Version: 5.1

Adding Subject Entries to OpenSearch

For proper authentication and authorization in OpenSearch, you need to configure subject entries including:

  • nodes_dn (Node Distinguished Names)

  • admin_dn (Administrator Distinguished Name)

1. Extracting Node Subjects

Execute the following command to obtain the node certificate subject:

openssl x509 -in $PATH_NEW_NODE_CERT/node-cert.pem -subject -nameopt RFC2253 -noout

Add the obtained DNs to the ${OS_HOME}/config/opensearch.yml file in the plugins.security.nodes_dn parameter:

plugins.security.nodes_dn:
- "CN=smos-node-00,O=Old Org,L=Old Dubai,ST=Old Dubai,C=AE"
- "CN=smos-node-00,O=New Org,L=Dubai,ST=Dubai,C=AE"
- "CN=smos-node-01,O=New Org,L=Dubai,ST=Dubai,C=AE"

For nodes sharing common prefixes/suffixes in their CN, you can use wildcards:

plugins.security.nodes_dn:
- "CN=smos-*,O=Old Org,L=Dubai,ST=Dubai,C=AE"
- "CN=smos-*,O=New Org,L=Dubai,ST=Dubai,C=AE"

2. Extracting Administrator Subject

Execute the same command for the administrator certificate:

openssl x509 -in $PATH_NEW_NODE_CERT/admin-cert.pem -subject -nameopt RFC2253 -noout

Add the administrator DN to ${OS_HOME}/config/opensearch.yml in the plugins.security.authcz.admin_dn parameter:

plugins.security.authcz.admin_dn:
- "CN=admin,O=Old Org,L=Old Dubai,ST=Old Dubai,C=AE"
- "CN=admin,O=New Org,L=Dubai,ST=Dubai,C=AE"
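
Both extraction steps can be scripted so the DNs are copied into opensearch.yml without retyping. The script below is an added example, not part of the original documentation: the function names subject_to_yaml_item and dn_block and the NODE_CERT / ADMIN_CERT variables are assumptions. It strips the "subject=" prefix that openssl prints and escapes backslashes, so an RFC 2253 DN with escaped characters stays valid inside the double-quoted YAML strings used above.

```shell
#!/bin/sh
# Added example: build opensearch.yml DN entries from certificate subjects.
# Function names are hypothetical; only openssl x509 and sed are required.

# Convert one line of `openssl x509 -subject -nameopt RFC2253 -noout` output
# into a YAML list item in the double-quoted style used in opensearch.yml.
subject_to_yaml_item() {
    # $1: raw openssl output, e.g. "subject=CN=admin,O=New Org,C=AE"
    case "$1" in
        subject=*) ;;
        *) echo "not a subject line: $1" >&2; return 1 ;;
    esac
    # Older OpenSSL releases print "subject= CN=..." with a space after "=".
    dn=$(printf '%s\n' "$1" | sed -e 's/^subject= *//')
    # RFC 2253 escapes special characters with a backslash (O=Acme\, Inc.).
    # In a double-quoted YAML scalar a backslash starts an escape sequence,
    # so double every backslash and escape embedded double quotes.
    dn=$(printf '%s\n' "$dn" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf '%s "%s"\n' '-' "$dn"
}

# Print a complete block: the parameter name, then one item per certificate.
# $1: parameter name, remaining arguments: PEM certificate files.
dn_block() {
    key=$1
    shift
    printf '%s:\n' "$key"
    for cert in "$@"; do
        line=$(openssl x509 -in "$cert" -subject -nameopt RFC2253 -noout) || return 1
        subject_to_yaml_item "$line" || return 1
    done
}

# Usage (NODE_CERT and ADMIN_CERT are hypothetical variables holding the
# paths of the node and administrator certificates):
#   dn_block plugins.security.nodes_dn "$NODE_CERT"
#   dn_block plugins.security.authcz.admin_dn "$ADMIN_CERT"
```

Review the printed block before pasting it into ${OS_HOME}/config/opensearch.yml, and keep the node and administrator certificates in separate calls so that a node DN does not end up in the admin_dn list.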