Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
You’re looking at the wrong attribute. The one you mentioned lists the backend roles, i.e. the roles coming from an LDAP server for example. Yes, we should rename this to backendroles 
There’s a separate sg_roles key in the JSON, this lists the Search Guard roles after the request has been mapped via sg_role_mapping.yml.
On Monday, January 22, 2018 at 9:03:35 AM UTC+1, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
Thanks
On Monday, January 22, 2018 at 9:03:35 AM UTC+1, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
Hi Jochen
Now I have a roles for the user (not the backend roles :-)) Yet I cannot restore a snapshot.
sg_roles.yml
sg_restore:
cluster:
- MANAGE_SNAPSHOTS
- indices:admin/create
- indices:data/write/index
indices:
‘':
'’:
- INDICES_ALL
elasticsearch.yml:
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: false
During the restore I excluded the global state.
On Monday, January 22, 2018 at 9:03:35 AM UTC+1, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
The role definition should work, although the indices:admin/create and indices:data/write/index are index-level permissions. You can remove them from the cluster section. The role we ship with SG for snapshot/restore is:
sg_manage_snapshots:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘':
'’:
- “indices:data/write/index”
- “indices:admin/create”
``
Are you sure your user is mapped to sg_restore? Please post the full output in the elasticsearch logs when you try to restore the snapshot.
On Monday, January 22, 2018 at 11:25:35 AM UTC+1, JozsefB wrote:
Hi Jochen
Now I have a roles for the user (not the backend roles :-)) Yet I cannot restore a snapshot.
sg_roles.yml
sg_restore:
cluster:
- MANAGE_SNAPSHOTS
- indices:admin/create
- indices:data/write/index
indices:
‘':
'’:
- INDICES_ALL
elasticsearch.yml:
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: false
During the restore I excluded the global state.
On Monday, January 22, 2018 at 9:03:35 AM UTC+1, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
Hi
I completely missed the out-of-the-box sg_manage_snapshots role.
Is there any good docs about the sg_roles.yml, sg_roles_mapping.yml and sg_actions.yml.
I am a little bit confused about the options
Thanks
Yes, it’s all in the docs:
On Monday, January 22, 2018 at 12:15:24 PM UTC+1, JozsefB wrote:
Hi
I completely missed the out-of-the-box sg_manage_snapshots role.
Is there any good docs about the sg_roles.yml, sg_roles_mapping.yml and sg_actions.yml.
I am a little bit confused about the options
Thanks
Hi ,
Can you please help me on below error
security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore
Please find my setting
in sg_action_groups.yml
MANAGE_SNAPSHOTS:
permissions:
“cluster:admin/snapshot/*”
“cluster:admin/repository/*”
in sg_roles.yml
sg_manage_restore:
cluster:
indices:
‘*’:
‘*’:
“indices:data/write/index”
“indices:admin/create”
in sg_roles_mapping.yml
sg_manage_restore:
users:
backendroles:
Thanks
Ashok
On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
Hi Ashok,
I have the same configuration and I managed to restore a snapshot.
But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?
I am going to check it now and will come back.
Best Regards
Jozsef
On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:
Hi ,
Can you please help me on below error
security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore
Please find my setting
in sg_action_groups.yml
MANAGE_SNAPSHOTS:
permissions:
- “cluster:admin/snapshot/*”
- “cluster:admin/repository/*”
in sg_roles.yml
sg_manage_restore:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
in sg_roles_mapping.yml
sg_manage_restore:
users:
- admin
backendroles:
- admin
Thanks
Ashok
On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
I am using below curl
curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’
{
“indices”: “demotest-*”,
“include_global_state”: false
}’
Result
====
{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}
Can you please check , is this correct way for restore ?
Thanks
Ashok
On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:
Hi Ashok,
I have the same configuration and I managed to restore a snapshot.
But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?
I am going to check it now and will come back.
Best Regards
Jozsef
On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:
Hi ,
Can you please help me on below error
security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore
Please find my setting
in sg_action_groups.yml
MANAGE_SNAPSHOTS:
permissions:
- “cluster:admin/snapshot/*”
- “cluster:admin/repository/*”
in sg_roles.yml
sg_manage_restore:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
in sg_roles_mapping.yml
sg_manage_restore:
users:
- admin
backendroles:
- admin
Thanks
Ashok
On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
Please refer to the documentation for snapshot/restore and make sure you have enabled snapshot/restore for regular users:
http://docs.search-guard.com/latest/snapshot-restore
There is also a pre-defined role int the demo configuration:
http://docs.search-guard.com/latest/demo-users-roles
On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:
I am using below curl
curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’
{
“indices”: “demotest-*”,
“include_global_state”: false
}’
Result
====
{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}
Can you please check , is this correct way for restore ?
Thanks
Ashok
On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:
Hi Ashok,
I have the same configuration and I managed to restore a snapshot.
But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?
I am going to check it now and will come back.
Best Regards
Jozsef
On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:
Hi ,
Can you please help me on below error
security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore
Please find my setting
in sg_action_groups.yml
MANAGE_SNAPSHOTS:
permissions:
- “cluster:admin/snapshot/*”
- “cluster:admin/repository/*”
in sg_roles.yml
sg_manage_restore:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
in sg_roles_mapping.yml
sg_manage_restore:
users:
- admin
backendroles:
- admin
Thanks
Ashok
On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
Yes , i am using both the doc but no luck
error in elastic search log
cluster:admin/snapshot/restore is not allowed for a regular user
Thanks
Ashok
On Thursday, February 8, 2018 at 2:30:41 PM UTC+5:30, Jochen Kressin wrote:
Please refer to the documentation for snapshot/restore:
There is also a pre-defined role int the demo configuration:
http://docs.search-guard.com/latest/demo-users-roles
On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:
I am using below curl
curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’
{
“indices”: “demotest-*”,
“include_global_state”: false
}’
Result
====
{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}
Can you please check , is this correct way for restore ?
Thanks
Ashok
On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:
Hi Ashok,
I have the same configuration and I managed to restore a snapshot.
But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?
I am going to check it now and will come back.
Best Regards
Jozsef
On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:
Hi ,
Can you please help me on below error
security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore
Please find my setting
in sg_action_groups.yml
MANAGE_SNAPSHOTS:
permissions:
- “cluster:admin/snapshot/*”
- “cluster:admin/repository/*”
in sg_roles.yml
sg_manage_restore:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
in sg_roles_mapping.yml
sg_manage_restore:
users:
- admin
backendroles:
- admin
Thanks
Ashok
On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
You have not enabled snapshot and restore for regular users, that is exactly what the error message says. Please enable this in elasticsearch.yml or post your elasticsearch.yml here.
On Thursday, February 8, 2018 at 10:04:01 AM UTC+1, priyadarshi bal wrote:
Yes , i am using both the doc but no luck
error in elastic search log
cluster:admin/snapshot/restore is not allowed for a regular user
Thanks
Ashok
On Thursday, February 8, 2018 at 2:30:41 PM UTC+5:30, Jochen Kressin wrote:
Please refer to the documentation for snapshot/restore:
There is also a pre-defined role int the demo configuration:
http://docs.search-guard.com/latest/demo-users-roles
On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:
I am using below curl
curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’
{
“indices”: “demotest-*”,
“include_global_state”: false
}’
Result
====
{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}
Can you please check , is this correct way for restore ?
Thanks
Ashok
On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:
Hi Ashok,
I have the same configuration and I managed to restore a snapshot.
But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?
I am going to check it now and will come back.
Best Regards
Jozsef
On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:
Hi ,
Can you please help me on below error
security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore
Please find my setting
in sg_action_groups.yml
MANAGE_SNAPSHOTS:
permissions:
- “cluster:admin/snapshot/*”
- “cluster:admin/repository/*”
in sg_roles.yml
sg_manage_restore:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
in sg_roles_mapping.yml
sg_manage_restore:
users:
- admin
backendroles:
- admin
Thanks
Ashok
On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
Yes , i have enabled snapshot and restore for regular users but no luck
Please find the elasticsearch.yml below
cluster.name: essreport123
node.name: “XXX.XX-essr1”
network.host: “XXX.XX-essr1”
transport.tcp.port: 9741
http.port: 9641
discovery.zen.ping.unicast.hosts: [“XXX.XX-essr1”]
path.data: /data/elasticsearch
path.logs: /logs/elasticsearch
path.repo: /data/elasticsearch-backup
#index.mapper.dynamic: false
index.refresh_interval: 180s
transport.netty.worker_count: 3
action.destructive_requires_name: true
index.query.bool.max_clause_count: 8192
searchguard.ssl.transport.keystore_filepath: node123-keystore.jks
searchguard.ssl.transport.keystore_password: xxxxx
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: xxxxxxx
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.enabled: true
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node123-keystore.jks
searchguard.ssl.http.keystore_password: xxxxxx
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: changeit
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.authcz.admin_dn:
Thanks
Ashok
On Thursday, February 8, 2018 at 2:37:08 PM UTC+5:30, Jochen Kressin wrote:
You have not enabled snapshot and restore for regular users, that is exactly what the error message says. Please enable this in elasticsearch.yml or post your elasticsearch.yml here.
On Thursday, February 8, 2018 at 10:04:01 AM UTC+1, priyadarshi bal wrote:
Yes , i am using both the doc but no luck
error in elastic search log
cluster:admin/snapshot/restore is not allowed for a regular user
Thanks
Ashok
On Thursday, February 8, 2018 at 2:30:41 PM UTC+5:30, Jochen Kressin wrote:
Please refer to the documentation for snapshot/restore:
There is also a pre-defined role int the demo configuration:
http://docs.search-guard.com/latest/demo-users-roles
On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:
I am using below curl
curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’
{
“indices”: “demotest-*”,
“include_global_state”: false
}’
Result
====
{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}
Can you please check , is this correct way for restore ?
Thanks
Ashok
On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:
Hi Ashok,
I have the same configuration and I managed to restore a snapshot.
But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?
I am going to check it now and will come back.
Best Regards
Jozsef
On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:
Hi ,
Can you please help me on below error
security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore
Please find my setting
in sg_action_groups.yml
MANAGE_SNAPSHOTS:
permissions:
- “cluster:admin/snapshot/*”
- “cluster:admin/repository/*”
in sg_roles.yml
sg_manage_restore:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
in sg_roles_mapping.yml
sg_manage_restore:
users:
- admin
backendroles:
- admin
Thanks
Ashok
On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
Can you please give some suggestion
Thanks
Ashok
On Thursday, February 8, 2018 at 2:37:08 PM UTC+5:30, Jochen Kressin wrote:
You have not enabled snapshot and restore for regular users, that is exactly what the error message says. Please enable this in elasticsearch.yml or post your elasticsearch.yml here.
On Thursday, February 8, 2018 at 10:04:01 AM UTC+1, priyadarshi bal wrote:
Yes , i am using both the doc but no luck
error in elastic search log
cluster:admin/snapshot/restore is not allowed for a regular user
Thanks
Ashok
On Thursday, February 8, 2018 at 2:30:41 PM UTC+5:30, Jochen Kressin wrote:
Please refer to the documentation for snapshot/restore:
There is also a pre-defined role int the demo configuration:
http://docs.search-guard.com/latest/demo-users-roles
On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:
I am using below curl
curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’
{
“indices”: “demotest-*”,
“include_global_state”: false
}’
Result
====
{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}
Can you please check , is this correct way for restore ?
Thanks
Ashok
On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:
Hi Ashok,
I have the same configuration and I managed to restore a snapshot.
But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?
I am going to check it now and will come back.
Best Regards
Jozsef
On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:
Hi ,
Can you please help me on below error
security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore
Please find my setting
in sg_action_groups.yml
MANAGE_SNAPSHOTS:
permissions:
- “cluster:admin/snapshot/*”
- “cluster:admin/repository/*”
in sg_roles.yml
sg_manage_restore:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
in sg_roles_mapping.yml
sg_manage_restore:
users:
- admin
backendroles:
- admin
Thanks
Ashok
On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
At the moment the only suggestion is to check if you have set the restore privilege on all nodes to true, and check that you actually restarted the node. According to the code the entry in the logfile can only occur when this config key is set to false, not present at all in the elasticsearch.yml or the node has not been restarted.
On Thursday, February 8, 2018 at 6:26:39 PM UTC+1, priyadarshi bal wrote:
Can you please give some suggestion
Thanks
Ashok
On Thursday, February 8, 2018 at 2:37:08 PM UTC+5:30, Jochen Kressin wrote:
You have not enabled snapshot and restore for regular users, that is exactly what the error message says. Please enable this in elasticsearch.yml or post your elasticsearch.yml here.
On Thursday, February 8, 2018 at 10:04:01 AM UTC+1, priyadarshi bal wrote:
Yes , i am using both the doc but no luck
error in elastic search log
cluster:admin/snapshot/restore is not allowed for a regular user
Thanks
Ashok
On Thursday, February 8, 2018 at 2:30:41 PM UTC+5:30, Jochen Kressin wrote:
Please refer to the documentation for snapshot/restore:
There is also a pre-defined role int the demo configuration:
http://docs.search-guard.com/latest/demo-users-roles
On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:
I am using below curl
curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’
{
“indices”: “demotest-*”,
“include_global_state”: false
}’
Result
====
{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}
Can you please check , is this correct way for restore ?
Thanks
Ashok
On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:
Hi Ashok,
I have the same configuration and I managed to restore a snapshot.
But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?
I am going to check it now and will come back.
Best Regards
Jozsef
On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:
Hi ,
Can you please help me on below error
security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore
Please find my setting
in sg_action_groups.yml
MANAGE_SNAPSHOTS:
permissions:
- “cluster:admin/snapshot/*”
- “cluster:admin/repository/*”
in sg_roles.yml
sg_manage_restore:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
in sg_roles_mapping.yml
sg_manage_restore:
users:
- admin
backendroles:
- admin
Thanks
Ashok
On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef
Hi,
I set the searchguard.check_snapshot_restore_write_privileges option to false in my elasticsearch.yml. That is the only difference from your settings
Best Regards
Jozsef
On Thursday, February 8, 2018 at 10:22:22 AM UTC+1, priyadarshi bal wrote:
Yes , i have enabled snapshot and restore for regular users but no luck
Please find the elasticsearch.yml below
cluster.name: essreport123
node.name: “XXX.XX-essr1”
network.host: “XXX.XX-essr1”
transport.tcp.port: 9741
http.port: 9641
discovery.zen.ping.unicast.hosts: [“XXX.XX-essr1”]
path.data: /data/elasticsearch
path.logs: /logs/elasticsearch
path.repo: /data/elasticsearch-backup
#index.mapper.dynamic: false
index.refresh_interval: 180s
transport.netty.worker_count: 3
action.destructive_requires_name: true
index.query.bool.max_clause_count: 8192
searchguard.ssl.transport.keystore_filepath: node123-keystore.jks
searchguard.ssl.transport.keystore_password: xxxxx
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: xxxxxxx
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.enabled: true
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node123-keystore.jks
searchguard.ssl.http.keystore_password: xxxxxx
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: changeit
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.authcz.admin_dn:
- cn=admin,ou=Test,ou=ou,dc=company,dc=com
Thanks
Ashok
On Thursday, February 8, 2018 at 2:37:08 PM UTC+5:30, Jochen Kressin wrote:
You have not enabled snapshot and restore for regular users, that is exactly what the error message says. Please enable this in elasticsearch.yml or post your elasticsearch.yml here.
On Thursday, February 8, 2018 at 10:04:01 AM UTC+1, priyadarshi bal wrote:
Yes , i am using both the doc but no luck
error in elastic search log
cluster:admin/snapshot/restore is not allowed for a regular user
Thanks
Ashok
On Thursday, February 8, 2018 at 2:30:41 PM UTC+5:30, Jochen Kressin wrote:
Please refer to the documentation for snapshot/restore:
There is also a pre-defined role int the demo configuration:
http://docs.search-guard.com/latest/demo-users-roles
On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:
I am using below curl
curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’
{
“indices”: “demotest-*”,
“include_global_state”: false
}’
Result
====
{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}
Can you please check , is this correct way for restore ?
Thanks
Ashok
On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:
Hi Ashok,
I have the same configuration and I managed to restore a snapshot.
But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?
I am going to check it now and will come back.
Best Regards
Jozsef
On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:
Hi ,
Can you please help me on below error
security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore
Please find my setting
in sg_action_groups.yml
MANAGE_SNAPSHOTS:
permissions:
- “cluster:admin/snapshot/*”
- “cluster:admin/repository/*”
in sg_roles.yml
sg_manage_restore:
cluster:
- MANAGE_SNAPSHOTS
indices:
‘*’:
‘*’:
- “indices:data/write/index”
- “indices:admin/create”
in sg_roles_mapping.yml
sg_manage_restore:
users:
- admin
backendroles:
- admin
Thanks
Ashok
On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:
Hi,
5.6.2
Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:
“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”
According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS
I manage to push the configuration with sgadmin.sh (done with success) into the ES
What is wrong?
Best Regads
Jozsef