Make permission for cluster:admin/snapshot/restore configurable


Lucas Bremgartner

Sep 21, 2016, 4:29:54 AM
to Search Guard
Hello

I'm aware of the topics https://groups.google.com/forum/#!searchin/search-guard/snapshot|sort:relevance/search-guard/dQ3S5RGvAIo/Yikmky-BCAAJ and https://groups.google.com/forum/#!searchin/search-guard/snapshot|sort:relevance/search-guard/ZhdoSEtnSi8/5JF97v-EBgAJ and I do understand the reasons for this limitation. Securely storing backups and prohibiting unauthorized access is a hard topic.

Nevertheless I would like to request the possibility to change the current behavior (cluster:admin/snapshot/restore not allowed for a regular user) via the elasticsearch.yml configuration file. Would this be possible?

Another possible solution might be to restrict the restore functionality only for the SearchGuard-Index.

Regards,
Lucas

SG

Sep 22, 2016, 2:55:24 PM
to search...@googlegroups.com
this is solved for SG version 6
just use curl (or your browser) with an admin ssl certificate

Melanie Zamora

Jun 15, 2017, 1:46:44 PM
to Search Guard
Any idea why following these instructions does not work?

We are on SearchGuard 2.4.

I've set this:

searchguard.enable_snapshot_restore_privilege: true

And added this:


sg_snapshot_restore:
  cluster:
    - cluster:admin/repository/put
    - cluster:admin/repository/get
    - cluster:admin/snapshot/status
    - cluster:admin/snapshot/get
    - cluster:admin/snapshot/create
    - cluster:admin/snapshot/restore
    - cluster:admin/snapshot/delete
  indices:
    '*':
      '*':
        - indices:data/write/index
        - indices:admin/create

Restores are

Melanie Zamora

Jun 15, 2017, 1:47:10 PM
to Search Guard
Restores are still failing for me. 

Jochen Kressin

Jun 17, 2017, 4:49:12 AM
to Search Guard
- Did you map a user to this role, and are you sure you use that user in your curl calls? 
- Do you exclude global state and the Search Guard index when you restore?

Post the config, the curl call and the curl result please.
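
Added example, not part of the thread and not Search Guard code: a pre-flight check of a snapshot restore request body against the two questions in the post above (is global state excluded, is the Search Guard index excluded). The index name `searchguard`, the simplified handling of the `indices` expression, and the sample data are assumptions of this example.

```python
import fnmatch

SG_INDEX = "searchguard"  # assumption: default Search Guard index name

def resolve_indices(expr, snapshot_indices):
    """Simplified left-to-right resolution of a restore 'indices' expression.
    A leading '-' removes matches; no expression selects every index."""
    names = set(snapshot_indices)
    if not expr:
        return names
    raw = expr if isinstance(expr, list) else expr.split(",")
    parts = [p.strip() for p in raw if p.strip()]
    # An expression that starts with an exclusion begins from all indices.
    selected = set(names) if parts and parts[0].startswith("-") else set()
    for part in parts:
        exclude = part.startswith("-")
        pattern = part[1:] if exclude else part
        if pattern == "_all":
            pattern = "*"
        hits = {n for n in names if fnmatch.fnmatchcase(n, pattern)}
        selected = selected - hits if exclude else selected | hits
    return selected

def check_restore_body(body, snapshot_indices):
    """Return findings for a restore body; an empty list means both checks pass."""
    findings = []
    # Require an explicit false rather than relying on a version default.
    if body.get("include_global_state") is not False:
        findings.append("include_global_state is not explicitly false")
    if SG_INDEX in resolve_indices(body.get("indices"), snapshot_indices):
        findings.append("restore would include the '%s' index" % SG_INDEX)
    return findings

if __name__ == "__main__":
    snapshot = ["logs-2017.06", "kibana", "searchguard"]  # constructed sample
    for body in ({}, {"indices": "-searchguard", "include_global_state": False}):
        print(body, "->", check_restore_body(body, snapshot) or "ok")
```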

Jochen Kressin

Jun 17, 2017, 5:04:38 AM
to Search Guard
Also, could you send the complete logs on debug level from one node, from node start to the point where you get the restore error?

Lucas Bremgartner

Jun 19, 2017, 2:16:54 AM
to Search Guard
If I remember correctly, this feature was only added to Search Guard 5 for usage with Elasticsearch version 5.x. So you first need to update your installation.

Jochen Kressin

Jun 19, 2017, 6:15:24 AM
to Search Guard
You're right, I overlooked that we're talking about ES 2.x here. Updated the docs accordingly as well. So, for SG 2.x you need to restore the snapshot by using an admin certificate.