curator - no permissions for cluster:admin/snapshot/restore

Am 01.03.2017 um 11:44 schrieb Patrick Monnoire <pmonnoire@gmail.com>:

Hi,

We are currently evaluating Search Guard to replace Shield.
We still have one blocking point:

We are able to generate some snapshots using curator.
We are able to restore from these snapshots using a CURL request.
But, we are not able to restore using curator. It always fail with the following error:

2017-03-01 09:53:38,206 INFO Preparing Action ID: 1, "restore"
2017-03-01 09:53:38,295 INFO Trying Action ID: 1, "restore": Restore all indices in the most recent snapshot-* snapshot with state SUCCESS. Wait for the restore to complete before continuing. Do not skip the repository filesystem access check. Use the other options to define the index/shard settings for the restore.
2017-03-01 09:53:38,515 INFO Restoring indices "['.kibana', 'searchguard']" from snapshot: snapshot-20170301090739
2017-03-01 09:53:38,532 ERROR Failed to complete action: restore. <class 'curator.exceptions.FailedExecution'>: Exception encountered. Rerun with loglevel DEBUG and/or check Elasticsearch logs for more information. Exception: TransportError(403, 'security_exception', 'no permissions for cluster:admin/snapshot/restore')

We are using:
- ES 2.3.3
- search-guard-2 2.3.3.11
- search-guard-ssl 2.3.3.20

We have used example PKI scripts to generate keys & self signed certificate

Using curl to restore is working:
cat /data/elasticsearch/cert/admin.crt.pem /data/elasticsearch/cert/ca/chain-ca.pem > /tmp/ch.pem
curl -Ss --insecure -XPOST -E /tmp/ch.pem --key /data/elasticsearch/cert/admin.key.pem 'https://dev-ct-elasticsearch01:9200/_snapshot/backup_repository/snapshot-20170223104445/_restore?pretty&#39;

But curator fails to do the same:
curator --config /tmp/curator.yml /etc/curator.restore.yml
2017-03-01 09:53:38,532 ERROR Failed to complete action: restore. <class 'curator.exceptions.FailedExecution'>: Exception encountered. Rerun with loglevel DEBUG and/or check Elasticsearch logs for more information. Exception: TransportError(403, 'security_exception', 'no permissions for cluster:admin/snapshot/restore')

How can I get ride of this error?
What did I miss in curator config?

Here are the curator yml files:

curator.yml:
client:
  hosts: [dev-ct-elasticsearch04]
  port: 9200
  url_prefix:
  use_ssl: true
  certificate:
  client_cert: /tmp/ch.pem
  client_key:
  aws_key:
  aws_secret_key:
  aws_region:
  ssl_no_validate: true
  http_auth: admin:Superuser
  timeout:
  master_only: False
logging:
  loglevel: INFO
  logfile: /var/log/curator.log
  logformat: default
  blacklist: ['elasticsearch', 'urllib3']

curator.restore.yml:
actions:
  1:
    action: restore
    description: >-
      Restore all indices
    options:
      repository: backup_repository
      name:
      indices:
      include_aliases: False
      ignore_unavailable: False
      include_global_state: True
      partial: False
      rename_pattern:
      rename_replacement:
      extra_settings:
      wait_for_completion: True
      skip_repo_fs_check: False
      timeout_override:
      continue_if_exception: False
      disable_action: false
    filters:
    - filtertype: pattern
      kind: prefix
      value: snapshot-
      exclude:
    - filtertype: state
      state: SUCCESS
      exclude:

Any help will be appreciated.

Thanks in advance,
Patrick

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/9238b352-3c53-4e92-ad16-67f6f4f0f007%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.