A few notes/questions on the opensearch tech preview

Hi,

Thanks a bunch for the hard work and releasing the tech preview for opensearch !
Here are a few notes/questions:

  • Quickly migrating older SG authentication configuration | Security for Elasticsearch | Search Guard
    links to https://docs.search-guard.com/tech-preview/kibana_authentication_52migration_production.md
    but that ends up as an 404

  • The documentation states how to upgrade from existing installations, but how do we migrate from ES 7.10.2/sg7 to Opensearch1.0.0/sgtp ? Should we first upgrade searchguard, and then migrate to Opensearch?

  • In the sgctl migrate-config help text it is stated in step 1 to “Update the Search Guard plugin for Elasticsearch on all nodes of your cluster”. It is however not stated to restart all nodes. Is that necessary ?

  • [EDIT] On the last point apparently it’s not possible to upgrade SG first, as it requires ES 7.14.1. We stayed at 7.10.2 to be sure to not run into issues once we would switch to opensearch

  • [EDIT] I installed opensearch 1.0.1 and sg plugin, and now I get the following error on startup : [2021-09-23T16:57:17,988][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [foo] uncaught exception in thread [main] org.opensearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Cannot have more than one plugin implementing a REST wrapper

So I manged to solve the last point by installing opensearch-minimal-1.0.0. I guess one of the maximal plugins was interfering with search-guard.

Hi!

Thank you for the feedback!

The link should refer to this page: Migrating older SG authentication configuration with minimal outage | Security for Elasticsearch | Search Guard

We will fix that soon.

It should be possible to migrate to OpenSearch and the new Search Guard version at the same time. The Search Guard version for OS will also work with the old configuration.

Yes, that is necessary.

We will later also provide Search Guard tech preview versions for 7.10.2.

However, the migration should be possible to run from any version. The process will be:

  • Update Search Guard (and optionally ES or migrate to OS at the same time)
  • Search Guard runs with the old-style configuration
  • Update the Search Guard configuration

Still, please keep in mind that the tech preview is not intended for production systems.

Yes. It should also work with the non-min version if you delete opensearch-security directory from the plugins directory.

Thanks for your quick reply.
About the last point : we did disable the OS security plugin in the config, to no avail. Maybe another plugin was interfering.

What kind of configuration did you use to disable the OS security plugin?

I just tested installing Search Guard in the non-min OS versions after having removed the OpenSearch security plugin directories. So, for OpenSearch, you need to do rm -r plugins/opensearch-security and for Dashboards, you need to do rm -r plugins/securityDashboards. (Using bin/opensearch-dashboards-plugin remove securityDashboards should also work)

You can now get the tech preview also for ES 7.10.2:

1 Like

Thanks a lot. I succesfully installed the tp2 on one of the nodes, I now have a mixed environment with es 7.10.2, os 1.0.0 tp1 and tp2 and they all happily interoperate:

node00489.example.fr search-guard-7 7.10.2-51.0.0
node00405.example.fr search-guard-7 7.10.2-51.0.0
node00394.example.fr search-guard-7 7.10.2-51.0.0
node00309.example.fr search-guard-7 tp2-es-7.10.2
node00350.example.fr search-guard-7 7.10.2-51.0.0
node00298.example.fr search-guard   tp1-os-1.0.0
1 Like