Error : cluster:admin/snapshot/restore is not allowed for a regular user

Hi,

I want to use “snapshot and restore” system from elasticsearch with SG2 but this error happen :

Error : cluster:admin/snapshot/restore is not allowed for a regular user

Looking in the code i’v found : https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/configuration/PrivilegesEvaluator.java#L132

How can I manage to use restore system with SG by rest http user ?

Regards,
Lucas

Currently it's not possible to restore a snapshot via HTTP/REST (only through java api).
But we are aware of this so that a client cert authenticated will be available to do this with the next SG release.

···

Am 22.06.2016 um 18:13 schrieb ll@ooworx.com:

Hi,

I want to use "snapshot and restore" system from elasticsearch with SG2 but this error happen :

Error : cluster:admin/snapshot/restore is not allowed for a regular user

Looking in the code i'v found : https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/configuration/PrivilegesEvaluator.java#L132

How can I manage to use restore system with SG by rest http user ?

Regards,
Lucas

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/1499617b-6542-4c49-95fd-cb390b7479f8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Is there a timeline for when this feature will become available? Currently it’s breaking us to the point where we won’t be able to use search-guard-2.

···

On Wednesday, June 22, 2016 at 12:13:27 PM UTC-4, l...@ooworx.com wrote:

Hi,

I want to use “snapshot and restore” system from elasticsearch with SG2 but this error happen :

Error : cluster:admin/snapshot/restore is not allowed for a regular user

Looking in the code i’v found : https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/configuration/PrivilegesEvaluator.java#L132

How can I manage to use restore system with SG by rest http user ?

Regards,
Lucas

There is no fixed timeline yet, but it is one of the top features in our backlog, and we already have outlined an implementation strategy. But given all the other things we have on the plate at the moment, expect at least another 4-6 weeks. Since opening the REST layer for SG index manipulation can introduce potential security holes, we need to audit and test the code thoroughly before we release it.

···

On Wednesday, 17 August 2016 20:26:45 UTC+2, Sam Mingolelli wrote:

Is there a timeline for when this feature will become available? Currently it’s breaking us to the point where we won’t be able to use search-guard-2.

On Wednesday, June 22, 2016 at 12:13:27 PM UTC-4, l...@ooworx.com wrote:

Hi,

I want to use “snapshot and restore” system from elasticsearch with SG2 but this error happen :

Error : cluster:admin/snapshot/restore is not allowed for a regular user

Looking in the code i’v found : https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/configuration/PrivilegesEvaluator.java#L132

How can I manage to use restore system with SG by rest http user ?

Regards,
Lucas

Should be possible now with the latest snapshot:
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.5.6-SNAPSHOT/search-guard-2-2.3.5.6-20160819.103812-1.zip

Use it like:
cat example-pki-scripts/kirk.crt.pem example-pki-scripts/ca/chain-ca.pem > ch.pem
curl -Ss --insecure -XPOST 'https://localhost:9200/_snapshot/my_backup/snapshot_1/_restore' -E ch.pem --key example-pki-scripts/kirk.key.pem

Make sure:
* You have SSL activated for HTTP
* Kirk DN is listed as admin in elasticsearch.yml

···

Am 17.08.2016 um 21:39 schrieb info@search-guard.com:

There is no fixed timeline yet, but it is one of the top features in our backlog, and we already have outlined an implementation strategy. But given all the other things we have on the plate at the moment, expect at least another 4-6 weeks. Since opening the REST layer for SG index manipulation can introduce potential security holes, we need to audit and test the code thoroughly before we release it.

On Wednesday, 17 August 2016 20:26:45 UTC+2, Sam Mingolelli wrote:
Is there a timeline for when this feature will become available? Currently it's breaking us to the point where we won't be able to use search-guard-2.

On Wednesday, June 22, 2016 at 12:13:27 PM UTC-4, l...@ooworx.com wrote:
Hi,

I want to use "snapshot and restore" system from elasticsearch with SG2 but this error happen :

Error : cluster:admin/snapshot/restore is not allowed for a regular user

Looking in the code i'v found : https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/configuration/PrivilegesEvaluator.java#L132

How can I manage to use restore system with SG by rest http user ?

Regards,
Lucas

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/dda69483-2f82-458e-9ed3-967541836f14%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Getting the following error after applying the snapshot. The user is defined in sg_internal_users.yml, and has the role sg_all_access. I added the user to the list of searchguard.authcz.admin_dn in elasticsearch.yml. Does it support a user defined like this?

[2016-08-22 13:02:13,785][DEBUG][rest.suppressed ] path: /_snapshot/my_backup/boa-test7s235q_1471885332038/_restore, params: {wait_for_completion=true, repository=my_backup, snapshot=boa-test7s235q_1471885332038}

ElasticsearchSecurityException[no permissions for cluster:admin/snapshot/restore]

at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:164)

at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)

at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
···

On Friday, August 19, 2016 at 6:41:34 AM UTC-4, SG wrote:

Should be possible now with the latest snapshot:
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.5.6-SNAPSHOT/search-guard-2-2.3.5.6-20160819.103812-1.zip

Use it like:

cat example-pki-scripts/kirk.crt.pem example-pki-scripts/ca/chain-ca.pem > ch.pem

curl -Ss --insecure -XPOST ‘https://localhost:9200/_snapshot/my_backup/snapshot_1/_restore’ -E ch.pem --key example-pki-scripts/kirk.key.pem

Make sure:

  • You have SSL activated for HTTP

  • Kirk DN is listed as admin in elasticsearch.yml

Am 17.08.2016 um 21:39 schrieb in...@search-guard.com:

There is no fixed timeline yet, but it is one of the top features in our backlog, and we already have outlined an implementation strategy. But given all the other things we have on the plate at the moment, expect at least another 4-6 weeks. Since opening the REST layer for SG index manipulation can introduce potential security holes, we need to audit and test the code thoroughly before we release it.

On Wednesday, 17 August 2016 20:26:45 UTC+2, Sam Mingolelli wrote:

Is there a timeline for when this feature will become available? Currently it’s breaking us to the point where we won’t be able to use search-guard-2.

On Wednesday, June 22, 2016 at 12:13:27 PM UTC-4, l...@ooworx.com wrote:

Hi,

I want to use “snapshot and restore” system from elasticsearch with SG2 but this error happen :

Error : cluster:admin/snapshot/restore is not allowed for a regular user

Looking in the code i’v found : https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/configuration/PrivilegesEvaluator.java#L132

How can I manage to use restore system with SG by rest http user ?

Regards,

Lucas


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/dda69483-2f82-458e-9ed3-967541836f14%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

are you sure you supplied a client certificate?

How do you call the restore command? Make sure its like:

cat example-pki-scripts/kirk.crt.pem example-pki-scripts/ca/chain-ca.pem > ch.pem
curl -Ss --insecure -XPOST ‘https://localhost:9200/_snapshot/my_backup/snapshot_1/_restore’ -E ch.pem --key example-pki-scripts/kirk.key.pem

Otherwise it wont work! You do not need to configure a user in the config or roles except in “searchguard.authcz.admin_dn”. Its the same procedure as with sgadmin.

···

On Monday, 22 August 2016 19:33:05 UTC+2, myin2000 wrote:

Getting the following error after applying the snapshot. The user is defined in sg_internal_users.yml, and has the role sg_all_access. I added the user to the list of searchguard.authcz.admin_dn in elasticsearch.yml. Does it support a user defined like this?

[2016-08-22 13:02:13,785][DEBUG][rest.suppressed ] path: /_snapshot/my_backup/boa-test7s235q_1471885332038/_restore, params: {wait_for_completion=true, repository=my_backup, snapshot=boa-test7s235q_1471885332038}

ElasticsearchSecurityException[no permissions for cluster:admin/snapshot/restore]

at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:164)

at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)

at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)

On Friday, August 19, 2016 at 6:41:34 AM UTC-4, SG wrote:

Should be possible now with the latest snapshot:
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.5.6-SNAPSHOT/search-guard-2-2.3.5.6-20160819.103812-1.zip

Use it like:

cat example-pki-scripts/kirk.crt.pem example-pki-scripts/ca/chain-ca.pem > ch.pem

curl -Ss --insecure -XPOST ‘https://localhost:9200/_snapshot/my_backup/snapshot_1/_restore’ -E ch.pem --key example-pki-scripts/kirk.key.pem

Make sure:

  • You have SSL activated for HTTP

  • Kirk DN is listed as admin in elasticsearch.yml

Am 17.08.2016 um 21:39 schrieb in...@search-guard.com:

There is no fixed timeline yet, but it is one of the top features in our backlog, and we already have outlined an implementation strategy. But given all the other things we have on the plate at the moment, expect at least another 4-6 weeks. Since opening the REST layer for SG index manipulation can introduce potential security holes, we need to audit and test the code thoroughly before we release it.

On Wednesday, 17 August 2016 20:26:45 UTC+2, Sam Mingolelli wrote:

Is there a timeline for when this feature will become available? Currently it’s breaking us to the point where we won’t be able to use search-guard-2.

On Wednesday, June 22, 2016 at 12:13:27 PM UTC-4, l...@ooworx.com wrote:

Hi,

I want to use “snapshot and restore” system from elasticsearch with SG2 but this error happen :

Error : cluster:admin/snapshot/restore is not allowed for a regular user

Looking in the code i’v found : https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/configuration/PrivilegesEvaluator.java#L132

How can I manage to use restore system with SG by rest http user ?

Regards,

Lucas


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/dda69483-2f82-458e-9ed3-967541836f14%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Does searchguard 5.0.2 support have this patch?

···

On Friday, August 19, 2016 at 10:41:34 PM UTC+12, Search Guard wrote:

Should be possible now with the latest snapshot:
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.5.6-SNAPSHOT/search-guard-2-2.3.5.6-20160819.103812-1.zip

Use it like:

cat example-pki-scripts/kirk.crt.pem example-pki-scripts/ca/chain-ca.pem > ch.pem

curl -Ss --insecure -XPOST ‘https://localhost:9200/_snapshot/my_backup/snapshot_1/_restore’ -E ch.pem --key example-pki-scripts/kirk.key.pem

Make sure:

  • You have SSL activated for HTTP

  • Kirk DN is listed as admin in elasticsearch.yml

Am 17.08.2016 um 21:39 schrieb in...@search-guard.com:

There is no fixed timeline yet, but it is one of the top features in our backlog, and we already have outlined an implementation strategy. But given all the other things we have on the plate at the moment, expect at least another 4-6 weeks. Since opening the REST layer for SG index manipulation can introduce potential security holes, we need to audit and test the code thoroughly before we release it.

On Wednesday, 17 August 2016 20:26:45 UTC+2, Sam Mingolelli wrote:

Is there a timeline for when this feature will become available? Currently it’s breaking us to the point where we won’t be able to use search-guard-2.

On Wednesday, June 22, 2016 at 12:13:27 PM UTC-4, l...@ooworx.com wrote:

Hi,

I want to use “snapshot and restore” system from elasticsearch with SG2 but this error happen :

Error : cluster:admin/snapshot/restore is not allowed for a regular user

Looking in the code i’v found : https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/configuration/PrivilegesEvaluator.java#L132

How can I manage to use restore system with SG by rest http user ?

Regards,

Lucas


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/dda69483-2f82-458e-9ed3-967541836f14%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

yes

···

On Monday, 9 January 2017 03:54:50 UTC+1, Enzo Wang wrote:

Does searchguard 5.0.2 support have this patch?

On Friday, August 19, 2016 at 10:41:34 PM UTC+12, Search Guard wrote:

Should be possible now with the latest snapshot:
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.5.6-SNAPSHOT/search-guard-2-2.3.5.6-20160819.103812-1.zip

Use it like:

cat example-pki-scripts/kirk.crt.pem example-pki-scripts/ca/chain-ca.pem > ch.pem

curl -Ss --insecure -XPOST ‘https://localhost:9200/_snapshot/my_backup/snapshot_1/_restore’ -E ch.pem --key example-pki-scripts/kirk.key.pem

Make sure:

  • You have SSL activated for HTTP

  • Kirk DN is listed as admin in elasticsearch.yml

Am 17.08.2016 um 21:39 schrieb in...@search-guard.com:

There is no fixed timeline yet, but it is one of the top features in our backlog, and we already have outlined an implementation strategy. But given all the other things we have on the plate at the moment, expect at least another 4-6 weeks. Since opening the REST layer for SG index manipulation can introduce potential security holes, we need to audit and test the code thoroughly before we release it.

On Wednesday, 17 August 2016 20:26:45 UTC+2, Sam Mingolelli wrote:

Is there a timeline for when this feature will become available? Currently it’s breaking us to the point where we won’t be able to use search-guard-2.

On Wednesday, June 22, 2016 at 12:13:27 PM UTC-4, l...@ooworx.com wrote:

Hi,

I want to use “snapshot and restore” system from elasticsearch with SG2 but this error happen :

Error : cluster:admin/snapshot/restore is not allowed for a regular user

Looking in the code i’v found : https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/configuration/PrivilegesEvaluator.java#L132

How can I manage to use restore system with SG by rest http user ?

Regards,

Lucas


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/dda69483-2f82-458e-9ed3-967541836f14%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.