Commit 63013ee

Adding error details and escape method to nodes_dn #7681 (#7703) (#7825)
1 parent e8d96cc commit 63013ee

1 file changed

+2
-1
lines changed

_install-and-configure/configuring-opensearch/security-settings.md

@@ -15,7 +15,7 @@ The following sections describe security-related settings in `opensearch.yml`. T
1515

1616
The Security plugin supports the following common settings:
1717

18-
- `plugins.security.nodes_dn` (Static): Specifies a list of distinguished names (DNs) that denote the other nodes in the cluster. This setting supports wildcards and regular expressions. The list of DNs are also read from the security index **in addition** to the YAML configuration when `plugins.security.nodes_dn_dynamic_config_enabled` is `true`.
18+
- `plugins.security.nodes_dn` (Static): Specifies a list of distinguished names (DNs) that denote the other nodes in the cluster. This setting supports wildcards and regular expressions. The list of DNs are also read from the security index **in addition** to the YAML configuration when `plugins.security.nodes_dn_dynamic_config_enabled` is `true`. If this setting is not configured correctly, the cluster will fail to form as the nodes will not be able to trust each other and will result in the following error: `Transport client authentication no longer supported`.
1919

2020
- `plugins.security.nodes_dn_dynamic_config_enabled` (Static): Relevant for `cross_cluster` use cases where there is a need to manage the allow listed `nodes_dn` without having to restart the nodes every time a new `cross_cluster` remote is configured.
2121
Setting `nodes_dn_dynamic_config_enabled` to `true` enables **super-admin callable** Distinguished Names APIs, which provide means to update or retrieve `nodes_dn` dynamically. This setting only has effect if `plugins.security.cert.intercluster_request_evaluator_class` is not set. Default is `false`.
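
Review bot: The sentence added to the `plugins.security.nodes_dn` entry says the setting may be "not configured correctly" without saying what correct means, so a reader who hits `Transport client authentication no longer supported` still has no check to run. Consider stating the condition directly (for example, that each node certificate's subject DN must match an entry in this list, if that is the intended meaning) and pointing to the escaped-comma example this commit adds to the sample `opensearch.yml` further down the file. The sentence is also a run-on with no clear subject for "will result in"; splitting it, along the lines of "the nodes cannot trust each other and the cluster fails to form. The nodes then report the following error: ...", would read better.
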
@@ -357,6 +357,7 @@ The Security plugin supports the following transport layer security settings:
357357
plugins.security.nodes_dn:
358358
- "CN=*.example.com, OU=SSL, O=Test, L=Test, C=DE"
359359
- "CN=node.other.com, OU=SSL, O=Test, L=Test, C=DE"
360+
- "CN=node.example.com, OU=SSL\, Inc., L=Test, C=DE" # escape additional comma with `\`
360361
plugins.security.authcz.admin_dn:
361362
- CN=kirk,OU=client,O=client,L=test, C=de
362363
plugins.security.roles_mapping_resolution: MAPPING_ONLY
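
Review bot: In the added `nodes_dn` entry the backslash sits inside a double-quoted YAML scalar, where `\` begins an escape sequence and `\,` is not one that YAML defines, so a reader who copies `"... OU=SSL\, Inc., ..."` as shown is likely to get a YAML parse error rather than an escaped comma. Either double the backslash (`OU=SSL\\, Inc.`) or switch this entry to single quotes, and update the trailing comment to match whichever form is kept. The new entry also omits the `O=Test` component that the two entries above it carry; if that is unintentional, add it back so the escaped comma is the only difference the example shows.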
