Reputation: 2551
Is it possible now to disable SSL/HTTPS but not the SecurityPlugin itself?
Previously, in docker-compose, I could do this simply by disabling "plugins.security.ssl.http.enabled=false". Now I install using helm and it doesn't work. OpenSearch always wants a certificate.
I've been trying different options for a few hours now.
"DISABLE_SECURITY_PLUGIN=true" - Disabling security completely is not an option for me.
I always get the following error:
Likely root cause: OpenSearchException[plugins.security.ssl.transport.keystore_filepath or plugins.security.ssl.transport.server.pemcert_filepath and plugins.security.ssl.transport.client.pemcert_filepath must be set if transport ssl is requested.]
My
opensearch.yml: |
  cluster.name: opensearch-cluster
  network.host: 0.0.0.0
  plugins:
    security:
      ssl:
        transport:
          enabled: false
          enforce_hostname_verification: false
        http:
          enabled: false
      allow_unsafe_democertificates: false
      allow_default_init_securityindex: true
      audit.type: internal_opensearch
      enable_snapshot_restore_privilege: true
      check_snapshot_restore_write_privileges: true
      restapi:
        roles_enabled: ["all_access", "security_rest_api_access"]
      system_indices:
        enabled: true
        indices:
          [
            ".opendistro-alerting-config",
            ".opendistro-alerting-alert*",
            ".opendistro-anomaly-results*",
            ".opendistro-anomaly-detector*",
            ".opendistro-anomaly-checkpoints",
            ".opendistro-anomaly-detection-state",
            ".opendistro-reports-*",
            ".opendistro-notifications-*",
            ".opendistro-notebooks",
            ".opendistro-asynchronous-search-response*",
          ]
Upvotes: 10
Views: 14029
Reputation: 150
According to the documentation, there is no plugins.security.ssl.transport.enable option and TLS is mandatory for the transport layer. So you can copy the values from the helm chart. In this case you also need to set the option plugins.security.ssl.allow_unsafe_democertificates to true for the default certificates to work. The final config looks like the following:
opensearch.yml: |
  cluster.name: opensearch-cluster
  network.host: 0.0.0.0
  plugins:
    security:
      ssl:
        transport:
          pemcert_filepath: esnode.pem
          pemkey_filepath: esnode-key.pem
          pemtrustedcas_filepath: root-ca.pem
          enforce_hostname_verification: false
        http:
          enabled: false
      allow_unsafe_democertificates: true
Upvotes: 3
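A pre-deployment check for the settings this thread turns on, added here as an example (it is not code from either poster or from the OpenSearch project). The finding names and the minimal YAML flattener are invented for the illustration, and the two sample configs are constructed, trimmed-down versions of the ones posted above.

```python
def flatten(text):
    """Flatten nested 'key: value' mappings into dotted setting names."""
    out, stack = {}, []                      # stack: (indent, key) path to current line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue                         # blanks, comments, list items
        indent = len(raw) - len(raw.lstrip())
        key, _, value = line.partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                      # leave siblings and deeper levels
        stack.append((indent, key))
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip()
    return out

def lint(cfg):
    """Return finding ids for the TLS settings discussed in this thread."""
    t = "plugins.security.ssl.transport."
    pem_pair = all(t + s + ".pemcert_filepath" in cfg for s in ("server", "client"))
    has_cert = t + "keystore_filepath" in cfg or t + "pemcert_filepath" in cfg or pem_pair
    checks = [
        ("transport-toggle-unsupported", t + "enabled" in cfg),  # no such option (answer)
        ("transport-cert-missing", not has_cert),     # the startup error in the question
        ("rest-plaintext", cfg.get("plugins.security.ssl.http.enabled") == "false"),
        ("demo-certificates",                         # demo certs, not for production
         cfg.get("plugins.security.allow_unsafe_democertificates") == "true"),
    ]
    return [name for name, hit in checks if hit]

QUESTION = """\
plugins.security:
  ssl:
    transport:
      enabled: false
    http:
      enabled: false
"""
ANSWER = """\
plugins.security:
  ssl:
    transport:
      pemcert_filepath: esnode.pem
    http:
      enabled: false
  allow_unsafe_democertificates: true
"""
for name, text in (("question", QUESTION), ("answer", ANSWER)):
    print(name, lint(flatten(text)))
```

The answer's config starts the node but still reports two findings: the REST layer is served without TLS, and the transport layer relies on the demo certificates.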