Continuing the discussion from curator - no permissions for cluster:admin/snapshot/restore:
“User curator with ssl client authentication and run it with an admin certificate (like sgadmin) but we had seen problems with this approach: https://github.com/floragunncom/search-guard/issues/196”
We can’t access github issue #196 any more. I’m wondering what kind of issue we will be facing with the above approach. Could SG devs please shed some light on it?
SearchGuard docs had stated that “Restoring the Search Guard configuration index from a snapshot is only allowed if an admin certificate is used.”
(See details in https://docs.search-guard.com/latest/snapshot-restore#snapshot-and-restore-search-guard-index).
I’m wondering, would it be possible to add a new flag/option in sgadmin tool to restore global state using admin certs, something like --restore-global-state or in short --rgs .
sh /usr/share/elasticsearch/plugins/search-guard-7/tools/sgadmin.sh \ -cacert /usr/share/elasticsearch/config/root-ca.pem \ -cert /usr/share/elasticsearch/config/admin.pem \ -key /usr/share/elasticsearch/config/admin.key \ -keypass <hidden> \ -cd /usr/share/elasticsearch/plugins/search-guard-7/sgconfig \ -icl \ -nhnv \ -nrhn \ -rgs snapshot-id index-to-restore
Thanks for taking a look at my feature request. SearchGuard 7 had been running flawlessly in our K8s environment, and this “not being able to restore global state” issue is the only complaint that I had so far.