no roles for the user

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

You’re looking at the wrong attribute. The one you mentioned lists the backend roles, i.e. the roles coming from an LDAP server for example. Yes, we should rename this to backendroles :wink:

There’s a separate sg_roles key in the JSON, this lists the Search Guard roles after the request has been mapped via sg_role_mapping.yml.

···

On Monday, January 22, 2018 at 9:03:35 AM UTC+1, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

Thanks

···

On Monday, January 22, 2018 at 9:03:35 AM UTC+1, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

Hi Jochen

Now I have a roles for the user (not the backend roles :-)) Yet I cannot restore a snapshot.

sg_roles.yml

sg_restore:
cluster:
- MANAGE_SNAPSHOTS
- indices:admin/create
- indices:data/write/index
indices:
’:
'
’:
- INDICES_ALL

elasticsearch.yml:

searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: false

During the restore I excluded the global state.

···

On Monday, January 22, 2018 at 9:03:35 AM UTC+1, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

The role definition should work, although the indices:admin/create and indices:data/write/index are index-level permissions. You can remove them from the cluster section. The role we ship with SG for snapshot/restore is:

sg_manage_snapshots:
cluster:
- MANAGE_SNAPSHOTS
indices:
’:
'
’:
- “indices:data/write/index”
- “indices:admin/create”

``

Are you sure your user is mapped to sg_restore? Please post the full output in the elasticsearch logs when you try to restore the snapshot.

···

On Monday, January 22, 2018 at 11:25:35 AM UTC+1, JozsefB wrote:

Hi Jochen

Now I have a roles for the user (not the backend roles :-)) Yet I cannot restore a snapshot.

sg_roles.yml

sg_restore:
cluster:
- MANAGE_SNAPSHOTS
- indices:admin/create
- indices:data/write/index
indices:
’:
'
’:
- INDICES_ALL

elasticsearch.yml:

searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: false

During the restore I excluded the global state.

On Monday, January 22, 2018 at 9:03:35 AM UTC+1, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

Hi

I completely missed the out-of-the-box sg_manage_snapshots role.

Is there any good docs about the sg_roles.yml, sg_roles_mapping.yml and sg_actions.yml.

I am a little bit confused about the options

Thanks

Yes, it’s all in the docs:

···

On Monday, January 22, 2018 at 12:15:24 PM UTC+1, JozsefB wrote:

Hi

I completely missed the out-of-the-box sg_manage_snapshots role.

Is there any good docs about the sg_roles.yml, sg_roles_mapping.yml and sg_actions.yml.

I am a little bit confused about the options

Thanks

Hi ,

Can you please help me on below error

security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore

Please find my setting

in sg_action_groups.yml

MANAGE_SNAPSHOTS:

permissions:

  • “cluster:admin/snapshot/*”

  • “cluster:admin/repository/*”

in sg_roles.yml

sg_manage_restore:

cluster:

  • MANAGE_SNAPSHOTS

indices:

‘*’:

‘*’:

  • “indices:data/write/index”

  • “indices:admin/create”

in sg_roles_mapping.yml

sg_manage_restore:

users:

  • admin

backendroles:

  • admin

Thanks

Ashok

···

On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

Hi Ashok,

I have the same configuration and I managed to restore a snapshot.

But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?

I am going to check it now and will come back.

Best Regards

Jozsef

···

On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:

Hi ,

Can you please help me on below error

security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore

Please find my setting

in sg_action_groups.yml

MANAGE_SNAPSHOTS:

permissions:

  • “cluster:admin/snapshot/*”
  • “cluster:admin/repository/*”

in sg_roles.yml

sg_manage_restore:

cluster:

  • MANAGE_SNAPSHOTS

indices:

‘*’:

‘*’:

  • “indices:data/write/index”
  • “indices:admin/create”

in sg_roles_mapping.yml

sg_manage_restore:

users:

  • admin

backendroles:

  • admin

Thanks

Ashok

On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

I am using below curl

curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’

{

“indices”: “demotest-*”,

“include_global_state”: false

}’

Result

···

====

{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}

Can you please check , is this correct way for restore ?

Thanks

Ashok

On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:

Hi Ashok,

I have the same configuration and I managed to restore a snapshot.

But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?

I am going to check it now and will come back.

Best Regards

Jozsef

On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:

Hi ,

Can you please help me on below error

security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore

Please find my setting

in sg_action_groups.yml

MANAGE_SNAPSHOTS:

permissions:

  • “cluster:admin/snapshot/*”
  • “cluster:admin/repository/*”

in sg_roles.yml

sg_manage_restore:

cluster:

  • MANAGE_SNAPSHOTS

indices:

‘*’:

‘*’:

  • “indices:data/write/index”
  • “indices:admin/create”

in sg_roles_mapping.yml

sg_manage_restore:

users:

  • admin

backendroles:

  • admin

Thanks

Ashok

On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

Please refer to the documentation for snapshot/restore and make sure you have enabled snapshot/restore for regular users:

http://docs.search-guard.com/latest/snapshot-restore

There is also a pre-defined role int the demo configuration:

http://docs.search-guard.com/latest/demo-users-roles

···

On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:

I am using below curl

curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’

{

“indices”: “demotest-*”,

“include_global_state”: false

}’

Result

====

{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}

Can you please check , is this correct way for restore ?

Thanks

Ashok

On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:

Hi Ashok,

I have the same configuration and I managed to restore a snapshot.

But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?

I am going to check it now and will come back.

Best Regards

Jozsef

On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:

Hi ,

Can you please help me on below error

security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore

Please find my setting

in sg_action_groups.yml

MANAGE_SNAPSHOTS:

permissions:

  • “cluster:admin/snapshot/*”
  • “cluster:admin/repository/*”

in sg_roles.yml

sg_manage_restore:

cluster:

  • MANAGE_SNAPSHOTS

indices:

‘*’:

‘*’:

  • “indices:data/write/index”
  • “indices:admin/create”

in sg_roles_mapping.yml

sg_manage_restore:

users:

  • admin

backendroles:

  • admin

Thanks

Ashok

On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

Yes , i am using both the doc but no luck

error in elastic search log

cluster:admin/snapshot/restore is not allowed for a regular user

Thanks

Ashok

···

On Thursday, February 8, 2018 at 2:30:41 PM UTC+5:30, Jochen Kressin wrote:

Please refer to the documentation for snapshot/restore:

http://docs.search-guard.com/latest/snapshot-restore

There is also a pre-defined role int the demo configuration:

http://docs.search-guard.com/latest/demo-users-roles

On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:

I am using below curl

curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’

{

“indices”: “demotest-*”,

“include_global_state”: false

}’

Result

====

{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}

Can you please check , is this correct way for restore ?

Thanks

Ashok

On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:

Hi Ashok,

I have the same configuration and I managed to restore a snapshot.

But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?

I am going to check it now and will come back.

Best Regards

Jozsef

On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:

Hi ,

Can you please help me on below error

security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore

Please find my setting

in sg_action_groups.yml

MANAGE_SNAPSHOTS:

permissions:

  • “cluster:admin/snapshot/*”
  • “cluster:admin/repository/*”

in sg_roles.yml

sg_manage_restore:

cluster:

  • MANAGE_SNAPSHOTS

indices:

‘*’:

‘*’:

  • “indices:data/write/index”
  • “indices:admin/create”

in sg_roles_mapping.yml

sg_manage_restore:

users:

  • admin

backendroles:

  • admin

Thanks

Ashok

On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

You have not enabled snapshot and restore for regular users, that is exactly what the error message says. Please enable this in elasticsearch.yml or post your elasticsearch.yml here.

···

On Thursday, February 8, 2018 at 10:04:01 AM UTC+1, priyadarshi bal wrote:

Yes , i am using both the doc but no luck

error in elastic search log

cluster:admin/snapshot/restore is not allowed for a regular user

Thanks

Ashok

On Thursday, February 8, 2018 at 2:30:41 PM UTC+5:30, Jochen Kressin wrote:

Please refer to the documentation for snapshot/restore:

http://docs.search-guard.com/latest/snapshot-restore

There is also a pre-defined role int the demo configuration:

http://docs.search-guard.com/latest/demo-users-roles

On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:

I am using below curl

curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’

{

“indices”: “demotest-*”,

“include_global_state”: false

}’

Result

====

{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}

Can you please check , is this correct way for restore ?

Thanks

Ashok

On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:

Hi Ashok,

I have the same configuration and I managed to restore a snapshot.

But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?

I am going to check it now and will come back.

Best Regards

Jozsef

On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:

Hi ,

Can you please help me on below error

security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore

Please find my setting

in sg_action_groups.yml

MANAGE_SNAPSHOTS:

permissions:

  • “cluster:admin/snapshot/*”
  • “cluster:admin/repository/*”

in sg_roles.yml

sg_manage_restore:

cluster:

  • MANAGE_SNAPSHOTS

indices:

‘*’:

‘*’:

  • “indices:data/write/index”
  • “indices:admin/create”

in sg_roles_mapping.yml

sg_manage_restore:

users:

  • admin

backendroles:

  • admin

Thanks

Ashok

On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

Yes , i have enabled snapshot and restore for regular users but no luck

Please find the elasticsearch.yml below

cluster.name: essreport123

node.name: “XXX.XX-essr1”

network.host: “XXX.XX-essr1”

transport.tcp.port: 9741

http.port: 9641

discovery.zen.ping.unicast.hosts: [“XXX.XX-essr1”]

path.data: /data/elasticsearch

path.logs: /logs/elasticsearch

path.repo: /data/elasticsearch-backup

#index.mapper.dynamic: false

index.refresh_interval: 180s

transport.netty.worker_count: 3

action.destructive_requires_name: true

index.query.bool.max_clause_count: 8192

searchguard.ssl.transport.keystore_filepath: node123-keystore.jks

searchguard.ssl.transport.keystore_password: xxxxx

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: xxxxxxx

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.enabled: true

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node123-keystore.jks

searchguard.ssl.http.keystore_password: xxxxxx

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: changeit

searchguard.enable_snapshot_restore_privilege: true

searchguard.check_snapshot_restore_write_privileges: true

searchguard.authcz.admin_dn:

  • cn=admin,ou=Test,ou=ou,dc=company,dc=com

Thanks

Ashok

···

On Thursday, February 8, 2018 at 2:37:08 PM UTC+5:30, Jochen Kressin wrote:

You have not enabled snapshot and restore for regular users, that is exactly what the error message says. Please enable this in elasticsearch.yml or post your elasticsearch.yml here.

On Thursday, February 8, 2018 at 10:04:01 AM UTC+1, priyadarshi bal wrote:

Yes , i am using both the doc but no luck

error in elastic search log

cluster:admin/snapshot/restore is not allowed for a regular user

Thanks

Ashok

On Thursday, February 8, 2018 at 2:30:41 PM UTC+5:30, Jochen Kressin wrote:

Please refer to the documentation for snapshot/restore:

http://docs.search-guard.com/latest/snapshot-restore

There is also a pre-defined role int the demo configuration:

http://docs.search-guard.com/latest/demo-users-roles

On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:

I am using below curl

curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’

{

“indices”: “demotest-*”,

“include_global_state”: false

}’

Result

====

{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}

Can you please check , is this correct way for restore ?

Thanks

Ashok

On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:

Hi Ashok,

I have the same configuration and I managed to restore a snapshot.

But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?

I am going to check it now and will come back.

Best Regards

Jozsef

On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:

Hi ,

Can you please help me on below error

security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore

Please find my setting

in sg_action_groups.yml

MANAGE_SNAPSHOTS:

permissions:

  • “cluster:admin/snapshot/*”
  • “cluster:admin/repository/*”

in sg_roles.yml

sg_manage_restore:

cluster:

  • MANAGE_SNAPSHOTS

indices:

‘*’:

‘*’:

  • “indices:data/write/index”
  • “indices:admin/create”

in sg_roles_mapping.yml

sg_manage_restore:

users:

  • admin

backendroles:

  • admin

Thanks

Ashok

On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

Can you please give some suggestion

Thanks

Ashok

···

On Thursday, February 8, 2018 at 2:37:08 PM UTC+5:30, Jochen Kressin wrote:

You have not enabled snapshot and restore for regular users, that is exactly what the error message says. Please enable this in elasticsearch.yml or post your elasticsearch.yml here.

On Thursday, February 8, 2018 at 10:04:01 AM UTC+1, priyadarshi bal wrote:

Yes , i am using both the doc but no luck

error in elastic search log

cluster:admin/snapshot/restore is not allowed for a regular user

Thanks

Ashok

On Thursday, February 8, 2018 at 2:30:41 PM UTC+5:30, Jochen Kressin wrote:

Please refer to the documentation for snapshot/restore:

http://docs.search-guard.com/latest/snapshot-restore

There is also a pre-defined role int the demo configuration:

http://docs.search-guard.com/latest/demo-users-roles

On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:

I am using below curl

curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’

{

“indices”: “demotest-*”,

“include_global_state”: false

}’

Result

====

{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}

Can you please check , is this correct way for restore ?

Thanks

Ashok

On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:

Hi Ashok,

I have the same configuration and I managed to restore a snapshot.

But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?

I am going to check it now and will come back.

Best Regards

Jozsef

On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:

Hi ,

Can you please help me on below error

security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore

Please find my setting

in sg_action_groups.yml

MANAGE_SNAPSHOTS:

permissions:

  • “cluster:admin/snapshot/*”
  • “cluster:admin/repository/*”

in sg_roles.yml

sg_manage_restore:

cluster:

  • MANAGE_SNAPSHOTS

indices:

‘*’:

‘*’:

  • “indices:data/write/index”
  • “indices:admin/create”

in sg_roles_mapping.yml

sg_manage_restore:

users:

  • admin

backendroles:

  • admin

Thanks

Ashok

On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

At the moment the only suggestion is to check if you have set the restore privilege on all nodes to true, and check that you actually restarted the node. According to the code the entry in the logfile can only occur when this config key is set to false, not present at all in the elasticsearch.yml or the node has not been restarted.

···

On Thursday, February 8, 2018 at 6:26:39 PM UTC+1, priyadarshi bal wrote:

Can you please give some suggestion

Thanks

Ashok

On Thursday, February 8, 2018 at 2:37:08 PM UTC+5:30, Jochen Kressin wrote:

You have not enabled snapshot and restore for regular users, that is exactly what the error message says. Please enable this in elasticsearch.yml or post your elasticsearch.yml here.

On Thursday, February 8, 2018 at 10:04:01 AM UTC+1, priyadarshi bal wrote:

Yes , i am using both the doc but no luck

error in elastic search log

cluster:admin/snapshot/restore is not allowed for a regular user

Thanks

Ashok

On Thursday, February 8, 2018 at 2:30:41 PM UTC+5:30, Jochen Kressin wrote:

Please refer to the documentation for snapshot/restore:

http://docs.search-guard.com/latest/snapshot-restore

There is also a pre-defined role int the demo configuration:

http://docs.search-guard.com/latest/demo-users-roles

On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:

I am using below curl

curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’

{

“indices”: “demotest-*”,

“include_global_state”: false

}’

Result

====

{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}

Can you please check , is this correct way for restore ?

Thanks

Ashok

On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:

Hi Ashok,

I have the same configuration and I managed to restore a snapshot.

But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?

I am going to check it now and will come back.

Best Regards

Jozsef

On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:

Hi ,

Can you please help me on below error

security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore

Please find my setting

in sg_action_groups.yml

MANAGE_SNAPSHOTS:

permissions:

  • “cluster:admin/snapshot/*”
  • “cluster:admin/repository/*”

in sg_roles.yml

sg_manage_restore:

cluster:

  • MANAGE_SNAPSHOTS

indices:

‘*’:

‘*’:

  • “indices:data/write/index”
  • “indices:admin/create”

in sg_roles_mapping.yml

sg_manage_restore:

users:

  • admin

backendroles:

  • admin

Thanks

Ashok

On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef

Hi,

I set the searchguard.check_snapshot_restore_write_privileges option to false in my elasticsearch.yml. That is the only difference from your settings

Best Regards

Jozsef

···

On Thursday, February 8, 2018 at 10:22:22 AM UTC+1, priyadarshi bal wrote:

Yes , i have enabled snapshot and restore for regular users but no luck

Please find the elasticsearch.yml below

cluster.name: essreport123

node.name: “XXX.XX-essr1”

network.host: “XXX.XX-essr1”

transport.tcp.port: 9741

http.port: 9641

discovery.zen.ping.unicast.hosts: [“XXX.XX-essr1”]

path.data: /data/elasticsearch

path.logs: /logs/elasticsearch

path.repo: /data/elasticsearch-backup

#index.mapper.dynamic: false

index.refresh_interval: 180s

transport.netty.worker_count: 3

action.destructive_requires_name: true

index.query.bool.max_clause_count: 8192

searchguard.ssl.transport.keystore_filepath: node123-keystore.jks

searchguard.ssl.transport.keystore_password: xxxxx

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: xxxxxxx

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.enabled: true

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node123-keystore.jks

searchguard.ssl.http.keystore_password: xxxxxx

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: changeit

searchguard.enable_snapshot_restore_privilege: true

searchguard.check_snapshot_restore_write_privileges: true

searchguard.authcz.admin_dn:

  • cn=admin,ou=Test,ou=ou,dc=company,dc=com

Thanks

Ashok

On Thursday, February 8, 2018 at 2:37:08 PM UTC+5:30, Jochen Kressin wrote:

You have not enabled snapshot and restore for regular users, that is exactly what the error message says. Please enable this in elasticsearch.yml or post your elasticsearch.yml here.

On Thursday, February 8, 2018 at 10:04:01 AM UTC+1, priyadarshi bal wrote:

Yes , i am using both the doc but no luck

error in elastic search log

cluster:admin/snapshot/restore is not allowed for a regular user

Thanks

Ashok

On Thursday, February 8, 2018 at 2:30:41 PM UTC+5:30, Jochen Kressin wrote:

Please refer to the documentation for snapshot/restore:

http://docs.search-guard.com/latest/snapshot-restore

There is also a pre-defined role int the demo configuration:

http://docs.search-guard.com/latest/demo-users-roles

On Thursday, February 8, 2018 at 9:58:31 AM UTC+1, priyadarshi bal wrote:

I am using below curl

curl -XPOST -u admin:xxxxx --insecure ‘https://HOSTNAME:9641/_snapshot/demotest/snapshot_1/_restore’ -d’

{

“indices”: “demotest-*”,

“include_global_state”: false

}’

Result

====

{“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}],“type”:“security_exception”,“reason”:“no permissions for cluster:admin/snapshot/restore”}

Can you please check , is this correct way for restore ?

Thanks

Ashok

On Thursday, February 8, 2018 at 2:12:59 PM UTC+5:30, JozsefB wrote:

Hi Ashok,

I have the same configuration and I managed to restore a snapshot.

But my user also has the sg_all_access role. Now I become uncertain which roles permit me to do the restore?

I am going to check it now and will come back.

Best Regards

Jozsef

On Thursday, February 8, 2018 at 8:03:47 AM UTC+1, priyadarshi bal wrote:

Hi ,

Can you please help me on below error

security_exception",“reason”:"no permissions for cluster:admin/snapshot/restore

Please find my setting

in sg_action_groups.yml

MANAGE_SNAPSHOTS:

permissions:

  • “cluster:admin/snapshot/*”
  • “cluster:admin/repository/*”

in sg_roles.yml

sg_manage_restore:

cluster:

  • MANAGE_SNAPSHOTS

indices:

‘*’:

‘*’:

  • “indices:data/write/index”
  • “indices:admin/create”

in sg_roles_mapping.yml

sg_manage_restore:

users:

  • admin

backendroles:

  • admin

Thanks

Ashok

On Monday, January 22, 2018 at 1:33:35 PM UTC+5:30, JozsefB wrote:

Hi,

5.6.2

Whenever I get a security exception in SearchGuard protected ES, the exception missing a roles for the user:

“type”: “security_exception”,
“reason”: “no permissions for [cluster:admin/snapshot/restore] and User [name=joe, roles=]”

According to my sg_roles_mapping.yml joe has a role of sg_restore which has a cluster wide action MANAGE_SNAPSHOTS

I manage to push the configuration with sgadmin.sh (done with success) into the ES

What is wrong?

Best Regads

Jozsef