Performing backups / snapshots as 'snapshotrestore' - Not working out-of-the-box

Hi,

I’m running search guard 22.3 with ElasticSearch 6.3.0.

I’m trying to configure Backups (snapshots) using Curator. I can perform my required snapshots using the inbuilt admin account, but it seems there is a built-in role called ‘snapshotrestore’ that should be used for this purpose.

Do the default roles and permissions allow for ‘snapshotrestore’ to perform these snapshots? (My testing shows that it doesn’t.)

Is the ‘snapshotrestore’ account supposed to work out-of-the-box or is it there as an incomplete example?

Is there a permission structure that you can recommend for a backup account to use that doesn’t rely on administrator-type permissions?

Many Thanks

Cam

sg_roles.yml:

```yaml
sg_manage_snapshots:
  cluster:
    - MANAGE_SNAPSHOTS
  indices:
    '*':
      '*':
        - "indices:data/write/index"
        - "indices:admin/create"
```

sg_roles_mapping.yml:

```yaml
sg_manage_snapshots:
  readonly: true
  backendroles:
    - snapshotrestore
```

Hi,

please refer to this chapter in the docs:

The recommended way is to use an admin certificate for snapshot/restore. If you want to allow regular users to perform snapshot/restore operations, you need to enable it in elasticsearch.yml:

```yaml
searchguard.enable_snapshot_restore_privilege: true
```

Then you can use the snapshotrestore user/role.


On Monday, August 6, 2018 at 6:04:11 AM UTC+2, Cam McKenzie wrote:

Hello,

I was trying to give it less authorisation than the (inbuilt) admin account not more :slight_smile:

Sounds like I’d need to enable (as mentioned) `searchguard.enable_snapshot_restore_privilege`

And grant that role explicit privileges to the snapshot_restore role - I just thought it might work out of the box.

Cheers
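
The three preconditions named in this thread (the `elasticsearch.yml` setting, the `MANAGE_SNAPSHOTS` cluster permission on the role, and the backend-role mapping) can be checked before pointing Curator at a non-admin account. The following is an added example, not part of the thread or of Search Guard; the function names, the small block-YAML reader and the sample strings are constructed for illustration, and the reader assumes the flat dotted setting form and simple block-style files.

```python
FLAG = "searchguard.enable_snapshot_restore_privilege"
ROLE, BACKEND_ROLE = "sg_manage_snapshots", "snapshotrestore"
ROLES = """# constructed sample mirroring sg_roles.yml as quoted in the thread
sg_manage_snapshots:
  cluster:
    - MANAGE_SNAPSHOTS
  indices:
    '*':
      '*':
        - "indices:data/write/index"
"""
MAPPING = """# constructed sample mirroring sg_roles_mapping.yml as quoted in the thread
sg_manage_snapshots:
  readonly: true
  backendroles:
    - snapshotrestore
"""

def flag_enabled(es_yml):
    """True only if the flat dotted setting is present, uncommented and true."""
    for line in es_yml.splitlines():
        key, _, value = line.split("#", 1)[0].partition(":")
        if key.strip() == FLAG:
            return value.strip().strip("\"'").lower() == "true"
    return False  # unset counts as disabled, as the thread reports

def list_under(yml, top, key):
    """Items of list `key` directly under top-level `top` (simple block YAML only)."""
    items, in_top, in_key = [], False, False
    for raw in yml.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        if raw[0] not in " \t":  # a new top-level key starts
            in_top, in_key = text == top + ":", False
        elif text.endswith(":") and not text.startswith("-"):
            in_key = in_top and text == key + ":"  # some nested key starts
        elif in_key and text.startswith("-"):
            items.append(text[1:].strip().strip("\"'"))
    return items

def preflight(es_yml, roles_yml=ROLES, mapping_yml=MAPPING):
    """Names of failed preconditions for a non-admin snapshot user; [] means OK."""
    checks = {
        FLAG: flag_enabled(es_yml),
        "cluster_permission": "MANAGE_SNAPSHOTS" in list_under(roles_yml, ROLE, "cluster"),
        "role_mapping": BACKEND_ROLE in list_under(mapping_yml, ROLE, "backendroles"),
    }
    return [name for name, ok in checks.items() if not ok]
```

Pass the contents of the real `elasticsearch.yml`, `sg_roles.yml` and `sg_roles_mapping.yml` in place of the samples; the check reads files only and does not query the running cluster.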