Skip to content
Latchkey

OpenSearch "no permissions for [cluster:monitor]" / TLS on 9200 in CI

By default OpenSearch enables the Security plugin with a demo configuration that serves HTTPS on 9200 and requires authentication. A test that connects over plain HTTP or with no credentials fails with a TLS or authorization error such as "no permissions for [cluster:monitor/...]". For CI you disable the plugin or connect over HTTPS with the admin user.

What this error means

Plain HTTP requests to 9200 fail (the port speaks TLS), or authenticated calls return "no permissions for [cluster:monitor/health]" because the wrong user or no user was supplied.

opensearch
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for
[cluster:monitor/health] and User [name=anonymous, ...]"}],"type":"security_exception"},"status":403}

Common causes

The demo security config requires HTTPS and auth

Out of the box OpenSearch serves TLS on 9200 and rejects anonymous or wrong-user requests, so plain HTTP or no credentials fail.

Tests assume an open HTTP cluster

Code written for a security-disabled cluster connects over http:// with no user, which the demo config refuses.

How to fix it

Disable the security plugin for CI

  1. Set DISABLE_SECURITY_PLUGIN=true so 9200 serves plain HTTP with no auth.
  2. Connect over http://localhost:9200 from the tests.
  3. Keep this only for ephemeral test clusters.
.github/workflows/ci.yml
env:
  discovery.type: single-node
  DISABLE_SECURITY_PLUGIN: "true"

Or connect over HTTPS with the admin user

Keep security on and use https:// with the admin credentials, allowing the self-signed certificate for the test cluster.

Terminal
curl -k -u admin:admin "https://localhost:9200/_cluster/health"

How to prevent it

  • Pick one model for CI: security off over HTTP, or security on over HTTPS with admin creds.
  • Keep the client scheme and credentials aligned with the container config.
  • Do not send anonymous requests to a security-enabled OpenSearch cluster.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →