ElasticsearchSecurityException No user found for cluster:monitor/nodes/info

Hi,

I am trying to configure SSL with Open Distro Security on a three-node cluster. I encountered the error below while running securityadmin.sh:

ElasticsearchSecurityException[No user found for cluster:monitor/nodes/info]

I also observed the warning message below. I am stuck on this; any help would be appreciated.

[2020-10-20T05:54:01,135][WARN ][c.a.o.s.c.ConfigurationLoaderSecurity7] [hotnode- 
es.laas.neustar.biz] No data for rolesmapping while retrieving configuration for 
[INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS,  
NODESDN, WHITELIST, AUDIT]  (index=.opendistro_security and type=null)


Thanks
Shiva Vikas

@vikasgurlinka I noticed this error at the top of your screen capture:

ERR: Seems you use a node certificate which is also an admin certificate
         That may have worked with older Open Distro Security versions but it indicates
         a configuration error and is therefore forbidden now.

I don’t know if that is causing the problems you are asking about but I think it is a problem you should probably fix. This error message appears to indicate that your Elasticsearch cluster is not configured properly which may be causing the other problems.

In your elastic config file (elasticsearch.yml) there should be a couple of lines like this:

opendistro_security.nodes_dn:
- "CN=myCommonName2,OU=myOrgUnitName,O=Default Company,L=Default City,C=XX"
opendistro_security.authcz.admin_dn:
- "CN=adminCommonName,OU=adminOrgUnit,O=Default Company,L=Default City,C=XX"

Based on the error message, you used the same OID information for both properties. As the message indicates, you need to have 2 different values for these properties. AND you need to use a cert associated with the OID specified in the 2nd property.

You can use openssl to confirm/determine what OID is contained within your TLS certs (as shown below).

bash-4.2$ openssl x509 -subject -nameopt RFC2253 -noout -in adminTLS.pem
  subject= CN=adminCommonName,OU=adminOrgUnit,O=Default Company Ltd,L=Default City,C=XX

Everything after the “subject=” should match the value you’ve specified in the appropriate line in your elasticsearch.yml file. Double-check the value you have specified for opendistro_security.authcz.admin_dn with the value from your admin TLS cert.
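
The comparison described in the reply above can be scripted. This is an added example, not part of the original post and not Open Distro code; the function names are hypothetical, it assumes the two settings are written as YAML lists as shown in the reply, and it does exact string comparison only (no pattern matching).

```sh
#!/bin/sh
# Added example. Exact string comparison only; pattern-style entries
# in the DN lists are not evaluated.

# Print the list entries that follow "<key>:" in a YAML file, unquoted.
dn_list() {  # usage: dn_list <elasticsearch.yml> <key>
  awk -v key="$2:" '
    NF == 0                { next }
    $1 == key              { on = 1; next }
    on && $1 == "-"        { sub(/^[ \t]*-[ \t]*/, ""); print; next }
                           { on = 0 }
  ' "$1" | sed -e 's/[[:space:]]*$//' -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Subject DN of a PEM certificate, using the openssl call from the reply.
cert_subject() {  # usage: cert_subject <cert.pem>
  openssl x509 -subject -nameopt RFC2253 -noout -in "$1" | sed 's/^subject= *//'
}

# Print every DN that is listed under both nodes_dn and admin_dn.
shared_dns() {  # usage: shared_dns <elasticsearch.yml>
  { dn_list "$1" opendistro_security.nodes_dn | sed 's/^/N /'
    dn_list "$1" opendistro_security.authcz.admin_dn | sed 's/^/A /'; } |
    awk '{ tag = $1; sub(/^[NA] /, "") }
         tag == "N" { node[$0] = 1 }
         tag == "A" && ($0 in node)'
}

# Return 0 only if <subject> is an admin DN, is not a node DN, and the
# two lists share no entry.
check_admin_dn() {  # usage: check_admin_dn <elasticsearch.yml> <subject>
  rc=0
  if ! dn_list "$1" opendistro_security.authcz.admin_dn | grep -Fxq -- "$2"; then
    echo "FAIL: subject is not listed under admin_dn: $2"; rc=1
  fi
  if dn_list "$1" opendistro_security.nodes_dn | grep -Fxq -- "$2"; then
    echo "FAIL: subject is also listed under nodes_dn: $2"; rc=1
  fi
  if [ -n "$(shared_dns "$1")" ]; then
    echo "FAIL: same DN under nodes_dn and admin_dn:"; shared_dns "$1"; rc=1
  fi
  return "$rc"
}

# Typical call (file names as in the reply):
#   check_admin_dn elasticsearch.yml "$(cert_subject adminTLS.pem)"
```

Run it on each node before calling securityadmin.sh; a non-zero exit status means the admin certificate and the DN lists disagree.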