Opensearch disable ssl/https but not SecurityPlugin
Is it possible now to disable ssl/https but not SecurityPlugin itself?

Previously, in docker-compose, I could do this simply by disabling "plugins.security.ssl.http.enabled=false". Now I install using helm and it doesn't work. OpenSearch always wants a certificate.

I've been trying different options for a few hours now. "DISABLE_SECURITY_PLUGIN=true" - Disabling security completely is not an option for me.

I always get the following error.

Likely root cause: OpenSearchException[plugins.security.ssl.transport.keystore_filepath or plugins.security.ssl.transport.server.pemcert_filepath and plugins.security.ssl.transport.client.pemcert_filepath must be set if transport ssl is requested.]

My

  opensearch.yml: |
    cluster.name: opensearch-cluster
    network.host: 0.0.0.0
    plugins:
      security:
        ssl:
          transport:
            enabled: false
            enforce_hostname_verification: false
          http:
            enabled: false
        allow_unsafe_democertificates: false
        allow_default_init_securityindex: true
        audit.type: internal_opensearch
        enable_snapshot_restore_privilege: true
        check_snapshot_restore_write_privileges: true
        restapi:
          roles_enabled: ["all_access", "security_rest_api_access"]
        system_indices:
          enabled: true
          indices:
            [
              ".opendistro-alerting-config",
              ".opendistro-alerting-alert*",
              ".opendistro-anomaly-results*",
              ".opendistro-anomaly-detector*",
              ".opendistro-anomaly-checkpoints",
              ".opendistro-anomaly-detection-state",
              ".opendistro-reports-*",
              ".opendistro-notifications-*",
              ".opendistro-notebooks",
              ".opendistro-asynchronous-search-response*",
            ]
Tarbox answered 9/10, 2022 at 10:31 Comment(2)
Have you seen opensearch.org/docs/latest/install-and-configure/… ?Milson
Hi. Thanks. No. But this is no longer relevant. I will not use OpenSearch.Tarbox

According to the documentation, there is no plugins.security.ssl.transport.enable option and TLS is mandatory for the transport layer. So you can copy the values from the Helm chart. In this case you also need to set the option plugins.security.ssl.allow_unsafe_democertificates to true for the default certificates to work. The final config looks like the following:

  opensearch.yml: |
    cluster.name: opensearch-cluster
    network.host: 0.0.0.0
    plugins:
      security:
        ssl:
          transport:
            pemcert_filepath: esnode.pem
            pemkey_filepath: esnode-key.pem
            pemtrustedcas_filepath: root-ca.pem
            enforce_hostname_verification: false
          http:
            enabled: false
        allow_unsafe_democertificates: true
Luisaluise answered 28/2, 2023 at 21:45 Comment(5)
Thanks for the answer. I'm not using opensearch/elasticsearch anymore. Too many inconvenient things and troubles with configurations.Tarbox
@Tarbox what else did you change it for?Pub
FWIW, there's plugins.security.ssl.transport.enabled but it ... must be set to 'true' (as per startup error).Pub
How would you set these using a docker-compose.yml? Is it possible?Noon
Is it plugins.security.ssl.allow_unsafe_democertificates or plugins.security.allow_unsafe_democertificates?Noon
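
An added example, not part of the answer above or of OpenSearch itself: a small Python check that flattens an opensearch.yml body and flags the three conditions this thread turns on, namely missing transport TLS material (the startup error in the question), REST traffic left in cleartext by http.enabled: false, and demo certificates being allowed. The setting keys come from the configs and the error message on this page; the finding names and the minimal YAML flattener are assumptions of this example.

```python
import re
# Constructed inputs: the two opensearch.yml bodies from this page, shortened. Finding ids are this example's own.
QUESTION_CFG = """\
plugins:
  security:
    ssl:
      transport:
        enabled: false
      http:
        enabled: false
"""
ANSWER_CFG = """\
plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: esnode.pem
      http:
        enabled: false
    allow_unsafe_democertificates: true
"""

def flatten(text):
    """Flatten block-style YAML mappings into {dotted.key: value} (scalar values only)."""
    flat, stack = {}, []              # stack holds (indent, key) of the open mappings
    for line in text.splitlines():
        m = re.match(r"^( *)([\w.\-]+):\s*(.*)$", line)
        if not m:
            continue                  # list items, brackets, blank lines
        indent, key, value = len(m[1]), m[2], m[3].strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()               # leave mappings that ended at this indent
        if value:
            flat[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return flat

def lint(text):
    cfg, t = flatten(text), "plugins.security.ssl.transport."
    findings = []
    if not (t + "keystore_filepath" in cfg or t + "pemcert_filepath" in cfg or
            (t + "server.pemcert_filepath" in cfg and t + "client.pemcert_filepath" in cfg)):
        findings.append("transport-tls-material-missing")   # the startup error in the question
    if cfg.get("plugins.security.ssl.http.enabled") == "false":
        findings.append("rest-layer-cleartext")              # credentials cross the network unencrypted
    if any(k.endswith("allow_unsafe_democertificates") and v == "true" for k, v in cfg.items()):
        findings.append("demo-certificates-allowed")         # matches either spelling asked about above
    return findings
```

lint(QUESTION_CFG) reports the missing transport material and the cleartext REST layer; lint(ANSWER_CFG) no longer reports the first but adds the demo-certificate finding.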