Upgrade 6.7 - 7.4 failure

I upgraded Elasticsearch from 6.7.1 to 7.4.0 and installed the latest SG plugin. Elastic and Kibana are up and running OK, but I use the “admin” user because I keep getting permissions errors (these did NOT exist prior to the upgrade):

[2019-10-10T16:53:08,874][INFO ][c.f.s.p.PrivilegesEvaluator] [ktelastic] No permissions for [indices:admin/aliases, indices:admin/create]

[2019-10-10T16:53:29,359][WARN ][c.f.s.c.PrivilegesInterceptorImpl] [ktelastic] Tenant SGS_GLOBAL_TENANT is not allowed for user admin

I can query the “admin” user with the REST API and it does exist with the “admin” role which is mapped by the “sg_all_access” rolemapping.

How can I get this working again?!?!?!?!?

I also noticed that the “sgadmin.sh -migrate” command fails to run with the following errors when I run:

“sgadmin.sh -migrate ./sgconfig7 -cd …/sgconfig/” (+ all of the cert/key options).

INFO: searchguard index state is YELLOW, it seems you miss some replicas
Legacy index ‘searchguard’ (ES 6) detected (or forced). You should migrate the configuration!
See Upgrading from 6.x to 7.x | Security for Elasticsearch | Search Guard for more details.
== Migration started ==

Backup current configuration to /usr/share/elasticsearch/plugins/search-guard-7/tools/./sgconfig7
Will retrieve ‘sg/config’ into /usr/share/elasticsearch/plugins/search-guard-7/tools/./sgconfig7/sg_config.yml (legacy mode)
FAIL: Get configuration for ‘config’ because it does not exist
Will retrieve ‘sg/roles’ into /usr/share/elasticsearch/plugins/search-guard-7/tools/./sgconfig7/sg_roles.yml (legacy mode)
FAIL: Get configuration for ‘roles’ because it does not exist
Will retrieve ‘sg/rolesmapping’ into /usr/share/elasticsearch/plugins/search-guard-7/tools/./sgconfig7/sg_roles_mapping.yml (legacy mode)
FAIL: Get configuration for ‘rolesmapping’ because it does not exist
Will retrieve ‘sg/internalusers’ into /usr/share/elasticsearch/plugins/search-guard-7/tools/./sgconfig7/sg_internal_users.yml (legacy mode)
FAIL: Get configuration for ‘internalusers’ because it does not exist
Will retrieve ‘sg/actiongroups’ into /usr/share/elasticsearch/plugins/search-guard-7/tools/./sgconfig7/sg_action_groups.yml (legacy mode)
FAIL: Get configuration for ‘actiongroups’ because it does not exist

This might not be clear enough in the upgrade instructions, sorry for the issue. In 7.x, we have decided to ship Search Guard with a couple of fixed, built-in roles and action groups:

We have done this so we can update the permissions for these roles (Kibana and Logstash in particular) in case the permission schema changes from one Elasticsearch release to another.

Consequently, please map your admin user to the SGS_ALL_ACCESS built-in role instead of the (legacy) sg_all_access role.

Regarding the sgadmin error, can you @cstaley please have a look?
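
The remapping described in this reply, as an added example that is not from the thread or from the Search Guard project. It assumes the backend role is named "admin", as in the original post, and the 7.x sg_roles_mapping.yml layout (the `_sg_meta` header and the `backend_roles` key).

```yaml
# sg_roles_mapping.yml for Search Guard 7.x (added example, constructed).
_sg_meta:
  type: "rolesmapping"
  config_version: 2

# Legacy 6.x entry, shown commented out for comparison. After the upgrade
# this mapping points at a role name that is no longer the built-in one,
# so the user ends up with no effective permissions:
#
# sg_all_access:
#   backendroles:
#   - admin

# 7.x entry: map the same backend role to the built-in role instead.
# SGS_ALL_ACCESS ships with the plugin, so it needs no definition in
# sg_roles.yml; only the mapping is configured here.
SGS_ALL_ACCESS:
  backend_roles:
  - "admin"
```

The file is uploaded with sgadmin.sh and the `-cd` option already used in the original post; it takes effect only once it has been written to the Search Guard index.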

Did you complete the “Check your Search Guard configuration” step as described in Upgrading from 6.x to 7.x | Security for Elasticsearch | Search Guard?
