Restoring a Snapshot is Failing with no permissions for cluster:admin/snapshot/restore


Melanie Zamora

Jun 15, 2017, 1:30:31 PM
to Search Guard
Hello, I've followed the instructions here: https://groups.google.com/forum/#!msg/search-guard/dQ3S5RGvAIo/Sya3065CEQAJ and http://floragunncom.github.io/search-guard-docs/snapshots.html and so far I still cannot successfully do a restore.
We are on ES 2.4.3 with SearchGuard 2.4 running.

I'm running:

curl -i -S --insecure -XPOST 'https://c4vlhbes001.test.cm.com:9200/_snapshot/elastic-backups/20170614-092100/_restore' -E ch.pem --key searchguard-keystore.pem -d '{
 "indices": "scmatlas*",
 "include_global_state": false
}'

and I get:


HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Search Guard"
Content-Type: text/plain; charset=UTF-8
Content-Length: 0


and in the elasticsearch logs I get:
[2017-06-15 11:11:39,964][WARN ][com.floragunn.searchguard.configuration.PrivilegesEvaluator] cluster:admin/snapshot/restore is not allowed for a regular user


I get this when I provide a username and password:

HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=UTF-8
Content-Length: 219

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for cluster:admin/snapshot/restore"}],"type":"security_exception","reason":"no permissions for cluster:admin/snapshot/restore"},"status":403}

Anyone been able to do a successful restore?? What else can I do?

Jochen Kressin

Jun 17, 2017, 4:55:06 AM
to Search Guard
From this:

[2017-06-15 11:11:39,964][WARN ][com.floragunn.searchguard.configuration.PrivilegesEvaluator] cluster:admin/snapshot/restore is not allowed for a regular user

It seems that either your certificates are incorrect, or you did not enable TLS client authentication. Please have a look at the "Prerequisites" chapter in the REST API docs.


For curl, you need the certificate chain including any intermediate certificate.

Jochen Kressin

Jun 17, 2017, 5:03:44 AM
to Search Guard
Also, could you send the complete logs on debug level from one node, from node start to the point where you get the WARN message from the PrivilegesEvaluator?



Melanie Zamora

Jun 19, 2017, 2:30:01 PM
to Search Guard
I started testing on my sandbox using the cert, chain and key provided in the example scripts. I ran this:
curl -i --insecure --cert chain.pem --key example-pki-scripts/kirk.key.pem -XPOST 'https://macky.atlas.cm.com:9200/_snapshot/elastic-backups/_verify?pretty'

and got this:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Search Guard"
Content-Type: text/plain; charset=UTF-8
Content-Length: 0

Any idea why??

Jochen Kressin

Jun 20, 2017, 4:01:40 PM
to Search Guard
So, I assume you're using our example scripts in your sandbox, right?

First make sure that the cahin.pem file actually contains the kirk certificate plus all intermediate certs plus the root CA. You can simply cat the certs together, as described here;


Next, check that the HTTP client auth mode is set to OPTIONAL at least in elasticsearch.yml:

searchguard.ssl.http.clientauth_mode: NONE

If this does not help, please post the output of:

curl --version


Could also be a curl issue.

Jochen Kressin

Jun 20, 2017, 4:03:10 PM
to Search Guard
Sorry, some typos, and I can't edit the post:

So, I assume you're using our example scripts in your sandbox, right?

First, make sure that the chain.pem file actually contains the kirk certificate plus all intermediate certs plus the root CA. You can simply cat the certs together, as described here:


Next, check that the HTTP client auth mode is set to OPTIONAL at least in elasticsearch.yml:

searchguard.ssl.http.clientauth_mode: OPTIONAL

If this does not help, please post the output of:

curl --version
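
A preflight check for the two things the replies above ask to verify (chain.pem holding the client certificate plus its issuers, and searchguard.ssl.http.clientauth_mode not being NONE), as an added example that is not part of the thread or of Search Guard. The function names and sample files are constructed; accepting REQUIRE and treating a missing setting as a failure are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks the two settings the thread asks about.
# All file contents below are constructed placeholders, not real certificates.

# Effective searchguard.ssl.http.clientauth_mode (last uncommented entry),
# upper-cased; prints UNSET when the key is absent.
clientauth_mode() {
    m=$(sed -n 's/^[[:space:]]*searchguard\.ssl\.http\.clientauth_mode:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:lower:]' '[:upper:]')
    echo "${m:-UNSET}"
}

# Number of certificates in a PEM bundle (0 if the file is unreadable).
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Returns 0 only if client certs are requested and the bundle is a chain.
# Assumption of this example: an unset mode is reported as a failure.
preflight() {
    rc=0
    mode=$(clientauth_mode "$1")
    case "$mode" in
        OPTIONAL|REQUIRE) echo "ok: clientauth_mode=$mode" ;;
        NONE) echo "fail: clientauth_mode=NONE, client certs are never requested"; rc=1 ;;
        *) echo "fail: clientauth_mode=$mode, set it explicitly"; rc=1 ;;
    esac
    n=$(pem_cert_count "$2")
    if [ "$n" -ge 2 ]; then
        echo "ok: $2 holds $n certificates"
    else
        echo "fail: $2 holds $n certificate(s), need client cert + intermediates + root CA"; rc=1
    fi
    return "$rc"
}

# Demo on constructed files: NONE plus a single-cert bundle fails both checks.
demo=$(mktemp -d)
printf 'cluster.name: sandbox\nsearchguard.ssl.http.clientauth_mode: NONE\n' > "$demo/es.yml"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$demo/chain.pem"
preflight "$demo/es.yml" "$demo/chain.pem" || true
rm -rf "$demo"
```

The count only shows that the bundle holds more than one certificate; it does not prove the certificates chain to each other or to the CA the node trusts.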


