Is your feature request related to a problem? Please describe.
With the current expectation of node security CNs across the cluster as one of the prerequisites, all nodes are accepting a wildcard * for nodes_dn.
Also, the new node configuration would add this in a similar way.
When securityadmin.sh is run to update opendistro_security configurations with this setting, it fails with an error since admin also matches the nodes_dn due to the wildcard:
Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=admin.domain.com,OU=Ops,O=domain.com\, Inc.,DC=domain.com
ERR: Seems you use a node certificate which is also an admin certificate
That may have worked with older OpenSearch Security versions but it indicates
a configuration error and is therefore forbidden now.
Unable to check whether cluster is sane
Describe the solution you'd like
Instead of wildcard acceptance in node CNs, update individual node CNs while scaling up the cluster.
This config file update should happen on all the nodes currently present in the cluster and restart all nodes.
Similarly, while scaling down, once the node is removed, update opensearch.yml to remove the node CN and restart the nodes.
Expected drawback
The restart on all the nodes while scaling up or scaling down would cause some rebalancing in the system if the restart isn't complete within the index.unassigned.node_left.delayed_timeout setting on the cluster.
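Added example (not part of the original issue or the project's code): a pre-flight check that reports which admin DNs are matched by a nodes_dn list, the overlap that makes securityadmin.sh abort above. It assumes nodes_dn entries are plain wildcard patterns (`*` for any run of characters, `?` for one character) compared against the full DN string; the node DNs and the scoped-wildcard pattern are constructed sample values.

```python
import re

def dn_pattern_to_regex(pattern):
    """Translate one nodes_dn entry: '*' = any run of chars, '?' = one char."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # everything else is literal
    return re.compile("".join(parts), re.DOTALL)

def admin_dns_matched_by_nodes_dn(nodes_dn, admin_dns):
    """Return {admin_dn: [nodes_dn patterns that also match it]}."""
    overlaps = {}
    for admin in admin_dns:
        hits = [p for p in nodes_dn if dn_pattern_to_regex(p).fullmatch(admin)]
        if hits:
            overlaps[admin] = hits
    return overlaps

# Admin DN as shown in the securityadmin.sh output above.
ADMIN_DNS = [r"CN=admin.domain.com,OU=Ops,O=domain.com\, Inc.,DC=domain.com"]

# Constructed nodes_dn variants for comparison.
WILDCARD_NODES_DN = ["*"]
# A narrower wildcard still covers the admin certificate's DN.
SCOPED_WILDCARD_NODES_DN = [r"CN=*.domain.com,OU=Ops,O=domain.com\, Inc.,DC=domain.com"]
# One entry per node, as the request proposes (hypothetical node names).
EXPLICIT_NODES_DN = [
    r"CN=node1.domain.com,OU=Ops,O=domain.com\, Inc.,DC=domain.com",
    r"CN=node2.domain.com,OU=Ops,O=domain.com\, Inc.,DC=domain.com",
]

if __name__ == "__main__":
    for label, nodes_dn in [("wildcard", WILDCARD_NODES_DN),
                            ("scoped wildcard", SCOPED_WILDCARD_NODES_DN),
                            ("explicit", EXPLICIT_NODES_DN)]:
        overlaps = admin_dns_matched_by_nodes_dn(nodes_dn, ADMIN_DNS)
        print(f"{label}: {'CONFLICT ' + str(overlaps) if overlaps else 'ok'}")
```

Running the check against the generated nodes_dn list before each scale-up or scale-down catches the conflict before the nodes are restarted.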