XX:XX:XX
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = State, L = City, O = Organization, OU = Unit, CN = RootCA
Validity
Not Before: Apr 23 13:28:02 2025 GMT
Not After : Apr 23 13:28:02 2026 GMT
Subject: C = CA, ST = ONTARIO, L = TORONTO, O = ORG, OU = UNIT, CN = A
Hi @rehanpfmr ,
Can you share your /config/opensearch.yml and /config/opensearch-security/allowlist.yml ?
opensearch.yml
cluster.name: opensearch-dev
node.name: XXXX.XX.com
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
network.host: XX.XX.XX.XX
http.port: 9200
discovery.seed_hosts: [“XX.XX.XX.XX”]
cluster.initial_cluster_manager_nodes: [“opensearch-cluster_manager”]
#================================= New certificates ======================
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/openssl/node.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/certs/ssl.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/openssl/root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
#-------------------------------------------------------------------------
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/openssl/node.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/certs/ssl.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/openssl/root-ca.pem
plugins.security.ssl.http.clientauth_mode: OPTIONAL
#-------------------------------------------------------------------------
plugins.security.ssl_cert_reload_enabled: true
plugins.security.allow_unsafe_democertificates: false
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
allowlist.yml
---
_meta:
type: "allowlist"
config_version: 2
config:
enabled: true
requests:
/_cluster/settings:
- GET
/_cat/nodes:
- GET
/:
- GET
Could you please share the command you used to run securityadmin.sh, including all parameters?
OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk ./securityadmin.sh -cd ../config/ -icl -key /etc/opensearch/openssl/admin-key.pem -cert /etc/opensearch/openssl/admin.pem -cacert /etc/opensearch/openssl/root-ca.pem -nhnv -h XXXXX
Security Admin v7
Will connect to XXX.fmr.com:9200 … done
ERR: An unexpected ResponseException occured: method [GET], host [https://XXX.fmr.com:9200], URI [/_plugins/_security/whoami], status line [HTTP/1.1 403 Forbidden]
{“error”:“GET /_plugins/_security/whoami API not whitelisted”,“status”:“FORBIDDEN”}
Trace:
org.opensearch.client.ResponseException: method [GET], host [https://XXX.fmr.com:9200], URI [/_plugins/_security/whoami], status line [HTTP/1.1 403 Forbidden]
{“error”:“GET /_plugins/_security/whoami API not whitelisted”,“status”:“FORBIDDEN”}
at org.opensearch.client.RestClient.convertResponse(RestClient.java:479)
at org.opensearch.client.RestClient.performRequest(RestClient.java:371)
at org.opensearch.client.RestClient.performRequest(RestClient.java:346)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:575)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:165)
This is not resolving, my node certificates are connecting successfully and returning cat/nodes however i’m unable to set my admin password.
> Blockquote
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name
10.136.66.59 6 85 3 0.07 0.11 0.09 dimr cluster_manager,data,ingest,remote_cluster_client * XXXX.fmr.com
Blockquote
https://XXXX.fmr.com:9200/
{
“error”: “GET / API not whitelisted”,
“status”: “FORBIDDEN”
}
Please try running the following command:
curl --insecure --cert ./config/kirk.pem --key ./config/kirk-key.pem -XPUT "https://localhost:9200/_plugins/_security/api/allowlist" -H 'Content-Type: application/json' -d'
{
"enabled": true,
"requests": {
"/_cluster/settings": ["GET"],
"/_cat/nodes": ["GET"],
"/_plugins/_security/whoami": ["GET"]
}
}
'
Please change the certificate paths to your super admin certificate path. You might also need to change the hostname.