Snapshot Restore Error - no permissions for []

JasperNygaard · November 18, 2020, 12:26pm

Elasticsearch version:
7.9.0
Server OS version:
Windows 2012/2019
Kibana version (if relevant):
7.9.0

Describe the issue:
Having trouble restoring snapshots to my cluster and getting the following error message (note the empty brackets: *

“[security_exception] no permissions for and User [name=…”

Facts

All 4 nodes have searchguard.enable_snapshot_restore_privilege: true and searchguard.check_snapshot_restore_write_privileges: true and have been restarted
I’ve tried with my own user jmn, admin and the snapshotrestore user with same result. Note jmn and admin has SGS-ALL-ACCESS and SGS_MANAGE_SNAPSHOTS.

Provide configuration:
elasticsearch.yml (1.6 KB)
sg_roles_mapping.yml (2.9 KB)
sg_config.yml (6.8 KB)

Errors in browser console (if relevant):
Reponse:

{“statusCode”:403,“error”:“Forbidden”,“message”:"[security_exception] no permissions for and User [name=JMN, backend_roles=[… lots of AD security groups], requestedTenant=null]"}

jkressin · November 18, 2020, 12:57pm

Hi Jasper - this indeed seems strange, we’ll look into it. In the meantime, can you also add the Elasticsearch logfile when this error happens? The ES logs should contain more information about the actual permissions or settings that seem to be missing. They should also contain details about the user and the actual Search Guard roles the user has.

Also, are you sure that the snapshot does not contain the Search Guard configuration index by chance?

JasperNygaard · November 18, 2020, 2:43pm

Hi jkressin,

Well, I’m using the snapshot policy with the option “All data streams and indices, including system indices” enabled, so I expect everything is snapshotted. Just selecting a few indices actually works.

jkressin · November 19, 2020, 8:19am

Ok, then the problem is most probably that your snapshot also contains the Search Guard configuration index. Since this index contains the complete security configuration, by default we allow to restore it only when using an admin TLS certificate.

I see two options:

You can explicitly allow snapshot and restore of the Search Guard system indices:

This of course should be “handled with care” since some attacker could potentially restore the SG index and thus overwrite the security settings.

Option 2 would be to restore indices selectively.

JasperNygaard · November 19, 2020, 8:19am

Thank you so much! Makes perfectly sense - just the error message that threw me of guard.