Hi
I am getting an error when I run the securityadmin.sh (option -cd) script to deploy a modification that I created in roles.yml.
Here is the output of the command along with the error:
Open Distro Security Admin v7
Will connect to localhost:9300 … done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Elasticsearch Version: 7.10.2
Open Distro Security Version: 1.13.1.0
Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: elasticsearch
Clusterstate: YELLOW
Number of nodes: 3
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
Will update ‘_doc/config’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
SUCC: Configuration for ‘config’ created or updated
ERR: Seems /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml is not in Open Distro Security 7 format: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize instance of java.lang.String out of START_ARRAY token
at [Source: (String)“{”_meta":{“type”:“roles”,“config_version”:2},“kibana_read_only”:{“reserved”:true},“security_rest_api_access”:{“reserved”:true},“alerting_read_access”:{“reserved”:true,"cluster_permissions":[“cluster:admin/opendistro/alerting/alerts/get”,“cluster:admin/opendistro/alerting/destination/get”,“cluster:admin/opendistro/alerting/monitor/get”,“cluster:admin/opendistro/alerting/monitor/search”]},“alerting_ack_alerts”:{“reserved”:true,“cluster_permissions”:[“cluster:admin/opendistro/alerting/alerts/*”]},“”[truncated 5181 chars]; line: 1, column: 3308] (through reference chain: com.amazon.opendistroforelasticsearch.security.securityconf.impl.SecurityDynamicConfiguration[“SYSTEME_ABC-XYZ”]->com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.RoleV7[“index_permissions”]->java.util.ArrayList[0]->com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.RoleV7$Index[“dls”])
Will update ‘_doc/rolesmapping’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘_doc/internalusers’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘_doc/actiongroups’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Will update ‘_doc/tenants’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml
SUCC: Configuration for ‘tenants’ created or updated
Will update ‘_doc/nodesdn’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml
SUCC: Configuration for ‘nodesdn’ created or updated
Will update ‘_doc/whitelist’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml
SUCC: Configuration for ‘whitelist’ created or updated
Will update ‘_doc/audit’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml
SUCC: Configuration for ‘audit’ created or updated
ERR: cannot upload configuration, see errors above
command terminated with exit code 255
And here is the roles.yml configuration that I want to deploy
##### automated generated for roles.yml #####
SYSTEME_ABC-XYZ:
  reserved: false
  hidden: false
  cluster_permissions:
    - 'cluster_composite_ops'
  index_permissions:
    - index_patterns:
        - 'abc*logs-socles*'
      dls: []
      fls: []
      masked_fields: []
      allowed_actions:
        - 'read'
        - 'kibana_all_read'
    - index_patterns:
        - 'abc*logs-2*'
      dls: []
      fls: []
      masked_fields: []
      allowed_actions:
        - 'read'
        - 'kibana_all_read'
    - index_patterns:
        - '.kibana'
      dls: []
      fls: []
      masked_fields: []
      allowed_actions:
        - 'read'
        - 'kibana_all_read'
My guess is that the script does not detect the list of permissions well, given that there are 3 index patterns declared in my config.
Am I right, or am I missing another aspect of the roles.yml syntax?
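
The reference chain in the error above ends at RoleV7$Index["dls"], where a String was expected and an array was found. As an added example (not part of the original post and not Open Distro code), this Python check reports such type mismatches in index_permissions before securityadmin.sh is run; the list types for the other fields and the PyYAML loader are assumptions.

```python
# Added example (not project code): type-check index_permissions before deploying.
# `dls` -> str comes from the error on this page; the list-typed fields are an
# assumption about the Open Distro Security 7 role format.
EXPECTED = {"index_patterns": list, "dls": str, "fls": list,
            "masked_fields": list, "allowed_actions": list}

# Constructed sample: the role from the post, first index_permissions entry only.
SAMPLE_ROLES = {
    "SYSTEME_ABC-XYZ": {
        "reserved": False, "hidden": False,
        "cluster_permissions": ["cluster_composite_ops"],
        "index_permissions": [{
            "index_patterns": ["abc*logs-socles*"],
            "dls": [],
            "fls": [],
            "masked_fields": [],
            "allowed_actions": ["read", "kibana_all_read"],
        }],
    },
}

def check_roles(roles):
    """Return one message per index_permissions field whose YAML type is wrong."""
    errors = []
    for name, role in roles.items():
        if name == "_meta" or not isinstance(role, dict):
            continue
        for i, perm in enumerate(role.get("index_permissions") or []):
            for field, want in EXPECTED.items():
                value = perm.get(field)  # omitted or null fields are not checked
                where = f"{name}.index_permissions[{i}].{field}"
                if value is not None and not isinstance(value, want):
                    errors.append(f"{where}: expected {want.__name__}, got {type(value).__name__}")
                elif isinstance(value, list) and not all(isinstance(v, str) for v in value):
                    errors.append(f"{where}: list items must be strings")
    return errors

def check_file(path):
    """Parse a roles.yml with PyYAML (third-party package) and check it."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return check_roles(yaml.safe_load(fh) or {})

if __name__ == "__main__":
    import sys
    found = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_roles(SAMPLE_ROLES)
    print("\n".join(found) or "OK")
    sys.exit(1 if found else 0)
```

Run with the path to roles.yml as the only argument; a non-zero exit status means at least one field has the wrong type.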