What is the bug?
every time the cluster starts the following warning is printed to the log:
{"type": "server", "timestamp": "2026-04-22T13:53:45,361+0000", "level": "WARN", "component": "o.o.s.c.Salt", "cluster.name": "test-opensearch", "node.name": "test-opensearch-0", "message": "If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes" }
{"type": "server", "timestamp": "2026-04-22T13:53:45,361+0000", "level": "WARN", "component": "o.o.s.c.Salt", "cluster.name": "test-opensearch", "node.name": "test-opensearch-0", "message": "If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes" }
{"type": "server", "timestamp": "2026-04-22T13:53:45,588+0000", "level": "WARN", "component": "o.o.s.c.Salt", "cluster.name": "test-opensearch", "node.name": "test-opensearch-0", "message": "If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes" }note that the salt given is the default salt (though this is not obvious from the message):
|
public static final String SECURITY_COMPLIANCE_SALT_DEFAULT = "e1ukloTsQlOgPquJ";// 16 chars |
the warning comes from here:
|
if (saltAsString.equals(ConfigConstants.SECURITY_COMPLIANCE_SALT_DEFAULT)) { |
|
log.warn( |
|
"If you plan to use field masking pls configure compliance salt {} to be a random string of 16 chars length identical on all nodes", |
|
saltAsString |
|
); |
|
} |
this happens, because we do not define the salt as we're not using FLS and thus have no need for it.
How can one reproduce the bug?
start a fresh cluster where the salt for FLS is not explicitly defined.
What is the expected behavior?
if FLS is not used there should be no need to define a salt for it and thus there should be no warning for it
What is your host/environment?
- OS: linux
- Version OpenSearch 3.6.0
- Plugins security
Do you have any screenshots?
n/a
Do you have any additional context?
the cluster still works, the warning can be ignored.
What is the bug?
every time the cluster starts the following warning is printed to the log:
{"type": "server", "timestamp": "2026-04-22T13:53:45,361+0000", "level": "WARN", "component": "o.o.s.c.Salt", "cluster.name": "test-opensearch", "node.name": "test-opensearch-0", "message": "If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes" } {"type": "server", "timestamp": "2026-04-22T13:53:45,361+0000", "level": "WARN", "component": "o.o.s.c.Salt", "cluster.name": "test-opensearch", "node.name": "test-opensearch-0", "message": "If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes" } {"type": "server", "timestamp": "2026-04-22T13:53:45,588+0000", "level": "WARN", "component": "o.o.s.c.Salt", "cluster.name": "test-opensearch", "node.name": "test-opensearch-0", "message": "If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes" }note that the salt given is the default salt (though this is not obvious from the message):
security/src/main/java/org/opensearch/security/support/ConfigConstants.java
Line 323 in 4893418
the warning comes from here:
security/src/main/java/org/opensearch/security/configuration/Salt.java
Lines 47 to 52 in 4893418
this happens, because we do not define the salt as we're not using FLS and thus have no need for it.
How can one reproduce the bug?
start a fresh cluster where the salt for FLS is not explicitly defined.
What is the expected behavior?
if FLS is not used there should be no need to define a salt for it and thus there should be no warning for it
What is your host/environment?
Do you have any screenshots?
n/a
Do you have any additional context?
the cluster still works, the warning can be ignored.