maplelabs / opensearch-scaling-manager


Opendistro security nodes dn configuration issue #504

Open meghana-rajashekar opened 1 year ago

meghana-rajashekar commented 1 year ago

Is your feature request related to a problem? Please describe.

With the current expectation of node security CNs across the cluster as one of the prerequisites, all nodes are accepting a wildcard * for nodes_dn. Also, the new node configuration would add this in a similar way:

plugins.security.nodes_dn:
- CN=*.domain.com,OU=Ops,O=domain.com\, Inc.,DC=domain.com
plugins.security.authcz.admin_dn:
- CN=admin.domain.com,OU=Ops,O=domain.com\, Inc.,DC=domain.com

When securityadmin.sh is run to update opendistro_security configurations with this setting, it fails with an error since admin also matches the nodes_dn due to the wildcard:

Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=admin.domain.com,OU=Ops,O=domain.com\, Inc.,DC=domain.com
ERR: Seems you use a node certificate which is also an admin certificate
     That may have worked with older OpenSearch Security versions but it indicates
     a configuration error and is therefore forbidden now.
Unable to check whether cluster is sane

Describe the solution you'd like

Instead of wildcard acceptance in node CNs, update the individual node CN while scaling up the cluster. This config file update should happen on all the nodes currently present in the cluster, followed by a restart of all nodes. Similarly, while scaling down, once the node is removed, update opensearch.yml to remove the node CN and restart the nodes.

Expected drawback

The restart on all the nodes while scaling up or scaling down would cause some rebalancing in the system if the restart isn't complete within the index.unassigned.node_left.delayed_timeout setting on the cluster.
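The two points in the issue, a wildcard nodes_dn that also matches the admin_dn and the proposal to keep one explicit nodes_dn entry per node as the cluster scales, can both be checked mechanically before securityadmin.sh is run. The following Python is an added example written for this page; it is not part of opensearch-scaling-manager or of the OpenSearch security plugin. The DN values are copied from the issue, the node hostnames are constructed, and the matching helper uses shell-style wildcard semantics as an approximation of the plugin's own matching (an assumption, since the plugin also accepts other pattern forms).

```python
import fnmatch

# Constructed opensearch.yml fragment, same shape as the configuration quoted in the issue.
SAMPLE_CONFIG = {
    "plugins.security.nodes_dn": [
        "CN=*.domain.com,OU=Ops,O=domain.com\\, Inc.,DC=domain.com",
    ],
    "plugins.security.authcz.admin_dn": [
        "CN=admin.domain.com,OU=Ops,O=domain.com\\, Inc.,DC=domain.com",
    ],
}

# DN template for per-node entries; hypothetical, modelled on the issue's DN layout.
NODE_DN_TEMPLATE = "CN={host},OU=Ops,O=domain.com\\, Inc.,DC=domain.com"


def dn_matches(pattern: str, dn: str) -> bool:
    """Match a concrete DN against a nodes_dn entry.

    Assumption: '*' may stand for any run of characters, as in a shell glob.
    Entries without a wildcard must match the DN exactly.
    """
    return fnmatch.fnmatchcase(dn, pattern)


def admin_node_overlap(config: dict) -> list:
    """Return (admin_dn, nodes_dn_entry) pairs where an admin certificate
    would also be accepted as a node certificate. A non-empty result is the
    condition securityadmin.sh rejects ("node certificate which is also an
    admin certificate")."""
    overlaps = []
    for admin in config.get("plugins.security.authcz.admin_dn", []):
        for entry in config.get("plugins.security.nodes_dn", []):
            if dn_matches(entry, admin):
                overlaps.append((admin, entry))
    return overlaps


def explicit_nodes_dn(node_hostnames) -> list:
    """Build a nodes_dn list with one exact entry per node, replacing a wildcard."""
    return [NODE_DN_TEMPLATE.format(host=h) for h in sorted(set(node_hostnames))]


def update_nodes_dn(config: dict, add=(), remove=()) -> dict:
    """Return a copy of the config with nodes added (scale up) or removed (scale down).
    Wildcard entries are dropped so the result contains only explicit node DNs."""
    current = [e for e in config.get("plugins.security.nodes_dn", []) if "*" not in e]
    for host in add:
        current.append(NODE_DN_TEMPLATE.format(host=host))
    for host in remove:
        current = [e for e in current if e != NODE_DN_TEMPLATE.format(host=host)]
    new_config = dict(config)
    new_config["plugins.security.nodes_dn"] = sorted(set(current))
    return new_config


def render_yaml(config: dict) -> str:
    """Render the two keys in the same list form used in opensearch.yml."""
    lines = []
    for key, values in config.items():
        lines.append(f"{key}:")
        for value in values:
            lines.append(f"- {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("overlap with wildcard:", admin_node_overlap(SAMPLE_CONFIG))
    fixed = update_nodes_dn(SAMPLE_CONFIG, add=["node-1.domain.com", "node-2.domain.com"])
    print("overlap after explicit entries:", admin_node_overlap(fixed))
    print(render_yaml(fixed))
```

Running the check on the wildcard configuration reports the admin DN as overlapping, which is exactly what securityadmin.sh refuses; after swapping in explicit per-node entries the overlap list is empty. The same `update_nodes_dn` call with `remove=[...]` produces the scale-down configuration, and the rendered YAML is what would be written to every node before the restart the issue describes.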