[BUG] Ignore cluster name option for Security Admin does not work

[cwperks]

What is the bug?

Since the removal of the TransportClient in OpenSearch 2.0 (See https://github.com/opensearch-project/security/pull/1638) the -icl and -cn options of the securityadmin.sh tool have not been working.

This flag used to add a setting to the TransportClient called client.transport.ignore_cluster_name (See PR where Transport Client was removed) which would check the cluster name from the info on each node to ensure the node was part of the intended cluster. See PR that introduced the concept: https://github.com/opensearch-project/OpenSearch/commit/0219471c00f1c4f8ab86e4693cd69940b4444b9f

Since the tool mentions the existence of these options for the script, as a user I would expect the option to work as advertised.

This affects OS >= 2.0.

[peternied]

[Triage] Thanks for filing @cwperks

[AdrianMPCodes]

I will be giving this issue a shot as my first issue.

[prabhask5]

@cwperks @peternied @scrawfor99 I'm confused on the expected behavior by ignoring the cluster name, will the admin find any valid working cluster to apply changes to or will the script find every single cluster and apply the changes to it? It seems like this logic was in the TransportClient and the code for that is not available anymore.

[cwperks]

@prabhask5 When invoked, security admin will look for OpenSearch running on port 9200 of the machine that the script is executed on. When -icl is set, it will not verify the name of the cluster before applying the configuration changes. When -cn (clustername) is set as an option, it will first check to see that the local node is part of the expected cluster before applying changes. If there is a mismatch it should abort before applying changes.

Edit: Its also possible to execute securityadmin remotely by passing both -h (host) and -p (port) as options. The -cn option should first validate that the target node is part of the expected cluster and abort if not.