Warning messages on opensearch logs

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.16

Describe the issue:
We are seeing a lot of warning messages in the OpenSearch startup logs; most of them are about permission issues at the folder and file level.

Please find the logs below.

WARNING: Using incubator modules: jdk.incubator.vector
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/opensearch/lib/opensearch-2.16.0.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
WARNING: System::setSecurityManager will be removed in a future release
Sep 02, 2024 11:05:50 AM sun.util.locale.provider.LocaleProviderAdapter
WARNING: COMPAT locale provider will be removed in a future release
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/opensearch/lib/opensearch-2.16.0.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
WARNING: System::setSecurityManager will be removed in a future release
[2024-09-02T11:05:51,338][INFO ][o.o.n.Node ] [dmf-opensearch-master-0] version[2.16.0], pid[1], build[tar/f84a26e76807ea67a69822c37b1a1d89e7177d9b/2024-08-06T20:30:45.209655408Z], OS[Linux/5.15.146+/amd64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/21.0.3/21.0.3+9-LTS]
[2024-09-02T11:05:53,154][INFO ][o.o.s.s.DefaultSecurityKeyStore] [dmf-opensearch-master-0] Enabled TLS protocols for transport layer : [TLSv1.3, TLSv1.2]
[2024-09-02T11:05:53,154][INFO ][o.o.s.s.DefaultSecurityKeyStore] [dmf-opensearch-master-0] Enabled TLS protocols for HTTP layer : [TLSv1.3, TLSv1.2]
[2024-09-02T11:05:53,207][INFO ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] Clustername: dmf-opensearch
[2024-09-02T11:05:53,220][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] Directory /usr/share/opensearch/config has insecure file permissions (should be 0700)
[2024-09-02T11:05:53,220][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] Directory /usr/share/opensearch/config/opensearch-security has insecure file permissions (should be 0700)
[2024-09-02T11:05:53,220][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/roles.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,221][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/config.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,221][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/action_groups.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,221][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/whitelist.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,221][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/roles_mapping.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,221][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/internal_users.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,222][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/allowlist.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,222][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/nodes_dn.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,222][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/tenants.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,222][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/…data has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,222][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] Directory /usr/share/opensearch/config/opensearch-security/…2024_09_02_11_05_34.3597497429 has insecure file permissions (should be 0700)
[2024-09-02T11:05:53,223][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/…2024_09_02_11_05_34.3597497429/tenants.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,223][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/…2024_09_02_11_05_34.3597497429/internal_users.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,223][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/…2024_09_02_11_05_34.3597497429/allowlist.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,223][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/…2024_09_02_11_05_34.3597497429/nodes_dn.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,223][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/…2024_09_02_11_05_34.3597497429/whitelist.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,223][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/…2024_09_02_11_05_34.3597497429/roles_mapping.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,224][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/…2024_09_02_11_05_34.3597497429/roles.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,224][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/…2024_09_02_11_05_34.3597497429/config.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,224][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch-security/…2024_09_02_11_05_34.3597497429/action_groups.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,224][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/opensearch.yml has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,224][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] Directory /usr/share/opensearch/config/certs has insecure file permissions (should be 0700)
[2024-09-02T11:05:53,225][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/certs/tls.key has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,225][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/certs/tls.crt has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,225][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/certs/…data has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,225][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] Directory /usr/share/opensearch/config/certs/…2024_09_02_11_05_34.1633639832 has insecure file permissions (should be 0700)
[2024-09-02T11:05:53,225][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] Directory /usr/share/opensearch/config/certs/node has insecure file permissions (should be 0700)
[2024-09-02T11:05:53,225][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/certs/node/tls.crt has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,226][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/certs/node/tls.key has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,226][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] File /usr/share/opensearch/config/certs/node/…data has insecure file permissions (should be 0600)
[2024-09-02T11:05:53,226][WARN ][o.o.s.OpenSearchSecurityPlugin] [dmf-opensearch-master-0] Directory /usr/share/opensearch/config/certs/node/…2024_09_02_11_05_34.3529337012 has insecure file permissions (should be 0700)
[2024-09-02T11:05:53,951][INFO ][o.o.p.c.c.PluginSettings ] [dmf-opensearch-master-0] Config: metricsLocation: /dev/shm/performanceanalyzer/, metricsDeletionInterval: 1, httpsEnabled: false, cleanup-metrics-db-files: true, batch-metrics-retention-period-minutes: 7, rpc-port: 9650, webservice-port 9600

Kindly let me know if there is any setting to be enabled for this.

Hi @arun_udaiyar,

Looks like you have your permissions a bit looser than the system would like. If you would like more details, please run the below and share the output:

ls -l /usr/share/opensearch/config/certs/node/

best,
mj

Hi @Mantas
Thanks for the quick response. Please find the details below.

[opensearch@dmf-opensearch-master-0 ~]$ ls -l /usr/share/opensearch/config/certs/node/
total 0
lrwxrwxrwx 1 root opensearch 14 Sep 4 19:05 tls.crt → …data/tls.crt
lrwxrwxrwx 1 root opensearch 14 Sep 4 19:05 tls.key → …data/tls.key

Looks like you have Read/Write/Execute (777) on your certs for all; this is not safe, and that’s why you see the warnings:

You can adjust that with the command chmod:

i.e.:
chmod 0600 /usr/share/opensearch/config/certs/node/tls.crt

Please see more on Linux permissions here: chmod - Wikipedia
The numerical permissions section will explain what numbers mean, here is a more visual approach: https://chmod-calculator.com/

best,
mj
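
An added example, not part of the original posts and not OpenSearch's own code: a POSIX shell function that lists every entry under a config directory whose effective mode differs from what the warnings above ask for (0700 for directories, 0600 for files). It assumes GNU find and stat, and reads modes through symlinks because `ls -l` shows a link's own bits (always lrwxrwxrwx on Linux) rather than its target's; the names audit_modes and audit_ok are hypothetical.

```shell
# Added example. Usage: audit_modes /usr/share/opensearch/config
# Requires GNU find and GNU stat (Linux).

# audit_modes DIR
# Prints one line per mismatch: "<actual> <expected> <path>".
audit_modes() {
    find "$1" -exec sh -c '
        for path do
            # -L follows symlinks, so a link is judged by its target mode.
            # A dangling link makes stat fail; skip it.
            mode=$(stat -L -c %a -- "$path" 2>/dev/null) || continue
            # [ -d ] also follows symlinks, matching stat -L.
            if [ -d "$path" ]; then want=700; else want=600; fi
            [ "$mode" = "$want" ] ||
                printf "%s %s %s\n" "$mode" "$want" "$path"
        done' sh {} +
}

# audit_ok DIR
# Returns 0 when nothing under DIR deviates, 1 otherwise.
audit_ok() {
    [ -z "$(audit_modes "$1")" ]
}
```

Run it as the user the OpenSearch process runs as, and compare its output with the WARN lines in the startup log before and after changing modes.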