Open mabahre opened 7 months ago
Hi! The same problem:
Detected OpenSearch Version: 2.12.0
Detected OpenSearch Security Version: 2.12.0.0
Admin password set successfully.
Exception updating the admin password : Unable to update the internal users file with the hashed password.
In libsonnet: securityConfig+: { enabled: true, path: "/usr/share/opensearch/config/opensearch-security", config+:{ securityConfigSecret: "", dataComplete: true, data+:{ 'internal_users.yml': |||
I think you need to set DISABLE_INSTALL_DEMO_CONFIG=true
to use a custom security config.
Thank you, maybe it is the right way. But applying the env DISABLE_INSTALL_DEMO_CONFIG=true itself resulted in another problem:
Defaulted container "opensearch" out of: opensearch, fsgroup-volume (init), configfile (init), sysctl (init)
Enabling OpenSearch Security Plugin
Disabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
Enabling execution of OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin
WARNING: Using incubator modules: jdk.incubator.vector
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/opensearch/lib/opensearch-2.12.0.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
WARNING: System::setSecurityManager will be removed in a future release
Feb 26, 2024 1:51:24 PM sun.util.locale.provider.LocaleProviderAdapter
I can confirm the problem of @mike858585: after setting the env "DISABLE_INSTALL_DEMO_CONFIG", I get the same error.
Hi Team, any update or workaround for this issue?
It seems that setting up "OPENSEARCH_INITIAL_ADMIN_PASSWORD" and securityConfig together leads to an error.
For example, if I set up an internal_users.yml under the securityConfig, it gives the error:
exception updating the admin password : /usr/share/opensearch/config/opensearch-security/internal_users.yml: device or resource busy
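The failure in the last few comments (the image entrypoint trying to write the admin hash into an internal_users.yml that is mounted read-only from the securityConfig secret, hence "device or resource busy") means that, when you supply your own securityConfig, the file has to carry the admin user's bcrypt hash already and DISABLE_INSTALL_DEMO_CONFIG has to be "true". The pre-deploy check below is an added example and is not code from this thread, the Helm chart or the OpenSearch project. It assumes that the hash-injection step lives in install_demo_configuration.sh, so disabling that script leaves a custom file untouched; the sample YAML, the extraEnvs lists and the bcrypt strings are constructed for the check (valid in format only, not real password hashes). A real hash comes from plugins/opensearch-security/tools/hash.sh -p '<password>'.

```python
"""Pre-deploy sanity check for a custom internal_users.yml handed to the OpenSearch Helm chart.

Added example (not the chart's or the project's code). Assumption: with securityConfig
enabled the file is mounted read-only, so the entrypoint cannot inject the
OPENSEARCH_INITIAL_ADMIN_PASSWORD hash; the admin hash must already be in the file and
DISABLE_INSTALL_DEMO_CONFIG must be "true".
"""
import re

BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d\d)\$[./A-Za-z0-9]{53}$")
DEMO_USERS = {"kibanaserver", "kibanaro", "logstash", "readall", "snapshotrestore"}
MIN_COST = 10  # hash.sh uses cost 12; anything below 10 is flagged as weak


def parse_internal_users(text):
    """Parse the two-level YAML of internal_users.yml into {user: {attr: value}}.

    Minimal on purpose (no PyYAML): top-level keys at column 0, scalar attributes one
    indent in, '- item' lines appended to the preceding attribute as a list.
    """
    users, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (bcrypt has no '#')
        if not line.strip():
            continue
        if not line.startswith(" "):  # new user block
            current = line.rstrip(":").strip().strip("\"'")
            users[current], last_key = {}, None
            continue
        stripped = line.strip()
        if stripped.startswith("- ") and current is not None and last_key is not None:
            users[current].setdefault(last_key, []).append(stripped[2:].strip().strip("\"'"))
            continue
        key, _, value = stripped.partition(":")
        last_key = key.strip()
        value = value.strip().strip("\"'")
        users[current][last_key] = value if value else []
    return users


def check_internal_users(text, admin_user="admin"):
    """Return [(severity, message)] findings; an empty list means the file is deployable."""
    users = parse_internal_users(text)
    findings = []
    meta = users.pop("_meta", None)
    if not meta or meta.get("type") != "internalusers":
        findings.append(("error", "_meta.type must be 'internalusers'"))
    if admin_user not in users:
        findings.append(("error", f"no '{admin_user}' entry: the entrypoint cannot add one to a read-only mount"))
    for name, attrs in users.items():
        if "password" in attrs:
            findings.append(("error", f"{name}: plaintext 'password' key; use a bcrypt 'hash' from hash.sh"))
        h = attrs.get("hash")
        if not isinstance(h, str):
            findings.append(("error", f"{name}: missing 'hash'"))
            continue
        m = BCRYPT_RE.match(h)
        if not m:
            findings.append(("error", f"{name}: 'hash' is not a bcrypt string"))
            continue
        if int(m.group(1)) < MIN_COST:
            findings.append(("warn", f"{name}: bcrypt cost {int(m.group(1))} is below {MIN_COST}"))
        if name in DEMO_USERS:
            findings.append(("warn", f"{name}: demo account name; confirm the hash is not the demo one"))
    return findings


def check_env(extra_envs):
    """Check the chart's extraEnvs (list of {name, value}) for the combination this thread hits."""
    env = {e.get("name"): e.get("value") for e in extra_envs}
    findings = []
    if env.get("DISABLE_INSTALL_DEMO_CONFIG") != "true":
        findings.append(("error", "DISABLE_INSTALL_DEMO_CONFIG must be 'true' when securityConfig is supplied"))
    if "OPENSEARCH_INITIAL_ADMIN_PASSWORD" in env:
        findings.append(("warn", "OPENSEARCH_INITIAL_ADMIN_PASSWORD is not written into a custom file; the hash in internal_users.yml is what counts"))
    return findings


# Constructed samples: the bcrypt strings are format-valid placeholders, not real hashes.
GOOD_YAML = """\
_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: "$2y$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUV012345678"
  reserved: true
  backend_roles:
  - "admin"
  description: "Cluster admin"
"""

BAD_YAML = """\
_meta:
  type: "internalusers"
  config_version: 2

admin:
  password: "admin"
  reserved: true

kibanaserver:
  hash: "$2y$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUV012345678"
  reserved: true
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_YAML), ("bad", BAD_YAML)):
        for severity, msg in check_internal_users(text):
            print(f"[{label}] {severity}: {msg}")
    for severity, msg in check_env([{"name": "OPENSEARCH_INITIAL_ADMIN_PASSWORD", "value": "secret"}]):
        print(f"[env] {severity}: {msg}")
```

Run it against the rendered internal_users.yml (for example the decoded securityConfig secret) before helm install; any "error" finding is one the entrypoint would otherwise surface only after the pod has already failed to start.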
Did you mount the cert into the pod as per the error message?
Caused by: org.opensearch.OpenSearchSecurityException: Error while initializing transport SSL layer from PEM: OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]
@smlx the same configuration works if I just set appVersion: "2.11.0", and the certificates are mounted correctly; for version 2.12.0 I have to set securityConfig+: { enabled: false,
Next, I will control it via API.
If I wanted to mount something manually, I don't have to use the helm-charts, but only the manifests :-)
@smlx I never mounted the mentioned certificate and it works fine in previous versions. I only mount the root CA for LDAP.
@smlx Thank you very much!

name: 'DISABLE_INSTALL_DEMO_CONFIG',
value: 'true',

and using default cert settings helped me :-) https://opensearch.org/docs/2.12/security/configuration/generate-certificates/
$ kubectl exec -it opensearch-cluster-master-0 -n opensearch -- /bin/bash -c "./plugins/opensearch-security/tools/securityadmin.sh -cd config/opensearch-security -icl -nhnv -cacert /usr/share/opensearch/config/certificates/root-ca.pem -cert /usr/share/opensearch/config/certificates/client.pem -key /usr/share/opensearch/config/certificates/client-key.pem"
Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=client.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA"
OpenSearch Version: 2.12.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: opensearch-cluster
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 3
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/opensearch/config/opensearch-security
Will update '/config' with config/opensearch-security/config.yml
SUCC: Configuration for 'config' created or updated
Will update '/roles' with config/opensearch-security/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with config/opensearch-security/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with config/opensearch-security/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with config/opensearch-security/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with config/opensearch-security/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with config/opensearch-security/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with config/opensearch-security/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
But this does not seem like a valid solution to me, because I don't need a certificate inside the containers, as I use an Ingress.
@mabahre I will not test with ingress in the near future; I use it in an internal network. However, I think you should still use certificates to secure transport-layer communication between OpenSearch cluster nodes. Hard to say.
Hello, I'm seeing this as well when I install using this command: helm install opensearch opensearch/opensearch --namespace opensearch
K8s version: v1.30.2
Charts: v2.23.0
Describe the bug
When deploying the Helm chart to a Kubernetes cluster with the default admin password set via the environment variable "OPENSEARCH_INITIAL_ADMIN_PASSWORD" and a custom securityConfig, the deployment fails with the following error:
No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.
Deploying the chart without setting a custom securityConfig works fine, but that is not the desired goal because I need to deploy an LDAP connection via that config.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The deployment should be able to set the admin password even if a custom securityConfig is provided.
Chart Name: opensearch
Version: 2.18.0
Host/Environment (please complete the following information):
Complete Logs