OpenSearch "no permissions for [cluster:monitor]" / TLS on 9200 in CI
By default OpenSearch enables the Security plugin with a demo configuration that serves HTTPS on 9200 and requires authentication. A test that connects over plain HTTP or with no credentials fails with a TLS or authorization error such as "no permissions for [cluster:monitor/...]". For CI you disable the plugin or connect over HTTPS with the admin user.
What this error means
Plain HTTP requests to 9200 fail (the port speaks TLS), or authenticated calls return "no permissions for [cluster:monitor/health]" because the wrong user or no user was supplied.
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for
[cluster:monitor/health] and User [name=anonymous, ...]"}],"type":"security_exception"},"status":403}Common causes
The demo security config requires HTTPS and auth
Out of the box OpenSearch serves TLS on 9200 and rejects anonymous or wrong-user requests, so plain HTTP or no credentials fail.
Tests assume an open HTTP cluster
Code written for a security-disabled cluster connects over http:// with no user, which the demo config refuses.
How to fix it
Disable the security plugin for CI
- Set
DISABLE_SECURITY_PLUGIN=trueso 9200 serves plain HTTP with no auth. - Connect over
http://localhost:9200from the tests. - Keep this only for ephemeral test clusters.
env:
discovery.type: single-node
DISABLE_SECURITY_PLUGIN: "true"Or connect over HTTPS with the admin user
Keep security on and use https:// with the admin credentials, allowing the self-signed certificate for the test cluster.
curl -k -u admin:admin "https://localhost:9200/_cluster/health"How to prevent it
- Pick one model for CI: security off over HTTP, or security on over HTTPS with admin creds.
- Keep the client scheme and credentials aligned with the container config.
- Do not send anonymous requests to a security-enabled OpenSearch cluster.