Basically, you are right. The idea behind sgadmin is that you maintain your settings in the config files, e.g. on your local machine, and then upload them to the cluster. This will overwrite/replace the current settings in the SG index.
The REST API (or the config GUI for that matter) writes to the SG index directly without the need to keep settings in config files.
The question of which approach is best really depends on your use case. A typical use case is: The administrator responsible for setting up ES / SG applies a default configuration via sgadmin during provisioning, e.g. via Puppet, Chef, Ansible etc. This could include an admin role which has access to the REST API / Config GUI, so changes in the roles and permission settings are possible after the initial install. The ES backup process already in place is extended to also include the SG settings: You can dump the current config settings from the SG index to files by using the -r/--retrieve switch of sgadmin. These files can then be re-applied to the same or any other cluster running SG via sgadmin again.
Can you tell us a bit more about your use case so we can advise?
On Friday, February 16, 2018 at 10:26:09 AM UTC+1, email@example.com wrote:
Hello, I am running ElasticSearch 6.1.3, with SearchGuard 6.1.3-20.
At the moment I have Ansible creating the entire setup, this installs some default users and roles.
Now my question is: if I go and create some roles via the GUI (API), and then go and run sgadmin.sh with the existing config files, will I lose the new roles I just created in the GUI?
How do other users balance out the two?