Restoring a Snapshot is Failing with no permissions for cluster:admin/snapshot/restore

Hello, I’ve followed the instructions here: https://groups.google.com/forum/#!msg/search-guard/dQ3S5RGvAIo/Sya3065CEQAJ and http://floragunncom.github.io/search-guard-docs/snapshots.html and so far I still cannot successfully do a restore.
We are on ES 2.4.3 with SearchGuard 2.4 running.

I’m running:

curl -i -S --insecure -XPOST 'https://c4vlhbes001.test.cm.com:9200/_snapshot/elastic-backups/20170614-092100/_restore' -E ch.pem --key searchguard-keystore.pem -d '{
  "indices": "scmatlas*",
  "include_global_state": false
}'

and I get:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Search Guard"
Content-Type: text/plain; charset=UTF-8
Content-Length: 0

and in the elasticsearch logs I get:

[2017-06-15 11:11:39,964][WARN ][com.floragunn.searchguard.configuration.PrivilegesEvaluator] cluster:admin/snapshot/restore is not allowed for a regular user

I get this when I provide a username and password:

HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=UTF-8
Content-Length: 219

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for cluster:admin/snapshot/restore"}],"type":"security_exception","reason":"no permissions for cluster:admin/snapshot/restore"},"status":403}

Anyone been able to do a successful restore?? What else can I do?

From this:

[2017-06-15 11:11:39,964][WARN ][com.floragunn.searchguard.configuration.PrivilegesEvaluator] cluster:admin/snapshot/restore is not allowed for a regular user

It seems that either your certificates are incorrect, or you did not enable TLS client authentication. Please have a look at the “Prerequisites” chapter in the REST API docs.

https://github.com/floragunncom/search-guard-docs/blob/master/managementapi.md

For curl, you need the certificate chain including any intermediate certificate.

···

On Thursday, June 15, 2017 at 7:30:31 PM UTC+2, Melanie Zamora wrote:

Hello, I’ve followed the instructions here: https://groups.google.com/forum/#!msg/search-guard/dQ3S5RGvAIo/Sya3065CEQAJ and http://floragunncom.github.io/search-guard-docs/snapshots.html and so far I still cannot successfully do a restore.
We are on ES 2.4.3 with SearchGuard 2.4 running.

I’m running:

curl -i -S --insecure -XPOST 'https://c4vlhbes001.test.cm.com:9200/_snapshot/elastic-backups/20170614-092100/_restore' -E ch.pem --key searchguard-keystore.pem -d '{
  "indices": "scmatlas*",
  "include_global_state": false
}'

and I get:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Search Guard"
Content-Type: text/plain; charset=UTF-8
Content-Length: 0

and in the elasticsearch logs I get:

[2017-06-15 11:11:39,964][WARN ][com.floragunn.searchguard.configuration.PrivilegesEvaluator] cluster:admin/snapshot/restore is not allowed for a regular user

I get this when I provide a username and password:

HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=UTF-8
Content-Length: 219

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for cluster:admin/snapshot/restore"}],"type":"security_exception","reason":"no permissions for cluster:admin/snapshot/restore"},"status":403}

Anyone been able to do a successful restore?? What else can I do?

Also, could you send the complete logs on debug level from one node, from node start to the point where you get the WARN message from the PrivilegesEvaluator?

I started testing on my sandbox using the cert, chain and key provided in the example scripts. I ran this:
curl -i --insecure --cert chain.pem --key example-pki-scripts/kirk.key.pem -XPOST 'https://macky.atlas.cm.com:9200/_snapshot/elastic-backups/_verify?pretty'

and got this:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Search Guard"
Content-Type: text/plain; charset=UTF-8
Content-Length: 0

Any idea why??

···

On Saturday, June 17, 2017 at 4:03:44 AM UTC-5, Jochen Kressin wrote:

Also, could you send the complete logs on debug level from one node, from node start to the point where you get the WARN message from the PrivilegesEvaluator?

So, I assume you’re using our example scripts in your sandbox, right?

First make sure that the chain.pem file actually contains the kirk certificate plus all intermediate certs plus the root CA. You can simply cat the certs together, as described here:

https://github.com/floragunncom/search-guard-docs/blob/master/managementapi.md

Next, check that the HTTP client auth mode is set to OPTIONAL at least in elasticsearch.yml:

searchguard.ssl.http.clientauth_mode: NONE

If this does not help, please post the output of:

curl --version

Could also be a curl issue.

···

On Monday, June 19, 2017 at 8:30:01 PM UTC+2, Melanie Zamora wrote:

I started testing on my sandbox using the cert, chain and key provided in the example scripts. I ran this:
curl -i --insecure --cert chain.pem --key example-pki-scripts/kirk.key.pem -XPOST 'https://macky.atlas.cm.com:9200/_snapshot/elastic-backups/_verify?pretty'

and got this:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Search Guard"
Content-Type: text/plain; charset=UTF-8
Content-Length: 0

Any idea why??

Sorry, some typos, and I can’t edit the post:

So, I assume you’re using our example scripts in your sandbox, right?

First, make sure that the chain.pem file actually contains the kirk certificate plus all intermediate certs plus the root CA. You can simply cat the certs together, as described here:

https://github.com/floragunncom/search-guard-docs/blob/master/managementapi.md

Next, check that the HTTP client auth mode is set to OPTIONAL at least in elasticsearch.yml:

searchguard.ssl.http.clientauth_mode: OPTIONAL

If this does not help, please post the output of:

curl --version

···

On Tuesday, June 20, 2017 at 10:01:40 PM UTC+2, Jochen Kressin wrote:

So, I assume you’re using our example scripts in your sandbox, right?

First make sure that the chain.pem file actually contains the kirk certificate plus all intermediate certs plus the root CA. You can simply cat the certs together, as described here:

https://github.com/floragunncom/search-guard-docs/blob/master/managementapi.md

Next, check that the HTTP client auth mode is set to OPTIONAL at least in elasticsearch.yml:

searchguard.ssl.http.clientauth_mode: NONE

If this does not help, please post the output of:

curl --version

Could also be a curl issue.
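
The chain.pem check suggested in the replies above, as an added example that is not part of the original thread or of the Search Guard project: check_chain splits a PEM bundle and confirms that each certificate's issuer is the subject of the next one and that the bundle ends in a self-signed root. make_demo_pki builds a constructed throwaway PKI (all names in it are assumptions) so the check can be tried offline.

```shell
#!/bin/sh
# Added example: order/completeness check for a PEM bundle given to curl --cert.
# Compares issuer and subject names only; signatures and dates are not verified.

cert_name() {  # $1 = subject|issuer, $2 = PEM file holding one certificate
  openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed "s/^$1= *//"
}

check_chain() {  # 0 if $1 is leaf -> intermediates -> self-signed root, else 1
  tmp=$(mktemp -d) || return 2
  # Split the bundle into $tmp/1.pem, $tmp/2.pem, ... and count the certificates.
  n=$(awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
       n { print > (d "/" n ".pem") }
       END { print n + 0 }' "$1")
  rc=0; i=1
  [ "$n" -gt 0 ] || { echo "no certificates in $1"; rc=1; }
  while [ "$i" -le "$n" ]; do
    subj=$(cert_name subject "$tmp/$i.pem")
    iss=$(cert_name issuer "$tmp/$i.pem")
    echo "[$i] subject: $subj"
    echo "    issuer:  $iss"
    if [ "$i" -lt "$n" ]; then
      # Each certificate must be issued by the one that follows it.
      [ "$iss" = "$(cert_name subject "$tmp/$((i + 1)).pem")" ] ||
        { echo "    issuer certificate missing or out of order"; rc=1; }
    else
      # The last certificate must be the self-signed root CA.
      [ "$iss" = "$subj" ] || { echo "    bundle does not end at a root CA"; rc=1; }
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}

make_demo_pki() {  # constructed throwaway PKI in dir $1: root -> signing CA -> kirk
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  for who in signing kirk; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo $who" \
      -keyout "$1/$who.key" -out "$1/$who.csr" 2>/dev/null
  done
  openssl x509 -req -days 1 -in "$1/signing.csr" -CA "$1/root.pem" \
    -CAkey "$1/root.key" -CAcreateserial -extfile "$1/ca.ext" \
    -out "$1/signing.pem" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/kirk.csr" -CA "$1/signing.pem" \
    -CAkey "$1/signing.key" -CAcreateserial -out "$1/kirk.pem" 2>/dev/null
}
```

Source the file and run check_chain chain.pem against the bundle passed to curl; a non-zero return means a certificate is missing or the certs were concatenated in the wrong order.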
