[Backport 2.x] Improve error message when a node with an incorrectly …

…configured certificate attempts to connect (#4819) Signed-off-by: Abdul Muneer Kolarkunnu <muneer.kolarkunnu@netapp.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
opensearch-project · Oct 18, 2024 · 5902191 · 5902191
1 parent fec977a
commit 5902191
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 4 deletions.
diff --git a/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java b/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java
@@ -76,7 +76,13 @@ public static OpenSearchException createJwkCreationException(Throwable cause) {
         return new OpenSearchException("An error occurred during the creation of Jwk: {}", cause, cause.getMessage());
     }
 
-    public static OpenSearchException createTransportClientNoLongerSupportedException() {
-        return new OpenSearchException("Transport client authentication no longer supported.");
+    public static OpenSearchException clusterWrongNodeCertConfigException(String sslPrincipal) {
+        return new OpenSearchException(
+            "Node presenting certificate with SSL Principal {"
+                + sslPrincipal
+                + "} could"
+                + " not securely connect to the cluster. Please ensure the principal is correct and present in the"
+                + " nodes_dn list."
+        );
     }
 }
diff --git a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
@@ -291,7 +291,7 @@ protected void messageReceivedDecorate(
                     || HeaderHelper.isTrustedClusterRequest(getThreadContext())
                     || HeaderHelper.isExtensionRequest(getThreadContext()))) {
                     // CS-ENFORCE-SINGLE
-                    final OpenSearchException exception = ExceptionUtils.createTransportClientNoLongerSupportedException();
+                    final OpenSearchException exception = ExceptionUtils.clusterWrongNodeCertConfigException(principal);
                     log.error(exception.toString());
                     transportChannel.sendResponse(exception);
                     return;

diff --git a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java
@@ -1355,7 +1355,14 @@ public void testCcsWithDiffCertsWithNoNodesDnUpdate() throws Exception {
         String uri = "cross_cluster_two:twitter/_search?pretty";
         HttpResponse ccs = rh1.executeGetRequest(uri, encodeBasicHeader("twitter", "nagilum"));
         assertThat(ccs.getStatusCode(), equalTo(HttpStatus.SC_INTERNAL_SERVER_ERROR));
-        assertThat(ccs.getBody(), containsString("Transport client authentication no longer supported"));
+        assertThat(
+            ccs.getBody(),
+            containsString(
+                "Node presenting certificate with SSL Principal "
+                    + "{CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE} could not securely connect to the cluster. Please"
+                    + " ensure the principal is correct and present in the nodes_dn list."
+            )
+        );
     }
 
     @Test