Make permission for cluster:admin/snapshot/restore configurable

Hello

I’m aware of the topics https://groups.google.com/forum/#!searchin/search-guard/snapshot|sort:relevance/search-guard/dQ3S5RGvAIo/Yikmky-BCAAJ and https://groups.google.com/forum/#!searchin/search-guard/snapshot|sort:relevance/search-guard/ZhdoSEtnSi8/5JF97v-EBgAJ and I do understand the reasons for this limitation. Securely storing backups and prohibiting unauthorized access is a hard topic.

Nevertheless I would like to request the possibility to change the current behavior (cluster:admin/snapshot/restore not allowed for a regular user) via the elasticsearch.yml configuration file. Would this be possible?

Another possible solution might be to restrict the restore functionality only for the SearchGuard-Index.

Regards,

Lucas

This is solved for SG version 6.
Just use curl (or your browser) with an admin SSL certificate.

···

On 21.09.2016 at 10:29, Lucas Bremgartner <lucas.bremgartner@gmail.com> wrote:

Hello

I'm aware of the topics https://groups.google.com/forum/#!searchin/search-guard/snapshot|sort:relevance/search-guard/dQ3S5RGvAIo/Yikmky-BCAAJ and https://groups.google.com/forum/#!searchin/search-guard/snapshot|sort:relevance/search-guard/ZhdoSEtnSi8/5JF97v-EBgAJ and I do understand the reasons for this limitation. Securely storing backups and prohibiting unauthorized access is a hard topic.

Nevertheless I would like to request the possibility to change the current behavior (cluster:admin/snapshot/restore not allowed for a regular user) via the elasticsearch.yml configuration file. Would this be possible?

Another possible solution might be to restrict the restore functionality only for the SearchGuard-Index.

Regards,
Lucas

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f6592cd3-e86a-41a5-b988-d12fed58be38%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Any idea why following these instructions does not work?
http://floragunncom.github.io/search-guard-docs/snapshots.html

We are on SearchGuard 2.4.

I’ve set this:

searchguard.enable_snapshot_restore_privilege: true

And added this:

    sg_snapshot_restore:
      cluster:
        - cluster:admin/repository/put
        - cluster:admin/repository/get
        - cluster:admin/snapshot/status
        - cluster:admin/snapshot/get
        - cluster:admin/snapshot/create
        - cluster:admin/snapshot/restore
        - cluster:admin/snapshot/delete
      indices:
        '*':
          '*':
            - indices:data/write/index
            - indices:admin/create

Restores are

···

On Thursday, September 22, 2016 at 1:55:24 PM UTC-5, Search Guard wrote:

This is solved for SG version 6.

Just use curl (or your browser) with an admin SSL certificate.


Restores are still failing for me.

···

On Thursday, June 15, 2017 at 12:46:44 PM UTC-5, Melanie Zamora wrote:

Any idea why following these instructions does not work?
http://floragunncom.github.io/search-guard-docs/snapshots.html

We are on SearchGuard 2.4.

I’ve set this:

searchguard.enable_snapshot_restore_privilege: true

And added this:

    sg_snapshot_restore:
      cluster:
        - cluster:admin/repository/put
        - cluster:admin/repository/get
        - cluster:admin/snapshot/status
        - cluster:admin/snapshot/get
        - cluster:admin/snapshot/create
        - cluster:admin/snapshot/restore
        - cluster:admin/snapshot/delete
      indices:
        '*':
          '*':
            - indices:data/write/index
            - indices:admin/create

Restores are


  • Did you map a user to this role, and are you sure you use that user in your curl calls?
  • Do you exclude global state and the Search Guard index when you restore?

Post the config, the curl call and the curl result please.

···

On Thursday, June 15, 2017 at 7:47:10 PM UTC+2, Melanie Zamora wrote:

Restores are still failing for me.


Also, could you send the complete logs on debug level from one node, from node start to the point where you get the restore error?

···

On Saturday, June 17, 2017 at 10:49:12 AM UTC+2, Jochen Kressin wrote:

  • Did you map a user to this role, and are you sure you use that user in your curl calls?
  • Do you exclude global state and the Search Guard index when you restore?

Post the config, the curl call and the curl result please.


If I remember correctly, this feature was only added to Search Guard 5 for usage with Elasticsearch version 5.x. So you first need to update your installation.


You’re right, I overlooked that we’re talking about ES 2.x here. Updated the docs accordingly as well. So, for SG 2.x you need to restore the snapshot by using an admin certificate.

···

On Monday, June 19, 2017 at 8:16:54 AM UTC+2, Lucas Bremgartner wrote:

If I remember correctly, this feature was only added to Search Guard 5 for usage with Elasticsearch version 5.x. So you first need to update your installation.

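
The two questions asked in the thread (is the user mapped to the role, and does the restore exclude global state and the Search Guard index) written as a pre-flight check on a restore request body. This is an added example, not code from the thread or from Search Guard. The function names, the user `backup_operator`, the sample index names and the simplified index-expression handling are assumptions.

```python
from fnmatch import fnmatchcase

SG_INDEX = "searchguard"                    # Search Guard's configuration index
RESTORE = "cluster:admin/snapshot/restore"  # permission named in the thread


def resolve_indices(expr, snapshot_indices):
    """Simplified (assumed) multi-index resolution: comma-separated names,
    '*' wildcards, leading '-' excludes; empty expression means everything."""
    parts = [p.strip() for p in (expr or "*").split(",") if p.strip()]
    if all(p.startswith("-") for p in parts):
        parts.insert(0, "*")  # only exclusions given: start from everything
    selected = []
    for part in parts:
        exclude = part.startswith("-")
        pattern = part[1:] if exclude else part
        hits = [i for i in snapshot_indices if fnmatchcase(i, pattern)]
        if exclude:
            selected = [i for i in selected if i not in hits]
        else:
            selected += [i for i in hits if i not in selected]
    return selected


def restore_problems(user, body, snapshot_indices, roles, roles_mapping):
    """Return the reasons a restore request fails the thread's checklist."""
    problems = []
    granted = any(
        user in roles_mapping.get(name, {}).get("users", [])
        and any(fnmatchcase(RESTORE, p) for p in role.get("cluster", []))
        for name, role in roles.items()
    )
    if not granted:
        problems.append(f"user {user!r} has no mapped role granting {RESTORE}")
    if body.get("include_global_state") is not False:
        problems.append("include_global_state is not explicitly false")
    if SG_INDEX in resolve_indices(body.get("indices"), snapshot_indices):
        problems.append(f"request would restore the {SG_INDEX} index")
    return problems


# Constructed sample data (hypothetical user and index names).
ROLES = {"sg_snapshot_restore": {"cluster": [RESTORE, "cluster:admin/snapshot/get"]}}
MAPPING = {"sg_snapshot_restore": {"users": ["backup_operator"]}}
SNAPSHOT = ["logs-2017.06", "humanresources", "searchguard"]

if __name__ == "__main__":
    safe = {"indices": "*,-searchguard", "include_global_state": False}
    print(restore_problems("backup_operator", safe, SNAPSHOT, ROLES, MAPPING))
    print(restore_problems("backup_operator", {}, SNAPSHOT, ROLES, MAPPING))
```

An empty request body fails two of the three checks, because it selects every index in the snapshot and does not set `include_global_state` at all.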