I have an existing ElasticSearch 7.7.0 cluster with OpenDistro Security 1.8.0.0 – I am enabling a new authentication method and needed to update securityconfig/config.yml
I cannot, however, get securityadmin.sh to run and load the new config. I can mis-configure ES so things fail in expected ways – with the certificate DN not in elasticsearch.yml opendistro_security.authcz.admin_dn, attempting to run the script tells me I am not an admin user:
Connected as CN=REDACTED,O=OrgName\, LLC,ST=Statename,C=US
ERR: CN=REDACTED,O=OrgName\, LLC,ST=Statename,C=US is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
I have opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] – without the user mapped to all_access, I am told I lack permission to check the cluster health status:
ElasticsearchSecurityException[no permissions for [cluster:monitor/health] and User [name=CN=REDACTED,O=OrgName\, LLC,ST=Statename,C=US, backend_roles=[], requestedTenant=null]]
But when I run the script with what should be the proper configuration (certificate name is a listed admin_dn, name is mapped to all_access, cluster is GREEN and happy), I get an inexplicable error that I don’t have permission to what looks like a null set:
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: REDACTED-elk
Clusterstate: GREEN
Number of nodes: 12
Number of data nodes: 6
.opendistro_security index already exists, so we do not need to create one.
Populate config from /opt/elk/elasticsearch/plugins/opendistro_security
Force type: config
Will update '_doc/config' with ./securityconfig/config.yml
FAIL: Configuration for 'config' failed because of ElasticsearchSecurityException[no permissions for [] and User [name=CN=REDACTED,O=OrgName\, LLC,ST=Statename,C=US, backend_roles=[], requestedTenant=null]]
ERR: cannot upload configuration, see errors above
The --diagnose output indicates that I’m authenticated and an admin:
{
"whoami" : {
"dn" : "CN=REDACTED,O=OrgName\\, LLC,ST=Statename,C=US",
"is_admin" : true,
"is_authenticated" : true,
"is_node_certificate_request" : false
}
}
Then it shows a ClusterHealthRequest, a very long NodesInfoResponse, and nothing else. Nothing shows up in the elasticsearch log either. Any ideas how to get permission to [] so I can load this config.yml?
Edited to add – I see three records in the security-auditlog index – one WhoAmI request and two IndexRequests, and nothing that looks like a failure.
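One pre-flight check worth having around when securityadmin.sh rejects a client certificate is to compare the DN it prints on the "Connected as" line with each entry under opendistro_security.authcz.admin_dn component by component, rather than by eye. The DN in this post contains a backslash-escaped comma (O=OrgName\, LLC), and that is exactly the kind of value that is easy to quote or escape differently in elasticsearch.yml than it appears in the certificate. The script below is an added example, not part of the original post and not the plugin's own matching logic (how OpenDistro itself normalises DNs is not reproduced here; comparing parsed RDNs with exact values is an assumption). All DNs and the admin_dn list are constructed sample values.

```python
"""
Added pre-flight check (example code, not from the post or the OpenDistro project):
parse the DN reported by securityadmin.sh and the DNs configured under
opendistro_security.authcz.admin_dn into RDN components, then compare them.
Splitting on escaped commas is the point: a DN whose comma was not escaped
in the config splits into one extra component and can never match.
"""
from typing import List, Tuple

Rdn = Tuple[str, str]

# Constructed sample: the DN securityadmin.sh printed after "Connected as".
CONNECTED_DN = "CN=REDACTED,O=OrgName\\, LLC,ST=Statename,C=US"

# Constructed sample admin_dn list as it might be read from elasticsearch.yml.
# The first entry has the comma escaped correctly; the second does not.
CONFIGURED_ADMIN_DNS = [
    "cn=REDACTED, o=OrgName\\, LLC, st=Statename, c=US",
    "CN=REDACTED,O=OrgName, LLC,ST=Statename,C=US",
]


def parse_dn(dn: str) -> List[Rdn]:
    """Split an RFC 4514-style DN into (attribute, value) pairs.

    A backslash escapes the following character, so '\\,' stays inside the
    value. Attribute types are upper-cased and surrounding whitespace is
    stripped; attribute values are kept as-is (assumption: exact match).
    """
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    rdns: List[Rdn] = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_matches(connected_dn: str, admin_dns: List[str]) -> bool:
    """True if connected_dn equals any configured DN component by component."""
    target = parse_dn(connected_dn)
    return any(parse_dn(candidate) == target for candidate in admin_dns)


def check_admin_dn(connected_dn: str, admin_dns: List[str]) -> Tuple[bool, str]:
    """Return (matched, message); the message points at the likely escaping
    problem when an entry splits into a different number of RDNs."""
    if dn_matches(connected_dn, admin_dns):
        return True, "certificate DN is listed under admin_dn"
    expected = len(parse_dn(connected_dn))
    hints = []
    for candidate in admin_dns:
        got = len(parse_dn(candidate))
        if got != expected:
            hints.append(
                f"{candidate!r} splits into {got} RDNs, expected {expected}: "
                "check comma escaping"
            )
    return False, "; ".join(hints) or "no admin_dn entry matches the certificate DN"


if __name__ == "__main__":
    ok, msg = check_admin_dn(CONNECTED_DN, CONFIGURED_ADMIN_DNS)
    print("OK" if ok else "MISMATCH", "-", msg)
    for entry in CONFIGURED_ADMIN_DNS:
        print(entry, "->", parse_dn(entry))
```

Run it with the DN from your own "Connected as" line and the admin_dn entries copied from elasticsearch.yml; the per-entry RDN dump at the end makes an unescaped or doubly-escaped comma obvious at a glance.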