[Feature Request] Add support for restoring global state in sgadmin tool

duhang · December 31, 2019, 8:28am

Continuing the discussion from curator - no permissions for cluster:admin/snapshot/restore:

“User curator with ssl client authentication and run it with an admin certificate (like sgadmin) but we had seen problems with this approach: https://github.com/floragunncom/search-guard/issues/196”

We can’t access github issue #196 any more. I’m wondering what kind of issue we will be facing with the above approach. Could SG devs please shed some light on it?

SearchGuard docs had stated that “Restoring the Search Guard configuration index from a snapshot is only allowed if an admin certificate is used.”
(See details in https://docs.search-guard.com/latest/snapshot-restore#snapshot-and-restore-search-guard-index).

I’m wondering, would it be possible to add a new flag/option in sgadmin tool to restore global state using admin certs, something like --restore-global-state or in short --rgs .

sh /usr/share/elasticsearch/plugins/search-guard-7/tools/sgadmin.sh \
-cacert /usr/share/elasticsearch/config/root-ca.pem \
-cert /usr/share/elasticsearch/config/admin.pem \
-key /usr/share/elasticsearch/config/admin.key \
-keypass <hidden> \
-cd /usr/share/elasticsearch/plugins/search-guard-7/sgconfig \
-icl \
-nhnv \
-nrhn \
-rgs snapshot-id index-to-restore

Thanks for taking a look at my feature request. SearchGuard 7 had been running flawlessly in our K8s environment, and this “not being able to restore global state” issue is the only complaint that I had so far.

hsaly · January 1, 2020, 3:00am

hsaly · January 5, 2020, 1:17pm

Thats a good idea and we will consider it. Meanwhile you can use the ES snapshot/restore api together with an admin certificate to make it work for the REST layer at least:

curl -XPOST --cert /usr/share/elasticsearch/config/admin.pem --key /usr/share/elasticsearch/config/admin.key --cacert /usr/share/elasticsearch/config/root-ca.pem https://localhost:9200/_snapshot/my_backup/snapshot_1/_restore?pretty

See also https://docs.search-guard.com/latest/troubleshooting-tls#fixing-curl if curl is not behaving like expected.

duhang · January 5, 2020, 9:10am

Many thanks to @hsaly for the handy advice, tip and tricks. Yeah, I’m aware of all kinds of “curl” quirkiness, especially in a refrained container environment.

However, in our setup, the TLS session terminates on NGINX, and we kept 9200 port HTTP/unencrypted.

So “curl” is not really going to work for us, and we still desperately need this “–restore-global-state” flag to be added into sgadmin tool (AFAIK, sgadmin tool will talk to 9300 port which has TLS enabled by default.)

Is it possible to expedite the implementation of this “–rgs” flag?

Thanks for helping!

system · January 26, 2020, 8:39am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.