CODEWITHSUNDEEP
elasticsearchrestoresnapshotsearch-guard
endrec
endrec

Reputation: 467

Elasticsearch 7.1 with Search Guard does not let me to restore snapshots

We recently upgraded our Elasticsearch from 6.4.3 to 7.1.1. I migrated the searchguard index and config to the new format.

Before the upgrade, I was able to create or restore snapshots, now, after the upgrade, I still can create snapshots, but I'm unable to restore them:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [] and User [name=admin, roles=[admin], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [] and User [name=admin, roles=[admin], requestedTenant=null]"
  },
  "status": 403
}

If I turn on the debug logging for SG, it tells me that my request is allowed:

[2019-07-22T13:11:24,063][DEBUG][c.f.s.a.BackendRegistry  ] [client-elasticsearch-cluster-0] Check authdomain for rest internal/0 or 2 in total
[2019-07-22T13:11:24,063][DEBUG][c.f.s.a.BackendRegistry  ] [client-elasticsearch-cluster-0] Rest user 'User [name=admin, roles=[admin], requestedTenant=null]' is authenticated
[2019-07-22T13:11:24,063][DEBUG][c.f.s.a.BackendRegistry  ] [client-elasticsearch-cluster-0] sgtenant 'null'
[2019-07-22T13:11:24,064][DEBUG][c.f.s.p.PrivilegesEvaluator] [client-elasticsearch-cluster-0] ### evaluate permissions for User [name=admin, roles=[admin], requestedTenant=null] on client-elasticsearch-cluster-0
[2019-07-22T13:11:24,064][DEBUG][c.f.s.p.PrivilegesEvaluator] [client-elasticsearch-cluster-0] action: cluster:admin/snapshot/restore (RestoreSnapshotRequest)
[2019-07-22T13:11:24,064][DEBUG][c.f.s.r.IndexResolverReplacer] [client-elasticsearch-cluster-0] Resolve aliases, indices and types from RestoreSnapshotRequest
[2019-07-22T13:11:24,064][DEBUG][c.f.s.p.PrivilegesEvaluator] [client-elasticsearch-cluster-0] requestedResolved : Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]]
[2019-07-22T13:11:24,064][DEBUG][c.f.s.f.SearchGuardFilter] [client-elasticsearch-cluster-0] PrivEvalResponse [allowed=true, missingPrivileges=[], allowedFlsFields=null, maskedFields=null, queries=null]

What do I need to do to allow restore snapshots on ES 7? What has changed since 6.4?

Upvotes: 0

Views: 785

Answers (1)

endrec
endrec

Reputation: 467

It turned out that both elasticsearch and myself are stupid...

If I try to restore a nonexistent snapshot, and send some parameters in the POST payload, ES complains about missing rights. As soon as I remove the payload, it tells me that the snapshot is missing...

Upvotes: 1

Related Questions