Unable to run securityadmin.sh

I have an existing Elasticsearch 7.7.0 cluster with OpenDistro Security – I am enabling a new authentication method and needed to update securityconfig/config.yml.

I cannot, however, get securityadmin.sh to run and load the new config. I can mis-configure ES so things fail in expected ways – with the certificate DN not in elasticsearch.yml opendistro_security.authcz.admin_dn, attempting to run the script tells me I am not an admin user:

Connected as CN=REDACTED,O=OrgName\, LLC,ST=Statename,C=US
ERR: CN=REDACTED,O=OrgName\, LLC,ST=Statename,C=US is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn

I have opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] – without the user mapped to all_access, I am told I lack permission to check the cluster health status:

ElasticsearchSecurityException[no permissions for [cluster:monitor/health] and User [name=CN=REDACTED,O=OrgName\, LLC,ST=Statename,C=US, backend_roles=[], requestedTenant=null]]

But when I run the script with what should be the proper configuration (certificate name is a listed admin_dn, name is mapped to all_access, cluster is GREEN and happy), I get an inexplicable error that I don’t have permission to what looks like a null set:

Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: REDACTED-elk
Clusterstate: GREEN
Number of nodes: 12
Number of data nodes: 6
.opendistro_security index already exists, so we do not need to create one.
Populate config from /opt/elk/elasticsearch/plugins/opendistro_security
Force type: config
Will update '_doc/config' with ./securityconfig/config.yml
   FAIL: Configuration for 'config' failed because of ElasticsearchSecurityException[no permissions for [] and User [name=CN=REDACTED,O=OrgName\, LLC,ST=Statename,C=US, backend_roles=[], requestedTenant=null]]
ERR: cannot upload configuration, see errors above

The --diagnose output indicates that I’m authenticated and an admin:

  "whoami" : {
    "dn" : "CN=REDACTED,O=OrgName\\, LLC,ST=Statename,C=US",
    "is_admin" : true,
    "is_authenticated" : true,
    "is_node_certificate_request" : false

Then it shows a ClusterHealthRequest, a very long NodesInfoResponse, and nothing else. Nothing shows up in the elasticsearch log either. Any ideas how to get permission to [] so I can load this config.yml?

Edited to add – I see three records in the security-auditlog index – one WhoAmI request and two IndexRequests, and nothing that looks like a failure.

I seem to have figured out a solution – I added the admin_dn to all of the servers in the ES cluster. Once the certificate’s record was added to each of the servers, I was able to run the securityadmin.sh script without error.
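As an added check that is not part of the original post: since the fix was to list the DN on every node, this stdlib-only Python script reports which nodes' elasticsearch.yml do not list the securityadmin client DN. The node names, the DN and the config texts are constructed placeholders, and only the block-list form of admin_dn from the OpenDistro docs is assumed.

```python
import re
ADMIN_DN_KEY = "opendistro_security.authcz.admin_dn"

def _unquote(item):
    """Strip YAML quotes from a list item; in double quotes "\\\\," is an escaped comma."""
    v = item.strip()
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        inner = v[1:-1]
        return inner.replace("\\\\", "\\") if v[0] == '"' else inner
    return v

def normalize_dn(dn):
    """Drop whitespace around unescaped commas; escaped commas (\\,) stay in the value."""
    return ",".join(p.strip() for p in re.split(r"(?<!\\),", dn))

def parse_admin_dns(yml_text):
    """Return the normalized DNs under ADMIN_DN_KEY. Only the block-list form
    used in the OpenDistro docs is handled, so no PyYAML dependency is needed."""
    lines = yml_text.splitlines()
    dns = []
    for i, line in enumerate(lines):
        if not re.match(r"^\s*" + re.escape(ADMIN_DN_KEY) + r"\s*:\s*$", line):
            continue
        for nxt in lines[i + 1:]:
            m = re.match(r"^\s*-\s+(.*)$", nxt)
            if not m:
                break
            dns.append(normalize_dn(_unquote(m.group(1))))
    return dns

def nodes_missing_admin_dn(node_configs, admin_dn):
    """node_configs maps node name -> text of that node's elasticsearch.yml.
    Returns the sorted names of nodes whose admin_dn list lacks admin_dn."""
    want = normalize_dn(admin_dn)
    return sorted(n for n, t in node_configs.items() if want not in parse_admin_dns(t))

# Constructed sample: a placeholder client DN and three nodes' elasticsearch.yml.
ADMIN_DN = r"CN=securityadmin,O=OrgName\, LLC,ST=Statename,C=US"
SAMPLE_CONFIGS = {
    "es-master-1": r'''cluster.name: example-elk
opendistro_security.authcz.admin_dn:
  - "CN=securityadmin,O=OrgName\\, LLC,ST=Statename,C=US"
''',
    "es-data-2": r'''cluster.name: example-elk
opendistro_security.authcz.admin_dn:
  - CN=securityadmin,O=OrgName\, LLC, ST=Statename,C=US
''',
    # Never updated: the situation behind the "no permissions for []" error above.
    "es-data-3": "cluster.name: example-elk\n",
}
```

Run it against the real files (one dict entry per node, e.g. pulled with scp or your config-management tool) before invoking securityadmin.sh; any node it names is one the DN still has to be added to and restarted.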