Error : cluster:admin/snapshot/restore is not allowed for a regular user


l...@ooworx.com

Jun 22, 2016, 12:13:27 PM
to Search Guard
Hi,

I want to use the "snapshot and restore" system from Elasticsearch with SG2, but this error happens:

Error : cluster:admin/snapshot/restore is not allowed for a regular user

Looking in the code I've found: https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/configuration/PrivilegesEvaluator.java#L132

How can I manage to use the restore system with SG as a REST HTTP user?

Regards,
Lucas


SG

Jun 24, 2016, 3:45:38 PM
to search...@googlegroups.com
Currently it's not possible to restore a snapshot via HTTP/REST (only through the Java API).
But we are aware of this, so client-certificate-authenticated access will be available to do this with the next SG release.

Sam Mingolelli

Aug 17, 2016, 2:26:45 PM
to Search Guard
Is there a timeline for when this feature will become available? Currently it's breaking us to the point where we won't be able to use search-guard-2.

in...@search-guard.com

Aug 17, 2016, 3:39:23 PM
to Search Guard
There is no fixed timeline yet, but it is one of the top features in our backlog, and we already have outlined an implementation strategy. But given all the other things we have on the plate at the moment, expect at least another 4-6 weeks. Since opening the REST layer for SG index manipulation can introduce potential security holes, we need to audit and test the code thoroughly before we release it.

SG

Aug 19, 2016, 6:41:34 AM
to search...@googlegroups.com
Should be possible now with the latest snapshot:
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.5.6-SNAPSHOT/search-guard-2-2.3.5.6-20160819.103812-1.zip

Use it like:
cat example-pki-scripts/kirk.crt.pem example-pki-scripts/ca/chain-ca.pem > ch.pem
curl -Ss --insecure -XPOST 'https://localhost:9200/_snapshot/my_backup/snapshot_1/_restore' -E ch.pem --key example-pki-scripts/kirk.key.pem

Make sure:
* You have SSL activated for HTTP
* Kirk DN is listed as admin in elasticsearch.yml

myin2000

Aug 22, 2016, 1:33:05 PM
to Search Guard
Getting the following error after applying the snapshot. The user is defined in sg_internal_users.yml, and has the role sg_all_access. I added the user to the list of searchguard.authcz.admin_dn in elasticsearch.yml. Does it support a user defined like this?

[2016-08-22 13:02:13,785][DEBUG][rest.suppressed          ] path: /_snapshot/my_backup/boa-test7s235q_1471885332038/_restore, params: {wait_for_completion=true, repository=my_backup, snapshot=boa-test7s235q_1471885332038}
ElasticsearchSecurityException[no permissions for cluster:admin/snapshot/restore]
at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:164)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)

in...@search-guard.com

Aug 23, 2016, 3:42:28 PM
to Search Guard
Are you sure you supplied a client certificate?

How do you call the restore command? Make sure it's like:

cat example-pki-scripts/kirk.crt.pem example-pki-scripts/ca/chain-ca.pem > ch.pem 
curl -Ss --insecure -XPOST 'https://localhost:9200/_snapshot/my_backup/snapshot_1/_restore' -E ch.pem --key example-pki-scripts/kirk.key.pem 

Otherwise it won't work! You do not need to configure a user in the config or roles except in "searchguard.authcz.admin_dn". It's the same procedure as with sgadmin.
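
Added example, not part of the posts above and not Search Guard's own code: a pre-flight check that the certificate passed to curl -E has a subject DN listed under searchguard.authcz.admin_dn, which is the condition the replies call out (an internal user name in that list will not match). It assumes the flat key followed by a block-style YAML list; the function names are hypothetical and the DN comparison (case-insensitive, whitespace around commas ignored) is a simplification, not Search Guard's own matching.

```shell
#!/bin/sh
# Added example (hypothetical helper names): check that a client certificate's
# subject DN is listed under searchguard.authcz.admin_dn before calling _restore.

# Filter: normalise DNs on stdin for comparison. Trims whitespace, strips
# surrounding quotes, removes whitespace around commas, lowercases.
# Assumption: simplified comparison, not Search Guard's own DN matching.
normalize_dn() {
  sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/" \
      -e 's/[[:space:]]*,[[:space:]]*/,/g' |
    tr '[:upper:]' '[:lower:]'
}

# Print the list entries under searchguard.authcz.admin_dn in the given
# elasticsearch.yml. Assumption: flat key followed by a block-style "- " list.
list_admin_dns() {
  awk '
    /^searchguard\.authcz\.admin_dn:/ { in_list = 1; next }
    in_list && /^[ \t]*-[ \t]+/      { sub(/^[ \t]*-[ \t]+/, ""); print; next }
    in_list && /^[ \t]*(#.*)?$/      { next }          # blank line or comment
    in_list                          { in_list = 0 }   # next key ends the list
  ' "$1"
}

# Print the subject DN of a PEM certificate in RFC 2253 form (requires openssl).
cert_subject_dn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Return 0 if DN $1 appears in the admin_dn list of config file $2, else non-zero.
dn_is_admin() {
  want=$(printf '%s\n' "$1" | normalize_dn)
  [ -n "$want" ] || return 1
  list_admin_dns "$2" | normalize_dn | grep -Fxq -- "$want"
}

# Usage, with the certificate path from the thread and a placeholder config path:
#   dn_is_admin "$(cert_subject_dn example-pki-scripts/kirk.crt.pem)" \
#       path/to/elasticsearch.yml ||
#     echo "certificate DN is not listed in searchguard.authcz.admin_dn" >&2
```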

Enzo Wang

Jan 8, 2017, 9:54:50 PM
to Search Guard
Does Search Guard 5.0.2 have this patch?

Search Guard

Jan 10, 2017, 7:32:18 AM
to Search Guard
Yes