-
Notifications
You must be signed in to change notification settings - Fork 500
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Securityadmin error: Not a valid protocol version: This is not an HTTP port. #695
Comments
@prudhvigodithi The 2.0.x documentation has been updated with the correct port. https://opensearch.org/docs/latest/security-plugin/configuration/security-admin/#basic-usage |
Hey @pawelw1, https://opensearch.org/docs/latest/security-plugin/configuration/security-admin/#opensearch-settings, I see as 9300 as transport port?, but ya basic usage shows 9200, should we consider changing the doc that says ? |
Hi "javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?" |
@prudhvigodithi I know that cross-cluster replication and search still using port 9300. |
Hi @Naarcha-AWS |
Looking in to this. The security script invokes https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/tools/SecurityAdmin.java which seems to indicate that the default port is 9200. @pratikshavyas this issue is filed against the documentation. Can you please help me understand what you mean when you ask "can you please share plan on fixing this and what is the way moving forward?" |
Hi @JeffH-AWS |
@pratikshavyas The reason why securityadmin.sh fails is the fact that you must use it with admin TLS certificates defined in That's why you must enable SSL on HTTP by setting The mentioned option allows you to disable SSL on HTTP, however |
In security plugin, the transport port should be changed to http port |
@cliu123 I think the documentation is correct. This regards the OpenSearch service and not securityadmin.sh. |
You're right. If the documentation is not specific for security admin tool, then it's good. |
@cliu123 I think the documentation is missing a statement that would explain exactly what was deprecated in terms of the transport layer.
|
SecurityAdmin for OpenSearch |
Correct!
I don't think the authN and authZ in transport layer have been deprecated. Only TransportClient has been removed and has replaced with HighLevelRestClient. |
@cliu123 TransportClient authentication and authorization according to opensearch-project/security#1701 |
@pratikshavyas Version 1.x is still using TransportClient and port 9200. This change was introduced in version 2.0.0 |
It sounds like we had a few different topics conflated here.
Regarding item 1, it sounds like this has been cleared up. Does anything further need answered here? If we're all good on that front, what needs adjusted in the docs and for what specific version(s)? |
Putting this on the backlog until someone is able to chime in about my previous question. |
What is the bug?
Running
/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh
on port9300
throws errorCaused by: org.apache.http.ParseException: Not a valid protocol version: This is not an HTTP port
Full Error log:
From 2.0 release notes I see Transport client is deprecated, however the documentation still says for
-p
-p | OpenSearch port. Default is 9300—not the HTTP port.
How can one reproduce the bug?
Executing
/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh
on port9300
What is the expected behavior?
For 1.3.3, this error wont show up and
securityadmin.sh
executes without any error, connects to cluster and creates a security index, works as expected.What is your host/environment?
Do you have any additional context?
Following the issue
opensearch-project/security#1578, I see the
TransportClient
is deprecated, so ideally the expected port is rest http port, could be even 9200 for OpenSearch 2.0.1, but however the documentation still says to use Default 9300 port.This issue is raised to help OpenSearch Kubernetes Operator compatible with 2.0.0 series of OpenSearch.
opensearch-project/opensearch-k8s-operator#176
The text was updated successfully, but these errors were encountered: