Permissions error retrieving configuration, cannot upgrade, HELP!

Im trying to upgrade from 6.7.1 to 7.4.0 and am stuck, I cannot get sgadmin to work well enough to upgrade my configuration so that SG will work in 7.4.0 environment so Im unable to do very much.

I followed the instructions for upgrading from 6.X - 7.X but never got past the “migrate” step because the sgadmin seems unable to perform any operations due to permissions. It seems like a chicken/egg issue, something needs to be fixed in the elasticsearch tables to allow the admin user the right permissions, but I don’t have any way to do that since the “admin” user WAS the primary administrative account which worked just fine under 6.7.1. The new permission schema in 7.4.0 is not working.

Please HELP, Im totally dead in the water and do not want to disable SG but my users are getting anxious.

I cannot even retrieve the current configuration with sgadmin, Below are errors:

$ sgadmin.sh -icl -key $KEYFILE 8 -cert $CERT -cacert $CACERT -nhnv -r
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v7
Will connect to localhost:9300 … done
Connected as CN=,O=,L=,ST=,C=**
Elasticsearch Version: 7.4.0
Search Guard Version: 7.4.0-37.0.0
Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: ktelastic
Clusterstate: YELLOW
Number of nodes: 2
Number of data nodes: 2
searchguard index already exists, so we do not need to create one.
INFO: searchguard index state is YELLOW, it seems you miss some replicas
Legacy index ‘searchguard’ (ES 6) detected (or forced). You should migrate the configuration!
See Upgrading from 6.x to 7.x | Security for Elasticsearch | Search Guard for more details.
Will retrieve ‘sg/config’ into ./sg_config_2019-Oct-11_10-57-40.yml (legacy mode)
FAIL: Get configuration for ‘config’ because it does not exist
Will retrieve ‘sg/roles’ into ./sg_roles_2019-Oct-11_10-57-40.yml (legacy mode)
FAIL: Get configuration for ‘roles’ because it does not exist
Will retrieve ‘sg/rolesmapping’ into ./sg_roles_mapping_2019-Oct-11_10-57-40.yml (legacy mode)
FAIL: Get configuration for ‘rolesmapping’ because it does not exist
Will retrieve ‘sg/internalusers’ into ./sg_internal_users_2019-Oct-11_10-57-40.yml (legacy mode)
FAIL: Get configuration for ‘internalusers’ because it does not exist
Will retrieve ‘sg/actiongroups’ into ./sg_action_groups_2019-Oct-11_10-57-40.yml (legacy mode)
FAIL: Get configuration for ‘actiongroups’ because it does not exist

The error in elasticsearch log looks like:

[2019-10-11T11:01:32,201][INFO ][c.f.s.p.PrivilegesEvaluator] [ktelastic] No permissions for [indices:admin/aliases, indices:admin/create]

I might be wrong here, but I think you are talking about two different issues:

If you use sgadmin with an admin TLS certificate (as configured in elasticsearch.yml), this effectively bypasses the Search Guard security checks and enables reading and writing from/to the Search Guard configuration indes. So this error message here:

is in my opinion not related to sgadmin. It must come from somewhere else.

First, it seems the replica setting is not correct. You have 2 nodes, but probably configured a higher number of replica shards. Can your run sgadmin with the -era flag (enable replica auto expansion)? This should set the number of replicas automatically to the actual number of available nodes:

Next, what happens if you follow the steps to backup and validate your existing config as described here:

The -backup switch should give you the currently active configuration, which you can then verify and re-upload.

Note: I am assuming that $KEYFILE and $CERT point to an admin TLS certificate (and key) as configured in elasticsearch.yml, can you verify this?

The problem was not the certs or keys (which were correct).

The problem was the I could not get sgadmin to migrate my index from 6.7 to 7.4. Ultimately, I had to remove the search guard plugin entirely, re-index the “searchguard” index to a new name, delete the “searchguard” index, and re-install searchguard for elasticsearch 7.4.0 as if it were brand new. Not an optimal solution, but after fighting with the permissions issue for a day or more I had to get it working.

Something definitely went wrong during the upgrade process, I followed the instructions (or so I thought), but perhaps I needed to backup and migrate prior to upgrading my elasticsearch cluster itself. I got into a state that could not be upgraded or corrected. Elastic was running 7.4.0 but the searchguard index was still 6.7 and I couldnt get it in sync. I could not run “-migrate” or re-set the SG configuration.

Did you complete the “Check your Search Guard configuration” like described in Upgrading from 6.x to 7.x | Security for Elasticsearch | Search Guard ?

Yes, multiple times.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.