Graylog Datanode: admin access using client certification

Hi,
I use the graylog datanode 6.1.1 and I have deployed it with the docker composer. Everything works fine. To get admin access to the opensearch API I create all the client certification files, which are needed to handle this. When I use CURL for the query I always get an authentication failure (401 Unauthorized). Here is my command line:
curl -v -s "https://localhost:9200/_cluster/health?pretty" --cert /etc/graylog/certs/client.crt --key /etc/graylog/certs/client.key --cacert /etc/graylog/certs/CA.crt

I attached a bash to the container to get inside. I found that the following option is missing
plugins.security.authcz.admin_dn
… inside the opensearch.yml file, which is required to get admin access to the opensearch API.

Under 6.0.x I was able to add this option to the YAML file, killing the opensearch java process. After that the datanode restarts the process immediately, without overwriting the configs. At that moment my CURL commands work fine. I was able to handle all admin things directly to the OpenSearch API. Under 6.1.x after killing the OpenSearch process the datanode will now overwrite the configs every time before restarting the engine.

Is it possible to add this option as a docker environment entry to the compose file?

The best way is to implement it into the datanode, to open the opensearch API for 3rd party tools - dashboards, etc.

Hey Michael,
I think you should be able to configure the option yourself with the current version. Try putting it as an env property in the docker compose file, prefixing it with opensearch., so opensearch.plugins.security.authcz.admin_dn. Datanode should recognize this property and pass it to the underlying opensearch process.

To verify that the option is actually applied, look for the “Detected pass-through opensearch property” log line in the datanode logs (info level).

I will forward your request and discuss if and how we should support that directly in the datanode.

Best regards,
Tomas
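
A post-change check for the approach in the reply above, as an added example that is not code from Graylog or from either poster: it confirms the pass-through log line names the property and that the client certificate's subject DN equals the DN that was configured. The function names, the sample log lines and the sample DN are constructed; the strict string comparison is an assumption chosen as the conservative check.

```shell
#!/bin/sh
# Added example, not Graylog code. Only PHRASE and PROP come from the thread;
# the log line layout and the DN used in demo() are constructed.
PHRASE='Detected pass-through opensearch property'
PROP='plugins.security.authcz.admin_dn'

# passthrough_detected LOGFILE PROPERTY
# Exit 0 if a log line containing PHRASE also names PROPERTY.
passthrough_detected() {
    grep -F -- "$PHRASE" "$1" | grep -q -F -- "$2"
}

# cert_subject_dn CERTFILE
# Print the subject DN in RFC 2253 form, e.g. CN=admin,O=Example,C=DE.
# Use its output as CERT_DN below, e.g. for /etc/graylog/certs/client.crt.
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# check_admin_access LOGFILE CERT_DN CONFIGURED_DN
# 0: property applied and DNs equal; 1: property not applied; 2: DNs differ.
check_admin_access() {
    passthrough_detected "$1" "$PROP" || return 1
    [ "$2" = "$3" ] || return 2
    return 0
}

# Demo on constructed input (real datanode log lines may be laid out differently).
demo() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
2024-11-05 10:00:01 INFO  Starting datanode (constructed sample line)
2024-11-05 10:00:02 INFO  Detected pass-through opensearch property plugins.security.authcz.admin_dn
EOF
    check_admin_access "$log" 'CN=admin,O=Example,C=DE' 'CN=admin,O=Example,C=DE'
    rc=$?
    rm -f "$log"
    echo "check_admin_access exit code: $rc"
    return "$rc"
}
demo
```

Exit code 1 means the datanode never reported the property, so the 401 is expected; exit code 2 means the property was applied but names a different DN than the certificate presents.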

Hey Tomas,

Very nice. It works fine. Thx a lot.

BR

Michael
