Im trying to upgrade from 6.7.1 to 7.4.0 and am stuck, I cannot get sgadmin to work well enough to upgrade my configuration so that SG will work in 7.4.0 environment so Im unable to do very much.
I followed the instructions for upgrading from 6.X - 7.X but never got past the “migrate” step because the sgadmin seems unable to perform any operations due to permissions. It seems like a chicken/egg issue, something needs to be fixed in the elasticsearch tables to allow the admin user the right permissions, but I don’t have any way to do that since the “admin” user WAS the primary administrative account which worked just fine under 6.7.1. The new permission schema in 7.4.0 is not working.
Please HELP, Im totally dead in the water and do not want to disable SG but my users are getting anxious.
I cannot even retrieve the current configuration with sgadmin, Below are errors:
$ sgadmin.sh -icl -key $KEYFILE 8 -cert $CERT -cacert $CACERT -nhnv -r
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v7
Will connect to localhost:9300 … done
Connected as CN=,O=,L=,ST=,C=**
Elasticsearch Version: 7.4.0
Search Guard Version: 7.4.0-37.0.0
Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Number of nodes: 2
Number of data nodes: 2
searchguard index already exists, so we do not need to create one.
INFO: searchguard index state is YELLOW, it seems you miss some replicas
Legacy index ‘searchguard’ (ES 6) detected (or forced). You should migrate the configuration!
See https://docs.search-guard.com/latest/upgrading-6-7 for more details.
Will retrieve ‘sg/config’ into ./sg_config_2019-Oct-11_10-57-40.yml (legacy mode)
FAIL: Get configuration for ‘config’ because it does not exist
Will retrieve ‘sg/roles’ into ./sg_roles_2019-Oct-11_10-57-40.yml (legacy mode)
FAIL: Get configuration for ‘roles’ because it does not exist
Will retrieve ‘sg/rolesmapping’ into ./sg_roles_mapping_2019-Oct-11_10-57-40.yml (legacy mode)
FAIL: Get configuration for ‘rolesmapping’ because it does not exist
Will retrieve ‘sg/internalusers’ into ./sg_internal_users_2019-Oct-11_10-57-40.yml (legacy mode)
FAIL: Get configuration for ‘internalusers’ because it does not exist
Will retrieve ‘sg/actiongroups’ into ./sg_action_groups_2019-Oct-11_10-57-40.yml (legacy mode)
FAIL: Get configuration for ‘actiongroups’ because it does not exist
The error in elasticsearch log looks like:
[2019-10-11T11:01:32,201][INFO ][c.f.s.p.PrivilegesEvaluator] [ktelastic] No permissions for [indices:admin/aliases, indices:admin/create]